MD5: 98cbe08cea0d6d73e3fbbad5eded93db
SHA1: 00bb81d8067d6888c5dbccad88d7c3066a0b8492
SHA256: 0ca73a465ddba379d96dd76d574421cd4668288d5987ab1d8462a13291befddd
SSDeep: 3072:MjxWhq1pugoWJRwabQytoR9HOfcET OiyiINbW:Mjh1oWJIyw9xETJiAbW
Size: 205824 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Piriform Ltd
Created at: no data
Analyzed on: WindowsXP SP3 32-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

%original file name%.exe:3452
%original file name%.exe:1896
%original file name%.exe:2812

The Worm injects its code into the following process(es):

mspaint.exe:600
mscorsvw.exe:424
svchost.exe:3856
svchost.exe:2896
svchost.exe:340
jqs.exe:480
csrss.exe:692
winlogon.exe:716
services.exe:760
svchost.exe:928
svchost.exe:1012
svchost.exe:1096
svchost.exe:1144
svchost.exe:1188
spoolsv.exe:1432
Explorer.EXE:1948
wmiprvse.exe:3704

File activity

The process mspaint.exe:600 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe (1281 bytes)

The Worm deletes the following file(s):

C:\%original file name%.exe (0 bytes)

The process %original file name%.exe:2812 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chk_fhueioulalaasso (9 bytes)
%Documents and Settings%\%current user%\Application Data\temp.bin (1281 bytes)

Registry activity

The process mspaint.exe:600 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 7D B2 D2 41 92 4B E4 A2 54 BD 2E C1 F3 7B 97"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 01 00 00 00 00 00 00 00"

The Worm modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Worm modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Npwiwv" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe"

The Worm modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:3452 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "3880839368"
"Name" = "%original file name%.exe"

The process %original file name%.exe:1896 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A AF 02 8A 4C B5 F4 70 A8 39 63 8A 95 C0 DD B8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process %original file name%.exe:2812 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 71 77 57 4E FA 2C E7 4E 48 FC EF F4 6B 7F 14"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in urlmon.dll:

URLDownloadToFileA
URLDownloadToFileW

The Worm installs the following user-mode hooks in WININET.dll:

InternetWriteFile
HttpSendRequestA
HttpSendRequestW

The Worm installs the following user-mode hooks in DNSAPI.dll:

DnsQuery_A
DnsQuery_W

The Worm installs the following user-mode hooks in WS2_32.dll:

send
GetAddrInfoW

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
ZwQueryDirectoryFile
ZwEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

No information is available.

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
hxxp://api.wipmania.com/	68.64.170.190

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Dorkbot GeoIP Lookup to wipmania
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET POLICY External IP Lookup Attempt To Wipmania

Traffic

GET / HTTP/1.1

User-Agent: Mozilla/4.0

Host: api.wipmania.com

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 05 Jun 2014 23:03:14 GMT

Content-Type: text/html

Content-Length: 19

Connection: keep-alive

Keep-Alive: timeout=20
"%local server IP%"<br>CA..

The Worm connects to the servers at the folowing location(s):

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

svchost.exe_3856_rwx_00090000_00021000:

.text

.data

.rsrc

@.reloc

%systemroot%

%programfiles%\Common Files\*\*.exe

%appdata%\Microsoft\*.exe

%root%\RECYCLER\S-1-5-21-0243556031-888888379-*\*.exe

ole32.dll

/c "%%SystemRoot%%\explorer.exe %Í%%%s & start %Í%%%s & exit"

/c "start %Í%%%s & start %Í%%%s & exit"

%ALLUSERSPROFILE%\..\..\windows\system32\cmd.exe

%SystemRoot%\system32\SHELL32.dll

%s\temp.bin

%s\qLaLjs63wyhdghjfghasdu3

%s\%s

%s\%s.lnk

%s\ViewFiles.cmd

Windows_Shared_Mutex_231_fhueioulalaasso

\ScreenSaverPro.scr

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

kernel32.dll

ntdll.dll

user32.dll

advapi32.dll

shell32.dll

urlmon.dll

wininet.dll

gdi32.dll

rpcrt4.dll

netapi32.dll

*.exe

.gonewiththewings

*.gonewiththewings

6.exe

WindowsId

Microsoft\%s

%s\%s\%s.exe

:Zone.Identifier

.quarantined

"%s" -shell

"%s" -bind

userinit.exe

explorer.exe

Windows critical error, require reboot

Windows Update

GetProcessHeap

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegOpenKeyA

RegEnumKeyA

RegCreateKeyExA

RegOpenKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

SHLWAPI.dll

RPCRT4.dll

URLDownloadToFileA

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Run

Software\Microsoft\Windows\CurrentVersion\RunOnce

Software\Microsoft\Windows NT\CurrentVersion\Winlogon

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

Software\WindowsId Manager Reader

WindowsMark

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0A

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

%s_%d

-%sMutex

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

URLDownloadToFileW

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

WS2_32.dll

MSVCRT.dll

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

RegNotifyChangeKeyValue

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

7 767<7~7

8*808;8~8

<$<1<7<<<

{A5DCBF10-6530-11D2-901F-00C04FB951ED}

\mspaint.exe

\svchost.exe

%System%\mspaint.exe

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

svchost.exe_3856_rwx_00AC0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

.%System%\svchost.exe

c:\%original file name%.exe

mspaint.exe_600:

.text

`.data

.rsrc

mspaint.chm

COMDLG32.DLL

Fhhctrl.ocx

CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32

gdiplus.dll

UxTheme.dll

mspaint.pdb

SSSShH

[email protected]

GdiplusShutdown

MFC42u.DLL

_wcmdln

msvcrt.dll

RegCloseKey

RegOpenKeyExW

RegCreateKeyExW

RegOpenKeyW

RegEnumKeyW

ADVAPI32.dll

KERNEL32.dll

SetViewportExtEx

GDI32.dll

GetKeyState

GetKeyboardLayout

MsgWaitForMultipleObjects

USER32.dll

comdlg32.dll

ole32.dll

OLEAUT32.dll

SHELL32.dll

IMM32.dll

RegOpenKeyExA

.?AVCCmdTarget@@

.PAVCMemoryException@@

.PAVCFileException@@

.PAVCException@@

.PAVCResourceException@@

.PAVCNotSupportedException@@

name="Microsoft.Windows.Shell.mspaint"

version="5.1.0.0"

Windows Shell

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

R.bbbbbbbbbbbbbbbbbbbbbbbbbbOR@lVSV\

.bbbbbbbbbbbbbbbbbbb

K6*z^H=.fMM

6 .BT[r!G

8-/|:[email protected]

%d~%d

%u%su

mspaint.hlp

gdi32.dll

shell32.dll

;*.jpeg

Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

imm32.dll

SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Import

SOFTWARE\Microsoft\Shared Tools\Graphics Filters\Export

5.1.2600.5918 (xpsp_sp3_gdr.091216-2054)

MSPAINT.EXE

Windows

Operating System

5.1.2600.5918

24-bit Bitmap (*.bmp;*.dib)

Palette|*.pal|

untitled.pal

.rlecOLE 2.0 was unable to start.

Bitmap Files (*.bmp)

Paint.Picture

Monochrome Bitmap (*.bmp;*.dib)

16 Color Bitmap (*.bmp;*.dib)

256 Color Bitmap (*.bmp;*.dib)

,Displays instructions about how to use Help.%Displays Help for areas you click on..Displays Help for the current task or command.

.Centers this bitmap as the desktop background.

!Pastes a file into the selection.%Selects the scanner or camera device.2Downloads a new document from a scanner or camera.

%Sends a picture by using mail or fax.

Reduces the window to an icon.!Enlarges the window to full size.%Switches to the next document window.)Switches to the previous document window.>Closes the active window and asks if you want to save changes.

gThere is not enough memory or resources to complete operation.

Close some programs, and then try again.DLow on memory or resources.

JThis is not a valid bitmap file, or its format is not currently supported.

This is not a valid .PCS file.

6The grid spacing must be an integer between %d and %d.

%s bytes

%d x %d dots per inch

PencilUErases a portion of the picture, using the selected eraser shape.

,Flips or rotates the picture or a selection..Stretches or skews the picture or a selection.1Inverts the colors of the picture or a selection.&Changes the attributes of the picture. Clears the picture or selection.&The font size must be a numeric value.8Contains commands for working with the selected item(s).7Contains commands for selecting and transferring items..Contains commands for customizing this window.CContains commands for manipulating pictures and setting attributes.>Contains commands for using custom colors and drawing options.FContains commands for displaying Help for and information about Paint.

Creates a new color.*Uses a previously saved palette of colors..Saves the current palette of colors to a file.

Shows Paint Help.(Microsoft\Windows\CurrentVersion\Applets

Downloading picture,Reading data from the device (%d%% complete)

Processing data (%d%% complete)!Transferring data (%d%% complete)

svchost.exe_2896:

.text

`.data

.rsrc

ADVAPI32.dll

KERNEL32.dll

NTDLL.DLL

RPCRT4.dll

NETAPI32.dll

ole32.dll

ntdll.dll

RegCloseKey

RegOpenKeyExW

GetProcessHeap

NtOpenKey

svchost.pdb

\PIPE\

Software\Microsoft\Windows NT\CurrentVersion\Svchost

\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\

5.1.2600.5512 (xpsp.080413-2111)

svchost.exe

Windows

Operating System

5.1.2600.5512

mspaint.exe_600_rwx_01060000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

c:\%original file name%.exe

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

\\.\pipe\e3ac0cfb

%System%\mspaint.exe

%WinDir%

e3ac0cfb.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\mspaint.exe

svchost.exe_2896_rwx_00B70000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_340_rwx_00C80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

mscorsvw.exe_424_rwx_008D0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

c:\%original file name%.exe

jqs.exe_480_rwx_010C0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%Program Files%\Java\jre6\bin\jqs.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

c:\%original file name%.exe

csrss.exe_692_rwx_012C0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0-

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

\??\%System%\csrss.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

c:\%original file name%.exe

winlogon.exe_716_rwx_00A80000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

\??\%System%\winlogon.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

c:\%original file name%.exe

services.exe_760_rwx_00B70000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\services.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\services.exe

c:\%original file name%.exe

svchost.exe_928_rwx_00A30000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1012_rwx_00B30000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1096_rwx_03080000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%WinDir%\System32\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1144_rwx_00860000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

svchost.exe_1188_rwx_00B60000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\svchost.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

c:\%original file name%.exe

spoolsv.exe_1432_rwx_00D00000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\spoolsv.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe

c:\%original file name%.exe

Explorer.EXE_1948_rwx_023F0000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0@

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%WinDir%\Explorer.EXE

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\explorer.exe

c:\%original file name%.exe

wmiprvse.exe_3704_rwx_00D90000_0004E000:

.text

`.rdata

@.data

.reloc

=MSG t

>MSG u`

=PASS

8httpu1

8httpuM

tlSSSSSSSSSShL0

%s.%s

%s.%S

%s.Blocked "%s" from removing our bot file!

%s.Blocked "%S" from removing our bot file!

i.root-servers.org

%s.Blocked "%s" from moving our bot file

%s.Blocked "%S" from moving our bot file

%s.p10-> Message hijacked!

%s.p10-> Message to %s hijacked!

%s.p21-> Message hijacked!

msnmsg

CAL %d %6s

ngr->blocksize: %d

block_size: %d

\\.\pipe\%s

kernel32.dll

%s_%d

-%sMutex

ntdll.dll

%s-pid

%s-comm

JOIN #

PRIVMSG #

%s.Blocked "%S" from creating "%S"

%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!

%s.Detected process "%S" sending an IRC packet to server %s:%d.

%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).

PRIVMSG %5s

JOIN %5s

PRIVMSG

JOIN

%s:%d

%s.%s%s

%S%s%s

%s.%S%S

%S%S%S

state_%s

%s.%s (p='%S')

pop3://%s:%s@%s:%d

%s:%s@%s:%d

ftp://%s:%s@%s:%d

ftpgrab

%s.%s ->> %s (%s : %s)

%s.%s ->> %s : %s

%s-%s-%s

%s.Blocked possible browser exploit pack call on URL '%s'

%s.Blocked possible browser exploit pack call on URL '%S'

webroot.

virusbuster.nprotect.

heck.tc

onecare.live.

login[password]

login[username]

*members*.iknowthatgirl*/members*

*youporn.*/login*

*members.brazzers.com*

*bcointernacional*login*

*:2222/CMD_LOGIN*

*whcms*dologin*

*:2086/login*

*:2083/login*

*:2082/login*

*webnames.ru/*user_login*

Webnames

*dotster.com/*login*

loginid

*enom.com/login*

login.Pass

login.User

*login.Pass=*

*1and1.com/xml/config*

*moniker.com/*Login*

LoginPassword

LoginUserName

*LoginPassword=*

*namecheap.com/*login*

loginname

*godaddy.com/login*

Password

*Password=*

*alertpay.com/login*

*netflix.com/*ogin*

*thepiratebay.org/login*

*torrentleech.org/*login*

*vip-file.com/*/signin-do*

*sms4file.com/*/signin-do*

*letitbit.net*

*what.cd/login*

*oron.com/login*

*filesonic.com/*login*

*speedyshare.com/login*

*uploaded.to/*login*

*uploading.com/*login*

loginUserPassword

loginUserName

*loginUserPassword=*

*fileserv.com/login*

*hotfile.com/login*

*4shared.com/login*

txtpass

*txtpass=*

*netload.in/index*

*freakshare.com/login*

login_pass

*login_pass=*

*mediafire.com/*login*

*sendspace.com/login*

*megaupload.*/*login*

*depositfiles.*/*/login*

*signin.ebay*SignIn

*officebanking.cl/*login.asp*

*secure.logmein.*/*logincheck*

session[password]

*password]=*

*twitter.com/sessions

txtPassword

*&txtPassword=*

*.moneybookers.*/*login.pl

*runescape*/*weblogin*

*&password=*

*no-ip*/login*

*steampowered*/login*

quick_password

*hackforums.*/member.php

*facebook.*/login.php*

*login.yahoo.*/*login*

passwd

login

*passwd=*

*login.live.*/*post.srf*

TextfieldPassword

*TextfieldPassword=*

*gmx.*/*FormLogin*

*Passwd=*

FLN-Password

*FLN-Password=*

*pass=*

*bigstring.*/*index.php*

*screenname.aol.*/login.psp*

password

loginId

*password=*

*aol.*/*login.psp*

Passwd

*google.*/*ServiceLoginAuth*

login_password

login_email

*login_password=*

*paypal.*/webscr?cmd=_login-submit*

%s / ?%d HTTP/1.1

Host: %s

User-Agent: %s

Mozilla/4.0

\\.\PHYSICALDRIVE0

shell32.dll

httpi

dnsapi.dll

http://%s/%s

http://%s/

POST /23s

[%s{%s%s{%s

n%s[%s{%s%s{%s

%s[%s{%s

[DNS]: Redirecting "%s" to "%s"

%s|%s

[Logins]: Cleared %d logins

FTP ->

[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)

http://

[Login]: %s

[DNS]: Blocked %d domain(s) - Redirected %d domain(s)

[Speed]: Estimated upload speed %d KB/s

Software\Microsoft\Windows\CurrentVersion\Run

icon=shell32.dll,7

shellexecute=

%windir%\system32\cmd.exe

&&%%windir%%\explorer.exe %Í%%%s

/c "start %Í%%.Trasher\%s

.Trasher

\\.\%c:

%s\%s

%sautorun.tmp

%sautorun.inf

%0x.exe

*bebo.*/c/profile/comment_post.json

*bebo.*/mail/MailCompose.jsp*

*friendster.*/sendmessage.php*

*friendster.*/rpc.php

*vkontakte.ru/mail.php

*vkontakte.ru/wall.php

*vkontakte.ru/api.php

*facebook.*/ajax/*MessageComposerEndpoint.php*

msg_text

*facebook.*/ajax/chat/send.php*

-_.!~*'()

%s.%s hijacked!

MSG %d %s %d

MSG %d %1s

SDG %d %d

Content-Length: %d

SDG %d

%s_0xX

RegCreateKeyExW

RegCreateKeyExA

URLDownloadToFileW

URLDownloadToFileA

HttpSendRequestW

HttpSendRequestA

NtEnumerateValueKey

DNSAPI.dll

Secur32.dll

ShellExecuteA

SHELL32.dll

HttpQueryInfoA

InternetOpenUrlA

HttpQueryInfoW

WININET.dll

SHLWAPI.dll

WS2_32.dll

MSVCRT.dll

GetProcessHeap

ConnectNamedPipe

CreateNamedPipeA

DisconnectNamedPipe

GetWindowsDirectoryW

GetWindowsDirectoryA

KERNEL32.dll

USER32.dll

RegCloseKey

RegNotifyChangeKeyValue

RegOpenKeyExA

ADVAPI32.dll

ole32.dll

a.a444400.com

a.b444400.com

a.c44440000.com

]1.1.0.0

msn.set

msn.int

http.set

http.int

http.inj

logins

PASS %s

[.ShellClassInfo]

CLSID={645FF040-5081-101B-9F08-00AA002F954E}

SSRR %s 0 0 :%s

KCIK %s

SEND %s %s

PART %s

PPPPMSG %s :%s

QUIT :%s

PPNG %s

PPPPMSG

[v="%s" c="%s" h="%s" p="%S"]

[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d

[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d

[Slowloris]: Starting flood on "%s" for %d minute(s)

[Slowloris]: Finished flood on "%s"

[UDP]: Starting flood on "%s:%d" for %d second(s)

[UDP]: Finished flood on "%s:%d"

[SYN]: Starting flood on "%s:%d" for %d second(s)

[SYN]: Finished flood on "%s:%d"

[USB]: Infected %s

[MSN]: Updated MSN spread message to "%s"

[MSN]: Updated MSN spread interval to "%s"

[HTTP]: Updated HTTP spread message to "%s"

[HTTP]: Injected value is now %s.

[HTTP]: Updated HTTP spread interval to "%s"

[Visit]: Visited "%s"

[DNS]: Blocked "%s"

[usb="%d" msn="%d" http="%d" total="%d"]

[ftp="%d" pop="%d" http="%d" total="%d"]

[RSOCK4]: Started rsock4 on "%s:%d"

[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)

[d="%s"] Error downloading file [e="%d"]

[d="%s"] Error writing download to "%S" [e="%d"]

[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]

[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]

[d="%s"] Error getting temporary filename. [e="%d"]

[d='%s"] Error getting application data path [e="%d"]

[Visit]: Error visitng "%s"

[FTP Login]: %s

[POP3 Login]: %s

[FTP Infect]: %s was iframed

[HTTP Login]: %s

[HTTP Traffic]: %s

[Ruskill]: Detected File: "%s"

[Ruskill]: Detected DNS: "%s"

[Ruskill]: Detected Reg: "%s"

[PDef ]: %s

[DNS]: Blocked DNS "%s"

[MSN]: %s

[HTTP]: %s

ftplog

ftpinfect

httplogin

httptraff

httpspread

http://api.wipmania.com/

\\.\pipe\x_ipc

\\.\pipe\e3ac0cfb

%System%\wbem\wmiprvse.exe

%WinDir%

%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe

7 767<7~7

8*808;8~8

%s\Microsoft\%s.exe

\\.\pipe

Internet Explorer\iexplore.exe

autorun.inf

pidgin.exe

wlcomm.exe

msnmsgr.exe

msmsgs.exe

flock.exe

opera.exe

chrome.exe

ieuser.exe

iexplore.exe

firefox.exe

.ipconfig.exe

verclsid.exe

regedit.exe

rundll32.exe

cmd.exe

regsvr32.exe

l"%s" %S

lol.exe

n127.0.0.1

%s:Zone.Identifier

wininet.dll

secur32.dll

ws2_32.dll

:%S%S\Desktop.ini

winlogon.exe

mspaint.exe

Aadvapi32.dll

urlmon.dll

nspr4.dll

Akernel23.dll

y%s\%s.exe

lsass.exe

Software\Microsoft\Windows\CurrentVersion\Policies\System

.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe

c:\%original file name%.exe

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3452
   %original file name%.exe:1896
   %original file name%.exe:2812
   

3. Delete the original Worm file.
   
4. Delete or disinfect the following files created/modified by the Worm:
   

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe (1281 bytes)
   %Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr (1281 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\chk_fhueioulalaasso (9 bytes)
   %Documents and Settings%\%current user%\Application Data\temp.bin (1281 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Npwiwv" = "%Documents and Settings%\%current user%\Application Data\Microsoft\Npwiwv.exe"
   
   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "Screen Saver Pro 3.1" = "%Documents and Settings%\%current user%\Application Data\ScreenSaverPro.scr"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
7. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
   
8. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.