Worm.Win32.AutoItGen_771e4514e4

by malwarelabrobot on January 8th, 2015 in Malware Descriptions.

WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Worm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 771e4514e4ac3ac440fa434f44f1d670
SHA1: f7bf8b7358a5ea5f0974b13ab49e66e9708f2389
SHA256: a4850313a2d63693f472fdf012e56b8ed21d2e6a70ed4a927579459f9758ec64
SSDeep: 49152:sf4R vwdRUtbCEm3Ub/MVo2iwKkM/B6EZM14USAyqd29SExFb Bb7tSg24/sr6Jf:sWWDbjmEbEVEwKkwfFFe724 6JcJA
Size: 4214896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Saitek
Created at: 2001-09-05 20:02:57
Analyzed on: Windows7Ada SP1 64-bit


Summary:

Worm. A program that primarily replicates over networks or removable drives.

Payload

No specific payload has been found.

Process activity

The Worm creates the following process(es):

%original file name%.exe:1632
setup.exe:2224

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1632 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)

The process setup.exe:2224 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (45 bytes)
C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (118 bytes)
C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
C:\$Directory (192 bytes)
C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (53 bytes)

Registry activity

The process setup.exe:2224 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
To run itself automatically each time Windows boots, the Worm adds the following reference to its file under the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"

The Worm deletes the following value(s) in system registry:
The Worm disables automatic startup of the application by deleting the following autorun value:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"SaitekInstall"

Dropped PE files

MD5 File path
32f8b989e0ed59a999789355a0fb2167 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS
4da5da193e0e4f86f6f8fd43ef25329a c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL
41d0bae99ab9d8d57f3c794f1f8c8702 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll
af3f53271f502d8c14d49a2063800018 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll
f95da19233b10bb057336b9d23f4cb0c c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll
970d4875dda50c9464a27a26f5423b5c c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll
da1c6bb0c680f9a9e5d9559e8fade75f c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll
1cd181769d827a8a7df392d0b47a61b7 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll
2c4aef983519f16c1d1cac6eeb5439e0 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll
1849d7374aacc5d0b9b09acd56a0b166 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll
e7cb8c4fe2ca9abbc6f6366e01132d83 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll
55c84e9b8aa2d04592d0e455da38b24a c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll
ae13b83b04de797ec44849cf91459534 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll
979fddb85bb12fb3e27108b72ba43385 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll
bed7080125983a291e0d02986d913df9 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll
4a9b6763b4c428d5e3d62bb385af1404 c:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Saitek
Product Name: Sims_3_Mood_Mouse_SD7_00000000_64_Drivers
Product Version: 00000000
Legal Copyright: Copyright (c) Saitek 2011
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32
File Version: 00000000
File Description: Saitek SST (SD7)64bit Drivers webinstall
Comments: Drivers only
Language: English (Australia)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 72470 73728 4.57623 e169cd9727498334799ce574858324b5
.rdata 77824 6480 8192 3.31499 1d22aa58107cdb479897ec936f8bbe61
.data 86016 20024 8192 1.67875 7e0cfc2e100727b4ae39786ac23b9520
.rsrc 106496 182952 184320 4.86811 77ee4c2b4732dc70c78518e6c523780b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 30

URLs

URL IP
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI=
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8=
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl 88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= 23.43.139.27
hxxp://crl.verisign.com/pca3.crl 23.43.133.163
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= 23.43.139.27
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= 23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 88.221.132.207
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl 88.221.132.175
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= 23.43.139.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 88.221.132.207
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl 88.221.132.175
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl 88.221.132.175


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum

Traffic

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a98b935d26110583 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 05 Dec 2013 22:47:50 GMT
If-None-Match: "0af536cf2ce1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=86400
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
Accept-Ranges: bytes
ETag: "0b2464b1797cf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 6408
Date: Wed, 07 Jan 2015 04:48:56 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=362894, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT
Expires: Sun, 11 Jan 2015 09:34:14 GMT
Date: Wed, 07 Jan 2015 04:50:21 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=411363, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT
Expires: Sun, 11 Jan 2015 23:04:05 GMT
Date: Wed, 07 Jan 2015 04:50:26 GMT
Connection: keep-alive

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=482014, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT
Expires: Mon, 12 Jan 2015 18:44:32 GMT
Date: Wed, 07 Jan 2015 04:50:58 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Tue, 01 Jul 2014 05:04:34 GMT
If-None-Match: "924558f3e994cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.0
VTag: 438246244800000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:43 GMT
Connection: keep-alive

<<< skipped >>>

GET /pca3.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.verisign.com


HTTP/1.1 200 OK
Server: Apache
ETag: "66304c4a5660ab8615727e6bb27b3cdb:1418950819"
Last-Modified: Fri, 19 Dec 2014 01:00:19 GMT
Date: Wed, 07 Jan 2015 04:50:32 GMT
Content-Length: 933
Connection: keep-alive
Content-Type: application/pkix-crl

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEGwkCSV07gf3g5QOsqmf+MY= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=404827, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 21:14:33 GMT
Expires: Sun, 11 Jan 2015 21:14:33 GMT
Date: Wed, 07 Jan 2015 04:50:46 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 24 May 2014 05:04:51 GMT
If-None-Match: "96bfbfb1d77cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
Accept-Ranges: bytes
ETag: "a2f3ff97eeecf1:0"
Server: Microsoft-IIS/8.5
VTag: 791502955900000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 813
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:02 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 07 May 2014 05:04:02 GMT
If-None-Match: "a413fc3b169cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 4389615400000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:07 GMT
Connection: keep-alive

<<< skipped >>>

GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 05 May 2014 05:04:34 GMT
If-None-Match: "87fbb3811f68cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com


HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 438346843700000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Wed, 07 Jan 2015 04:49:13 GMT
Connection: keep-alive


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ/xkCfyHfJr7GQ6M658NRZ4SHo/AQUCPVR6Pv+PT1kNnxoz1t4qN+5xTcCEGC2x6sSmevembHfY1acIZk= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com


HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1697
content-transfer-encoding: binary
Cache-Control: max-age=426631, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 03:19:06 GMT
Expires: Mon, 12 Jan 2015 03:19:06 GMT
Date: Wed, 07 Jan 2015 04:50:38 GMT
Connection: keep-alive

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?6dfbde8ddb02bd83 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT
If-None-Match: "0b96c77303ecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com


HTTP/1.1 200 OK
Cache-Control: max-age=604800
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
Accept-Ranges: bytes
ETag: "805a83f2b9cecf1:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 56928
Date: Wed, 07 Jan 2015 04:49:49 GMT
Connection: keep-alive

<<< skipped >>>

The Worm connects to the servers at the following location(s):


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1632
    setup.exe:2224

  2. Delete the original Worm file.
  3. Delete or disinfect the following files created/modified by the Worm:

    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_09.dll (11765 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf905D.tmp (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft907E.tmp\pftw1.pkg (7484 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext905E.tmp (5 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\Sai3611.inf (2 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Fxxx.dll (1808 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_04.dll (12195 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0A.dll (13271 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_Vxxx.dll (1984 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_07.dll (12803 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_10.dll (12930 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_0C.dll (12195 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe (23729 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\SAIK3611.SYS (3252 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\sai3611.cat (8 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_12.dll (13172 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\3611\WDFCOINSTALLER01009.DLL (34600 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_19.dll (12887 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\PreReq_A501.dll (1053 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_11.dll (4230 bytes)
    C:\Windows\Temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\Setup_05.dll (11751 bytes)
    C:\Users\"%CurrentUserName%"\NTUSER.DAT (3032 bytes)
    C:\Users\"%CurrentUserName%"\ntuser.dat.LOG1 (2296 bytes)
    C:\$Directory (192 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "SaitekInstall" = "C:\Windows\temp\Saitek\Sims_3_Mood_Mouse_SD7_64_Drivers\00000000\setup.exe -S0 -R -WEB"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
