Packed.Win32.MoleBoxVS_715690f93c

by malwarelabrobot on June 26th, 2014 in Malware Descriptions.

Trojan.Win32.Swrort.3.FD, GenericAutorunWorm.YR, GenericInjector.YR, PackedMoleBoxVS.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Packed, WormAutorun


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: 715690f93c7a1f79468deffc8e432147
SHA1: b3f09bf8a88eb6aa67cb71258ba49d48c540da32
SHA256: a605dd89c34c37ca3fff432507df43cb8d6f754cc75e0c099c0d8334e7adcb62
SSDeep: 98304:19Y02Ch0TDVy7pfFPNeTp39u1bSJEwF1QKTwhhLf0iNBwox1uTyX1vyJzsq R:1xnWDVy9fF1eTR b RF1QIwvfbwoiylN
Size: 5012656 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Packed. A packed file can be compressed and/or encrypted in a manner that prevents matching the memory image of the file against the actual file on disk. Sometimes used for copy protection, packers are often used to make spyware harder to analyze or detect.

Payload

Behaviour Description
WormAutorun: A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Packed file once a user opens the drive's folder in Windows Explorer.


Process activity

The Packed creates the following process(es):

net1.exe:580
net1.exe:1368
ping.exe:1484
net.exe:2008
net.exe:916
%original file name%.exe:1332
sort.exe:1788
sort.exe:868
find.exe:1376
find.exe:1264

The Packed injects its code into the following process(es):

getsusp_300373.exe:900

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process getsusp_300373.exe:900 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

C:\ (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%WinDir%\GetSusp.sys (588 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Program Files%\Common Files\System (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
%System%\config\SystemProfile (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
%WinDir% (1264 bytes)
C:\$Directory (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (96 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\CatRoot2\dberr.txt (155 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%System% (8396 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\NetworkService (4 bytes)

The Packed deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (0 bytes)

The process %original file name%.exe:1332 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)

The Packed deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)

The process sort.exe:1788 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)

The process sort.exe:868 makes changes in the file system.
The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)

Registry activity

The process net1.exe:580 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D0 93 1A 79 08 52 A2 57 C9 C8 01 7C 96 98 FF"

The process net1.exe:1368 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CF 91 61 D4 98 2B 8A E5 9C 9C E7 A5 6C 0B FB"

The process ping.exe:1484 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 97 9D F3 7B AD C1 33 A3 C9 68 5A 79 D2 4C 17"

The process net.exe:2008 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 3F 55 F9 1E E8 CB DA E0 CF DF 15 59 83 EE 94"

The process net.exe:916 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 2B 63 BB 5A 28 79 6B 9F 6C 2E 82 AE AA BD 67"

The process getsusp_300373.exe:900 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD ED CA CD AE 39 F9 C5 7A C4 B3 93 A4 4C 1F E1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1" = "\Device\HarddiskVolume1\Documents and Settings\Default User\NTUSER.DAT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Packed deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1"

The process %original file name%.exe:1332 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 43 8A B7 33 F5 3A 24 80 54 64 AF F6 1C 25 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Security Analysis Response Script - Auto Upload\Components]
"Main" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process sort.exe:1788 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 D8 4D 0A 79 7A D7 F4 4D FF 08 DB 9F 83 65 27"

The process sort.exe:868 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 8B A8 5D B6 56 5E 77 C9 B8 FE 86 77 79 9A F4"

The process find.exe:1376 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF FC F1 45 A9 A4 A1 9E 03 12 E4 49 47 05 E0 C0"

The process find.exe:1264 makes changes in the system registry.
The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 15 0A A9 23 99 6E 53 C4 31 0D E2 E9 34 CB F9"

Dropped PE files

MD5 File path
53e433146f2060b01e80128652d63c36 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\PsInfo.exe
3872fdfe8b16111a123b215956db4fac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\autorunsc.exe
449ddec37abe10b10400e97906528784 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.dll
c7b92f83bd2658d2ca70c24dd8df20c9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.exe
5e978ec5f615396eaa1b14334197b68e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\date.exe
96ef10196a343b237a21a06c66fe02c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\du.exe
327c50edeb8e370392d5d55018b193c0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\gawk.exe
83a3d89f40a05038760110b1e6e54762 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\grep.exe
6b854ffc12e5e2c32683a03714cf6c5d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libeay32.dll
331f570aa7c20bc93deb7b237b21cc9c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libiconv2.dll
db7aabf38d66b4f8152f12e0f313d00c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libintl3.dll
37580b9354e984bf7c1a2b4ed7fa824b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libssl32.dll
57cac848fa14ae38f14f9441f8933282 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pcre3.dll
ad06aa36e330434560593590330222e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pslist.exe
328ba584bd06c3083e3a66cb47779eac c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\psloglist.exe
547c43567ab8c08eb30f6c6bacb479a3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\regex2.dll
289c007f63e4216757e3c03c38555133 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sed.exe
b23b2c00cb9f44b9b2d05012cfee1db4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sleep.exe
3f73eb468ad5f5977ca2f4cd36c46b94 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\ssleay32.dll
959312470e74c3b2220e74ff181abece c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\uniq.exe
fecf803f7d84d4cfa81277298574d6e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\unzip.exe
aa173375c21ea31b8cc615dccb54e43b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wget.exe
f7438fb5b244eb8a4f409dc660b469e3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wput.exe
79aef4a7acaeb0e979537a4bc3dcc851 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\zip.exe
4857084657ceff6cc7891dce8ada8507 c:\WINDOWS\GetSusp.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Packed file once a user opens the drive's folder in Windows Explorer.

VersionInfo

Company Name: Schlumberger Security Operations Team
Product Name: Security Analysis Response Script - Automatic Upload
Product Version: 1.0.7.6
Legal Copyright: (c) 2008-2013 - Unpublished work. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.7.6
File Description: Tool for IR Data Collection.
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 225280 130952 131072 3.4391 7861b17ec4aec8476bdfecd2dc4490bd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2004.crl
hxxp://crl.slb.com/CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt 199.6.154.95
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinIntPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/tspca.crl
hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl 178.255.83.2
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftRootAuthority.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicWinHarComPCA_2010-11-01.crl
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl 205.237.69.73
hxxp://crl.microsoft.com/pki/crl/products/WinIntPCA.crl 205.237.69.73
hxxp://crl.verisign.com/pca3-g5.crl 23.9.117.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl 23.9.117.163
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl 205.237.69.73
hxxp://crl.verisign.com/pca3-g2.crl 23.9.117.163
hxxp://crl.verisign.com/pca3.crl 23.9.117.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl 23.9.117.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt 205.237.69.74
hxxp://CSC3-2004-crl.verisign.com/CSC3-2004.crl
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl 23.9.117.163
hxxp://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2010-11-01.crl 205.237.69.73
csc3-2004-crl.verisign.com 23.9.117.163


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /UTN-USERFirst-Object.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.usertrust.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Wed, 25 Jun 2014 17:26:14 GMT
Content-Type: application/x-pkcs7-crl
Content-Length: 75433
Last-Modified: Tue, 24 Jun 2014 19:46:01 GMT
Connection: close
X-CCACDN-Mirror-ID: t8edcacrl3
Accept-Ranges: bytes
0..&.0..%....0...*.H........0..1.0...U....US1.0...U....UT1.0...U....Sa
lt Lake City1.0...U....The USERTRUST Network1!0...U....hXXp://VVV.user
trust.com1.0...U....UTN-USERFirst-Object..140624194601Z..140628194601Z
0..$.0"....2EY..aU..........050525083740Z0".....Iv...h ..ys.....050525
090148Z0!..u.......|..xk.0...050602000000Z0".....6.z..........7..05060
2075356Z0"....!.$.KM(C@="..o}..050603153950Z0".......W%Ny.vD.q..Y..050
607084159Z0".......3W]...$.#\F4..050613095931Z0!......(.62..2PLr.q..05
0630164737Z0"....BLA......)..5....050707141212Z0!..Wa........q#......0
50711082844Z0!.._j.....o...'...m..050715130339Z0!..?........N]B..Z...0
50721083234Z0!..RO.)@..Q...p._....050726090436Z0".....k......1.g......
050729091017Z0"....l........o... ...050729134103Z0"....v.R..~...?.(..&
..050803165854Z0!..6..;....sC.M.s:...050809135135Z0!...........^nH.U.(
..050810132024Z0"......;.S...wU-K.c...050810211644Z0"......d..#IE..#|.
g#..050811182050Z0"....!..|....]rR..-r..050817085053Z0"......Ai..xJ..q
]Xi...050822140450Z0!..>...........t'6...050824025640Z0!..?3..rd5&g
t;ocV.. ....050824075512Z0"....|..5u[.}<..[[email protected]!..GJ
.C...<NM.i......050912092806Z0!....(.8....U.1.'....050912144650Z0!.
.*.(ECy.V.?x.3S_k..050915103419Z0!......./.....L...r..050919144257Z0!.
.Y....=....#.......050929000000Z0!..p.,.g.x..z:q~.....050930114111Z0".
...-.."...\w...~....050930123007Z0!....o0........P.H...051004084832Z0"
.......=6......4.....051005122403Z0!..md\\...~.v.o......051013100954Z0
!...6.D...hR..BO._...051013110610Z0!..5.x.1..6.p~}>.....0510181

<<< skipped >>>

GET /pki/crl/products/WinIntPCA.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Mon, 05 Apr 2010 23:14:32 GMT
Accept-Ranges: bytes
ETag: "07ca8bf15d5ca1:0"
Server: Microsoft-IIS/8.0
VTag: 279616832800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 528
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:25:49 GMT
Connection: keep-alive
0...0.....0...*.H........0..1.0...U....US1.0...U....Washington1.0...U.
...Redmond1.0...U....Microsoft Corporation1806..U.../Microsoft Windows
Verification Intermediate PCA..100405230430Z.A0?0...U.#..0.....[3.A..
.BrvWo..%Sz.0... .....7.......0...U.......0...*.H.............P^0...8.
.(3k&.SD..F6g.C...l...,...=.'V..u..l=..Qz..<...u...>.......A..:.
........2./....u*. =.G..B&)"...'.I. x ......vOP...N..CE...Z. C407...U.
.. ."..#.Z7P...E.t..$i..n..p......-.;[email protected][..X...0...n
..}.D#.8....Nx.H- .....~.kC..`qFZ`w.........
....



GET /pki/crl/products/tspca.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:54 GMT
Accept-Ranges: bytes
ETag: "8ab194b3d77cf1:0"
Server: Microsoft-IIS/8.0
VTag: 791326843100000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 521
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:25:50 GMT
Connection: keep-alive
0...0.....0...*.H........0y1.0...U....US1.0...U....Washington1.0...U..
..Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Timestam
ping PCA..140514201017Z..440513202154Z.A0?0...U.#..0...o.N?..4.K......
;AC..0... .....7.......0...U......)0...*.H..............*..6k..s...e".
x(........C..L......rE/^......m....t.....I^.W.. ........`.Qa....V.c.3o
A.....7.w...>.)...[IeO!.lm.....8`.v....Y.......z?.......n).~.:....\
.l>.J.I2.17>.*...tl9.C.z."..BP..N. ..0....H......J?...>XF.G..
...@....".Y..V.].?.7..7`.7...r...~.3..c..4.HTTP/1.1 200 OK..Content-Ty
pe: application/pkix-crl..Last-Modified: Sat, 24 May 2014 05:04:54 GMT
..Accept-Ranges: bytes..ETag: "8ab194b3d77cf1:0"..Server: Microsoft-II
S/8.0..VTag: 791326843100000000..P3P: CP="ALL IND DSP COR ADM CONo CUR
CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE
PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 521..Cache-Control: m
ax-age=900..Date: Wed, 25 Jun 2014 17:25:50 GMT..Connection: keep-aliv
e..0...0.....0...*.H........0y1.0...U....US1.0...U....Washington1.0...
U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Times
tamping PCA..140514201017Z..440513202154Z.A0?0...U.#..0...o.N?..4.K...
...;AC..0... .....7.......0...U......)0...*.H..............*..6k..s...
e".x(........C..L......rE/^......m....t.....I^.W.. ........`.Qa....V.c
.3oA.....7.w...>.)...[IeO!.lm.....8`.v....Y.......z?.......n).~.:..
..\.l>.J.I2.17>.*...tl9.C.z."..BP..N. ..0....H......J?...>XF.
G.....@....".Y..V.].?.7..7`.7...r...~.3..c..4.
....

<<< skipped >>>

GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 22 Jun 2014 05:05:27 GMT
Accept-Ranges: bytes
ETag: "ec45e394d78dcf1:0"
Server: Microsoft-IIS/8.0
VTag: 791166943900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 603
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:26:31 GMT
Connection: keep-alive
0..W0..?...0...*.H........0p1 0)..U..."Copyright (c) 1997 Microsoft Co
rp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority
..140621173809Z..140920055809Z0:0...:..../...V..091210010336Z0........
$... ..020225080156Z._0]0...U.#..0...J\u".F....9.N...`...0... .....7..
.....0...U......$0... .....7......140919174809Z0...*.H.............S.&
gt;l.._....)j.k%..vm.'Y.....Q......p,..X.#..6......8...............xT.
.>.E..H.#......U...'.../....p....(5.....,..F:.......~.....M..".....
.I"....;0.]..,.OI}.....f.2~.].,u...hp.W,.'wj..%<......Y.N.. ..u',..
..v$#A....l..9..m.T:s... .>Z.k...l.....kVyi......o.
....



GET /pki/crl/products/MicWinHarComPCA_2010-11-01.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.microsoft.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sat, 24 May 2014 05:04:55 GMT
Accept-Ranges: bytes
ETag: "4af46b4d77cf1:0"
Server: Microsoft-IIS/8.0
VTag: 438117044800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 588
Cache-Control: max-age=900
Date: Wed, 25 Jun 2014 17:26:31 GMT
Connection: keep-alive
0..H0..0...0...*.H..


GET /CSC3-2009.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "295161c3f5c709ceee58f31341af4cb2:1403687411"
Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT
Accept-Ranges: bytes
Content-Length: 2249
Date: Wed, 25 Jun 2014 17:25:49 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0
...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.v
erisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA.
.140625090003Z..140709090003Z0...0!.....zOR.D...,oMa...090525061903Z0!
......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!
...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!
.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!
...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!
.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220
Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018
Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736
Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104
Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238
Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756
Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940
Z0!..?..}p 2I..o.\[email protected]`......l..090527022214
Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620
Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259
Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737
Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534
Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205
535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<< skipped >>>

GET /CSC3-2004.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: CSC3-2004-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "bad60e8883e1e3037719ce5c0095e6e4:1403687410"
Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT
Accept-Ranges: bytes
Content-Length: 96299
Date: Wed, 25 Jun 2014 17:25:34 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0..x&0..w.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0.
..U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.ve
risign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA..
140625090001Z..140705090001Z0..v$0!.....'...._.=.t.{...060411095352Z0!
........]...n.d.^...041210180734Z0!....B.38..I....Z.Z..060522202503Z0!
.....V..=.&..p.K_...041223173514Z0!...$fd{........ZKI..050727182105Z0!
...'..P..Tk....i ...081114114704Z0!...*m.......$.e.iw..050113162826Z0!
...4..&.....(.V.bD..060717184318Z0!...>.h`a.nZM.VIP....061027222850
Z0!...?..!.....Z..%....080514074106Z0!...A.*T-.NB>Ro.S.~..070627153
307Z0!...Wf....0?.1.<G4...080827011731Z0!...[.}7.8.t.........070607
081209Z0!...^[email protected]..`..061207041025Z0!...ol4....{.........080520
210256Z0!.....oP...._. .a....061205224400Z0!.....}...../5.=.....041018
225848Z0!.....B.w5$.h..,."...060707142917Z0!....]....d..........041217
144015Z0!.........1.9.fwI.a..050926191715Z0!............*.>W....041
221185802Z0!...."....J..l.......050712133504Z0!....X.r..'7hK._.....080
804054612Z0!....Q)..6.....4.[...051018015040Z0!.........Y.=.U=y....060
308034429Z0!....:..I.. ......Y..060912161745Z0!......t..Au...e `...060
406020106Z0!........&.zR.....J..080220163354Z0!...%.&.f./....>.H...
070216105424Z0!...8....n..#b.dM....090505134237Z0!...E..1..>.......
...070621145128Z0!...L.k'.W..!.;w0....060711202546Z0!...U.......Te.c..
...080829025216Z0!...qo..b..>...C.....081214140650Z0!.......?....Wa
r.y...061019142712Z0!.......^i7.6_m..W...070122210641Z0!....&.G.E.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: VVV.download.windowsupdate.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Content-Type: text/plain
Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT
Accept-Ranges: bytes
ETag: "806f4cbb43dcf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 18
Date: Wed, 25 Jun 2014 17:25:43 GMT
Connection: keep-alive
X-CCC: US
X-CID: 2
1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modi
fied: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f
4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Conte
nt-Length: 18..Date: Wed, 25 Jun 2014 17:25:43 GMT..Connection: keep-a
live..X-CCC: US..X-CID: 2..1401CF3DB40B609892..


GET /CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.slb.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Connection: Keep-Alive
Set-Cookie: ISAWPLB{69E13F28-20AA-4495-9939-BA543948AF92}={3DA5B21E-753C-42F2-A8FD-AE14C3BA35B2}; HttpOnly; Path=/
Content-Length: 1544
Date: Wed, 25 Jun 2014 17:25:42 GMT
Content-Type: application/x-x509-ca-cert
ETag: "0253321785cb1:0"
Server: Microsoft-IIS/7.5
Accept-Ranges: bytes
Last-Modified: Mon, 15 Nov 2010 22:48:18 GMT
0...0..........m.......A..H_7fb0...*.H........0..1.0...U....US1.0...U.
...Texas1.0...U....Houston1.0...U....slb.com1.0...U....Schlumberger1'0
%..U....Schlumberger Corporate Root CA0...071018201958Z..301115164814Z
0..1.0...U....US1.0...U....Texas1.0...U....Houston1.0...U....slb.com1.
0...U....Schlumberger1'0%..U....Schlumberger Corporate Root CA0.."0...
*.H.............0.........L....%..2 ....qJ........R...c........Aq.?.")
...]j.l.........B.`... ..]........h..'..v....['...a\..t-i...55.xW.J...
.Jt.=.....\&.g|(x..; }g?..4.$W~....{xt..........J...Y{i.3g.ae...Y....S
o~..3.....$..."AjF....F...L).3....w...B.}....z.....=B.u...Q.....F.go..
d.W).t *.O..@[.....j.s.r.S........6\.YO.....W.(...Q....Q.M".......:.t9
......k.O...0..g...zNh$b...=....=X...I.t.D..<[email protected]|,39t.|........,w
..W.gy..,.(.!..|...XQ.k....l....[........*.......e'.be.....8le.?G.....
.b.".N.....lyQB....T!.dt.jd..n..U.L.9.....m.xr..S.......v0t0...U......
..0...U.......0....0...U........P)..=.!..7...V}...0... .....7.......0#
.. .....7........-.Pi..W........SQ.0...*.H............. ..^.R....-..pe
....h...f1;...F........V.x.....GT ......'..........j.....fQ..4..gfJ.&g
t;.$..1....Y....w.W..V......o.2c.......5./_....X......'........Y...%..
..G .Z....^..;-._.%.|2..[@..2\r.....T1.|vv... b..k=...V..`Lx(.x.D.P...
......-...9G..l..:....[......<9....K...'G.(.bG........f.`.~.L..1..@
(.<....Cu......#.T=..}a.;f@..!....}....f.;......=.% K...3H7%B.0.f..
..c. .&..q...*...2.P_$.q.....M...:N.5x.....{.H.*=.yI............*.6...
.V`;.S......~...;lY.HLt..9..U..V..Rt&pB....z..\Vw.n."...uW..q....l

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2009-2-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "3149437b01e8720b11bd72c13d900647:1403687410"
Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT
Accept-Ranges: bytes
Content-Length: 37388
Date: Wed, 25 Jun 2014 17:25:46 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0
...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.v
erisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 C
A..140625090002Z..140709090002Z0...0!.....V..t..'.F(z....121202220203Z
0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z
0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z
0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z
0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z
0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z
[email protected]!.........}..Dt...!..090922192227Z
0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z
0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z
0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z
0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z
0!......Q_.G..|.......091009145530Z0!........>..O...=72..1006161609
34Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..1009221422
43Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...1010
04225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........0912
03194409Z0!....B....d...*[email protected]!.......m. .V.....~..1011
11134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......1006
02074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....1010
11182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: csc3-2010-crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "94bf67ac76d178e0363ec64a6a88e27a:1403687411"
Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT
Accept-Ranges: bytes
Content-Length: 130966
Date: Wed, 25 Jun 2014 17:25:47 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0....0...x...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1
.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://www
.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 C
A..140625090004Z..140709090004Z0...Z0!....c..k....D.k.....120708062201
Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130
117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153
956Z0!...d...=..q!_...g9..130729145216Z0!...l.....h2<.H......120329
152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221
080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423
054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102
230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108
164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228
182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521
222808Z0!......0..........I..130912181631Z0!....6e...~..T.......130131
012247Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121
172259Z0!....7.v..........n..120724160733Z0!....P;.Y..d...c.(...120209
181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402
[email protected]!...........].{7.....120730
000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318
195659Z0!...,GI.jH.|...J.....120518121623Z0!...<%a.=.d.......O..120
424164254Z0!...@........... .a..121109212441Z0!...L.&L..o.8..=6....110
311141238Z0!...L...5...s $.=.=..130205142241Z0!...O.c.........t...

<<< skipped >>>

GET /pca3.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"
Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT
Accept-Ranges: bytes
Content-Length: 933
Date: Wed, 25 Jun 2014 17:25:33 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U
....Class 3 Public Primary Certification Authority..140320000000Z..140
630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y
.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.....
..fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R
.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....
u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2..
..{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N
....* [email protected]!..Y......w
`G........070411175657Z0!..Z`[email protected].*q..080403172017Z0!..l....I..
.Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1
..7<.....e..010207211822Z0...*.H............_.w..J.l....[..H.X..)x.
^.....S.O..v....K|.~.RP.k^.R.0........oF.l.w..4.W...A...}..8*.:rO6....
....%.C...........6$s....rQ....v...HTTP/1.1 200 OK..Server: Apache..ET
ag: "aee817f55f40eda0bc5c25e988a42128:1396125923"..Last-Modified: Sat,
29 Mar 2014 20:45:23 GMT..Accept-Ranges: bytes..Content-Length: 933..
Date: Wed, 25 Jun 2014 17:25:33 GMT..Connection: keep-alive..Content-T
ype: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0..
.U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Au
thority..140320000000Z..140630235959Z0..x0!...v....a_>..2......0209
24164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...0
80605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P.

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"
Last-Modified: Sat, 29 Mar 2014 21:25:08 GMT
Accept-Ranges: bytes
Content-Length: 533
Date: Wed, 25 Jun 2014 17:25:47 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U
....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For aut
horized use only1E0C..U...<VeriSign Class 3 Public Primary Certific
ation Authority - G5..140320000000Z..140630235959Z0...*.H.............
}...a.D[..8..i.....g8..S..tt..a.e.B]..v.l9.m.....~.G(l...G..#z{...Za..
F.q....2^X..w.i'.&..n...4v8. &|/Y.B..%..J..g0."k.0....A..7.)h...=5....
'Z........y.Ye.......M.._5.9..B.*.. [email protected]#...... UL.F......iDg..6...'
z$.E.E..*..g...2.@D.....&v...o..>..k1N...P...iHTTP/1.1 200 OK..Serv
er: Apache..ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"..Last-
Modified: Sat, 29 Mar 2014 21:25:08 GMT..Accept-Ranges: bytes..Content
-Length: 533..Date: Wed, 25 Jun 2014 17:25:47 GMT..Connection: keep-al
ive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0.
..U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:0
8..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<
;VeriSign Class 3 Public Primary Certification Authority - G5..1403200
00000Z..140630235959Z0...*.H.............}...a.D[..8..i.....g8..S..tt.
.a.e.B]..v.l9.m.....~.G(l...G..#z{...Za..F.q....2^X..w.i'.&..n...4v8.
&|/Y.B..%..J..g0."k.0....A..7.)h...=5....'Z........y.Ye.......M.._5.9.
.B.*.. [email protected]#...... UL.F......iDg..6...'z$.E.E..*..g...2.@D.....&v...
o..>..k1N...P...i
....

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1
Accept: */*
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
Host: crl.verisign.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache


HTTP/1.1 200 OK
Server: Apache
ETag: "072641a27cd10308fabc881f069f37c1:1396126208"
Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT
Accept-Ranges: bytes
Content-Length: 1415
Date: Wed, 25 Jun 2014 17:25:48 GMT
Connection: keep-alive
Content-Type: application/pkix-crl
0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0
:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1
(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign T
rust Network..140320000000Z..140630235959Z0...0!...=...X.FL...3..I..08
0403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...14
0129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....08
0403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t..
.070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:.
.080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..
."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d.
.9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s.......
....080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f.....
.7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.
:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3...
F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.
^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~..
[email protected]!..r.q.I-Ln./........080403173458Z0!..t8....D....
.......080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw.
.W.g...140129192921Z0...*.H................V.!F.Y..p.V......s..%..*l.z
=...R./.F....q.......D.t......0b..?.R:9.(.|.....VBp8.......PZ...[o\p..
.U...........$).V.D....B@....

<<< skipped >>>

The Packed connects to the servers at the following location(s):

cmd.exe_1076:

.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
%EXEDIR%\%GETSUSPCMD% --silent --ePO --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: %DATESTAMP%" --ZIPPATH=%EXEDIR%
MOVE %EXEDIR%\%computername%\*.zip %EXEDIR% 1>NUL 2>NUL
IF NOT ERRORLEVEL 0 CALL :writesarslogentry mcafee_getsusp, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %GETSUSPCMD% --silent --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: %DATESTAMP%" --ZIPPATH=%EXEDIR%"
CALL :writesarslogentry mcafee_getsusp, "End Running McAfee GetSusp Version %GETSUSPCMD%"
ECHO * This system appears to be running Windows 2000 *
ECHO * This operating system is no longer supported *
ECHO * http://www.ithelp.slb.com *
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This system appears to be running Windows 2000 *"
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This operating system is no longer supported *"
IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* http://www.ithelp.slb.com *"
::References: http://www.dostips.com/DtTipsStringManipulation.php#Snippets.MidString
ECHO * Script Version: %SARSVer%
ECHO * Date/Time: %DATESTAMP%
ECHO * Computer Name: %COMPUTERNAME%
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Script Version: %SARSVer%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Date/Time: %DATESTAMP%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Computer Name: %COMPUTERNAME%"
IF DEFINED DEBUG CALL :writesarslogentry banner, "* Spawned From: %SPAWNLOCATION%"
::Executes the GNU date utility becuase it is more accurate and returns a DATE
FOR /f %%a in ('%SPATH%\date.exe -u  %%Y%%m%%d') DO SET archive_date=%%a
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u  %%Y%%m%%d"
FOR /f %%a in ('%SPATH%\date.exe -u  %%H%%M%%S') DO SET archive_time=%%a
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u  %%H%%M%%S"
SET ARCNME=%archive_date%_%archive_time%_%computername%
IF DEFINED DEBUG CALL :writesarslogentry get_archive_name, "Archive Name ==> %archive_date%_%archive_time%_%computername%"
::1.0.7.0
get_web_version
CALL :get_web_version
::Gets the current version posted on the WEB.
:get_web_version 
CALL :writesarslogentry get_web_version, "Start Checking the posted Web Version of SARS"
CALL :reachable REACHABLE "www.secops.slb.com"
IF DEFINED DEBUG ECHO [get_web_version]Connectivity www.secops.slb.com got an ANSWER of %REACHABLE%
IF %REACHABLE%==N SET /p SARSWeb=%SARSVer% & GOTO :EOF
CALL :writesarslogentry get_web_version, "Getting currently published SARS Version!"
TITLE %SARSTITLE%
IF DEFINED DEBUG ECHO [get_web_version]About to run WGET
%EXEDIR%\wget --output-document=%LOGDIR%\web_version.txt --connect-timeout=2 --verbose http://www.secops.slb.com/version/sars/ 1> %LOGDIR%\web_errors.txt 2> %LOGDIR%\web_output.txt
IF DEFINED DEBUG ECHO [get_web_version]Executed the WGET Command
IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_web_version, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %EXEDIR%\wget --output
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373 --silent --ePO --offline --COMMENT="SARS Version 1.0.7.6 COMPUTERNAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
NAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
o %eMail% -f %fromeMail% %subj% %server% %mdebug% %x%"
nameOperations
> %LOGDIR%\%COMPUTERNAME%_pending_moves.txt"
ort.csv >> FOUNDINMDL.txt
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark;C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
-vi "slb.atosorigin-asp.com" ^| sort ^| uniq -ui') do findstr /I /C:"%%A" mdl_export.csv >> FOUNDINMDL.txt
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables
%s %s
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
  - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%%CD%% - expands to the current directory string.
%%DATE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

getsusp_300373.exe_900:

!Win32 .EXE.
.MPRESS1
`.MPRESS2
`.rsrc
t4Jt.Ju1 ]
N8SSh
PWSSh(
Pj.j.SW
Pj*j%SW
[u.jD
!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB
Ht.Ht!
It.It
SSh0~q
F( %U
3333333
?\u%f
FTPh8
St.Ht
FTPh
.itst
PSSSh
SSSSh
FTPQ
F4PSSh
t j%S
!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB
FTPS
d/d/%d d:d
HTTPS
161.69.31.104
GetUdpTable
AllocateAndGetUdpExTableFromStack
GetExtendedUdpTable
GetTcpTable
AllocateAndGetTcpExTableFromStack
GetExtendedTcpTable
%u.%u.%u.%u:%u
\GetSusp.sys
GetSusp1.tmp
Logs\McAfee-Product.txt
Logs\Files.xml
Logs\Files.xsl
Logs\Trace.log
Logs\Network.xsl
Logs\Network.xml
Logs\GetSusp.xsl
Logs\GetSusp.log
GetSusp.tmp
GetSusp.xml
\Windows\assembly\GAC_MSIL
avvclean.dat
avvnames.dat
avvscan.dat
XXXXXX
FramePkg.exe
\MCAFEE SECURITY SCAN\UNINSTALL.EXE
\Windows\assembly\NativeImages
Autoconfig-Url
Proxy-Port
3.0.0.373
EngineVersionMajor %d
AVDatVersion %d
AVDatDate %s
Task/Actions/Exec/Arguments
Task/Actions/Exec/Command
Windows-Firewall
%commonprogramw6432%
%commonprogramfiles%
Run-Key
\Prefetch\NTOSBOOT-B00DFAAD.pf
0123456789
%WinDir%\assembly\NativeImages
Received unknown IO request type %d
rundll32.exe
server_passwd
url_artemis
url_upload
Unknown-Error %d
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
--password
1.3.6.1.4.1.311.72.1.1
Status: 0x%x
network.proxy.autoconfig_url
network.proxy.http_port
"network.proxy.http"
network.proxy.type
network.proxy
.rsrc
config.dat
u.u
Copyright (c) McAfee Inc. u. Created on u-%s-u. Version:%u.u
'%s' Driver
KERNEL32.dll
%WinDir%\TEST.EXE
).EXPORT
).COPY
.ITEM
.dump
midiOutShortMsg
midiOutLongMsg
keybd_event
WinExecErrorW
WinExecErrorA
WinExec
WaitNamedPipeW
WaitNamedPipeA
WSARecvMsg
WSAAsyncGetServByPort
VkKeyScanW
VkKeyScanExW
VkKeyScanExA
VkKeyScanA
UpdateICMRegKeyW
UpdateICMRegKeyA
UnregisterHotKey
UnloadKeyboardLayout
UnhookWindowsHookEx
UnhookWindowsHook
TransactNamedPipe
TileWindows
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SetWindowsHookW
SetWindowsHookExW
SetWindowsHookExA
SetWindowsHookA
SetViewportOrgEx
SetViewportExtEx
SetProcessWindowStation
SetProcessShutdownParameters
SetNamedPipeHandleState
SetKeyboardState
SetConsoleOutputCP
ScaleViewportExtEx
SHFileOperationW
SHFileOperationA
ReportEventW
ReportEventA
RegisterHotKey
RegUnLoadKeyW
RegUnLoadKeyA
RegSetKeySecurity
RegSaveKeyW
RegSaveKeyA
RegRestoreKeyW
RegRestoreKeyA
RegReplaceKeyW
RegReplaceKeyA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegLoadKeyW
RegLoadKeyA
RegGetKeySecurity
RegFlushKey
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExA
RegEnumKeyA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ProcessHRC
PeekNamedPipe
OpenWindowStationW
OpenWindowStationA
OleExecute
OffsetViewportOrgEx
OemKeyScan
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyExW
MapVirtualKeyExA
MapVirtualKeyA
LoadKeyboardLayoutW
LoadKeyboardLayoutA
ImpersonateNamedPipeClient
ImmSimulateHotKey
ImmGetVirtualKey
GetWindowsDirectoryW
GetWindowsDirectoryA
GetViewportOrgEx
GetViewportExtEx
GetTcpStatisticsEx
GetTcpStatistics
GetServiceKeyNameW
GetServiceKeyNameA
GetProcessWindowStation
GetProcessShutdownParameters
GetProcessHeaps
GetProcessHeap
GetNamedPipeInfo
GetNamedPipeHandleStateW
GetNamedPipeHandleStateA
GetLargestConsoleWindowSize
GetKeyboardType
GetKeyboardState
GetKeyboardLayoutNameW
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
GetConsoleOutputCP
GetCPInfo
GetAsyncKeyState
FindExecutableW
FindExecutableA
ExitWindowsEx
EnumWindows
EnumWindowStationsW
EnumWindowStationsA
EnumThreadWindows
EnumPortsW
EnumPortsA
EnumDesktopWindows
EnumChildWindows
DisconnectNamedPipe
DeletePortW
DeletePortA
CreateWindowStationW
CreateWindowStationA
CreatePipe
CreateNamedPipeW
CreateNamedPipeA
CreateIoCompletionPort
CreateDialogIndirectParamW
CreateDialogIndirectParamA
ConnectNamedPipe
ConfigurePortW
ConfigurePortA
CloseWindowStation
CascadeWindows
CallNamedPipeW
CallNamedPipeA
CallMsgFilterW
CallMsgFilterA
ArrangeIconicWindows
AddPortW
AddPortA
ActivateKeyboardLayout
WINSTART.BAT
AUTOEXEC.BAT
SCRIPT.INI
NICK
OUTLOOK.APPLICATION
SCRIPTING.FILESYSTEMOBJECT
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_LOCAL_MACHINE\
MSGBOX
JOIN
.GzVBj/&IA42[vrC89pEhqO
.encode
%s:x
%s:x,x,x
KERNEL32.DLL
%WinDir%\
/usr/lib/test.so
%WinDir%\TEST.DLL
%WinDir%
join
export
.memory_hook
ÌdiouxXeEfgGnpsSaA
%WinDir%\SYSTEM32\
%WinDir%\SYSTEM
%d.d.d
Timer, %u, 1/100ms,
EINF, AV_APIVERSION_V%c
%s DAT version %ld.ld (%d.d)
Driver version %ld (%d.d)
API version (%s - %s) API: V%d.d
MCSCAN32.DLL
EREP, %d,
rwabs32.dll
MCTOOL.EXE
calwin32.dll
mcscan.log
mcscan.vlt
seqnum_%ld_thread_%s_
[%s;%s;%s]
Scan started at: %s
Scan completed at: %s
, %s: '%s'
%s: '%s'
* %4s........ GFS Disabled
,not scanned (code %d)
,not scanned (not executable).
%s, %u, %u, %u,
%s, %u, %u, %u
%s, %s
%s, %lu
,%s {
, %s, %s
%s:%d
%sx
  x -> x
  x [ xx ]
%s %s, %s
%s, %u
%s %lu
%s %d
%s (%s - action %d)
,not repaired (code %d)
%s %s
, normal hit "%s"
, negative hit "%s"
, "%s"
%s%lu
Leaving container (%d)
Entering container (%d)
RegDeleteKeyExW
scan.dat
names.dat
clean.dat
extra.dat
%s%c%s
RegDeleteKeyExA
%s (ID X, VER X)
ERR_OPERATION_FAILED
%s(X)
Runtime Check failed: %s in %s at line %d.
1.0.4
WFV*.tmp
vd
%c_%s
\\.\MCSCAN32.VXD
.data
.petite
.tlsdir
.neolit
.avp-md
.ficken
.BJFnt
.pklstb
Emu Buffer written to %s
(x)x:
-_@{}~`!#() =[]
SYSTEM.INI
WIN.INI
NTVDM.EXE
VDMDBG.DLL
PSAPI.DLL
windows
^$.[()|? *\
.tbz2
x.OLE
lld.ie
lx.OLE
kernel32.dll
.relo2
x.EXE
PEBUNDLE.LNK
TEMP$01.EXE
x.%.3s
x.EML
::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable
LINKCMDL.OLE
%lu%s
lX.VCH
lX.OLE
__SRP_%x
"$"#,##0_);\(
wininit.ini
%s %s==0x%lx
%s - %s %s - %s 0x%lx %s 0x%lx
%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx
%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx
%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx
%s - %s %s %s 0x%lx %s 0x%lx
%s - %s %s - read 0x%lx %s 0x%lx
%s - %s %s %d %s 0x%lx %s 0x%lx
%s - %s 0x%lx,%s 0x%lx
NTDLL.DLL
\\.\vwin32
\\.\PhysicalDrive%ud
\\.\%c:
Address_x.mem
%s_x.mem
PID\%d
Ntdll.dll
Kernel32.dll
x.PDF
x,
dwordbe:x
dword:x
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
script00.wsc
content%d.rtf
attach%d.dat
X.%s
0000000000000000000
h.dllhel32hkern
rsrc.rsrrelo.relUPX1UPX0ExeS.eda
rsrc.rsrrelo.relnoesExeS.eda.res
.Ncryo
.De-vir
x.B64
x.bin
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
.?AV?$TIndexedManifestSection@E@@
.?AVCNAICmdTarget@@
.?AVCPublicKeySection@@
.?AVCExecLibrary@@
.?AVItfIndexedValidationDataStore@@
.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@
.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@
.?AV?$TKeyDataSet@KI@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@
.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@
.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@
.?AVIImportRec@@
.?AVCWin32ImportRec@@
.?AVCEmuRegistryKey@@
.?AVCMD5@@
.?AVCImportantBlockSubStrategy@@
.?AVCHashValue@CObjectReporter@@
.?AVCObjectReporter@@
.?AVCDATMsg@@
Replace and press any key when ready
.?AVCImportMap@CFNCallGraph@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@
.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@
.?AVCOM2EXEFile@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile@@
.?AVW32EXEUncompress@@
.?AVCexeFile@@
.?AVexe32packFile@@
.?AVCW32EXEUncompressExt@@
.?AVEXEBundleDirectory@@
.?AVPEBundleEXEFile@@
.?AVPEBundleEXERepair@@
.?AVJoinerDirectory@@
.?AVexe32packDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@
.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@
.?AVWebScript@@
.?AVCHTMLWebScript@@
.?AVWebScriptDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@
.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@
.?AVLZEXEFile@@
.?AVCOLE2Operator@@
.?AVIOLE2Operator@@
.?AVProcessHandler@@
.?AVCRegOperator@@
.?AVIRegOperator@@
.?AVXRegOperator@CRegOperator@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile2@@
.?AVEXEStealthFile@@
.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@
.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@
.?AVCO12Operator@@
.?AVIO12Operator@@
.?AVXO12Operator@CO12Operator@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
.BJ!J~s
$D.FS
T.FaV
S_%cGrB\
zM%C{n
'I.EZT
.vrgW
.qyxdf
.Cr$!
/k%X#
;|K%C
.DT.^
RS9_%D<\
.=9_r.zDa
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
To download the latest version of GetSusp Click Here
For GetSusp Suspicious Files Report, click on File Log
For GetSusp Network log, click on Network Log
For information on installed McAfee products, click on McAfee Product Log
McAfee Community

Network Statistics Report

https://www.virustotal.com/file/
.text
h.rdata
H.data
B.reloc
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb
ntoskrnl.exe
Thawte Certification1
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
 http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
2Terms of use at https://www.verisign.com/rpa (c)041.0,
https://www.verisign.com/rpa01
http://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
https://www.verisign.com/rpa0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
http://www.mcafee.com 0
.pdata
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb
getsusp.exe
VERSION.dll
COMCTL32.dll
WINHTTP.dll
WinHttpOpen
WS2_32.dll
USERENV.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
MAPI32.dll
WINTRUST.dll
CRYPT32.dll
CryptMsgClose
.6$$$~~~
hNULhYa.hh5
McAfee Labs GetSusp
\\.\GetSusp
ERROR: Login failed due to invalid proxy credentials
Login failed for user '%s'
eiphlpapi.dll
Please enter id and password.
%s ... is Suspicious !!!
%s\%s\ntuser.dat
\autorun.vnf
\autorun.ini
\autorun.inf
%COMPUTERNAME%
.EngineVersionMinor
reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt
regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE
Scan results are saved at %s.
GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).
%c Possibly Infected:.............%d
Boot Sector(s):.................%d
Master Boot Record(s):....%d
%s !!!
\Local Settings\Temporary Internet Files\Content.IE5
\AppData\Local\Microsoft\Windows\Temporary Internet Files
\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce key values for '%s'
\Software\Microsoft\Windows\CurrentVersion\Run
Run key values for '%s'
\$Recycle.Bin
%SYSTEMDRIVE%
\Microsoft.NET\Framework
\Windows NT
\Windows Media Player
\Opera
\Mozilla Firefox\Plugins
\Mozilla Firefox\Components
\Mozilla Firefox
\COMMON FILES\Microsoft Shared\Web Folders
Please specify Proxy address and port
\GetSusp.opt
Status: %u%%
Suspicious: %u
Unknown: %u
The GetSusp executable has been modified and may be infected.
-- Send only the report
-- Specify proxy address and port
-- Specify automatic configuration script url
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe
Unable to load scan engine, support DLL not found.
B%s ... is OK.
dnsapi.dll
Report saved to %s
Report
Could not write to %s file.
\GetSusp.txt
This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml
Failed to execute GetSusp from long path.
%s could not be scanned (%d)!!!
%s ... is Unknown Scan Object !!!
%s ... is Zero Byte File !!!
%s ... Scan Aborted !!!
%s ... is Block-Char-Fifo Files !!!
%s ... is Out-Of-Memory !!!
%s ... is Encrypted !!!
%s ... is Corrupted !!!
Cannot save report file while a scan is in progress.
%s ... is Unknown !!!
chrome
firefox
http\shell\open\command
https://getclean.mcafee.com/getsusp
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
\prefs.js
\Mozilla\Firefox\Profiles
\StringFileInfo\XX\%s
L\\.\SSFILTERDEV
\\.\WGUARDNT
3c224a00-5d51-11cf-b3ca-000000000001
/0123456789:;<=>
0000000000000000
X\\?\
\\?\UNC
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
Save report to file
McAfee GetSusp 3.0.0.373
Report all scanned files
Port
Password:
getsusp.sys
5500-1093

getsusp_300373.exe_900_rwx_00401000_00443000:

t4Jt.Ju1 ]
N8SSh
PWSSh(
Pj.j.SW
Pj*j%SW
[u.jD
!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB
Ht.Ht!
It.It
SSh0~q
F( %U
3333333
?\u%f
FTPh8
St.Ht
FTPh
.itst
PSSSh
SSSSh
FTPQ
F4PSSh
t j%S
!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB
FTPS
d/d/%d d:d
HTTPS
161.69.31.104
GetUdpTable
AllocateAndGetUdpExTableFromStack
GetExtendedUdpTable
GetTcpTable
AllocateAndGetTcpExTableFromStack
GetExtendedTcpTable
%u.%u.%u.%u:%u
\GetSusp.sys
GetSusp1.tmp
Logs\McAfee-Product.txt
Logs\Files.xml
Logs\Files.xsl
Logs\Trace.log
Logs\Network.xsl
Logs\Network.xml
Logs\GetSusp.xsl
Logs\GetSusp.log
GetSusp.tmp
GetSusp.xml
\Windows\assembly\GAC_MSIL
avvclean.dat
avvnames.dat
avvscan.dat
XXXXXX
FramePkg.exe
\MCAFEE SECURITY SCAN\UNINSTALL.EXE
\Windows\assembly\NativeImages
Autoconfig-Url
Proxy-Port
3.0.0.373
EngineVersionMajor %d
AVDatVersion %d
AVDatDate %s
Task/Actions/Exec/Arguments
Task/Actions/Exec/Command
Windows-Firewall
%commonprogramw6432%
%commonprogramfiles%
Run-Key
\Prefetch\NTOSBOOT-B00DFAAD.pf
0123456789
%WinDir%\assembly\NativeImages
Received unknown IO request type %d
rundll32.exe
server_passwd
url_artemis
url_upload
Unknown-Error %d
Windows 2000
Windows XP
Web Edition
Windows Server 2003,
Windows XP Professional x64 Edition
Windows Home Server
Windows Storage Server 2003
Windows Server 2003 R2,
Web Server Edition
Windows Server 2012
Windows 8
Windows Server 2008 R2
Windows 7
Windows Server 2008
Windows Vista
--password
1.3.6.1.4.1.311.72.1.1
Status: 0x%x
network.proxy.autoconfig_url
network.proxy.http_port
"network.proxy.http"
network.proxy.type
network.proxy
.rsrc
config.dat
u.u
Copyright (c) McAfee Inc. u. Created on u-%s-u. Version:%u.u
'%s' Driver
KERNEL32.dll
%WinDir%\TEST.EXE
).EXPORT
).COPY
.ITEM
.dump
midiOutShortMsg
midiOutLongMsg
keybd_event
WinExecErrorW
WinExecErrorA
WinExec
WaitNamedPipeW
WaitNamedPipeA
WSARecvMsg
WSAAsyncGetServByPort
VkKeyScanW
VkKeyScanExW
VkKeyScanExA
VkKeyScanA
UpdateICMRegKeyW
UpdateICMRegKeyA
UnregisterHotKey
UnloadKeyboardLayout
UnhookWindowsHookEx
UnhookWindowsHook
TransactNamedPipe
TileWindows
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SetWindowsHookW
SetWindowsHookExW
SetWindowsHookExA
SetWindowsHookA
SetViewportOrgEx
SetViewportExtEx
SetProcessWindowStation
SetProcessShutdownParameters
SetNamedPipeHandleState
SetKeyboardState
SetConsoleOutputCP
ScaleViewportExtEx
SHFileOperationW
SHFileOperationA
ReportEventW
ReportEventA
RegisterHotKey
RegUnLoadKeyW
RegUnLoadKeyA
RegSetKeySecurity
RegSaveKeyW
RegSaveKeyA
RegRestoreKeyW
RegRestoreKeyA
RegReplaceKeyW
RegReplaceKeyA
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegLoadKeyW
RegLoadKeyA
RegGetKeySecurity
RegFlushKey
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyExA
RegEnumKeyA
RegDeleteKeyW
RegDeleteKeyA
RegCreateKeyW
RegCreateKeyExW
RegCreateKeyExA
RegCreateKeyA
RegCloseKey
ProcessHRC
PeekNamedPipe
OpenWindowStationW
OpenWindowStationA
OleExecute
OffsetViewportOrgEx
OemKeyScan
MsgWaitForMultipleObjects
MapVirtualKeyW
MapVirtualKeyExW
MapVirtualKeyExA
MapVirtualKeyA
LoadKeyboardLayoutW
LoadKeyboardLayoutA
ImpersonateNamedPipeClient
ImmSimulateHotKey
ImmGetVirtualKey
GetWindowsDirectoryW
GetWindowsDirectoryA
GetViewportOrgEx
GetViewportExtEx
GetTcpStatisticsEx
GetTcpStatistics
GetServiceKeyNameW
GetServiceKeyNameA
GetProcessWindowStation
GetProcessShutdownParameters
GetProcessHeaps
GetProcessHeap
GetNamedPipeInfo
GetNamedPipeHandleStateW
GetNamedPipeHandleStateA
GetLargestConsoleWindowSize
GetKeyboardType
GetKeyboardState
GetKeyboardLayoutNameW
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextW
GetKeyNameTextA
GetConsoleOutputCP
GetCPInfo
GetAsyncKeyState
FindExecutableW
FindExecutableA
ExitWindowsEx
EnumWindows
EnumWindowStationsW
EnumWindowStationsA
EnumThreadWindows
EnumPortsW
EnumPortsA
EnumDesktopWindows
EnumChildWindows
DisconnectNamedPipe
DeletePortW
DeletePortA
CreateWindowStationW
CreateWindowStationA
CreatePipe
CreateNamedPipeW
CreateNamedPipeA
CreateIoCompletionPort
CreateDialogIndirectParamW
CreateDialogIndirectParamA
ConnectNamedPipe
ConfigurePortW
ConfigurePortA
CloseWindowStation
CascadeWindows
CallNamedPipeW
CallNamedPipeA
CallMsgFilterW
CallMsgFilterA
ArrangeIconicWindows
AddPortW
AddPortA
ActivateKeyboardLayout
WINSTART.BAT
AUTOEXEC.BAT
SCRIPT.INI
NICK
OUTLOOK.APPLICATION
SCRIPTING.FILESYSTEMOBJECT
SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\
HKEY_LOCAL_MACHINE\
MSGBOX
JOIN
.GzVBj/&IA42[vrC89pEhqO
.encode
%s:x
%s:x,x,x
KERNEL32.DLL
%WinDir%\
/usr/lib/test.so
%WinDir%\TEST.DLL
%WinDir%
join
export
.memory_hook
ÌdiouxXeEfgGnpsSaA
%WinDir%\SYSTEM32\
%WinDir%\SYSTEM
%d.d.d
Timer, %u, 1/100ms,
EINF, AV_APIVERSION_V%c
%s DAT version %ld.ld (%d.d)
Driver version %ld (%d.d)
API version (%s - %s) API: V%d.d
MCSCAN32.DLL
EREP, %d,
rwabs32.dll
MCTOOL.EXE
calwin32.dll
mcscan.log
mcscan.vlt
seqnum_%ld_thread_%s_
[%s;%s;%s]
Scan started at: %s
Scan completed at: %s
, %s: '%s'
%s: '%s'
* %4s........ GFS Disabled
,not scanned (code %d)
,not scanned (not executable).
%s, %u, %u, %u,
%s, %u, %u, %u
%s, %s
%s, %lu
,%s {
, %s, %s
%s:%d
%sx
  x -> x
  x [ xx ]
%s %s, %s
%s, %u
%s %lu
%s %d
%s (%s - action %d)
,not repaired (code %d)
%s %s
, normal hit "%s"
, negative hit "%s"
, "%s"
%s%lu
Leaving container (%d)
Entering container (%d)
RegDeleteKeyExW
scan.dat
names.dat
clean.dat
extra.dat
%s%c%s
RegDeleteKeyExA
%s (ID X, VER X)
ERR_OPERATION_FAILED
%s(X)
Runtime Check failed: %s in %s at line %d.
1.0.4
WFV*.tmp
vd
%c_%s
\\.\MCSCAN32.VXD
.data
.petite
.tlsdir
.neolit
.avp-md
.ficken
.BJFnt
.pklstb
Emu Buffer written to %s
(x)x:
-_@{}~`!#() =[]
SYSTEM.INI
WIN.INI
NTVDM.EXE
VDMDBG.DLL
PSAPI.DLL
windows
^$.[()|? *\
.tbz2
x.OLE
lld.ie
lx.OLE
kernel32.dll
.relo2
x.EXE
PEBUNDLE.LNK
TEMP$01.EXE
x.%.3s
x.EML
::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable
LINKCMDL.OLE
%lu%s
lX.VCH
lX.OLE
__SRP_%x
"$"#,##0_);\(
wininit.ini
%s %s==0x%lx
%s - %s %s - %s 0x%lx %s 0x%lx
%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx
%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx
%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx
%s - %s %s %s 0x%lx %s 0x%lx
%s - %s %s - read 0x%lx %s 0x%lx
%s - %s %s %d %s 0x%lx %s 0x%lx
%s - %s 0x%lx,%s 0x%lx
NTDLL.DLL
\\.\vwin32
\\.\PhysicalDrive%ud
\\.\%c:
Address_x.mem
%s_x.mem
PID\%d
Ntdll.dll
Kernel32.dll
x.PDF
x,
dwordbe:x
dword:x
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\
script00.wsc
content%d.rtf
attach%d.dat
X.%s
0000000000000000000
h.dllhel32hkern
rsrc.rsrrelo.relUPX1UPX0ExeS.eda
rsrc.rsrrelo.relnoesExeS.eda.res
.Ncryo
.De-vir
x.B64
x.bin
operator
deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler
1.2.5
zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll
.?AV?$TIndexedManifestSection@E@@
.?AVCNAICmdTarget@@
.?AVCPublicKeySection@@
.?AVCExecLibrary@@
.?AVItfIndexedValidationDataStore@@
.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@
.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@
.?AV?$TKeyDataSet@KI@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@
.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@
.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@
.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@
.?AVIImportRec@@
.?AVCWin32ImportRec@@
.?AVCEmuRegistryKey@@
.?AVCMD5@@
.?AVCImportantBlockSubStrategy@@
.?AVCHashValue@CObjectReporter@@
.?AVCObjectReporter@@
.?AVCDATMsg@@
Replace and press any key when ready
.?AVCImportMap@CFNCallGraph@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@
.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@
.?AVCOM2EXEFile@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile@@
.?AVW32EXEUncompress@@
.?AVCexeFile@@
.?AVexe32packFile@@
.?AVCW32EXEUncompressExt@@
.?AVEXEBundleDirectory@@
.?AVPEBundleEXEFile@@
.?AVPEBundleEXERepair@@
.?AVJoinerDirectory@@
.?AVexe32packDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@
.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@
.?AVWebScript@@
.?AVCHTMLWebScript@@
.?AVWebScriptDecode@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@
.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@
.?AVLZEXEFile@@
.?AVCOLE2Operator@@
.?AVIOLE2Operator@@
.?AVProcessHandler@@
.?AVCRegOperator@@
.?AVIRegOperator@@
.?AVXRegOperator@CRegOperator@@
.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@
.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@
.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@
.?AVW32EXEFile2@@
.?AVEXEStealthFile@@
.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@
.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@
.?AVCO12Operator@@
.?AVIO12Operator@@
.?AVXO12Operator@CO12Operator@@
zcÁ
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe
.BJ!J~s
$D.FS
T.FaV
S_%cGrB\
zM%C{n
'I.EZT
.vrgW
.qyxdf
.Cr$!
/k%X#
;|K%C
.DT.^
RS9_%D<\
.=9_r.zDa
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE
xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
To download the latest version of GetSusp Click Here
For GetSusp Suspicious Files Report, click on File Log
For GetSusp Network log, click on Network Log
For information on installed McAfee products, click on McAfee Product Log
McAfee Community

Network Statistics Report

https://www.virustotal.com/file/
.text
h.rdata
H.data
B.reloc
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb
ntoskrnl.exe
Thawte Certification1
http://ocsp.thawte.com0
.http://crl.thawte.com/ThawteTimestampingCA.crl0
http://ts-ocsp.ws.symantec.com07
 http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
 http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
.Class 3 Public Primary Certification Authority0
2Terms of use at https://www.verisign.com/rpa (c)041.0,
https://www.verisign.com/rpa01
http://crl.verisign.com/pca3.crl0
.Class 3 Public Primary Certification Authority
Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0
n.aAHu
https://www.verisign.com/rpa0
/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u
http://ocsp.verisign.com0?
3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0
http://www.mcafee.com 0
.pdata
c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb
getsusp.exe
VERSION.dll
COMCTL32.dll
WINHTTP.dll
WinHttpOpen
WS2_32.dll
USERENV.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
MAPI32.dll
WINTRUST.dll
CRYPT32.dll
CryptMsgClose
\\.\GetSusp
ERROR: Login failed due to invalid proxy credentials
Login failed for user '%s'
eiphlpapi.dll
Please enter id and password.
%s ... is Suspicious !!!
%s\%s\ntuser.dat
\autorun.vnf
\autorun.ini
\autorun.inf
%COMPUTERNAME%
.EngineVersionMinor
reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt
regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE
Scan results are saved at %s.
GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).
%c Possibly Infected:.............%d
Boot Sector(s):.................%d
Master Boot Record(s):....%d
%s !!!
\Local Settings\Temporary Internet Files\Content.IE5
\AppData\Local\Microsoft\Windows\Temporary Internet Files
\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
\Software\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce key values for '%s'
\Software\Microsoft\Windows\CurrentVersion\Run
Run key values for '%s'
\$Recycle.Bin
%SYSTEMDRIVE%
\Microsoft.NET\Framework
\Windows NT
\Windows Media Player
\Opera
\Mozilla Firefox\Plugins
\Mozilla Firefox\Components
\Mozilla Firefox
\COMMON FILES\Microsoft Shared\Web Folders
Please specify Proxy address and port
\GetSusp.opt
Status: %u%%
Suspicious: %u
Unknown: %u
The GetSusp executable has been modified and may be infected.
-- Send only the report
-- Specify proxy address and port
-- Specify automatic configuration script url
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe
Unable to load scan engine, support DLL not found.
B%s ... is OK.
dnsapi.dll
Report saved to %s
Report
Could not write to %s file.
\GetSusp.txt
This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing
http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml
Failed to execute GetSusp from long path.
%s could not be scanned (%d)!!!
%s ... is Unknown Scan Object !!!
%s ... is Zero Byte File !!!
%s ... Scan Aborted !!!
%s ... is Block-Char-Fifo Files !!!
%s ... is Out-Of-Memory !!!
%s ... is Encrypted !!!
%s ... is Corrupted !!!
Cannot save report file while a scan is in progress.
%s ... is Unknown !!!
chrome
firefox
http\shell\open\command
https://getclean.mcafee.com/getsusp
AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings
\prefs.js
\Mozilla\Firefox\Profiles
\StringFileInfo\XX\%s
L\\.\SSFILTERDEV
\\.\WGUARDNT
3c224a00-5d51-11cf-b3ca-000000000001
/0123456789:;<=>
0000000000000000
X\\?\
\\?\UNC
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
Save report to file
McAfee GetSusp 3.0.0.373
Report all scanned files
Port
Password:
getsusp.sys


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    net1.exe:580
    net1.exe:1368
    ping.exe:1484
    net.exe:2008
    net.exe:916
    %original file name%.exe:1332
    sort.exe:1788
    sort.exe:868
    find.exe:1376
    find.exe:1264

  2. Delete the original Packed file.
  3. Delete or disinfect the following files created/modified by the Packed:

    C:\ (4 bytes)
    %Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
    %Documents and Settings%\%current user%\Favorites (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
    %WinDir%\GetSusp.sys (588 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
    %Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
    %System%\drivers (32 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
    %Program Files%\Common Files\System (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
    %Documents and Settings%\LocalService (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
    %System%\config\SystemProfile (4 bytes)
    %WinDir%\WinSxS (12 bytes)
    %Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
    %WinDir%\AppPatch (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
    C:\$Directory (1792 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
    C:\PROGRAM FILES (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
    %Documents and Settings%\%current user%\My Documents (4 bytes)
    %System%\wbem (1064 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
    C:\DOCUMENTS AND SETTINGS (4 bytes)
    %Documents and Settings%\Default User\Local Settings (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
    %Program Files%\Internet Explorer (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
    %WinDir%\REGISTRATION (4 bytes)
    %System%\CatRoot2\dberr.txt (155 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
    %Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\LocalService\Local Settings (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
    %Program Files%\COMMON FILES (4 bytes)
    %Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
    %Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
    %Program Files%\Common Files\Microsoft Shared (4 bytes)
    %Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
    %System%\oobe (96 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
    %Program Files%\Common Files\VMware\Drivers (4 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
    %Program Files%\WIRESHARK (16 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
    %Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
    %Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
    %Documents and Settings%\NetworkService\Local Settings (4 bytes)
    %WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
    %Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
