MD5: ac1b961a03737445661048a40945478c
SHA1: 8b282e04388738dcb9073b778707e1b1a20bfbec
SHA256: 31e0249684d8068b80e5bd36a4cbc209b853392bddc61bd1d7a741a268c3138b
SSDeep: 12288:IYFGeEkL3AT4GFPNvOQFxi6k7b59q0u0i84C:VGeEkrAT/FPhS6LC
Size: 1392640 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, MicrosoftVisualBasicv50v60
Company: no certificate found
Created at: 2011-04-07 05:18:58
Analyzed on: WindowsXP SP3 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Process activity

The Trojan creates the following process(es):

%original file name%.exe:464
%original file name%.exe:2016
Lskmkx.exe:1688
Lskmkx.exe:1136

The Trojan injects its code into the following process(es):

vmacthlp.exe:920
csrss.exe:656
winlogon.exe:680
services.exe:724
lsass.exe:736
svchost.exe:936
svchost.exe:1012
svchost.exe:1108
Explorer.EXE:1140
svchost.exe:1156
svchost.exe:1212
spoolsv.exe:1448
jqs.exe:1656
wmiprvse.exe:2004

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe (8657 bytes)

Registry activity

The process %original file name%.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 67 39 5F EC FC 4E C5 55 D7 E4 C2 11 78 C7 00"

The process %original file name%.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 DB E5 15 2F 16 80 63 0F 72 05 A9 BA B6 3E 65"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Shell" = "explorer.exe,%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

The process Lskmkx.exe:1688 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 FA 39 D9 9D B2 B9 64 CE 72 53 2B E1 BB 1B 83"

The process Lskmkx.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 A1 35 A2 DB A7 F3 FA 21 EF 16 7B 01 AD F2 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Trojan installs the following user-mode hooks in WS2_32.dll:

send

The Trojan installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Trojan installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.

VersionInfo

Company Name: Image
Product Name: JNYVZ
Product Version: 22.15.0002
Legal Copyright: muhfk
Legal Trademarks: dozwzlpfr
Original Filename: tivqjvbwbvx.exe
Internal Name: tivqjvbwbvx
File Version: 22.15.0002
File Description:
Comments:
Language: English (United States)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\csrss.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

winlogon.exe_680_rwx_00AD0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

\??\%System%\winlogon.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

services.exe_724_rwx_00770000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@d%x

%System%\services.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

x\Device\HarddiskVolume1\WINDOWS\system32\services.exe

lsass.exe_736_rwx_00A50000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\lsass.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe

svchost.exe_936_rwx_005C0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

]\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1012_rwx_00B10000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1108_rwx_00A80000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\System32\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

Explorer.EXE_1140_rwx_01E00000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%WinDir%\Explorer.EXE

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

Lskmkx.exe

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\explorer.exe

svchost.exe_1156_rwx_00830000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1212_rwx_00B80000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\svchost.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

spoolsv.exe_1448_rwx_00B70000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\spoolsv.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

jqs.exe_1656_rwx_010C0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%Program Files%\Java\jre6\bin\jqs.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

wmiprvse.exe_2004_rwx_00DE0000_00024000:

.text

`.rdata

@.data

.reloc

:.datt

tB<%u4

toSSSSSSSSSShl

ShellExecuteA

SHELL32.dll

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

ntdll.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

GetWindowsDirectoryW

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegCreateKeyExW

ADVAPI32.dll

ole32.dll

%s.%s

%s.%S

%s.Blocked "%S" from creating "%s"

%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!

autorun.inf

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

%s.%s ->> %s : %s

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Link sent!

%s.p21-> Link sent!

msnmsg

JOIN #

%s.Detected process "%S" sending an IRC packet to server %s:%d.. Removing at reboot

PRIVMSG #

%s.PTF://%s:%s@%s:%d (p='%S')

PASS %s

USER %s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

1.0.0

hXXp://VVV.nobrain.dk

msn.set

msn.int

w00t.edu

dns.photomarket.me

USER %s 0 0 :%s

NICK %s

JOIN %s %s

PART %s

PRIVMSG %s :%s

QUIT :%s

PONG %s

PRIVMSG

[v ="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S"

[d="%s" s="%d bytes"] Executed file "%S"

[Slowloris]: Starting flood on "%s" for %d minutes

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s" for %d seconds

[UDP]: Finished flood on "%s"

[SSYN]: Starting flood on "%s" for %d seconds

[SSYN]: Finished flood on "%s"

[USB]: Infected %s

[MSN]: Updated MSN spread link to "%s"

[MSN]: Updated MSN spread interval to "%s"

[Visit]: Visited "%s"

[d="%s" s="%d bytes"] Error update md5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type.. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Removing "%s" at reboot

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

ftplog

ftpinfect

httplogin

httptraff

hXXp://api.wipmania.com/

\\.\pipe\%s_ipc

<iframe src ="hXXp://VVV.google.co.uk" width="100%" height="300"></iframe>

print '%s<br>';

%s<br>%s

.webroot.

.fortinet.

.virusbuster..nprotect.

.gdatasoftware.

.virus.

.precisesecurity.

.lavasoft.

check.tc

.emsisoft.

.onlinemalwarescanner.

onecare.live.

.bullguard.

.clamav.

.pandasecurity.

.sophos.

.malwarebytes.

.sunbeltsoftware.

.norton.

.norman.

.mcafee.

.symantec

.comodo.

.avast.

.avira.

.avg.

.bitdefender.

.eset.

.kaspersky.

.trendmicro.

.iseclab.

.virscan.

.garyshood.

.viruschief.

.jotti.

.threatexpert.

.novirusthanks.

.virustotal.

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s:%d

hXXp://%s/%s

hXXp://%s/

POST /23s

{%s|%s}%s

n{%s|%s}%s

%s|%s

%s|%s|%s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

/c "start Í%

&&%windir%\explorer.exe

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%s.exe

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

%s.disable

%s-Mutex

%s_%d

%s_%lu

kernel32.dll

%System%\wbem\wmiprvse.exe

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe

%WinDir%

wlcomm.exe

msmsgs.exe

msnmsgr.exe

pidgin.exe

iexplore.exe

firefox.exe

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

"%s" %S

Internet Explorer\iexplore.exe

lol.exe

explorer.exe

urlmon.dll

nspr4.dll

dnsapi.dll

wininet.dll

ws2_32.dll

Akernel23.dll

yntdll.dll

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:464
   %original file name%.exe:2016
   Lskmkx.exe:1688
   Lskmkx.exe:1136
   

3. Delete the original Trojan file.
   
4. Delete or disinfect the following files created/modified by the Trojan:
   

   %Documents and Settings%\%current user%\Application Data\Lskmkx.exe (8657 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"
   
   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
7. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.