Gen.Variant.Zusy.Elzob.2099_e1af816d11
Trojan.Win32.Bublik.lkn (Kaspersky), Gen:Variant.Zusy.Elzob.2099 (B) (Emsisoft), Gen:Variant.Zusy.Elzob.2099 (AdAware), Trojan.Win32.IEDummy.FD, GenericInjector.YR, GenericIRCBot.YR, GenericDownloader.YR (Lavasoft MAS)
Behaviour: Trojan, IRCBot
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: e1af816d11a87e5c0e32018c6d988cae
SHA1: f728c802dca84bb0789c75e67cd4995b18412142
SHA256: 4f7cbe24bd9be53113832a1d5750ffc646eebabc211b43695593e413aff9d824
SSDeep: 3072:AKnE/XpRhMk9mYyKm7b5fhcF0zBEs5pJ5LRmSTOzhkFE8en92yZum5yqYia0DsG:KHN9mv91hTqQDTOzgs2y35yqYPI
Size: 190464 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17 (this is the fixed link timestamp that Borland Delphi writes into every PE it builds, consistent with the CODE/DATA/BSS section names in the PE Sections table below; it does not reflect when the sample was actually compiled)
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
| Behaviour | Description |
|---|---|
| IRCBot | A bot that receives commands from its command-and-control server over an IRC channel. |
Process activity
The Trojan creates the following process(es):
server.exe:348
%original file name%.exe:1156
The Trojan injects its code into the following process(es):
iexplore.exe:1032
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process server.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Server (673 bytes)
The process %original file name%.exe:1156 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\server.exe (673 bytes)
Note that server.exe is written as only 673 bytes, far smaller than the 190464-byte sample, and the report records no dropped PE files, so the file on disk is not a straight copy of the sample. The bot's own strings are recovered from the injected iexplore.exe process (memory dumps below), not from this file.
Registry activity
The process server.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (the Cryptography\RNG Seed, MountPoints2 BaseClass and Shell Folders values are side effects of ordinary Windows API use and carry no persistence meaning; the Active Setup StubPath and the Policies\Explorer\Run value are the entries that matter):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 39 A9 EA 46 D0 F8 B3 08 85 1B 74 B4 FD 92 F8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A66OVDU3-6XL3-5IDE-8D68-Y803Q22O36T6}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Server" = "%Documents and Settings%\%current user%\Application Data\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
To run itself again each time the user logs on, the Trojan adds the following reference to its dropped copy under the registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Server" = "%Documents and Settings%\%current user%\Application Data\server.exe"
Together with the Policies\Explorer\Run value, the Active Setup StubPath entry and the "Server" file placed in the user's Startup folder, that is four separate user-level autostart paths all pointing at the same server.exe, none of which needs administrator rights. The Active Setup component name {A66OVDU3-6XL3-5IDE-8D68-Y803Q22O36T6} is not a valid GUID (it contains non-hexadecimal characters), which makes it a convenient signature for this sample's persistence.
The process %original file name%.exe:1156 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (again mostly RNG Seed, MountPoints2 and Shell Folders noise; the one entry of forensic value is the MUICache record for server.exe under Application Data, which shows the dropped file was actually executed through the shell):
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C D7 2F 6F FB 1E 43 74 A1 F7 B9 81 96 DA F1 52"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data]
"server.exe" = "server"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan sets IE security-zone values so that local (intranet) sites not assigned to any other zone are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
so that UNC paths (\\server\share) are treated as Intranet Zone:
"UNCAsIntranet" = "1"
and so that sites which bypass the proxy server are treated as Intranet Zone:
"ProxyBypass" = "1"
These three values are the Windows XP defaults for the Intranet zone and are commonly (re)written when Internet Explorer, the process this sample injects into, initialises its zone configuration. On their own they are weak evidence; the Run, Policies\Explorer\Run and Active Setup entries above are the meaningful changes.
Dropped PE files
There are no dropped PE files.
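The registry block above mixes four genuine autostart entries with a dozen values that any process writes as a side effect (RNG Seed, MountPoints2, Shell Folders). The following Python script is an added example, not part of the Lavasoft report: it parses the report's own `[key]` / `"name" = "value"` layout, separates persistence from noise, flags entries that point into user-writable paths, and checks whether an Active Setup component name is a well-formed GUID. The excerpt embedded in `REGISTRY_BLOCK` is constructed from the lines above; the bucket names and the regular expressions are this example's own choices, not anything the report defines.

```python
import re

# Constructed excerpt of the "Registry activity" block above, in the report's own
# "[key]" / "name" = "value" layout. Paste the full block here to triage a whole report.
REGISTRY_BLOCK = r"""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 39 A9 EA 46 D0 F8 B3 08 85 1B 74 B4 FD 92 F8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A66OVDU3-6XL3-5IDE-8D68-Y803Q22O36T6}]
"StubPath" = "%Documents and Settings%\%current user%\Application Data\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Server" = "%Documents and Settings%\%current user%\Application Data\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Server" = "%Documents and Settings%\%current user%\Application Data\server.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*"(.*)"$')
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

# Autostart locations seen in the report, matched against the tail of the key path.
PERSISTENCE = (
    (re.compile(r"\\CurrentVersion\\Run$", re.I), "Run key"),
    (re.compile(r"\\Policies\\Explorer\\Run$", re.I), "Policies Explorer Run"),
    (re.compile(r"\\Active Setup\\Installed Components\\[^\\]+$", re.I), "Active Setup StubPath"),
)
# Keys any process touches as a side effect of ordinary API use; skipped, only counted.
NOISE_RE = re.compile(r"\\Cryptography\\RNG$|\\MountPoints2\\|\\Shell Folders$|\\MUICache\\", re.I)
ZONEMAP_RE = re.compile(r"\\Internet Settings\\ZoneMap$", re.I)
# Per-user paths a non-admin account can write to, i.e. persistence that needs no privilege.
USER_WRITABLE_RE = re.compile(r"%current user%\\(Application Data|Local Settings|Start Menu)", re.I)


def parse_registry_block(text):
    """Yield (key, value_name, data) for each value line under its most recent [key] header."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def triage(text):
    """Bucket registry writes into persistence, IE zone changes, noise and everything else."""
    result = {"persistence": [], "zonemap": [], "noise": 0, "other": []}
    for key, name, data in parse_registry_block(text):
        if NOISE_RE.search(key):
            result["noise"] += 1
            continue
        if ZONEMAP_RE.search(key):
            result["zonemap"].append((name, data))
            continue
        mechanism = next((label for rx, label in PERSISTENCE if rx.search(key)), None)
        if mechanism is None:
            result["other"].append((key, name, data))
            continue
        flags = []
        if USER_WRITABLE_RE.search(data):
            flags.append("user-writable path")
        # Active Setup keys are named by GUID; a non-hex name like {A66OVDU3-...} is a giveaway.
        if mechanism == "Active Setup StubPath" and not GUID_RE.match(key.rsplit("\\", 1)[-1]):
            flags.append("malformed GUID")
        result["persistence"].append(
            {"mechanism": mechanism, "key": key, "name": name, "data": data, "flags": flags})
    return result


if __name__ == "__main__":
    report = triage(REGISTRY_BLOCK)
    for entry in report["persistence"]:
        print(f"[{entry['mechanism']}] {entry['data']}  flags={entry['flags']}")
    print(f"ZoneMap changes: {report['zonemap']}; noise values skipped: {report['noise']}")
```

Run against the excerpt it reports three persistence entries, all in a user-writable path, with the Active Setup one flagged for its malformed GUID, three ZoneMap changes and two skipped noise values. The `other` bucket is where anything unexpected lands, so on a new report that list is the first thing to read.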
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 27160 | 27648 | 4.44884 | 3d579b9fb030525e8d1f4546c6b2ab97 |
| DATA | 32768 | 188 | 512 | 1.02338 | 2cd3d11834ebdb276d199e9f59ed983e |
| BSS | 36864 | 4217 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 45056 | 2352 | 2560 | 3.02893 | 3b59f6cec5952304ca6adfa9054e3a6f |
| .tls | 49152 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 53248 | 24 | 512 | 0.14174 | 7f19c8e4e4884244b15fc4c0763e074a |
| .reloc | 57344 | 1396 | 1536 | 4.36651 | 8cd3556bbefcf06293d1e6e630022af1 |
| .rsrc | 61440 | 156176 | 156672 | 5.53112 | b51b3b7689eed5483df72c67c45fbdbd |
The CODE/DATA/BSS/.idata/.tls section naming is the Borland Delphi linker's layout. BSS and .tls have a raw size of 0, so their section MD5 d41d8cd98f00b204e9800998ecf8427e is simply the MD5 of empty input. The .rsrc section holds 156672 of the file's 190464 bytes (about 82%) and has the highest entropy, which is what the "Packed" verdict and the UPolyX PEiD match reflect: the payload is most likely carried as a resource and unpacked at run time rather than living in the 27 KB CODE section.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 2
8441efe72c4783cfdc4c68b107f95d1e
545d90e65f985fc4a96e8946532915e8
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Trojan connects to the servers at the following location(s):
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_1032_rwx_00150000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00290000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_002D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00310000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00350000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00390000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00C50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00C90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00CD0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00D10000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00D50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00D90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00DD0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00E10000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00E50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00E90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00ED0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00F10000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00F50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00F90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_00FD0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01010000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01050000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01090000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_010D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01110000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01150000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01190000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_011D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01210000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01250000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01290000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_012D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01310000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01350000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01390000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_013D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01400000_00001000:
user32.dll
iexplore.exe_1032_rwx_01530000_00001000:
GetKeyboardType
iexplore.exe_1032_rwx_01540000_00001000:
user32.dll
iexplore.exe_1032_rwx_01580000_00001000:
user32.dll
iexplore.exe_1032_rwx_015C0000_00001000:
user32.dll
iexplore.exe_1032_rwx_015F0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01730000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01760000_00001000:
RegOpenKeyExA
iexplore.exe_1032_rwx_01770000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_017A0000_00001000:
RegCloseKey
iexplore.exe_1032_rwx_017B0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_017E0000_00001000:
oleaut32.dll
iexplore.exe_1032_rwx_01920000_00001000:
oleaut32.dll
iexplore.exe_1032_rwx_01960000_00001000:
oleaut32.dll
iexplore.exe_1032_rwx_019A0000_00001000:
oleaut32.dll
iexplore.exe_1032_rwx_019D0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01B10000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01B50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01B90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01BD0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01C10000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01C50000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_01C80000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01DC0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01E00000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01E30000_00001000:
RegQueryInfoKeyA
iexplore.exe_1032_rwx_01E40000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01E70000_00001000:
RegOpenKeyExA
iexplore.exe_1032_rwx_01E80000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01EB0000_00001000:
RegFlushKey
iexplore.exe_1032_rwx_01EC0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01F00000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01F30000_00001000:
RegEnumKeyExA
iexplore.exe_1032_rwx_01F40000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01F80000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01FB0000_00001000:
RegDeleteKeyA
iexplore.exe_1032_rwx_01FC0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_01FF0000_00001000:
RegCreateKeyExA
iexplore.exe_1032_rwx_02000000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02030000_00001000:
RegCreateKeyA
iexplore.exe_1032_rwx_02040000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02070000_00001000:
RegCloseKey
iexplore.exe_1032_rwx_02080000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_020C0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02100000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02140000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02180000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_021C0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02200000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02240000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02280000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_022C0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02300000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02340000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_02370000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_024B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_024F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02530000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02560000_00001000:
WinExec
iexplore.exe_1032_rwx_02570000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_025B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_025F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02630000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02670000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_026B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_026F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02730000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02770000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_027B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_027F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02830000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02870000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_028B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_028F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02930000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02970000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_029B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_029F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02A30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02A70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02AB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02AF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02B30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02B70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02BA0000_00001000:
PeekNamedPipe
iexplore.exe_1032_rwx_02BB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02BF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02C30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02C70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02CB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02CF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02D30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02D70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02DB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02DF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02E30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02E70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02EB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02EF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02F30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02F70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02FB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_02FF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03030000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03070000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_030B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_030F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03130000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03170000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_031B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_031F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03230000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03270000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_032B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_032F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03330000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03370000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_033B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_033F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03430000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03470000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_034B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_034F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03530000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03570000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_035B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_035F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03630000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03670000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_036B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_036F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03730000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03770000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_037B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_037F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03830000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03870000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_038B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_038F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03930000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03970000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_039B0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_039F0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03A30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03A70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03AB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03AF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03B20000_00001000:
CreatePipe
iexplore.exe_1032_rwx_03B30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03B70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03BB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03BF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03C30000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03C70000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03CB0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03CF0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_03D20000_00001000:
mpr.dll
iexplore.exe_1032_rwx_03E60000_00001000:
mpr.dll
iexplore.exe_1032_rwx_03EA0000_00001000:
mpr.dll
iexplore.exe_1032_rwx_03EE0000_00001000:
mpr.dll
iexplore.exe_1032_rwx_03F20000_00001000:
mpr.dll
iexplore.exe_1032_rwx_03F50000_00001000:
version.dll
iexplore.exe_1032_rwx_04090000_00001000:
version.dll
iexplore.exe_1032_rwx_040D0000_00001000:
version.dll
iexplore.exe_1032_rwx_04110000_00001000:
version.dll
iexplore.exe_1032_rwx_04140000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04280000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_042C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04300000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04340000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04380000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_043C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04400000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04440000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04480000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_044C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04500000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04540000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04580000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_045C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04600000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04640000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04680000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_046C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04700000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04740000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04780000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_047C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04800000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04840000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_04880000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_048C0000_00001000:
gdi32.dll
iexplore.exe_1032_rwx_048F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04A30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04A70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04AB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04AE0000_00001000:
keybd_event
iexplore.exe_1032_rwx_04AF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04B20000_00001000:
VkKeyScanA
iexplore.exe_1032_rwx_04B30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04B70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04BB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04BF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04C30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04C70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04CB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04CF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04D30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04D70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04DB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04DE0000_00001000:
SetKeyboardState
iexplore.exe_1032_rwx_04DF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04E30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04E70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04EB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04EF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04F30000_00001000:
user32.dll
iexplore.exe_1032_rwx_04F70000_00001000:
user32.dll
iexplore.exe_1032_rwx_04FB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_04FF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05030000_00001000:
user32.dll
iexplore.exe_1032_rwx_05070000_00001000:
user32.dll
iexplore.exe_1032_rwx_050B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_050F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05130000_00001000:
user32.dll
iexplore.exe_1032_rwx_05160000_00001000:
MsgWaitForMultipleObjects
iexplore.exe_1032_rwx_05170000_00001000:
user32.dll
iexplore.exe_1032_rwx_051B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_051E0000_00001000:
MapVirtualKeyExA
iexplore.exe_1032_rwx_051F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05220000_00001000:
MapVirtualKeyA
iexplore.exe_1032_rwx_05230000_00001000:
user32.dll
iexplore.exe_1032_rwx_05270000_00001000:
user32.dll
iexplore.exe_1032_rwx_052B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_052F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05330000_00001000:
user32.dll
iexplore.exe_1032_rwx_05370000_00001000:
user32.dll
iexplore.exe_1032_rwx_053B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_053F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05430000_00001000:
user32.dll
iexplore.exe_1032_rwx_05470000_00001000:
user32.dll
iexplore.exe_1032_rwx_054B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_054F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05520000_00001000:
GetKeyboardState
iexplore.exe_1032_rwx_05530000_00001000:
user32.dll
iexplore.exe_1032_rwx_05560000_00001000:
GetKeyboardLayout
iexplore.exe_1032_rwx_05570000_00001000:
user32.dll
iexplore.exe_1032_rwx_055A0000_00001000:
GetKeyState
iexplore.exe_1032_rwx_055B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_055F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05630000_00001000:
user32.dll
iexplore.exe_1032_rwx_05670000_00001000:
user32.dll
iexplore.exe_1032_rwx_056B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_056F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05730000_00001000:
user32.dll
iexplore.exe_1032_rwx_05770000_00001000:
user32.dll
iexplore.exe_1032_rwx_057A0000_00001000:
GetAsyncKeyState
iexplore.exe_1032_rwx_057B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_057F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05820000_00001000:
ExitWindowsEx
iexplore.exe_1032_rwx_05830000_00001000:
user32.dll
iexplore.exe_1032_rwx_05860000_00001000:
EnumWindows
iexplore.exe_1032_rwx_05870000_00001000:
user32.dll
iexplore.exe_1032_rwx_058B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_058F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05930000_00001000:
user32.dll
iexplore.exe_1032_rwx_05970000_00001000:
user32.dll
iexplore.exe_1032_rwx_059B0000_00001000:
user32.dll
iexplore.exe_1032_rwx_059F0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05A30000_00001000:
user32.dll
iexplore.exe_1032_rwx_05A70000_00001000:
user32.dll
iexplore.exe_1032_rwx_05AB0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05AF0000_00001000:
user32.dll
iexplore.exe_1032_rwx_05B30000_00001000:
user32.dll
iexplore.exe_1032_rwx_05B60000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05CA0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05CE0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05D20000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05D60000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05DA0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05DE0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05E20000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05E50000_00001000:
getservbyport
iexplore.exe_1032_rwx_05E60000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05EA0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05EE0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05F20000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05F60000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05FA0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_05FE0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06020000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06060000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_060A0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_060E0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06120000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06160000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_061A0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_061E0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06220000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06260000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_062A0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_062E0000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06320000_00001000:
wsock32.dll
iexplore.exe_1032_rwx_06350000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06480000_00001000:
ShellExecuteA
iexplore.exe_1032_rwx_06490000_00001000:
shell32.dll
iexplore.exe_1032_rwx_064D0000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06500000_00001000:
SHFileOperationA
iexplore.exe_1032_rwx_06510000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06550000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06580000_00001000:
wininet.dll
iexplore.exe_1032_rwx_065D0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06610000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06640000_00001000:
InternetOpenUrlA
iexplore.exe_1032_rwx_06650000_00001000:
wininet.dll
iexplore.exe_1032_rwx_067A0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_067E0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06820000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06850000_00001000:
HttpSendRequestA
iexplore.exe_1032_rwx_06860000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06890000_00001000:
HttpQueryInfoA
iexplore.exe_1032_rwx_068A0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_068D0000_00001000:
HttpOpenRequestA
iexplore.exe_1032_rwx_068E0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06910000_00001000:
HttpAddRequestHeadersA
iexplore.exe_1032_rwx_06920000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06950000_00001000:
FtpSetCurrentDirectoryA
iexplore.exe_1032_rwx_06960000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06990000_00001000:
FtpPutFileA
iexplore.exe_1032_rwx_069A0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_069D0000_00001000:
FtpOpenFileA
iexplore.exe_1032_rwx_069E0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06A10000_00001000:
FtpFindFirstFileA
iexplore.exe_1032_rwx_06A20000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06A50000_00001000:
FindCloseUrlCache
iexplore.exe_1032_rwx_06A60000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06A90000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_06BD0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_06C00000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06D40000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06D80000_00001000:
shell32.dll
iexplore.exe_1032_rwx_06DB0000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06EF0000_00001000:
FindNextUrlCacheEntryA
iexplore.exe_1032_rwx_06F00000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06F30000_00001000:
FindFirstUrlCacheEntryA
iexplore.exe_1032_rwx_06F40000_00001000:
wininet.dll
iexplore.exe_1032_rwx_06F70000_00001000:
Crypt32.dll
iexplore.exe_1032_rwx_070B0000_00001000:
Crypt32.dll
iexplore.exe_1032_rwx_070E0000_00001000:
crypt32.dll
iexplore.exe_1032_rwx_07220000_00001000:
crypt32.dll
iexplore.exe_1032_rwx_07250000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07390000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_073D0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07410000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07450000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07490000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_074D0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07500000_00001000:
URLMON.DLL
iexplore.exe_1032_rwx_07630000_00001000:
URLDownloadToFileA
iexplore.exe_1032_rwx_07640000_00001000:
URLMON.DLL
iexplore.exe_1032_rwx_07670000_00001000:
ntdll.dll
iexplore.exe_1032_rwx_076B0000_00001000:
ntdll.dll
iexplore.exe_1032_rwx_076E0000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_07720000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_07760000_00001000:
kernel32.dll
iexplore.exe_1032_rwx_077A0000_00001000:
ntdll.dll
iexplore.exe_1032_rwx_077E0000_00001000:
ntdll.dll
iexplore.exe_1032_rwx_07B30000_00001000:
ntdll.dll
iexplore.exe_1032_rwx_07B60000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07CA0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07CD0000_00001000:
netapi32.dll
iexplore.exe_1032_rwx_07E10000_00001000:
netapi32.dll
iexplore.exe_1032_rwx_07E50000_00001000:
netapi32.dll
iexplore.exe_1032_rwx_07E80000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_07FC0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08000000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08040000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08080000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_080C0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08100000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08140000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08180000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_081C0000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08200000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08240000_00001000:
advapi32.dll
iexplore.exe_1032_rwx_08270000_00001000:
iphlpapi.dll
iexplore.exe_1032_rwx_083B0000_00001000:
iphlpapi.dll
iexplore.exe_1032_rwx_083E0000_00001000:
winmm.dll
iexplore.exe_1032_rwx_08420000_00001000:
winmm.dll
iexplore.exe_1032_rwx_08460000_00001000:
winmm.dll
iexplore.exe_1032_rwx_084A0000_00001000:
winmm.dll
iexplore.exe_1032_rwx_085F0000_00001000:
winmm.dll
iexplore.exe_1032_rwx_08630000_00001000:
winmm.dll
iexplore.exe_1032_rwx_08670000_00001000:
winmm.dll
iexplore.exe_1032_rwx_086B0000_00001000:
winmm.dll
iexplore.exe_1032_rwx_086E0000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_08820000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_08860000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_088A0000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_088E0000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_08920000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_08960000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_089A0000_00001000:
msacm32.dll
iexplore.exe_1032_rwx_10410000_0005C000:
.idata
.reloc
P.rsrc
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
kernel32.dll
Port
|Key|-|
STATUSMSG|6
STATUSMSG|7
$000000.tmp
avesvc.exe
ashdisp.exe
avgrsx.exe
bdss.exe
spider.exe
avp.exe
nod32krn.exe
cclaw.exe
dvpapi.exe
ewidoctrl.exe
mcshield.exe
pavfires.exe
almon.exe
ccapp.exe
pccntmon.exe
fssm32.exe
Dr.Web
issvc.exe
vsmon.exe
cpf.exe
ca.exe
tnbutil.exe
mpfservice.exe
npfmsg.exe
outpost.exe
tpsrv.exe
kpf4ss.exe
persfw.exe
vsserv.exe
smc.exe
op_mon.exe
Windows NT 4.0
Windows 2000
Windows XP
Windows Server 2003
Windows Vista
Windows Seven
Windows 95
Windows 98
Windows Me
rpcrt4.dll
Software\Classes\http\shell\open\command\
http\shell\open\command\
https\shell\open\command\
PSAPI.dll
\\StringFileInfo\\%.4x%.4x\\%s
ntdll.dll
BCASTSEARCHWINDOWS
Delete TCP
iphlpapi.dll
GetTcpTable
SetTcpEntry
GetExtendedTcpTable
GetExtendedUdpTable
*:*|UDP|-|
ACTIVEPORTS|
MSG|Error Listing Active Ports
HTTP/1.1 200 OK
Server: Apache/2.2.3 (CentOS)
ShellExecuteA
Software\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Explorer.exe
userinit.exe,
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Software\Microsoft\Windows\CurrentVersion\WindowsName
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\WindowsName\
hXXp://
%sysdir%\
%serverpath%\
%sysdir%
%serverexe%
%serverpath%
CDKEYS|
\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
127.0.0.1 localhost #Redirects^To^Local^IP
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\
STATUSMSG|19
UnitPasswords
advapi32.dll
WindowsLive:name=*
** Password Unknown **
Password
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_finalize
sqlite3_column_bytes
sqlite3_column_blob
sqlite3_column_text
SELECT * FROM moz_logins
hXXps://login.facebook.com
hXXp://VVV.facebook.com
hXXp://sv.facebook.com
*pass
mozcrt19.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
PK11_GetInternalKeySlot
Mozilla\Firefox\profiles.ini
Mozilla\Firefox\
signons.sqlite
MSG|Failed To Get Firefox Passwords
MSG|Mozilla Firefox not Found !
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command\
firefox.exe
BCAST|FIREFOX|
FIREFOXPASSWORDS|
-|-|-|-|
password
aim.ini
yahoo.ini
msn.ini
Trillian.SkinZip\DefaultIcon
LoginName
\*.dat
\.purple\accounts.xml
\.gaim\accounts.xml
<password>
** Password Unknown **|
[t]Password-Protected Web Site
BCAST|INTERNETEXPLORERPASSWORDS|
INTERNETEXPLORERPASSWORDS|
\FileZilla\recentservers.xml
<Port>
<Pass>
PTF://
DynDNS\Updater\config.dyndns
Software\DownloadManager\Passwords
Software\DownloadManager\Passwords\
EncPassword
Software\IMVU\password
Google\Chrome\User Data\Default\Web Data
MSG|Google Chrome not Found !
SQLite3.dll
SQLITENOTFOUND|
SELECT * FROM logins
BCAST|CHROMEPASSWORDS|
CHROMEPASSWORDS|
@default.talk.google.com
TWebDownloader
TFTPUploader
TFTPDownloader
GetUrlSize
UnitWebTransfers
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
DOWNSTARTED|HTTP Download|
|Download Complete, Executed|
|Download Complete, Error Executing !|
DOWNSTARTED|FTP Download|
|Download Complete, Error Executing|
UPSTARTED|FTP Upload|
|Error !, Unable To Connect To FTP Server|
SetupApi.dll
cfgmgr32.dll
ole32.dll
SetupDiOpenClassRegKey
MSG|Device Enabled
MSG|Error Enabling Device
MSG|Device Disabled
MSG|Error Disabling Device
TMemoryExecute
|File Executed In Memory, PID :
|Error Executing File In Memory|
UnitMemoryExecute
|Error, Can't Execute File|
PowrProf.dll
user32.dll
MSG|Error Listing Services !
00-00-00-00-00-00
IP : %s, SubNetMask : %s
%copiedfile%
STATUSMSG|13
Autorun.inf
MSG|Can't Find File To Copy To USB !
Software\Microsoft\Windows\CurrentVersion\Policies\System
Software\Policies\Microsoft\Windows\System
DisableCMD
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
<specialkey>[Backspace]</specialkey>
<specialkey>[Tab]</specialkey>
<specialkey>[Enter]</specialkey>
<specialkey>[Ctrl]</specialkey>
<specialkey>[Alt]</specialkey>
<specialkey>[Esc]</specialkey>
<specialkey>[Page Up]</specialkey>
<specialkey>[Page Down]</specialkey>
<specialkey>[End]</specialkey>
<specialkey>[Home]</specialkey>
<specialkey>[Left]</specialkey>
<specialkey>[Up]</specialkey>
<specialkey>[Right]</specialkey>
<specialkey>[Down]</specialkey>
<specialkey>[Print Screen]</specialkey>
<specialkey>[Insert]</specialkey>
<specialkey>[Del]</specialkey>
<specialkey>[Num Lock]</specialkey>
<specialkey>[Scroll Lock]</specialkey>
SingleKey|
MSG|Error Updating Server !
MSG|Updating Server...
MSG|Server Downloaded, Executing...
MSG|Server Uploaded, Executing...
MSG|Server Updated Successfully
MSG|Server Update Failed, Error Executing
MSG|Server Update Failed !
SENDSQLITEDLL
UnitWindowsProductKeys
\SOFTWARE\Microsoft\Windows NT\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
avicap32.dll
msnmsgr.exe
_com.codexterity.fastsharemem.dataclass
Plugins\*.server.dll
10.0.0.3
mypassword
login
JOIN
NICK
PRIVMSG
The website have been opened.
File Downloaded & Executed!
%Username%
%Country%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WindowsName\Tag
127.0.0.1:3340,
%AppData%\ntsokrn.dat
/Invailed Path Supplied Caused Keylogger to Stop
explorer.exe
MSG|Remote Desktop Started
MSG|Error Connecting Remote Desktop !
KeyDown
KeyUp
WEBCAM
LISTWEBCAMS|
STATUSMSG|4
STATUSMSG|2
STATUSMSG|3
STATUSMSG|5
WEBCAMCAP
STATUSMSG|1
MSG|Audio Stream Started
MSG|Error Starting Audio Stream !
MSG|Audio Stream Stopped
MSG|Error Stopping Audio Stream !
cmd.exe /k
OPERAPASSWORDS
Opera\Opera\wand.dat
BCAST|OPERAPASSWORDS|
IMVUPASSWORDS
BCAST|IMVUPASSWORDS|
PALTALKPASSWORDS
BCAST|PALTALKPASSWORDS|
FILEZILLAPASSWORDS
BCAST|FILEZILLAPASSWORDS|
IDMLOGINS
BCAST|IDMLOGINS|
FIREFOX
MSPRODKEYS
BCAST|MSPRODKEYS|
INTERNETEXPLORERPASSWORDS
CHROMEPASSWORDS
MIRANDAPASSWORDS
BCAST|MIRANDAPASSWORDS|
TRILLIANPASSWORDS
BCAST|TRILLIANPASSWORDS|
PIDGINPASSWORDS
BCAST|PIDGINPASSWORDS|
GAIMPASSWORDS
BCAST|GAIMPASSWORDS|
MSG|WLM Sniffer Started
MSG|Error Starting WLM Sniffer !
MSG|WLM Sniffer Stopped
MSG|Error Stopping WLM Sniffer !
MSG|Chat Window Closed
MSG|Error Closing Chat Window !
MSG|Handle "
MSG|Error Closing Handle "
STATUSMSG|11
STATUSMSG|12
SEARCHWINDOWS
MSG|Process
MSG|Error Setting Process Priority
MSG|DLL Unloaded
MSG|Error Unloading DLL
MSG|Process(es) Terminated - PId :
MSG|Error Terminating Process(es) !
MSG|Process(es) Restarted - PId :
MSG|Error Restarting Process(es) !
MSG|Process(es) Suspended - PId :
MSG|Error Suspending Process(es) !
MSG|Process(es) Resumed - PId :
MSG|Error Resuming Process(es) !
MSG|Process Doesn't Have a Window - PID :
MSG|Window Brought To Front - PID :
MSG|Window Closed - PID :
MSG|Window Maximized - PID :
MSG|Window Minimized - PID :
MSG|Error Capturing Window !
PASSWORDS
ALLIMPASSWORDS
ALLIMPASSWORDS|
DYNDNSPASSWORDS
DYNDNSPASSWORDS|
MSNPASSWORDS
MSNPASSWORDS|
IMVUPASSWORDS|
MSPRODKEYS|
PALTALKPASSWORDS|
FILEZILLAPASSWORDS|
IDMLOGINS|
NOIPPASSWORDS
NOIPPASSWORDS|
FIREFOXPASSWORDS
OPERAPASSWORDS|
MSG|Opera not Found !
MIRANDAPASSWORDS|
TRILLIANPASSWORDS|
PIDGINPASSWORDS|
GAIMPASSWORDS|
SOCKSSTATUS|Socks Server Already Active on Port :
MSG|Uninstaller Executed
MSG|Could't Execute Uninstaller
SCDKEYS
CCDKEYS
CDKEYS
ACTIVEPORTS
CLOSEPORT
MSG|Port Closed
MSG|Error Closing Port
MSG|Host Removed
MSG|Error Removing Host
MSG|Hosts List Cleared
MSG|Host Added
MSG|Error Adding Host
MSG|Window Closed - Handel :
MSG|Window Diabled - Handel :
MSG|Window Enabled - Handel :
MSG|Window Maximized - Handel :
MSG|Window Minimized - Handel :
MSG|Window Hided - Handel :
MSG|Window Showed - Handel :
MSG|Close Button On Window With Handel :
MSG|Close Button on Window With Handel :
MSG|Window Title Changed To :
MSG|Error Changing Window Title !
SENDKEYS
MSG|Text Sent To Window With Handel :
MSG|Error Sending Text To Window - Handel :
MSG|Script Created and Executed
MSG|Error Creating/Executing Script
MSG|Clipboard Enabled
MSG|Clipboard Disabled
MSG|New Attributes are Now Set
MSG|Error Setting New Attributes !
MSG|Desktop Wallpaper Set To "
MSG|Error Changing Desktop Wallpaper
winlogon.exe
MSG|Application Executed as System
MSG|Error Executiong Application as System
MSG|File Executed Visible
MSG|Error While Trying to Run File
MSG|File Executed Hidden
MSG|Error Executing File
MSG|File Secure-Deleted
MSG|Error Secure-Deleting File
MSG|File Doesn't Exist
MSG|File Deleted
MSG|Error Deleting File
MSG|Folder Deleted Successfully
MSG|Error Deleting Folder
MSG|Folder Doesn't Exist
MSG|File Moved to Recycle Bin
MSG|Error Moveing File to Recycle Bin
MSG|File/Folder Doesn't Exist
MSG|File/Folder Renamed
MSG|Error Renaming File/Folder
MSG|Folder Created
MSG|Error Creating Folder !
MSG|Folder Already Exist, Choose Another Name
LISTKEYS
LISTKEYS|
MSG|Key Renamed
MSG|Error Renaming Key
DELETEKEY
MSG|Key/Value Deleted
MSG|Error Deleting Key/Value
NEWKEY
MSG|Key Created
MSG|Error Creating Key
MSG|Value Added
MSG|Error Adding Value
STATUSMSG|16
STATUSMSG|17
STATUSMSG|18
STATUSMSG|20
STATUSMSG|21
|Error, Target File or File To Execute Doesn't Exists|
DOWNLOADFROMFTP
UPLOADTOFTP
GETKEYLOG
MSG|Offline Key Logger Is Disabled !
MSG|Error, Log Doesn't Exists !
DELETEKEYLOG
MSG|Key Log Cleared !
MSG|Error Clearing Key Log File !
MSG|Error, File Not Found
MSG|Service Stopped
MSG|Service Started
MSG|Service "
MSG|Error Uninstalling Service
MSG|Service Created
MSG|Error Creating Service
MSG|Logoff Command Executed
MSG|Restart Command Executed
MSG|Shutdown Command Executed
MSG|Standby Command Executed
MSG|Hibernate Command Executed
MSG|Power Off Command Executed
0.3.2
abe2869f-9b47-4cd9-a358-c22904dba7f7
Unable to resolve HTTP prox
Portions Copyright (c) 1999,2003 Avenger by NhT
text/x-msmsgscontrol
ws2_32.dll
GetProcessHeap
oleaut32.dll
wsock32.dll
KWindows
178.49.197.132:3340,
9%Documents and Settings%\%current user%\Application Data\server.exe
&{A66OVDU3-6XL3-5IDE-8D68-Y803Q22O36T6}%AppData%\log.txt
GetKeyboardType
RegOpenKeyExA
RegCloseKey
RegQueryInfoKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
RegCreateKeyA
WinExec
PeekNamedPipe
CreatePipe
mpr.dll
version.dll
gdi32.dll
keybd_event
VkKeyScanA
SetKeyboardState
MsgWaitForMultipleObjects
MapVirtualKeyExA
MapVirtualKeyA
GetKeyboardState
GetKeyboardLayout
GetKeyState
GetAsyncKeyState
ExitWindowsEx
EnumWindows
getservbyport
shell32.dll
SHFileOperationA
wininet.dll
InternetOpenUrlA
HttpSendRequestA
HttpQueryInfoA
HttpOpenRequestA
HttpAddRequestHeadersA
FtpSetCurrentDirectoryA
FtpPutFileA
FtpOpenFileA
FtpFindFirstFileA
FindCloseUrlCache
FindNextUrlCacheEntryA
FindFirstUrlCacheEntryA
Crypt32.dll
crypt32.dll
URLMON.DLL
URLDownloadToFileA
netapi32.dll
winmm.dll
msacm32.dll
178.49.197.132:3340,40
%AppData%\server.exe
C:\Windows\resources\themes\Aero\Aero.msstyles
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
server.exe:348
%original file name%.exe:1156
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\Server (673 bytes)
%Documents and Settings%\%current user%\Application Data\server.exe (673 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Server" = "%Documents and Settings%\%current user%\Application Data\server.exe"
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.