Virus.Win32.Sality_598804a3aa

by malwarelabrobot on April 29th, 2014 in Malware Descriptions.

Virus.Win32.Sality.gen (Kaspersky), Win32.Sality.3 (B) (Emsisoft), Win32.Sality.3 (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Sality.FD, Virus.Win32.Sality.2.FD, VirusSality.YR, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Virus, WormAutorun, IRCBot


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 598804a3aad6bbbd0ec2946772f63e03
SHA1: c82760b0942e07631fbe41a68951fdc8b031ca5a
SHA256: b696adcd2f0f081b3702116d057a02c66d711080e76db5d5ffe75e132eecf8b3
SSDeep: 24576:i6rT7/pZLZzHA9PkpiowEusqiydSMY5AEbDe8:iC7RnYPkpMshyoZy8
Size: 886008 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2007-05-05 08:40:22
Analyzed on: WindowsXP SP3 32-bit


Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.


Process activity

The Virus creates the following process(es):

attrib.exe:1160
wuauclt.exe:540
regedit.exe:1092
AgentSvr.exe:2088
%original file name%.exe:2012

The Virus injects its code into the following process(es):

spoolv.exe:1180
Explorer.EXE:1912

File activity

The process wuauclt.exe:540 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
%WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
%WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)

The Virus deletes the following file(s):

%WinDir%\SoftwareDistribution\DataStore\Logs\tmp.edb (0 bytes)

The process spoolv.exe:1180 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\spoolv\control.ini (80 bytes)
%WinDir%\spoolv\TMP3.$$$ (51 bytes)
%WinDir%\spoolv\TMP4.$$$ (60 bytes)
%WinDir%\spoolv\TMP1.$$$ (30 bytes)
%WinDir%\spoolv\remote.ini (8197 bytes)
%WinDir%\spoolv\TMP2.$$$ (46 bytes)
%WinDir%\spoolv\mirc.ini (112512 bytes)

The Virus deletes the following file(s):

%WinDir%\spoolv\TMP3.$$$ (0 bytes)
%WinDir%\spoolv\TMP4.$$$ (0 bytes)
%WinDir%\spoolv\TMP1.$$$ (0 bytes)
%WinDir%\spoolv\TMP6.$$$ (0 bytes)
%WinDir%\spoolv\TMP2.$$$ (0 bytes)
%WinDir%\spoolv\TMP5.$$$ (0 bytes)

The process %original file name%.exe:2012 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%WinDir%\spoolv\spoolv.exe (33452 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000455EC_Rar\%original file name%.exe (6841 bytes)
%WinDir%\spoolv\control.ini (42 bytes)
%WinDir%\spoolv\run.bat (135 bytes)
%WinDir%\spoolv\ccc.mrc (10 bytes)
%WinDir%\spoolv\idents.txt (135 bytes)
%WinDir%\spoolv\aliases.ini (72 bytes)
%WinDir%\spoolv\reg.reg (1 bytes)
%WinDir%\spoolv\servers.ini (605 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00045531_Rar\%original file name%.exe (6841 bytes)
%WinDir%\spoolv\mirc.ico (5 bytes)
%WinDir%\spoolv\users.ini (178 bytes)
%WinDir%\spoolv\fullnames.txt (78 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000453D9_Rar\%original file name%.exe (6841 bytes)
%WinDir%\spoolv\mirc.ini (3 bytes)

The Virus deletes the following file(s):

%WinDir%\spoolv\__tmp_rar_sfx_access_check_284140 (0 bytes)

Registry activity

The process attrib.exe:1160 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE AB 75 CA 17 D2 E0 F4 16 39 B2 27 D5 7A 98 BB"

The process spoolv.exe:1180 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 E0 34 2B 1F 62 78 6E B0 D2 A8 9C 4D 94 ED C2"

[HKCR\ChatFile\Shell\open\ddeexec\Topic]
"(Default)" = "Connect"

[HKCR\irc]
"(Default)" = "URL:IRC Protocol"

[HKCR\.cha]
"(Default)" = "ChatFile"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\mIRC]
"UninstallString" = "%WinDir%\spoolv\spoolv.exe -uninstall"
"DisplayName" = "mIRC"

[HKCR\ChatFile\Shell\open\command]
"(Default)" = "%WinDir%\spoolv\spoolv.exe -noconnect"

[HKCR\irc\Shell\open\ddeexec\ifexec]
"(Default)" = "%1"

[HKCR\irc\Shell\open\ddeexec\Application]
"(Default)" = "svchost"

[HKCR\irc\Shell\open\ddeexec\Topic]
"(Default)" = "Connect"

[HKCR\ChatFile]
"(Default)" = "Chat File"

[HKCR\irc\Shell\open\command]
"(Default)" = "%WinDir%\spoolv\spoolv.exe -noconnect"

[HKCR\ChatFile\Shell\open\ddeexec]
"(Default)" = "%1"

[HKCR\irc]
"EditFlags" = "02 00 00 00"
"URL Protocol" = ""

[HKCR\irc\Shell\open\ddeexec]
"(Default)" = "%1"

[HKCR\.chat]
"(Default)" = "ChatFile"

[HKCR\ChatFile\Shell\open\ddeexec\Application]
"(Default)" = "svchost"

[HKCR\irc\DefaultIcon]
"(Default)" = "%WinDir%\spoolv\spoolv.exe"

[HKCR\ChatFile\Shell\open\ddeexec\ifexec]
"(Default)" = "%1"

[HKCR\ChatFile\DefaultIcon]
"(Default)" = "%WinDir%\spoolv\spoolv.exe"

The process regedit.exe:1092 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 5A 6F 26 05 14 2A 15 64 3A 1D 6C AE BC BB B7"

[HKCU\Software\mIRC\LockOptions]
"(Default)" = "0,4096"

[HKCU\Software\mIRC\License]
"(Default)" = "5662-546732"

[HKCU\Software\mIRC\UserName]
"(Default)" = "WhiteHat"

[HKLM\System\CurrentControlSet\Services\Svchost\Parameters]
"AppDirectory" = "C:\Windows\spoolv\spoolv.exe"
"Application" = "C:\Windows\spoolv\spoolv.exe"

To automatically run itself each time Windows is booted, the Virus adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"spoolv" = "C:\Windows\spoolv\spoolv.exe"

The process AgentSvr.exe:2088 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Microsoft Agent]
"UseBalloon" = "1"
"CommandsWindowLeft" = "4294967295"
"KeyHoldHotKey" = "145"
"PropertySheetPage" = "0"
"PropertySheetWidth" = "0"
"SRModeID" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
"SpeakingSpeed" = "5"
"CommandsWindowTop" = "4294967295"
"UseCharacterFont" = "1"
"UseVoiceTips" = "1"
"CommandsWindowHeight" = "200"
"EnableSpeaking" = "1"
"VoiceEnabled" = "1"
"CommandsWindowWidth" = "200"
"PropertySheetHeight" = "0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 46 0F 7E 4F 7E 7E 39 EA C1 00 B9 30 8D E9 22"

[HKCU\Software\Microsoft\Microsoft Agent]
"CommandsWindowLocationSet" = "0"
"UseSoundEffects" = "1"
"PropertySheetY" = "999999"
"PropertySheetX" = "999999"
"SRTimerDelay" = "2000"
"UseBeepSRPrompt" = "1"

The process %original file name%.exe:2012 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Aas]
"a4_36" = "258088356"
"a4_30" = "215073630"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a1_50" = "4267342224"
"a2_28" = "200730413"
"a2_29" = "207899426"
"a2_26" = "186388573"
"a2_27" = "193573873"
"a2_24" = "172061634"
"a2_25" = "179228956"
"a2_22" = "157728729"
"a2_23" = "164896728"
"a2_20" = "143379083"
"a2_21" = "150544185"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Aas]
"a2_7" = "50176954"
"a2_6" = "43009444"
"a2_5" = "35841042"
"a2_4" = "28673537"
"a2_3" = "21498089"
"a2_2" = "14346572"
"a2_1" = "7173091"
"a2_0" = "9832"
"a2_9" = "64528830"
"a2_8" = "57360172"
"a4_5" = "35845605"
"a4_4" = "28676484"
"a4_7" = "50183847"
"a4_6" = "43014726"
"a4_1" = "7169121"
"a4_0" = "0"
"a4_3" = "21507363"
"a4_2" = "14338242"
"a2_53" = "379972038"
"a3_43" = "324843106"
"a2_51" = "365619674"
"a2_50" = "358449583"
"a4_9" = "64522089"
"a4_8" = "57352968"
"a2_55" = "394299729"
"a2_54" = "387136433"
"a3_35" = "267899754"
"a4_54" = "387132534"
"a4_57" = "408639897"
"a4_56" = "401470776"
"a4_51" = "365625171"
"a4_50" = "358456050"
"a4_53" = "379963413"
"a1_48" = "262978150"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Aas]
"a1_12" = "1174665665"
"a1_13" = "4076776892"
"a1_10" = "1071546649"
"a1_11" = "2318739959"
"a1_16" = "1472144990"
"a1_17" = "3772702960"
"a1_14" = "4170948361"
"a1_15" = "247433699"
"a1_18" = "1449162629"
"a1_19" = "3052690794"
"a2_48" = "344126011"
"a2_49" = "351278618"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a2_40" = "286766458"
"a2_41" = "293932015"
"a2_42" = "301100597"
"a2_43" = "308266908"
"a2_44" = "315449677"
"a2_45" = "322613994"
"a2_46" = "329785115"
"a2_47" = "336951251"

"a3_36" = "241268621"
"a4_42" = "301103082"
"a4_43" = "308272203"
"a4_40" = "286764840"
"a4_41" = "293933961"
"a4_46" = "329779566"
"a4_47" = "336948687"
"a4_44" = "315441324"
"a4_45" = "322610445"
"a4_48" = "344117808"
"a4_49" = "351286929"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 12 22 E7 5A E4 1E 1F 02 C4 B6 78 B8 E9 82 28"

[HKCU\Software\Aas]
"a2_57" = "408634468"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a2_56" = "401466235"
"a3_42" = "284237251"
"a3_18" = "112354555"
"a3_19" = "152901914"
"a3_14" = "83367783"
"a3_15" = "124488582"
"a3_16" = "131411001"
"a3_17" = "104906840"
"a3_10" = "88506851"
"a3_11" = "95435266"
"a3_12" = "69459621"
"a3_13" = "76378820"
"a4_37" = "265257477"
"a4_11" = "78860331"
"a4_35" = "250919235"
"a4_34" = "243750114"
"a4_33" = "236580993"
"a4_32" = "229411872"
"a4_31" = "222242751"
"a4_10" = "71691210"
"a4_13" = "93198573"
"a4_39" = "279595719"
"a4_38" = "272426598"
"a1_41" = "1175678420"
"a1_40" = "3112489572"
"a1_43" = "812055938"
"a4_12" = "86029452"
"a1_45" = "2664743508"
"a1_44" = "806423141"
"a1_47" = "3114940119"
"a1_46" = "382469827"
"a1_49" = "1624578760"
"a4_15" = "107536815"
"a3_41" = "277248416"
"a4_14" = "100367694"
"a4_17" = "121875057"
"a3_28" = "183865525"
"a4_16" = "114705936"
"a3_40" = "269796609"
"a3_29" = "224867540"
"a4_19" = "136213299"
"a4_18" = "129044178"
"a3_21" = "167399900"
"a3_20" = "159956413"
"a3_23" = "148336286"
"a3_22" = "140888703"
"a3_25" = "195929936"
"a3_24" = "188875569"
"a3_27" = "176880658"
"a3_26" = "169827315"
"a4_24" = "172058904"
"a4_25" = "179228025"
"a4_26" = "186397146"
"a4_27" = "193566267"
"a4_20" = "143382420"
"a4_21" = "150551541"
"a4_22" = "157720662"
"a4_23" = "164889783"
"a3_47" = "353765350"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\windows\spoolv]
"run.bat" = "run"

[HKCU\Software\Aas]
"a4_28" = "200735388"
"a4_29" = "207904509"
"a3_38" = "289377359"
"a3_39" = "296296686"
"a1_22" = "767601794"
"a1_56" = "776211010"
"a1_57" = "3096474560"
"a1_54" = "622265903"
"a1_55" = "2017316994"
"a1_52" = "638804490"
"a1_53" = "1560123974"
"a3_37" = "248309804"
"a1_51" = "2008350609"
"a4_55" = "394301655"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Aas]
"a3_46" = "313221959"
"a1_21" = "3088289700"
"a2_17" = "121878036"
"a2_16" = "114708582"
"a2_15" = "107543232"
"a2_14" = "100362012"
"a2_13" = "93206883"
"a2_12" = "86027549"
"a2_11" = "78860252"
"a2_10" = "71693673"
"a1_42" = "608335292"

[HKCU\Software\WinRAR SFX]
"c%%windows%spoolv%" = "c:\windows\spoolv\"

[HKCU\Software\Aas]
"a2_19" = "136209430"
"a2_18" = "129046589"
"a1_0" = "3299283285"
"a1_1" = "3386940473"
"a1_2" = "3712339979"
"a1_3" = "2620474486"
"a1_4" = "83174613"
"a1_5" = "616562248"
"a1_6" = "454656014"
"a1_7" = "2401786110"
"a1_8" = "310532945"
"a1_9" = "2948510009"
"a3_49" = "368270520"
"a3_48" = "360822809"
"a3_34" = "260325067"
"a1_23" = "1393522403"
"a1_29" = "2974281407"
"a1_28" = "3228685785"
"a3_8" = "40388897"
"a3_9" = "47967552"
"a3_6" = "59977839"
"a3_7" = "67032206"
"a3_4" = "11991981"
"a1_20" = "1050578346"
"a3_2" = "31040235"
"a3_3" = "4933386"
"a3_0" = "17001001"
"a3_1" = "23989832"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Aas]
"a3_5" = "52535244"
"a3_44" = "332278405"
"a3_30" = "231909751"

"a1_27" = "889908127"
"a3_31" = "205278614"
"a1_26" = "675954575"
"a1_25" = "2922091070"
"a2_52" = "372799793"
"a3_32" = "212854281"
"a1_24" = "2020335726"
"a3_50" = "341766363"
"a3_51" = "348755322"
"a3_52" = "389745053"
"a3_53" = "396796476"
"a3_54" = "370165343"
"a3_55" = "377748222"
"a3_56" = "384737041"
"a3_57" = "425210800"
"a4_52" = "372794292"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Aas]
"a1_38" = "213872447"
"a1_39" = "3964775043"
"a3_33" = "253401768"
"a1_30" = "2646907918"
"a1_31" = "3886322426"
"a1_32" = "1167938370"
"a1_33" = "2462240188"
"a1_34" = "2225036716"
"a1_35" = "370808629"
"a1_36" = "2012235382"
"a1_37" = "3198637671"
"a2_31" = "222234361"
"a2_30" = "215079550"
"a2_33" = "236579903"
"a2_32" = "229414781"
"a2_35" = "250911624"
"a2_34" = "243747348"
"a2_37" = "265263361"
"a2_36" = "258081705"
"a2_39" = "279598592"
"a2_38" = "272431981"
"a3_45" = "305778468"

The Virus modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Virus modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Virus modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Dropped PE files

MD5 File path
b766003f431cad186bd115f5761592d1 c:\WINDOWS\spoolv\spoolv.exe
42cdcb63592ce0e938c024cb751e3972 c:\qbja.pif

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Virus's file once a user opens a drive's folder in Windows Explorer.

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 81920 79360 4.47529 e8b04bea2b59e75204346433e5b25e30
.data 86016 28672 2560 3.40909 fe3e541d125dbe299f892385c2f9e9c8
.idata 114688 4096 4096 3.56036 04f40b1b08e22882e24d4ec0e5f542e8
.rsrc 118784 90112 90112 5.37512 60744d27c7c168ebb1c3bd41d960db9a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 14

Traffic

Web Traffic was not found.

spoolv.exe_1180:

.text
`.data
.rdata
P.idata
@.edata
@.rsrc
<"u%Cj"S
t'h.AV
uDPj
;/u%C
FtPj
:%u"j
t.JtC
?t.VW
xmsg
xmsg *
%u8F3
.progid
.result
.error
.errortext
.argerr
.dispatch
.unknown
%d,%d,%d
%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d
*.acs
\spd=d\\pit=%d\\vol=%d\
%d.%d
.char
.name
.fname
.visible
.speed
.pitch
.idle
.effects
.active
.langid
.hide
.anim
.balloon
.line
mirc.ini
urls.ini
4DOS.COM
kernel32.dll
shell32.dll
riched20.dll
uxtheme.dll
%slang.dll
MSWHEEL_ROLLMSG
%s %lu%%
msimg32.dll
Send %s %s %lu%%
Get %s %s %lu%%
%stblogo.bmp
Software\Microsoft\Windows\CurrentVersion\Uninstall\mIRC
Software\Microsoft\Windows\CurrentVersion\Uninstall
.chat
%s.lnk
miunst_.exe
mlink32.exe
aliases.ini
popups.ini
servers.ini
control.ini
mirc.hlp
mirc.gid
mirc.fts
ircintro.hlp
ircintro.fts
ircintro.gid
readme.txt
versions.txt
VCMD
%s, %s
.mute
website
name=%s
email=%s
website=%s
ipaddr=%s
picture=%s
note%d=%s
PRIVMSG %s :
WHOIS %s
ctcp
/!.dcc chat %s
Nick: %s
/!.server %s
%s*.wav
,ctcp
,"%s"
%s,%d,%s,%s,%d,%d,%d,%d,%d
&%d %s
%s*.ini
%s%salias%d%s
%s%s*%s
%saliases.ini
%d:%d/%d (%0.1Lfk)
%s,%d,%d
%s,%d
%s*.bmp
.word
.nword
.long
.nlong
-> %s
%sdebug.log
\/:*?"<>|^
%s%s%s%s
%s%s%s
%smirc.hlp
%s %s
write.exe %s
notepad.exe %s
*!*@%s
%s!*@*
%splayq%d.txt
%d.%d.%d.%d
[Auto-unban in %s]
MODE %s  b
MODE %s  e
MODE %s  I
MODE %s -
MODE %s -b b %s %s
MODE %s -e e %s %s
MODE %s -I I %s %s
TOPIC %s :%s
MODE %s
MODE %s -k %s
%s,"%s"
%s,"%s",,%s
%s,,,%s
JOIN %s
/!.server %s -j %s
NAMES %s
JOIN
JOIN %s %s
channels.txt
LIST %s
LIST <%d
LIST >%d,<%d
,*%s*
LISTX <%d
LISTX >%d,<%d
%s.txt
NOTICE %s :DCC Fserve (%s)
NOTICE %s :DCC Chat (%s)
DCC CHAT chat %lu %u
DCC CHAT chat %lu %u %d
Serve %s
Chat %s
110 %s
100 %s
%s!id@%s
/!ignore -wdu %s
%s!%s
/!ignore -du %s
Serve %s (%s)
Chat %s (%s)
111 %s
101 %s
* %s %s
<%s> %s
nicklist
%d,%d
/!.join -n %s
/!.join %s
%smirc.ini
port
password
cnicks
Any nick
(Idle:%d)
.color
.colour
.modes
.levels
.method
.anymode
.nomode
.ignore
.voice
.protect
.notify
Ctcp text
Join text
Nick text
d%c%s
d%s
PRIVMSG
MODE %s -b %s
MODE %s  b %s
closemsg
-> [%s] %s
NOTICE %s :
/!.window -n %s
/!.window %s
ACTION %s
-> *%s* %s
%s (server)
%s on
%s off
(%s %d)
/!.ruser %s %s
,private,channel,notice,ctcp,dcc,invite,codes
PART %s
$%&*() =#:;@<>,.?/\
-> *%s*
anick
tnick
NICK :%s %s
NICK :%s
cprivmsg
privmsg
PRIVMSG %s :!%s %s%s
-> *%s* !%s %s%s
PRIVMSG %s :%s
-> -%s-
WATCH -%s
WATCH  %s
omsg
PRIVMSG @
-> Ops %s: %s
-> Server: %s
Ctcps
SERVER:%s:%s
GROUP:%s
%sSERVER:%s:%d:%sGROUP:%s
SOUND "%s%s"
SOUND %s%s
-> [%s] SOUND
WHOIS %s %s
%c%d,d
%c%d,%d
%cd
* %s:
[%s SOUND]
[%s:%s %s]
[%s %s]
VERSION mIRC %s Khaled Mardam-Bey
PING %s
FINGER %s (%s) Idle %lu seconds
TIME %s
DCC ACCEPT file.ext %u %lu
DCC ACCEPT file.ext %u %lu %d
$did(%s,%d)
, in '%s'
.title
.modal
.table
.cancel
.focus
.hwnd
.state
.enabled
.lines
.next
.prev
.edited
.selstart
.selend
.seltext
%d %s
%s*.*
EXTDIR:%s
EXTAPP:%s
EXTCOM:%s
defaultEXTDIR:%s
%s*.txt
opera
OPERA
mIRC %s
NICKNAME
SERVERPORT
%s:%d
PORT
/!.server %s %u -l -j %s
/!.server -j %s
d:d:d
00:00:00
dccnicks
%s (%s)
(of %s)
/!.server -m %s %u -l -j %s
/!.server -m -j %s
%s:%u
lang.dll
lang32.dll
*.wav:/sound $1 $2-
*.*:/dcc send $1 $2-
%s "%s"
%s.bmp
%d,%d,"%s","%s",%d
awaymsg
cmdbox
cmdline
cnick(
dccport
hnick(
mircexe
mknickfn(
mnick
nick
nickmode
nick(
nhnick(
nopnick(
nvnick(
opnick(
pnick
portfree(
rnick(
snick(
snicks
vcmd(
vcmdver
vcmdstat
vnick(
$nick
*.wav,*.mid,*.mp3,*.wma,*.oggEXTDIR:%s
*.wavEXTDIR:%s
*.midEXTDIR:%s
*.mp3EXTDIR:%s
*.wmaEXTDIR:%s
*.oggEXTDIR:%s
%sdownload
defaultEXTDIR:%s\
EXTOPT:%s
dirinfo.srv
mIRC %s File Server
$%s($1,$2)
%ld %s
CONNECT %s:%ld HTTP/1.0
%s:%s
Authorization: Basic %s
Proxy-Authorization: Basic %s
/!ignore -u%d *!*%s
/!ignore -u%d *!%s
PRIVMSG %s :FLOODCHECK
Get %s %s
DCC RESUME file.ext %u %lu
DCC RESUME file.ext %u %lu %d
121 %s %lu
130 %s %s\%s
132 %s %lu
%lu%% Get %s %s
%lu Get %s %s
.size
.unset
.item
.data
%d,%d,%d,30,
%d,%d,%d,%d,%s,%s
color %d
%s%s,
,"%s",%ld
http://
https://
ftp://
.nick
.pnick
.addr
.user
.host
.mark
%s %ld
%s (%s) %ld
.date
.ctime
%d, %d : USERID : %s : %s
.info
.email
.website
.ipaddr
.note
.picture
.topic
.status
joining
joined
.logfile
.stamp
.mode
.limit
.banlist
.inwho
.owner
.help
.type
.network
.secs
.label
.free
$evalnext(%s,%d)
$evalnext(%s,0)
.atime
.mtime
.shortfn
.file
.path
.rcvd
.done
.resume
.sound
.flash
.message
.nicks
if (%s) { return 1 } | else { return 0 }
.alias
.level
.deowner
.deop
.dehelp
.devoice
.unban
.whois
.ison
.width
.height
.sent
.desc
.port
.group
.pass
status %s position
.length
status %s length
return %s
$style(%d)
.time
d:d
.reps
.delay
.anysc
*@*.*
.sbtext
.sbcolor
.icon
.font
.fontbold
.fontsize
.ontop
urls
%s,%s
%sSERVER:%s:%s
n%d=%s
%scontrol.ini
ports
[urls]
addrbk.ini
%sfinger.txt
*.jpg,*.gif,*.png,*.bmp,*.txt,*.log,*.wav,*.mid,*.mp3,*.wma,*.ogg,*.zip
*.exe,*.com,*.bat,*.dll,*.ini,*.mrc,*.vbs,*.js,*.pif,*.scr,*.lnk,*.pl,*.shs,*.htm,*.html
%sSERVER:%s:%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%u,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%u,%d,%d,%d,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%ld,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%ld,%d,%d,%d,%d,%d
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%ld,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
windows
%@<>,.:*^)!( 0
set -ls %s
set -l %s
hop /part # | /join #$$1
amsg
cnick
ctcpreply
ctcps
join
sockudp
vcmd
MODE %s
JOIN
KICK %s %s
MODE %s -o %s
NICK
CTCPREPLY
PONG :%s
* Knock: %s
MEMBERKEY
*%s* whispers:
%s!%s@%s
PRIVMSG
(%s, %s)
(%s!%s)
&temp[strlen(temp)] (%s)
(d:d)
MODE %s  v %s
MODE %s  o %s
%s %s %s
%s %s set by %s
%s@%s
%s %s %s %s@%s :%s
%s %s %s %s@%s
IRC Operator
%s,%s,%s
NICK %s
/nick
* %s: %s
%cServices Message (%s)
%d,%d,%d,%d,%d,%d,%d,%d,%d,%d
user32.dll
%s (%s) %s
Links: %d servers
%lu,%d
URL List
%s%s%s\%s%s
%s%s%s.%s%s
%s%s%s.ddd%s
%s%s\
%s*.log
*!%s@%s
*!*%s@%s
%s!*%s@%s
%s!*@%s
.%s:!
Nick List
&0 %s
%s*.hlp
%s*.htm
%s*.chm
%s%s.hlp
%s.hlp
%s%s.bmp
/!.drawsave -b24 %s %s%s
/!.names %s
%snewlist.txt
URL:%s
%c:%sURL:%s
/!.notify
/!.links
%slinks.ini
/!.join %s %s
/!.topic %s
/!.load -a "%s"
/!.reload -a "%s"
/!.load -p
/!.reload -p
/!.load -r
/!.reload -r
MPEG %0.1Lf Layer %d
Joint Stereo
Opera
.album
.artist
.year
.comment
.genre
.track
.version
.bitrate
.variable
.sample
.copyright
.private
%d,%d,%d,%d,%d,%d
%s\%s
131 %s %lu
Notify List (%d/%d)
ISON %s
%d,%d,%d,%d,%s,%s,"%s",%d
Wave (*.wav)
Midi (*.mid)
Mp3 (*.mp3)
Wma (*.wma)
Ogg (*.ogg)
%s*.bmp;*.jpg;*.png
%s*.ico
%s%s*.ico
mirc.exe
mirc32.exe
*.wav
MODE %s  i
MODE %s -i
0123456789
All Networks,%s
%sperform.ini
/notice %s
/.notice %s
/msg %s
/.msg %s
/!.play
1.2.1
%d,%d,%d,%d,0,0,0
Windows
0,0,0,0,0,1,0
%s%sscript%s
%s%sscript%d%s
"%s" "%s" %s
"%s" -uninstall
"%s" -noconnect
ChatFile\Shell\open\ddeexec
ChatFile\Shell\open\ddeexec\Application
ChatFile\Shell\open\ddeexec\ifexec
ChatFile\Shell\open\ddeexec\Topic
URL:IRC Protocol
URL Protocol
Software\Classes\irc\Shell\open\ddeexec
Software\Classes\irc\Shell\open\ddeexec\Application
Software\Classes\irc\Shell\open\ddeexec\ifexec
Software\Classes\irc\Shell\open\ddeexec\Topic
http\shell\open
/!.run mailto:%s
.sta\shell\open
$bnick
$hnick
$keychar
$keyrpt
$keyval
$knick
$matchkey
$newnick
$opnick
$vnick
=$nick
KEYDOWN
KEYUP
UDPREAD
UDPWRITE
ctcp
remote.ini
%sscript.ini
Send %s %s
120 %s %lu %s
DCC SEND "%s"
DCC SEND %s
%lu %u %lu
%lu %u %lu %d
NOTICE %s :DCC Send %s (%s)
%lu%% Send %s %s
%lu Send %s %s
%lu %s
* signal '%s' (%s)
* signal '%s'
* /sockudp: '%s' %s
* /sockudp: %s
* /socklisten: '%s' %s
* /socklisten: %s
* /sockaccept: '%s' %s
* /sockaccept: %s
* /sockrename: '%s' %s
* /sockopen: '%s' %s
* /sockread: %s
* /sockwrite: '%s' %s
* /sockwrite: %s
%s:%u
(on: %s %u)
.bindip
.bindport
.saddr
.sport
.wserr
.wsmsg
open "%s" type waveaudio alias mircwave
open "%s" type sequencer alias mircmidi
open "%s" alias mircsong
open "%s" type mpegvideo alias mircsong
open "%s" type mpegvideo2 alias mircsong
play mircsong from %d notify
[%s GET] %s%s
seek mircsong to %d
%a %b %d %X %Y
[d:d]
d:d
"%s","",0xFFFFFFFF,0x4,"","",""
"%s","",0x0,0x4,"","",""
WWW_OpenURL
URL List [%s%s]
USERHOST %s
.value
.local
mIRC_Url
ourl
%d,%d,%d,%d,%d,%d,%d,%d
surl
:%s!%s PART %s
PASS %s
"%s" "%s" :%s
QUIT :%s
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
erroffset passed as NULL
Bogus message code %d
Invalid component ID %d in SOS
IDCT output block size %d not supported
Wrong JPEG library version: library is %d, caller expects %d
Invalid memory pool code %d
Unsupported JPEG data precision %d
Invalid progressive parameters Ss=%d Se=%d Ah=%d Al=%d
Invalid progressive parameters at scan script entry %d
Invalid scan script at entry %d
Improper call to JPEG library in state %d
JPEG parameter struct mismatch: library thinks size is %u, caller expects %u
Buffer passed to JPEG library is too small
Too many color components: %d, max %d
Unsupported color conversion request
Bogus DAC index %d
Bogus DAC value 0x%x
Bogus DHT index %d
Bogus DQT index %d
Empty JPEG image (DNL not supported)
Maximum supported image dimension is %u pixels
Cannot transcode due to multiple use of quantization table %d
Backing store not supported
Huffman table 0xx was not defined
Quantization table 0xx was not defined
Not a JPEG file: starts with 0xx 0xx
Insufficient memory (case %d)
Cannot quantize more than %d color components
Cannot quantize to fewer than %d colors
Cannot quantize to more than %d colors
Unsupported JPEG process: SOF type 0xx
Failed to create temporary file %s
Unsupported marker type 0xx
Adobe APP14 marker: version %d, flags 0xx 0xx, transform %d
Unknown APP0 marker (not JFIF), length %u
Unknown APP14 marker (not Adobe), length %u
Define Arithmetic Table 0xx: 0xx
Define Huffman Table 0xx
Define Quantization Table %d precision %d
Define Restart Interval %u
Freed EMS handle %u
Obtained EMS handle %u
= = = = = = = =
JFIF APP0 marker: version %d.d, density %dx%d %d
Warning: thumbnail image size does not match data length %u
JFIF extension marker: type 0xx, length %u
with %d x %d thumbnail image
Miscellaneous marker 0xx, length %u
Unexpected marker 0xx
%4u %4u %4u %4u %4u %4u %4u %4u
Quantizing to %d = %d*%d*%d colors
Quantizing to %d colors
Selected %d colors for quantization
At marker 0xx, recovery action %d
RST%d
Smoothing not supported with nonstandard sampling ratios
Start Of Frame 0xx: width=%u, height=%u, components=%d
Component %d: %dhx%dv q=%d
Start Of Scan: %d components
Component %d: dc=%d ac=%d
Ss=%d, Se=%d, Ah=%d, Al=%d
Closed temporary file %s
Opened temporary file %s
JFIF extension marker: JPEG-compressed thumbnail image, length %u
JFIF extension marker: palette thumbnail image, length %u
JFIF extension marker: RGB thumbnail image, length %u
Unrecognized component IDs %d %d %d, assuming YCbCr
Freed XMS handle %u
Obtained XMS handle %u
Unknown Adobe color transform code %d
Inconsistent progression sequence for component %d coefficient %d
Corrupt JPEG data: %u extraneous bytes before marker 0xx
Warning: unknown JFIF revision number %d.d
Corrupt JPEG data: found marker 0xx instead of RST%d
%ld%c
%d %s %d d:d:d  0000
libpng version 1.2.1 - December 12, 2001
libpng version 1.2.1 - December 12, 2001 (header)
1.1.3
1.0.6 or earlier
NULL row buffer for row %ld, pass %d
Buffer error in compressed datastream in %s chunk
Data error in compressed datastream in %s chunk
Incomplete compressed datastream in %s chunk
Unknown zTXt compression type %d
iTXt chunk not supported.
This version of libpng does not support user transform info
inflate 1.1.3 Copyright 1995-1998 Mark Adler
XX.CPP
varType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpClass.tpcDtorAddr
(errPtr->ERRcInitDtc >= varType->tpClass.tpcDtorCount) || flags
memType->tpClass.tpcFlags & CF_HAS_DTOR
varType->tpArr.tpaElemType->tpClass.tpcFlags & CF_HAS_DTOR
dttPtr->dttType->tpPtr.tppBaseType->tpClass.tpcFlags & CF_HAS_DTOR
IS_CLASS(dttPtr->dttType->tpMask) && (dttPtr->dttType->tpClass.tpcFlags & CF_HAS_DTOR)
elemType->tpClass.tpcFlags & CF_HAS_DTOR
XXTYPE.CPP
derv->tpClass.tpcFlags & CF_HAS_BASES
Inappropriate I/O control operation
Broken pipe
Operation not permitted
%H:%M:%S
%m/%d/%y
%A, %B %d, %Y
%x %X
%s: %s error
d/d/d -:d:d.d
merlin.acs
* Connect retry #1 91.236.182.1 (6667)
%WinDir%\spoolv\spoolv.exe
%WinDir%\spoolv\mirc.ico
%WinDir%\spoolv\addrbk.ini
TampaSERVER:91.236.182.1:6667GROUP:Undernet
* %s sets mode:
on %s
%WinDir%\spoolv\
%WinDir%\spoolv\mirc.ini
%WinDir%\spoolv\finger.txt
poolv.exe
Status: niekkuf [ iwx] on zeta.eu.ix.undernet.org:6667
5662-546732
%WinDir%\spoolv\logs\
%WinDir%\spoolv\sounds\
Microsoft Windows
,0,0,0,0,0
%Program Files%\Outlook Express\msimn.exe
%Program Files%\Internet Explorer\iexplore.exe
*!*@Ciggy.users.undernet.org
%WinDir%\spoolv\servers.ini
WINDOWS\spoolv\
%WinDir%\spoolv\urls.ini
ADVAPI32.dll
KERNEL32.dll
MPR.dll
VERSION.dll
WSOCK32.dll
COMDLG32.dll
GDI32.dll
SHELL32.dll
USER32.dll
WINMM.dll
OLE32.dll
OLEAUT32.dll
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyA
RegOpenKeyA
RegOpenKeyExA
GetCPInfo
GetWindowsDirectoryA
WinExec
FindExecutableA
SHFileOperationA
ShellExecuteA
EnumThreadWindows
GetAsyncKeyState
GetKeyState
GetKeyboardState
MapVirtualKeyA
SetKeyboardState
SetWindowsHookExA
UnhookWindowsHookEx
&-\ /]&6
'''""'8*"8:5
KI[[[[[[[[M/.MCIK
[[/LI.CIK
%UXGUG5:
[[[M/.MC
[[[M/.MCIK
%UUGXG:
[[[[??[[
?[[[-[[[[?
[[/ML.CIK
[[[?8686[[[&
`.bss
.idata
KERNEL32.DLL
USER32.DLL
CRTDLL.DLL
&4 Nick List
&Ctcps
1995-2002
Visit the mIRC website at:
http://www.mirc.com
(for example: *.txt,*.doc,*.wri)
&Sort files by nickname into own folders
Nick
&Port(s):
Passwords are only needed by special types of users.
Pass&word:
Add URL
&Get Active URL
&Joins/Parts
&URLs
Web browser:
Enable support for &chat links
&Key:
Nick:
&Nickname:
&Default Port:
&Use random ports for listening sockets
&Own nickname
O&wn nickname
&Address (nick!user@host):
C&tcp
DCC Ports:
Use &multi-line editboxes in chat windows
Enable &dual monitor support
&Chat with nick or address:
&No key
&Shift key
&Joins:
&Ctcps:
&Nicks:
Find URL
&Finger nick or address:
&Firewall support:
&Ctcp replies
&Escape key minimizes windows
&Hotlinks only when shift key pressed
Titlebar right-click needs &Shift key
Tab key changes editbox &focus
&Port:
Use qu&ery for notify nicks
Auto-join ch&annel on invite
&Rejoin channel when kicked
Rejoin channels on c&onnect
&Hide channel key
Use short joins/parts
Cancel away on &keypress
Enter name of &channel to join:
&Join
Join
&Password:
&Join channel on connect
&Minimize on join
Transparency works only on desktop windows.
&Url List
irc.demon.co.uk:6667
stork.doc.ic.ac.uk:6667
&Change servers and join the channel
&Join the channel on the current server
Ask for password:
Lock Password
Enter password to lock Hide options
Ctcp &finger reply:
File 'moo.mrc' has changed, reload from disk?
Command to perform on nick double-click:
&Nick List:
&Nick colors:
Add Nick
Nick &Color:
&Nick or Address (nick!user@host):
&Listen for '!nick file' get requests
&Send '!nick file' as private message
Listen on &Port:
You can enter a wildcard address below in the form nick!user@host.
The file '%s' may contain programs or macros. Opening it may cause damage to your computer, or may install a virus or trojan on your system.
c:\mirc\download
&Ctcp reply:
By default, windows open inside the main mIRC window. They can be made to open on the desktop by checking the boxes below.
&URL List
H&ide minimized desktop windows
&Group windows by network
&Move all windows for active connection to top
* /%s: '%s' (%s) already loaded
* Loaded agent '%s' (%s)
* /%s: error loading '%s' (%s)
* Unloaded agent '%s'
* /%s: '%s' not loaded
* /%s: error showing %s
* Showing agent '%s'
* /%s: error hiding %s
* Hiding agent '%s'
* /%s: error moving %s
#* Moving agent '%s' to %d,%d (%ld)
* Moving agent '%s' to %d,%d
* Sizing agent '%s' to %d,%d
* /%s: '%s' error talking
* Agent '%s' thinks: %s
* Agent '%s' says: (%s) %s
* Agent '%s' says: (%s)
* Agent '%s' talks: %s
$* /%s: '%s' error playing '%s' (%s)
* Agent '%s' plays: (%s)
* /%s: '%s' error pointing
* Agent '%s' points at %d,%d
* Agent '%s' stopped
* /%s: '%s' balloon error
* Agent '%s' balloons are on
* Agent '%s' balloons are off
* Agent '%s' idle is on
* Agent '%s' idle is off
* Agent '%s' effects are on
* Agent '%s' effects are off
"* Agent '%s' language id 0x%0.4lx
* Agent '%s' hiding is on
* Agent '%s' hiding is off
TThis nickname is currently listed in your address book.
=This nickname is not currently listed in your address book.
%s on %s says:
%s on %s:
%s says:
%s on %s notice:
%s notice:
%s on %s sends ctcp:
%s sends ctcp:
You've joined channel %s
You've rejoined channel %s
%s has joined channel %s
You've left channel %s
%s has left channel %s
%s has kicked you off %s
%s has kicked %s off: %s
Your nickname is now %s
%s has changed nickname to %s
!%s has invited you to channel %s
%You've connected to %s network as %s
$You've connected to server %s as %s
'%s you've disconnected from %s network
&%s you've disconnected from server %s
%s is on IRC
%s has left IRC
%s wants to DCC Chat with you
DCC Chat with %s connected
DCC Chat with %s failed
DCC Chat with %s closed
!%s wants to DCC Send you file %s
Getting file %s from %s
"DCC Get of file %s from %s failed
ÜC Get of file %s from %s completed
Sending file %s to %s
!DCC Send of file %s to %s failed
$DCC Send of file %s to %s completed
%s changes modes on %s
%s sets user mode %s
for %s
%s on %s
%d addresses
%s says: %s
%s: %s
%s has quit IRC
Topic on %s is: %s
"%s on %s has changed topic to: %s
%s on %s has removed topic
"* Updated auto-op channels for %s
* Updated auto-op for %s
* Added %s to auto-op list
* Removed %s from auto-op list
* %s isn't in auto-op list
* Com '%s' already open
* Opened Com '%s' (%s)
* Closed Com '%s'
* No such Com '%s' open
* Unregistered Com '%s'
* Unable to unregister Com '%s'
* Registered Com '%s'
* Unable to register Com '%s'
[no nick]
logging on to %s
connecting to %s
not connected to %s
* Auto-join on invite is on
* Auto-join on invite is off
* Removed '%s' alias
* /alias: unable to remove '%s'
* /alias: '%s' doesn't exist
"* /alias: error adding '%s' alias
* Replaced '%s' alias
* Added '%s' alias
!* /amsg: you're not on a channel
* /background: no such nick
#* /background: unable to load '%s'
** Waiting %d seconds for previous request
* Retrieving %s info...
* /copy: file exists '%s'
* Copied '%s' to '%s'
%* /copy: unable to copy '%s' to '%s'
* /ctcp: use /dcc command
* Ctcps are on
* Ctcps are off
* DCC Packet Size is %d
1* File request by %s rejected due to busy state
7NOTICE %s :System is currently busy, try again later.
* DDE Server is on (%s)
* Debug output on (%s)
* /describe: no such nick
)* Remote default user level is set to %d
* DCC Server is on (%d
* /editbox: no such nick
* /%s: no such group(s)
* Removed %s from color list
"* Removed item %d from color list
* Added %s to color list
* Updated %s in color list
0* /alias: unable to remove '%s' (line %d, %s%s)
* Dcc trust is on (%d entries)
* Dcc trust is off (%d entries)
/* Trigger: %d, Queue: %d, User: %d, Ignore: %d
* %d messages waiting in queue
* Flushed %d nicks
* No nicks needed to be flushed
7* FileServer request by %s rejected (existing session)
 * FileServer request by %s rejected (busy)
* In file %s%s
* User name: %s
* Email address: %s
* Identd is on (%s)
* /join: no such channel
* Loaded aliases '%s'
* Loaded popup '%s'
* Loaded users '%s'
* Loaded variables '%s'
* Reloaded script '%s'
* Loaded script '%s'
* /loadbuf: no such nick
* Logging %s to '%s'
* Logging for %s halted
* %s is being logged
* %s is not being logged
$* /me: must use /msg in this window
* /mkdir: unable to create '%s'
* /rmdir: unable to remove '%s'
* /msg: no such nick
* /msg: DCC Chat is not active
* Your nickname is now %s
$* Your alternate nickname is now %s
* Use /msg in this window
* /notify: %s not in list
* Removed %s from notify list
!* /notify: %s is already in list
* Added %s to notify list
* /%s: you're not on a channel
* /%s: must be an Op on %s
* /%s: no other Ops on %s
 NOTICE %s :FileServer is busy, try later.
* Marked %s with '%s'
* Unmarked %s
* Ctcp protection is on
* Ctcp protection is off
* You're not an Op on %s
* Removed '%s'
!* /remove: unable to remove '%s'
* /remove: no such file '%s'
* Renamed '%s' to '%s'
)* /rename: unable to rename '%s' to '%s'
!* Removed level(s) from %d users
* Saved popup to '%s'
* Saved users to '%s'
* Saved variables to '%s'
* /savebuf: no such nick
* Updated '%s' in servers list
* Added '%s' to servers list
* /server: '%s' no such server
!* Removed '%s' from servers list
#* /sound: no such nick in DCC Chat
'* /sound: must use /msg in this window
* /sound: unable to play '%s%s'
* /splay: no such file '%s'
* /splay: unable to play '%s'
* Timestamp for %s is on
* Timestamp for %s is off
* Unloaded aliases '%s'
* Unloaded script '%s'
* URL Catcher is on
* URL Catcher is off
* Looking up %s user info...
* Timestamp format: %s
DCC Fileserver to %s: %s
DCC Chat with %s: %s
Client: %s (%s)
Client: %s (%u)
%s [message waiting]
DCC Fileserver to %s closed
Chat with %s
Serving %s
Time: %s
Edit Nick
%d/%d Channels
%d/%d Channels on %s
!Enter password to unlock options
* Connecting to %s (%d)
* Connect retry #%d %s (%d)
'* Sound request: unable to play '%s%s'
!* Sound request: can't find '%s'
#* Ignored DCC Chat request from %s
DCC Chat from %s rejected
/DCC Chat from %s rejected (invalid parameters)
#* Ignored DCC Send request from %s
DCC Send from %s rejected
/DCC Send from %s rejected (invalid parameters)
1DCC Resume from %s rejected (invalid parameters)
1DCC Accept from %s rejected (invalid parameters)
2DCC Send from %s rejected (%s, file type ignored)
* $dialog: '%s' invalid id '%s'
"* $dialog: '%s' duplicate id '%d'
(* $dialog: '%s' error loading icon '%s'
$* $dialog: '%s' invalid prefix '%s'
* $dialog: '%s' invalid table
* /dialog: '%s' invalid name
* /dialog: '%s' name in use
* /dialog: '%s' no such table
* /dialog: '%s' creation error
* /did: '%s' error loading '%s'
* /did: '%s' invalid id '%d'
* $dialog: '%s' invalid name
* $dialog: '%s' name in use
* $dialog: '%s' creation error
* DDE name '%s' is in use
Delete selected URL(s)?
Current server:%u
* Looking up %s
* /dns: no such user %s
* Unable to resolve %s
* Resolved %s to %s
* /dll: no such routine '%s'
* $dll: unable to open '%s'
* $dll: no such routine '%s'
* %s: error loading '%s'
* /drawsave: error saving '%s'
* /%s: insufficient parameters
* /%s: no such file '%s'
* /%s: error allocating memory
* Error allocating %s memory
* /%s: invalid parameters
* /%s: unable to open '%s'
* /%s: unable to open file
Error allocating %s memory
* /%s: invalid window
* /%s: string too long
(line %d, %s%s)
(* /%s: command locked in options dialog
* /%s: not connected to server
$* /%s: unable to resolve local host
* Finger server query by %s
* Finger server query %s
by %s
(unable to open %s)
'%s'?
 * Flood protection: %d message(s) in queue
Trying %s
Attempting to finger %s@%s
Attempting to finger @%s
[error opening file %s]
* /goto: duplicate '%s' found
* /goto: '%s' not found
hThe file '%s%s' cannot be saved to the main mIRC folder.
JThe file '%s%s' is currently in use.
DCC Get of %s from %s: %s
!DCC Get of %s from %s incomplete
5DCC Get of %s from %s incomplete (unable to connect)
DCC Get of %s from %s complete
* Unable to run '%s'
* /%s: table '%s' exists
* /%s: no such table '%s'
* Made hash table '%s' (%d)
* Freed hash table '%s' (%d)
'* Freed %d hash table(s) matching '%s'
%* Added item '%s' to hash table '%s'
)* Deleted item '%s' from hash table '%s'
/* Deleted %d '%s' item(s) from hash table '%s'
#* Loaded hash table '%s' from '%s'
* Saved hash table '%s' to '%s'
/* /%s: error loading hash table '%s' from '%s'
,* /%s: error saving hash table '%s' to '%s'
Nickname and Message
Nickname only
* Identd request from %s
,* Identd replied: %d, %d : USERID : %s : %s
!* Updated ignore switches for %s
* Added %s to ignore list
&* Added %s to ignore list for %d secs
* Removed %s from ignore list
* %s isn't in ignore list
* /%s: line too long
* /if: '%s' unknown operator
* /if: unknown operator
!* /elseif: '%s' unknown operator
* /elseif: unknown operator
* /while: '%s' unknown operator
* /while: unknown operator
!* %s (%s) invites you to join %s
* %s invites you to join %s
* Rejoined channel %s
* Now talking in %s
* %s (%s) has joined %s
* %s has joined %s
* Joins: %s (%s)
* Joins: %s
* Joins %s: %s (%s)
* Joins %s: %s
* You were kicked by %s
* You were kicked from %s by %s
"* Attempting to rejoin channel %s
* %s was kicked by %s
* You were killed by %s (%s)
* %s killed by %s (%s)
* %s sets %s mode:
* %s is now known as %s
* Your nick is now %s
[%s PING reply]
[%s %s reply]
* %s (%s) has left %s
* %s has left %s
* Parts: %s (%s)
* Parts: %s
* Parts %s: %s (%s)
* Parts %s: %s
* PONG from %s
* %s has quit IRC
* Quits: %s
* %s (%s) Quit
* %s changes topic to '%s
* %s changes topic to ''
%s is
%s on %s
%s using %s
%s is away:
%s was
%s has been idle %s
, signed on %s
* Topic is '%s
* Set by %s on %s
%s topic set by %s on %s
%s url is %s
%s created on %s
%s has been invited to %s
%s unable to join channel
* Unable to join channel
need correct key
not using registered nick
Session Start: %s
Session Close: %s
* Unable to open log file '%s'
Start of %s buffer: %s
End of %s buffer %s
%* Error opening/writing to file '%s'
* %s buffer saved to file '%s'
Session Time: %s
&Join channel
&Visit Website
Save &URL
* Unable to open '%s'
Load URLs
Save URLs
Channel windows are open.
Chat/Query windows are open.
Query windows are open.
 File '%s%s' has changed, reload from disk?
* DCC Server request from %s
DCC Send of %s to %s timed out
DCC Get of %s from %s timed out
Fileserver to %s timed out
* Reset connection id to: %d
* Active connection id: %d
* No such connection id: %d
* Set connection id to: %d
"* %s: property can't use brackets
is on IRC (%s)
MOTD's often include important information such as POLICIES and RULES for the IRC Server or Network to which you are connecting.
Enter password to lock options
Enter password to lock mIRC
(* Resuming '%s%s' to %s with %dms delay
* /play: unable to open '%s'
(* /play: topic '%s' not found in '%s%s'
7* Playing topic '%s' from '%s%s' to %s with %dms delay
'* Playing '%s%s' to %s with %dms delay
* Playback of '%s%s' stopped
* Playback of '%s%s' complete
* Play queue at max. size of %d
)* User exceeded play request limit of %d
&* Queued '%s%s' to %s with %dms delay
Random line, %dms, %s%s
%s, %d/%d, %dms, %s%s
Line %d, %dms, %s%s
%d/%d lines, %dms, %s%s
"* Updated protect channels for %s
* Added %s to protect list
* Removed %s from protect list
* %s isn't in protect list
mIRC Password
Please enter your password
* /bread: error accessing '%s'
* /bread: error reading '%s'
* /bwrite: error accessing '%s'
* $read: error opening %s
* /%s: error updating '%s'
* /%s: too large: '%s'
somewhere around line %d.
Editing: %s%s
Editing: Nick List
File: %s
Load Nick List Popup
Save Nick List Popup
.The file '%s' is currently loaded and in use.
*The file '%s' already exists.
DCC Send of %s to %s: %s
DCC Send of %s to %s complete
DCC Send of %s to %s incomplete
0DCC Send to %s incomplete (service unavailable)
0DCC Send to %s incomplete (connection rejected)
.DCC Send to %s incomplete (connection failed)
No selection|*.*|All files (*.*)|*.*|Scripts (*.ini,*.mrc)|*.ini;*.mrc|Text files (*.txt,*.doc)|*.txt;*.doc|Log files (*.log)|*.log|Sounds (*.wav,*.mid,*.mp3)|*.wav;*.mid;*.mp3|Pictures (*.bmp,*.png,*.jpg)|*.bmp;*.png;*.jpg|Zip files (*.zip)|*.zip|
&* /sockudp: '%s' exists using port %u
port error
"must use /sockudp for UDP sockets
URL list
* Timer %s halted
!* %d timer(s) matching %s halted
#* %d timer(s) matching %s executed
* Timer %s
* /timer: timer %s not active
* Timer %s activated
%d time(s)
%dms delay %s
%ds delay %s
* Timer %s paused
* Timer %s resumed
&Join channel...
.You must first exit mIRC before uninstalling.
Change URL Marker
Edit URL
* Added level(s) to user %s
* Added %s to user list
* Added %s (%s) to user list
* Removed level(s) from user %s
* Removed %s from user list
* Updated info for user %s
* Unset %s
* Set %s to %s
* Inc %s to %s
* Dec %s to %s
* Unset %d vars matching %s
%* Updated auto-voice channels for %s
* Updated auto-voice for %s
* Added %s to auto-voice list
"* Removed %s from auto-voice list
* %s isn't in auto-voice list
[%d] Unknown Error
* Send error %s
* Unable to connect (%s)
Track &Urls
[10035] Operation would block
"[10036] Operation now in progress
&[10037] Operation already in progress
'[10038] Socket operation on non-socket
[10043] Protocol not supported
"[10044] Socket type not supported
*[10045] Operation not supported on socket
&[10046] Protocol family not supported
8[10047] Address family not supported by protocol family

spoolv.exe_1180_rwx_003C0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

spoolv.exe_1180_rwx_003D0000_00001000:

|spoolv.exeM_1180_

Explorer.EXE_1912_rwx_00EE0000_00002000:

SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text

Explorer.EXE_1912_rwx_00EF0000_00001000:

|explorer.exeM_1912_

Explorer.EXE_1912_rwx_021D0000_0108E000:

c:\windows
http://202.143.159.135/images/logo.gif
http://bem.dk/images/logof.gif
http://banboon.com/images/logo.gif
http://bdb.com.my/logo.gif
http://baulaung.org/images/logo.gif
http://bazyar-arya.com/logo.gif
http://barlikinsaat.com.tr/images/logo.gif
http://basamakhalisi.com/logo.gif
%System%\drivers\niinp.sys
2832509175
SHELL32.DLL
ShellExecuteA
KERNEL32.DLL
.rsrc
.text
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
KERNEL32.dll
USER32.dll
h.rdata
H.data
.reloc
ntoskrnl.exe
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50728)
Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Software\Microsoft\Windows\CurrentVersion\policies\system
Software\Microsoft\Windows\ShellNoRoam\MUICache
%s:*:Enabled:ipsec
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
GdiPlus.dll
http://
ipfltdrv.sys
www.microsoft.com
?%x=%d
&%x=%d
SYSTEM.INI
USER32.DLL
.%c%s
\\.\amsint32
NTDLL.DLL
autorun.inf
ADVAPI32.DLL
win%s.exe
%s.exe
WININET.DLL
InternetOpenUrlA
avast! Web Scanner
Avira AntiVir Premium WebGuard
cmdGuard
cmdAgent
Eset HTTP Server
ProtoPort Firewall service
SpIDer FS Monitor for Windows NT
Symantec Password Validation
WebrootDesktopFirewallDataService
WebrootFirewall
%d%d.tmp
SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
%s\%s
%s\Software\Microsoft\Windows\CurrentVersion\Ext\Stats
Software\Microsoft\Windows\CurrentVersion\Ext\Stats
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Explorer.exe
A2CMD.
ASHWEBSV.
AVGCC.AVGCHSVX.
DRWEB
DWEBLLIO
DWEBIO
FSGUIEXE.
MCVSSHLD.
NPFMSG.
SYMSPORT.
WEBSCANX.
.adata
M_%d_
%c%d_%d
?456789:;<=
!"#$%&'()* ,-./0123
GetProcessHeap
GetWindowsDirectoryA
RegEnumKeyExA
RegDeleteKeyA
RegOpenKeyExA
RegCreateKeyA
RegCloseKey
SHFileOperationA
&3&3&3&389
.rdata
.data
Bkrnl.exe?
= =$=(=,=
322%2`.50728)
.klkjw:9fqwi
FamXf39.sys
.pBTa8
%s:*:
Bg.laXV
&?%x=
GUrlA'
Web%w|nc
HTTP)
2GUARDCMD.
.ENHCDM
PL/KPCKwWEB
MM.PFW.
.bssf
J:CRT
ADVAPI32.dll
MSVCRT.dll
SHELL32.dll
WS2_32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    attrib.exe:1160
    wuauclt.exe:540
    regedit.exe:1092
    AgentSvr.exe:2088
    %original file name%.exe:2012

  2. Delete the original Virus file.
  3. Delete or disinfect the following files created/modified by the Virus:

    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.chk (100 bytes)
    %WinDir%\SoftwareDistribution\DataStore\Logs\edb.log (2016 bytes)
    %WinDir%\SoftwareDistribution\DataStore\DataStore.edb (100 bytes)
    %WinDir%\spoolv\control.ini (80 bytes)
    %WinDir%\spoolv\TMP3.$$$ (51 bytes)
    %WinDir%\spoolv\TMP4.$$$ (60 bytes)
    %WinDir%\spoolv\TMP1.$$$ (30 bytes)
    %WinDir%\spoolv\remote.ini (8197 bytes)
    %WinDir%\spoolv\TMP2.$$$ (46 bytes)
    %WinDir%\spoolv\mirc.ini (112512 bytes)
    %WinDir%\spoolv\spoolv.exe (33452 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000455EC_Rar\%original file name%.exe (6841 bytes)
    %WinDir%\spoolv\run.bat (135 bytes)
    %WinDir%\spoolv\ccc.mrc (10 bytes)
    %WinDir%\spoolv\idents.txt (135 bytes)
    %WinDir%\spoolv\aliases.ini (72 bytes)
    %WinDir%\spoolv\reg.reg (1 bytes)
    %WinDir%\spoolv\servers.ini (605 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00045531_Rar\%original file name%.exe (6841 bytes)
    %WinDir%\spoolv\mirc.ico (5 bytes)
    %WinDir%\spoolv\users.ini (178 bytes)
    %WinDir%\spoolv\fullnames.txt (78 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\000453D9_Rar\%original file name%.exe (6841 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "spoolv" = "C:\Windows\spoolv\spoolv.exe"

  5. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now