MD5: d729b9dba948eb4ef2508833bbe9286e
SHA1: 194c9325997d404794c16e005ba1a63bf9e880e8
SHA256: 0ca06ec17d5b3a33724017aa2830b7b8881c2088274af30b9ca304bffc1fb105
SSDeep: 3072:GtxtIqHl1YQZsmobimd4dvhyiRSrC66WmhxGerDCXgFPcy26IT7EisOYA0qFv:GDtIqHEmGCnSrTS5awut9TDs1Sx
Size: 201728 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-08-09 11:05:19
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan-Downloader. Trojan program, which downloads files from the Internet without user's notice and executes them.

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:260
%original file name%.exe:528

The Trojan injects its code into the following process(es):

calc.exe:392
notepad.exe:916
mscorsvw.exe:1924
svchost.exe:1744
Explorer.EXE:512
csrss.exe:704
winlogon.exe:728
services.exe:772
svchost.exe:940
wmiprvse.exe:956
svchost.exe:1020
svchost.exe:1104
svchost.exe:1152
svchost.exe:1208
spoolsv.exe:1440
jqs.exe:1964

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)

The process calc.exe:392 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)

The process notepad.exe:916 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe (1281 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process %original file name%.exe:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 7F 7C BA EA 2B 7B BB AF 25 14 59 E5 56 86 FC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 2A 5E C6 18 3D C2 41 BA BE ED 4B 25 59 E9 55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process calc.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 6F AD 7B 25 58 A6 A0 01 15 A3 E7 F6 67 32 99"

The process notepad.exe:916 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 03 EF 83 CB 0E 0A DA 31 DB 33 53 42 AC CB 79"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Trojan installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Trojan installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Trojan installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name: PortableApps.com
Product Name: Feed Notifier Portable
Product Version: 2.6.0.0
Legal Copyright: PortableApps.com Installer Copyright 2007-2012 PortableApps.com.
Legal Trademarks: PortableApps.com is a registered trademark of Rare Ideas, LLC.
Original Filename: FeedNotifierPortable_2.6_English.paf.exe
Internal Name: Feed Notifier Portable
File Version: 2.6.0.0
File Description: Feed Notifier Portable
Comments: For additional details, visit PortableApps.com
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_1744_rwx_00090000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

c:\%original file name%.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_1744_rwx_000D0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1744_rwx_00A10000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

c:\%original file name%.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

calc.exe_392:

.text

`.data

.rsrc

SHELL32.dll

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

GDI32.dll

USER32.dll

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

calc.pdb

j.OXO

_acmdln

RegCloseKey

RegOpenKeyExA

name="Microsoft.Windows.Shell.calc"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

CalcMsgPumpWnd

The requested operation may take a very long time to complete.

Do you want to let the calculation continue, or stop the operation now?

Windows Calculator application file

5.1.2600.0 (xpclient.010817-1148)

CALC.EXE

Windows

Operating System

5.1.2600.0

Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.

Do you want to abort the operation now?

calc.hlp

Cannot open Clipboard.TThere is not enough memory for data.

calc.chm

calc.exe_392_rwx_000A0000_00002000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

465011237

2u42t.exe

ncf0m.exe

d7jv3.exe

vfsch.exe

jeh2r.exe

wbtsy.exe

b2pgd.exe

0a2b1.exe

cl66d.exe

lcqin.exe

6q0kg.exe

kt3ip.exe

5f4ie.exe

2xiu8.exe

wys1x.exe

3wuym.exe

jtmov.exe

xn54b.exe

4jw68.exe

user32.dll

urlmon.dll

URLDownloadToFileA

wininet.dll

hXXp://VVV.google.com

calc.exe_392_rwx_00970000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\calc.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\calc.exe

c:\%original file name%.exe

notepad.exe_916:

.text

`.data

.rsrc

comdlg32.dll

SHELL32.dll

WINSPOOL.DRV

COMCTL32.dll

msvcrt.dll

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

notepad.chm

hhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

notepad.pdb

t%SSh

_acmdln

RegCloseKey

RegCreateKeyW

RegOpenKeyExA

SetViewportExtEx

GetKeyboardLayout

name="Microsoft.Windows.Shell.notepad"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

&*$#$$#$*

MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM

*.txt

/.SETUP

5.1.2600.5512 (xpsp.080413-2105)

NOTEPAD.EXE

Windows

Operating System

5.1.2600.5512

notepad.hlp

Text Documents (*.txt)

You cannot quit Windows because the Save As dialog

dialog box, and then try quitting Windows again.

Common Dialog error (0xx)

Not enough memory available to complete this operation. Quit one or more applications to increase available memory, and then try again.KThe %% file is too large for Notepad.

Not a valid file name.MCannot create the %% file.

Make sure that the path and filename are correct.RCannot carry out the Word Wrap command because there is too much text in the file.

Page %d

Ln %d, Col %d

notepad.exe_916_rwx_000A0000_00029000:

.text

`.data

.rsrc

@.reloc

*windows defender*

*windowsupdate*

*drweb*

dwwin.exe

kernel32.dll

iphlpapi.dll

GetExtendedTcpTable

GetOwnerModuleFromTcpEntry

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Identities\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

/c "start %Í%%%s & attrib -s -h %Í%%%s & xcopy /F /S /Q /H /R /Y %Í%%%s %%temp%%\%s\ & attrib  s  h %Í%%%s & start %%temp%%\%s\%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\c731200

%s\%s

%s\%s.lnk

Windows_Shared_Mutex_231_c000100

ntdll.dll

\ScreenSaverPro.scr

\temp.bin

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

WinExec

URLDownloadToFileA

hXXp://VVV.google.com

\calc.exe

\Reader_sl.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

notepad.exe

\notepad.exe

\svchost.exe

WindowsId

Identities\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

a.aiphon1egalaxyblack42.com

a.ajjjqws1fkxx42.com

a.adoyou1understandme42.com

a.amous1epadsafa42.com

a.acaraka1lagroup42.com

a.aire1bobohayawen42.com

a.ajhvdqw1ladies42.com

a.biphon2egalaxyblack42.com

a.bmous2epadsafa42.com

a.bcaraka2lagroup42.com

a.anabok1hasn1aser42.com

a.athemall1gonowhaha42.com

a.bdoyou2understandme42.com

a.bnabok2hasn1aser42.com

a.bjjjqws2fkxx42.com

a.bjhvdqw2ladies42.com

a.bthemall2gonowhaha42.com

a.bire2bobohayawen42.com

a.cdoyou3understandme42.com

a.cmous3epadsafa42.com

a.dmous4epadsafa42.com

a.ciphon3egalaxyblack42.com

a.cnabok3hasn1aser42.com

a.cire3bobohayawen42.com

a.cthemall3gonowhaha42.com

a.cjhvdqw3ladies42.com

a.cjjjqws3fkxx42.com

a.ccaraka3lagroup42.com

a.diphon4egalaxyblack42.com

a.ddoyou4understandme42.com

a.dnabok4hasn1aser42.com

a.dire4bobohayawen42.com

a.djjjqws4fkxx42.com

a.djhvdqw4ladies42.com

a.dthemall4gonowhaha42.com

a.edoyou5understandme42.com

a.dcaraka4lagroup42.com

a.emous5epadsafa42.com

a.ecaraka5lagroup42.com

a.eiphon5egalaxyblack42.com

a.enabok5hasn1aser42.com

a.eire5bobohayawen42.com

a.ejjjqws5fkxx42.com

a.ejhvdqw5ladies42.com

a.ethemall5gonowhaha42.com

a.roooggeyyy2.com

a.roooggeyyy3.com

a.roooggeyyy4.com

a.so1aa00.com

a.saao20000.com

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteExW

SHELL32.dll

SetTcpEntry

SHLWAPI.dll

RPCRT4.dll

NETAPI32.dll

DNSAPI.dll

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

WindowsMark

m1xg.org

mxxtxxt.biz

meob.me

%System%\notepad.exe

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

Secur32.dll

ShellExecuteA

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

shlwapi.dll

crypt32.dll

wtsapi32.dll

samcli.dll

netutils.dll

userenv.dll

WindowsSecondaryDesktop

\charmap.exe

\Windows Media Player\wmprph.exe

c:\%original file name%.exe

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

notepad.exe_916_rwx_008B0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

c:\%original file name%.exe

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

\\.\pipe\c1419a97

%System%\notepad.exe

%WinDir%

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe

Explorer.EXE_512_rwx_01F80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%WinDir%\Explorer.EXE

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\explorer.exe

c:\%original file name%.exe

csrss.exe_704_rwx_00CC0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

\??\%System%\csrss.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

c:\%original file name%.exe

winlogon.exe_728_rwx_01900000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

\??\%System%\winlogon.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

c:\%original file name%.exe

services.exe_772_rwx_00B00000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\services.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\services.exe

c:\%original file name%.exe

svchost.exe_940_rwx_00ED0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

wmiprvse.exe_956_rwx_00DE0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\wbem\wmiprvse.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

c:\%original file name%.exe

svchost.exe_1020_rwx_00B80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1104_rwx_02C20000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%WinDir%\System32\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1152_rwx_00860000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1208_rwx_00CF0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

spoolsv.exe_1440_rwx_00E10000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%System%\spoolsv.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

c:\%original file name%.exe

mscorsvw.exe_1924_rwx_008E0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

c:\%original file name%.exe

jqs.exe_1964_rwx_010C0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

PTF://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

hXXp://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

\\.\%c:

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

m1xg.org

mxxtxxt.biz

meob.me

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\c1419a97

%Program Files%\Java\jre6\bin\jqs.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe

7 767<7~7

8*808;8~8

%s\Identities\%s.exe

\\.\pipe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\

winlogon.exe

notepad.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

c:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:260
   %original file name%.exe:528
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\c731200 (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\c731200 (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe (1281 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Uukmkg" = "%Documents and Settings%\%current user%\Application Data\Identities\Uukmkg.exe"

6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.