MD5: fece4f67f6a2c52c9eb7885ab1bdccec
SHA1: 2c57902195466f8de6bed04693d43c8257d0ff3a
SHA256: f2bc5c8ee948c148bc0d7aa958aee70252f27789a16955d46b483cb6fa900242
SSDeep: 3072:3Pz3bKIDJofjswlZrHO7cA2DIUFQiKojOJ9ou5g:3jbEfjq03FQWs9oy
Size: 107520 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: home
Created at: 2011-04-14 23:42:36
Analyzed on: WindowsXPESX SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

imapi.exe:1280
%original file name%.exe:1336
Yukmkk.exe:332
drwtsn32.exe:1060

The Trojan injects its code into the following process(es):

mscorsvw.exe:1920
rundll32.exe:1776
explorer.exe:488
csrss.exe:700
winlogon.exe:724
wmiprvse.exe:752
services.exe:768
svchost.exe:936
svchost.exe:1016
svchost.exe:1104
svchost.exe:1156
svchost.exe:1228
spoolsv.exe:1436
jqs.exe:1968

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process imapi.exe:1280 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\7pf8i2gi.TMP (146970 bytes)

The process %original file name%.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe (601 bytes)

The process drwtsn32.exe:1060 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (184192 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (389768 bytes)

Registry activity

The process imapi.exe:1280 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 E4 53 70 F0 DC A4 6A 34 58 A1 6C 8A 36 ED 8A"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"

The process %original file name%.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 9F 35 17 7D CA A8 48 ED 57 5D E6 2A 68 1D 98"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Yukmkk" = "%Documents and Settings%\%current user%\Application Data\Yukmkk.exe"

The process rundll32.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 F0 6D 0E F9 CB 2C C9 E8 62 21 4D AE AA C4 B1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process Yukmkk.exe:332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 30 03 16 CF 52 CA 43 9C E1 00 AB 9C C6 E6 19"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process drwtsn32.exe:1060 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 94 33 93 9D 4F 0C F2 D1 8A CD 53 D9 83 3B AE"

[HKLM\SOFTWARE\Microsoft\DrWatson]
"NumberOfCrashes" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Trojan installs the following user-mode hooks in ADVAPI32.dll:

RegCreateKeyExA
RegCreateKeyExW

The Trojan installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Trojan installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name: Paragon Software Group
Product Name: Carrie
Product Version: 8.6
Legal Copyright:
Legal Trademarks:
Original Filename: Tyqugdc55v.exe
Internal Name: Fort Moles Mcgee
File Version: 8.6
File Description: Ely Bumps Breed
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
030aba06f91d849896c26498fd208cbf

URLs

URL	IP
hxxp://api.wipmania.com/

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Dorkbot GeoIP Lookup to wipmania
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET POLICY External IP Lookup Attempt To Wipmania

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/4.0

Host: api.wipmania.com

HTTP/1.1 200 OK

Server: nginx

Date: Tue, 18 Nov 2014 19:18:53 GMT

Content-Type: text/html

Content-Length: 19

Connection: keep-alive

Keep-Alive: timeout=20
"%local server IP%"<br>CA..

The Trojan connects to the servers at the folowing location(s):

.text

`.data

.rsrc

@.reloc

ADVAPI32.dll

BROWSEUI.dll

GDI32.dll

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

ole32.dll

OLEAUT32.dll

SHDOCVW.dll

SHELL32.dll

SHLWAPI.dll

USER32.dll

UxTheme.dll

FTSSh

t0SSh

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

SShwk

98~%SP

ExplorerStartMsgLoop

PSSh;

6SSSSh

SSSSh

SPSSSShL

u%SSh

t.WWWW

xpsp2res.dll

xpsp3res.dll

tbSSh

Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu

Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel

kernel32.dll

GetSystemWindowsDirectoryW

NetGetJoinInformation

WINMM.dll

SETUPAPI.dll

WINSTA.dll

OLEACC.dll

USERENV.dll

ntdll.dll

RegEnumKeyExW

RegNotifyChangeKeyValue

RegOpenKeyExA

RegEnumKeyW

RegCloseKey

RegCreateKeyW

RegQueryInfoKeyW

RegOpenKeyExW

RegCreateKeyExW

OffsetViewportOrgEx

GetViewportOrgEx

SetViewportOrgEx

SetProcessShutdownParameters

GetProcessHeap

GetWindowsDirectoryW

CreateIoCompletionPort

ShellExecuteExW

SHRegCloseUSKey

SHRegCreateUSKeyW

AssocQueryKeyW

SHRegOpenUSKeyW

SHDeleteKeyW

TileWindows

ExitWindowsEx

RegisterHotKey

UnregisterHotKey

EnumChildWindows

GetKeyState

GetAsyncKeyState

CascadeWindows

MsgWaitForMultipleObjects

EnumWindows

explorer.pdb

name="Microsoft.Windows.Shell.explorer"

version="5.1.0.0"

<description>Windows Shell</description>

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

]]"```^]]\

3333333330

3333330

333333334

)@.   '5 !*

.DEHHF>?/

2<===@@=

&$%Uooqkezs

['$$#%&(4

3333333333333333333

33333333333330

7'''')) 

3'')))33.

222`444(555

%%%{///-

000000000

00000000

`[66...00

0000000

`]66./.000

/./././././././.

66///0000

0000000000000

0000000000

6666,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,0.010.010.010.010.010.010.010.010.010.010.001

4366666666K,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6.010.010.010.010.010.010.010.010.010.010.000

:;<;:;<;:;<;:;<;:;<0

)   )   )   )   )

|2222'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2',),),),),),),),),),),),),),),),),),),),),),, 

22222222222

3333333

.SB99;;;99twv}ut{oxt~

.SB;;;:::2:w}{{qddgghg

" """ """ """ """ "" #

""" """ """ "#

.SG>''';;9::p

:5:5:5:5:5:5:5:5:5:5#"

# # # # # # # # # # # # # # # # # # # # # ##$

( # # # # # # # # # # # # # # # # # # # # ###

1232123212321232123

(&(((&(((&(((&(((&((&&)

&(((&(((&(((&()

`,''')))

'4,4'4,4'4,4'4,4'4,4)(

55///0000

5555-5-5-5-5-5-5-5-5-5-5-5-5-5-5-5-0

555555555

55555555

5555555

14441444144414441

4343434343434343

5555555555555

5555555555

-,-,-,-,-,-,-,-,-,-,-*.

..............................JFJFJFJFJFJFJFJFJFJFJ.-

{22*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-../

|ujjjjuhF..BBBBBBBBBBBBT

~j|F.BB*BBB*BBB*Bwop

&!!!&!!!&

44466666

44444444416

4446666

66666666

|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= 

|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= 

DDDDE%CTDD@

A%US$

%UUUU

%%UUU

33U

""2222!!

!"!"%UUR""

!""!"#2"""

"!!"#3"!"

dnnnnn:n.nfCnmddddd

////;/;;88

;888;;!/

!//!!;;^

:;:!::!!!

.88.88.8

.N.NN.M

::8.8...

:::!;;:!

//!!;888

.8.8.88...

:;!::!!;!//!;

!!;:!!::

.88..8..

!!:::/^!

!;/;!;;;!!!:

.8:!!!!^

!!:;:::..

/:!^^!;{8{../

...:::.-

**6***66*6**6566*5666 ,

6*6666*6*6 655*65

6*65 56*5 55  555 *5  6

555( 55 (5 5(  

76 5   66  555*677

6*6 5 5(5 (55( '5((5 (556 ('5

665**6(('S((((((S(((]('((@('SS((S(((((((6C-.NEC66S5sU

555(555(5((5(5(5(

5 5 5 5555 (555(555'(((5(5('55(((

((''('5'5(5('('('('('((''('(((@(((('&(((&

%&&%&&&&3>&3&3&33&3&3333&&3>3333

'(3&'&3&

3&33&&((

3323>33>%>3%>3>33>3%3&%

*5'(('((&@3(

,63%3>323>3%>&>33323>>%>

3(3'(((@@'5('@(@(&('(

>2>323%>3

75((((@3&333&3&&&%&3&&3&33>33%3>23%>3

>2%$32%>2>%>2$3>

3&%&&3&33>3>33

3>%>3%&3$23>23$2>2%$>2>

)4433((&(&('*

('((((''(**6(('' *

32323>3>

2$%>22%>%3' (

&(&''((5(5 *

'(&(&((&('''

&&%&3&&%3%

2%>22>22

5''3(((3(('&(&'&

3%%3%3%2#$

22$22$2%$22$2%2%$2%$2$222%$22

&>2$2$2$222$22$%%

:7'((('(3('(3(&(&

222222222222

22222222222222

222222222222222

22$22$22$22$

&(%3%&&&&3&&&3%3

222222222222222222

&&(&3(&(&'('((3'(&&

2222222

22$<$$2$22$%

&&(3(3('(&'

222"2212

22<2<22"

(&(3(3((

((565 ((( 6

333&33(&&

'(('('(('( 

 '&%%"$

2"2"22"2

2222<2"222

"2"22<2<22

2%('(3'32222?&'

2"2"2"121212<

2"2"2$"?

%%22%2

&3(3(3((&

"2"<"2<2<

<2<"<"<"<

1"?((&21

<?<?22<$2

2%""22&&

2<2$$2222

'&('(3(''

((%%%"

5(3%"%

"2%5*67

))) ))))

""**<****"""

"*<<<<*"

#2#---2222-222442-

--&#-(-%

$/222(--444222!

#&-221269924999;

&$-22-($2%

#(2---222622212-

#2221299629968

#&--%#(2##!

-222422422426662-%

"2-##&

!##-#&#-&&#%---#---#&-219662%

$&-(151,44.9

&1242662-

-(..19.19

,4492.12

12-$-,-,

-, $$----

#%#-15/-&

-,(,,(,(,

$$11651566/,$&&

,2592&&&-

2466/!$$

""*<*"****""

) '????[

&&&$-556>>61,,5994511-

$(//$$$(6>6/,$,-$

#$-22692/,,$,-&

-266661..4514#

&,2-&&##

&-222,22--#

#&&---2-,-&$&(,,291.566..BNNNTNNNNNAABIAA88

&!#&!-##

&#--//11468>885882&

$266961$&--$&%

,1661,!-((#

&$,4255$,92

&$,44..&

""**""***""

"****<*<<**"

"**""""*""""

&-569./-,16522$

.BAA=86546888=AAAEAAEMNRMQQSWZZ\]gk__m__\

bTRHHHHHQQHQJQWJSSSSSSSSSSSSSSSSWWSSSS\\V]VZW8,.FW]\\]\]\]\\ZZ\\WFR>38(

.BTTkgn]ktvgmvvvvvmvvvsvzzzyzyzyzyyyzmkkkkkZSRA816;F87

yzyzyzym^Z]WN3   $&$.Wt\

""*"""****""""

"***"**""**<**"

$5612,.2,

&$$,,,5]

$]t.Ft

7%8U8

3 303<3]3

2<3

8 8$8(8,8084888<8}8

5%5,575{6

<,<0<4<8<

7 7$7(7,70747

rundll32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage

Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

::{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}

::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}

::{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}

::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}

::{D20EA4E1-3957-11d2-A40B-0C5020524153}

::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}

{208D2C60-3AEA-1069-A2D7-08002B30309D}

{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites

{450D8FBA-AD25-11D0-98A8-0800361B1103}

CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain

Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz

\\.\WMIDataDevice

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\Microsoft\Windows NT\CurrentVersion\Windows

ExplorerIsShellMutex

desk.cpl

Software\Microsoft\Windows\CurrentVersion\Explorer

tourstart.exe

tourstart.exe,0

Microsoft.OfferTour

WINWORD.EXE

Software\Microsoft\Windows\CurrentVersion\Applets

Software\Microsoft\Windows\CurrentVersion\Applets\Tour

explorer.exe,9

Microsoft.FixScreenResolution

shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}

Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation

Software\Microsoft\Windows NT\CurrentVersion

shell:::{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}

Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

DDEEXECUTESHORTCIRCUIT

http\shell

IEXPLORE.EXE

Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop

Software\Microsoft\Windows\CurrentVersion\RunOnceEx

comctl32.dll

Software\Microsoft\Windows\Internet Settings

AutoConfigURL

system.ini

AppEvents\Schemes\Apps\.Default\%s\.current

Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify

MSShellRunDlgReady

res://mys.dll/mys.hta /explorer

mshta.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\Welcome

Software\Microsoft\Windows\CurrentVersion\Explorer\Tips

SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\MYS

cys.exe

SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz

install.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel

OUTLOOK.EXE

explorer.exe,16

iernonce.dll

WININET.DLL

UpdateURL

WindowsUpdate

HWND%x

Software\Microsoft\Windows\CurrentVersion\OemStartMenuData

fldrclnr.dll,Wizard_RunDLL

iexplore.exe

winbrand.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d

shell32.dll

nusrmgr.cpl ,initialTask=ChangePicture

NewExeName

Windows

ediskeer.dll

timedate.cpl

Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU

Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU

Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Software\Microsoft\Internet Explorer\TypedURLs

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Games\Solitaire.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Paint.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\WordPad.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Windows Movie Maker.lnk

%USERPROFILE%\Start Menu\Programs\Accessories\Tour Windows XP.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Windows Messenger.lnk

%USERPROFILE%\Start Menu\Programs\Windows Media Player.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\MSN.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Get Online with MSN.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Get Going with Tablet PC.lnk

%ALLUSERSPROFILE%\Start Menu\Set Program Access and Defaults.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Windows Journal.lnk

%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Media Center\Media Center.lnk

%USERPROFILE%\Start Menu\Programs\Internet Explorer.lnk

Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel

TSAppCMP.DLL

netapi32.dll

%SystemRoot%\system32\restore\rstrui.exe

RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s

RunDLL32.EXE

%s%d%s

Software\Microsoft\Windows\CurrentVersion\Policies\System

settings.dll

explorer.exe "

explorer.exe /e, "

WindowsLogon

WindowsLogoff

%s %s

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

uAppWiz.Cpl

\explorer.exe

Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu

::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

taskmgr.exe

ShellExecute

Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d

\WindowsShell.Manifest

Get Online with MSN.lnk

Set Program Access and Defaults.lnk

Link%d

OEM%d

Software\Microsoft\Windows\CurrentVersion\SMDEn

::{D20EA4E1-3957-11d2-A40B-0C5020524152}

%WinDir%\explorer.exe

There is a file or folder on your computer called "%s" which could cause certain applications to not function correctly. Renaming it to "%s" would solve this problem. Would you like to rename it now?

Ca&scade Windows

Tile Windows &Horizontally

Tile Windows V&ertically

&Windows Security...

&Help and Support

&Log Off %s...

Windows Explorer

6.00.2900.5512 (xpsp.080413-2105)

EXPLORER.EXE

Windows

Operating System

6.00.2900.5512

Keep the &taskbar on top of other windows

To remove records of recently accessed documents, programs, and Web sites, click Clear.

Windows displays icons for active and urgent notifications, and hides inactive ones. You can change this behavior for items in the list below.

Select this option to use the menu style from earlier versions of Windows.

6There is not enough memory to complete this operation.8Unable to run command.

The folder '%1' has been removed.WMy Computer or Windows Explorer has not been properly initialized yet. Try again later.

&Undo %s

Windows is running in safe mode.

This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.

startRThere was an internal error and one of the windows you were using has been closed.

Restrictions{This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.

&Show Open Windows

Windows was unable to change the display settings for the new configuration. Return the computer to the previous state, shut down Windows, and restart the computer in the desired configuration.

There may be a problem with your display settings if you continue. To safely change to a new configuration, you should shut down Windows and restart the computer in the desired configuration. Do you want to continue anyway?

This pre-release version of "Internet Explorer 4.0" Desktop/Explorer has expired. Please update to the latest release of "Internet Explorer 4.0" from WWW.MICROSOFT.COM

helpctr.exe>-FromStartHelp

Take a tour of Windows XP

NOpens a window where you can pick search options and work with search results.aOpens a central location for Help topics, tutorials, troubleshooting, and other support services.

/Opens a program, folder, document, or Web site.

Provides options for closing your programs and logging off, or for leaving your programs running and switching to another user.lProvides options for turning off or restarting your computer, or for activating Stand By or Hibernate modes.RDisconnects your session. You can reconnect to the session when you log on again.

&Windows Security

iOpens the My Documents folder, where you can store letters, reports, notes, and other kinds of documents./Displays recently opened documents and folders.KOpens the My Music folder, where you can store music and other audio files.]Opens the My Pictures folder, where you can store digital photos, images, and graphics files.zGives access to, and information about, the disk drives, cameras, scanners, and other hardware connected to your computer.MGives access to, and information about, folders and files on other computers.8Connects to other computers, networks, and the Internet.

explorer.exe_488_rwx_000A0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\explorer.exe

winlogon.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

40109cb.exe

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\explorer.exe

rundll32.exe_1776:

.text

`.data

.rsrc

msvcrt.dll

KERNEL32.dll

NTDLL.DLL

GDI32.dll

USER32.dll

IMAGEHLP.dll

rundll32.pdb

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

.manifest

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

Windows

Operating System

5.1.2600.5512

YThere is not enough memory to run the file %s.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Missing entry:%s

Error loading %s

rundll32.exe_1776_rwx_000A0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\rundll32.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\rundll32.exe

csrss.exe_700_rwx_00AD0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\csrss.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

winlogon.exe_724_rwx_00AD0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\winlogon.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

wmiprvse.exe_752_rwx_00DE0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\wbem\wmiprvse.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

services.exe_768_rwx_006F0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\services.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

p\Device\HarddiskVolume1\WINDOWS\system32\services.exe

svchost.exe_936_rwx_00940000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1016_rwx_00B50000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1104_rwx_01630000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

Qh$%d

u7hl%d

RPht%d

toSSSSSSSSSSh

/hd%d

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\System32\svchost.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1156_rwx_007F0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1228_rwx_00B80000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

spoolsv.exe_1436_rwx_009B0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\spoolsv.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

mscorsvw.exe_1920_rwx_008E0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

jqs.exe_1968_rwx_010C0000_00029000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSSh

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetWindowsDirectoryW

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.

PRIVMSG #

%s:%d

%s.PTF://%s:%s@%s:%d (p='%S')

%s:%s@%s:%d

PASS %s

USER %s

ftpgrab

%s.Blocked possible browser exploit pack call on URL '%s'

hXXp://

%s.Blocked possible browser exploit pack call on URL '%S'

ng.bestgamesever.biz

ng.xmyserverx.info

ng.idolmovies.com

ng.furioshizzle.info

ng.studyingcenter-org.com

fbi.gov

1.0.3

msn.set

msn.int

http.set

http.int

http.inj

logins

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

RSSR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

*megaupload.*/*login

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserve.*/login*

session[password]

*password]=*

*twitter.com/sessions

*:2086/login*

*:2083/login*

Password

*&Password=*

*.alertpay.*/*login.aspx

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

-\\.\PHYSICALDRIVE0

state_%s

shell32.dll

httpi

dnsapi.dll

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s%s}%s

n{%s|%s%s}%s

%s|%s|%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

explorer.exe

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

[Logins]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%RECYCLER\%s

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%Program Files%\Java\jre6\bin\jqs.exe

%Documents and Settings%\%current user%\Application Data\Yukmkk.exe

%WinDir%

0	0F0K0Q0e0r0x0~0

\\.\pipe

nwlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

xchat.exe

mirc.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

cipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

Internet Explorer\iexplore.exe

lol.exe

%s:Zone.Identifier

winlogon.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

skype.exe

lsass.exe

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   imapi.exe:1280
   %original file name%.exe:1336
   Yukmkk.exe:332
   drwtsn32.exe:1060
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %WinDir%\Temp\7pf8i2gi.TMP (146970 bytes)
   %Documents and Settings%\%current user%\Application Data\Yukmkk.exe (601 bytes)
   %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (184192 bytes)
   %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (389768 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Yukmkk" = "%Documents and Settings%\%current user%\Application Data\Yukmkk.exe"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
8. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.