Worm.Win32.Dorkbot_be86d10e28

by malwarelabrobot on May 16th, 2014 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.VIZ.1 (B) (Emsisoft), Gen:Heur.VIZ.1 (AdAware), WormDorkbot.YR, GenericUDPFlooder.YR, GenericIRCBot.YR, GenericMSNWorm.YR, GenericUSBInfector.YR, GenericAutorunWorm.YR, GenericSYNFlooder.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Flooder, Worm, WormAutorun, IRCBot, MSNWorm, UDPFlooder, SYNFlooder, USBInfector


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: be86d10e285d9312d593f9bf0b4498b2
SHA1: 363d4f75a98ee3bb98966fca10a766b0618835b6
SHA256: 6320f50b867d9065c471e7ce6b034bcf769f38d67d298eae689726d0fb78e425
SSDeep: 3072:bJlSFL9KSZPGCOTHLOoeIxKubTzRS6LTT8HIMH:TM9XV3OTrOBIIuHzRSUbMH
Size: 202748 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: PackerUPXCompresorGratuitowwwupxsourceforgenet, UPolyXv05_v6
Company: no certificate found
Created at: 2005-10-19 09:19:14
Analyzed on: WindowsXP SP3 32-bit


Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via IRC channel.
MSNWorm A worm can spread its copies through the MSN Messanger.
UDPFlooder This program can make a UDP flood. A UDP flood attack is a denial-of-service attack using the User Datagram Protocol (UDP). It can be initiated by sending a large number of UDP packets to random ports on a remote host.
SYNFlooder This program can make a SYN flood. It is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.
USBInfector A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.


Process activity

The Worm creates the following process(es):

imapi.exe:1180
Lskmkx.exe:1696
drwtsn32.exe:1328
%original file name%.exe:1376

The Worm injects its code into the following process(es):

rundll32.exe:628
spoolsv.exe:1432
mscorsvw.exe:284
explorer.exe:476
jqs.exe:324
csrss.exe:692
winlogon.exe:716
services.exe:760
lsass.exe:772
svchost.exe:932
svchost.exe:1012
svchost.exe:1100
svchost.exe:1144
svchost.exe:1184

File activity

The process imapi.exe:1180 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%WinDir%\Temp\ubsoeb9w.TMP (146970 bytes)

The process drwtsn32.exe:1328 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (186631 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (453902 bytes)

The process %original file name%.exe:1376 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\Lskmkx.exe (1281 bytes)

Registry activity

The process imapi.exe:1180 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 04 1C 7F 31 5B FE 7D A1 BD E3 B5 CD 31 DD 66"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"ControlFlags" = "1"
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"BitNames" = " ImapiDebugError ImapiDebugWarning ImapiDebugTrace ImapiDebugInfo ImapiDebugX ImapiDebugSort"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\Imapi\ImapiSvc]
"Guid" = "8107d8e9-e323-49f5-bba2-abc35c243dca"

The process Lskmkx.exe:1696 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 29 4C B8 4C B4 13 9D 9E 41 77 7D E0 D6 9E 22"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process rundll32.exe:628 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 C4 EF 9E 0F B4 61 A3 19 99 EF 30 B1 A7 05 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5c14c4f6-74da-11e2-81b0-000c29ec7fc5}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process drwtsn32.exe:1328 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 42 E4 9B 3D E3 86 DB 99 13 8D 62 1C 86 21 8A"

[HKLM\SOFTWARE\Microsoft\DrWatson]
"NumberOfCrashes" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

The process %original file name%.exe:1376 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 07 5C DC E8 2B CB 68 28 C4 9C 2F 25 2F F2 13"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

To automatically run itself each time Windows is booted, the Worm adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Worm installs the following user-mode hooks in WININET.dll:

HttpSendRequestW
InternetWriteFile
HttpSendRequestA

The Worm installs the following user-mode hooks in ADVAPI32.dll:

RegCreateKeyExA
RegCreateKeyExW

The Worm installs the following user-mode hooks in WS2_32.dll:

send

The Worm installs the following user-mode hooks in kernel32.dll:

MoveFileA
CopyFileW
CopyFileA
MoveFileW
CreateFileW
CreateFileA

The Worm installs the following user-mode hooks in ntdll.dll:

LdrLoadDll
NtResumeThread
NtQueryDirectoryFile
NtEnumerateValueKey

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Worm's file once a user opens a drive's folder in Windows Explorer.
A program can register a device notification with the help of RegisterDeviceNotification. So it is notified when a USB device is plugged and then the worm copies itself to the USB device plugged into the affected computer.
A worm can spread its copies through the MSN Messanger.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX0 4096 94208 0 0 d41d8cd98f00b204e9800998ecf8427e
UPX1 98304 102400 99328 5.51208 1ce4c008b15597e7ecd710df6791accc
.rsrc 200704 58364 37888 2.85617 f816f2d778660b92359938ad9439e0af

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
ff5b4185049e7dc770d16b2bfd4720b9

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Worm connects to the servers at the folowing location(s):

explorer.exe_476:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
BROWSEUI.dll
GDI32.dll
KERNEL32.dll
NTDLL.DLL
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHDOCVW.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
UxTheme.dll
FTSSh
t0SSh
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
SShwk
98~%SP
ExplorerStartMsgLoop
PSSh;
6SSSSh
SSSSh
SPSSSShL
u%SSh
t.WWWW
xpsp2res.dll
xpsp3res.dll
tbSSh
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu
Software\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel
kernel32.dll
GetSystemWindowsDirectoryW
NetGetJoinInformation
WINMM.dll
SETUPAPI.dll
WINSTA.dll
OLEACC.dll
USERENV.dll
ntdll.dll
RegEnumKeyExW
RegNotifyChangeKeyValue
RegOpenKeyExA
RegEnumKeyW
RegCloseKey
RegCreateKeyW
RegQueryInfoKeyW
RegOpenKeyExW
RegCreateKeyExW
OffsetViewportOrgEx
GetViewportOrgEx
SetViewportOrgEx
SetProcessShutdownParameters
GetProcessHeap
GetWindowsDirectoryW
CreateIoCompletionPort
ShellExecuteExW
SHRegCloseUSKey
SHRegCreateUSKeyW
AssocQueryKeyW
SHRegOpenUSKeyW
SHDeleteKeyW
TileWindows
ExitWindowsEx
RegisterHotKey
UnregisterHotKey
EnumChildWindows
GetKeyState
GetAsyncKeyState
CascadeWindows
MsgWaitForMultipleObjects
EnumWindows
explorer.pdb
name="Microsoft.Windows.Shell.explorer"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
]]"```^]]\
3333333330
3333330
333333334
)@.   '5 !*
.DEHHF>?/
2<===@@=
&$%Uooqkezs
['$$#%&(4
3333333333333333333
33333333333330
7'''')) 
3'')))33.
222`444(555
%%%{///-
000000000
00000000
`[66...00
0000000
`]66./.000
/./././././././.
66///0000
0000000000000
0000000000
6666,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,0.010.010.010.010.010.010.010.010.010.010.001
4366666666K,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6,6.010.010.010.010.010.010.010.010.010.010.000
:;<;:;<;:;<;:;<;:;<0
)   )   )   )   )
|2222'2'2'2'2'2'2'2'2'2'2'2'2'2'2'2',),),),),),),),),),),),),),),),),),),),),),, 
22222222222
3333333
.SB99;;;99twv}ut{oxt~
.SB;;;:::2:w}{{qddgghg
" """ """ """ """ "" #
""" """ """ "#
.SG>''';;9::p
:5:5:5:5:5:5:5:5:5:5#"
# # # # # # # # # # # # # # # # # # # # # ##$
( # # # # # # # # # # # # # # # # # # # # ###
1232123212321232123
(&(((&(((&(((&(((&((&&)
&(((&(((&(((&()
`,''')))
'4,4'4,4'4,4'4,4'4,4)(
55///0000
5555-5-5-5-5-5-5-5-5-5-5-5-5-5-5-5-0
555555555
55555555
5555555
14441444144414441
4343434343434343
5555555555555
5555555555
-,-,-,-,-,-,-,-,-,-,-*.
..............................JFJFJFJFJFJFJFJFJFJFJ.-
{22*2*2*2*2*2*2*2*2*2*2*2*2*2*2*2*.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-../
|ujjjjuhF..BBBBBBBBBBBBT
~j|F.BB*BBB*BBB*Bwop
&!!!&!!!&
44466666
44444444416
4446666
66666666
|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= 
|= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= |= 
DDDDE%CTDD@
A%US$
%UUUU
%%UUU
33U
""2222!!
!"!"%UUR""
!""!"#2"""
"!!"#3"!"
dnnnnn:n.nfCnmddddd
////;/;;88
;888;;!/
!//!!;;^
:;:!::!!!
.88.88.8
.N.NN.M
::8.8...
:::!;;:!
//!!;888
.8.8.88...
:;!::!!;!//!;
!!;:!!::
.88..8..
!!:::/^!
!;/;!;;;!!!:
.8:!!!!^
!!:;:::..
/:!^^!;{8{../
...:::.-
**6***66*6**6566*5666 ,
6*6666*6*6 655*65
6*65 56*5 55  555 *5  6
555( 55 (5 5(  
76 5   66  555*677
6*6 5 5(5 (55( '5((5 (556 ('5
665**6(('S((((((S(((]('((@('SS((S(((((((6C-.NEC66S5sU
555(555(5((5(5(5(
5 5 5 5555 (555(555'(((5(5('55(((
((''('5'5(5('('('('('((''('(((@(((('&(((&
%&&%&&&&3>&3&3&33&3&3333&&3>3333
'(3&'&3&
3&33&&((
3323>33>%>3%>3>33>3%3&%
*5'(('((&@3(
,63%3>323>3%>&>33323>>%>
3(3'(((@@'5('@(@(&('(
>2>323%>3
75((((@3&333&3&&&%&3&&3&33>33%3>23%>3
>2%$32%>2>%>2$3>
3&%&&3&33>3>33
3>%>3%&3$23>23$2>2%$>2>
)4433((&(&('*
('((((''(**6(('' *
32323>3>
2$%>22%>%3' (
&(&''((5(5 *
'(&(&((&('''
&&%&3&&%3%
2%>22>22
5''3(((3(('&(&'&
3%%3%3%2#$
22$22$2%$22$2%2%$2%$2$222%$22
&>2$2$2$222$22$%%
:7'((('(3('(3(&(&
222222222222
22222222222222
222222222222222
22$22$22$22$
&(%3%&&&&3&&&3%3
222222222222222222
&&(&3(&(&'('((3'(&&
2222222
22$<$$2$22$%
&&(3(3('(&'
222"2212
22<2<22"
(&(3(3((
((565 ((( 6
333&33(&&
'(('('(('( 
 '&%%"$
2"2"22"2
2222<2"222
"2"22<2<22
2%('(3'32222?&'
2"2"2"121212<
2"2"2$"?
%%22%2
&3(3(3((&
"2"<"2<2<
<2<"<"<"<
1"?((&21
2%""22&&
2<2$$2222
'&('(3(''
((%%%"
5(3%"%
"2%5*67
))) ))))
""**<****"""
"*<<<<*"
#2#---2222-222442-
--&#-(-%
$/222(--444222!
#&-221269924999;
&$-22-($2%
#(2---222622212-
#2221299629968
#&--%#(2##!
-222422422426662-%
"2-##&
!##-#&#-&&#%---#---#&-219662%
$&-(151,44.9
&1242662-
-(..19.19
,4492.12
12-$-,-,
-, $$----
#%#-15/-&
-,(,,(,(,
$$11651566/,$&&
,2592&&&-
2466/!$$
""*<*"****""
) '????[
&&&$-556>>61,,5994511-
$(//$$$(6>6/,$,-$
#$-22692/,,$,-&
-266661..4514#
&,2-&&##
&-222,22--#
#&&---2-,-&$&(,,291.566..BNNNTNNNNNAABIAA88
&!#&!-##
&#--//11468>885882&
$266961$&--$&%
,1661,!-((#
&$,4255$,92
&$,44..&
""**""***""
"****<*<<**"
"**""""*""""
&-569./-,16522$
.BAA=86546888=AAAEAAEMNRMQQSWZZ\]gk__m__\
bTRHHHHHQQHQJQWJSSSSSSSSSSSSSSSSWWSSSS\\V]VZW8,.FW]\\]\]\]\\ZZ\\WFR>38(
.BTTkgn]ktvgmvvvvvmvvvsvzzzyzyzyzyyyzmkkkkkZSRA816;F87
yzyzyzym^Z]WN3   $&$.Wt\
""*"""****""""
"***"**""**<**"
$5612,.2,
&$$,,,5]
$]t.Ft
7%8U8
3 303<3]3
2<3
8 8$8(8,8084888<8}8
5%5,575{6
<,<0<4<8<
7 7$7(7,70747
rundll32.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
::{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}
::{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}
::{D20EA4E1-3957-11d2-A40B-0C5020524153}
::{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}
{208D2C60-3AEA-1069-A2D7-08002B30309D}
{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites
{450D8FBA-AD25-11D0-98A8-0800361B1103}
CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Software\Microsoft\Windows\CurrentVersion\Explorer\DontShowMeThisDialogAgain
Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz
\\.\WMIDataDevice
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows NT\CurrentVersion\Windows
ExplorerIsShellMutex
desk.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer
tourstart.exe
tourstart.exe,0
Microsoft.OfferTour
WINWORD.EXE
Software\Microsoft\Windows\CurrentVersion\Applets
Software\Microsoft\Windows\CurrentVersion\Applets\Tour
explorer.exe,9
Microsoft.FixScreenResolution
shell:::{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation
Software\Microsoft\Windows NT\CurrentVersion
shell:::{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}
Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
DDEEXECUTESHORTCIRCUIT
http\shell
IEXPLORE.EXE
Software\Microsoft\Windows\CurrentVersion\Explorer\Streams\Desktop
Software\Microsoft\Windows\CurrentVersion\RunOnceEx
comctl32.dll
Software\Microsoft\Windows\Internet Settings
AutoConfigURL
system.ini
AppEvents\Schemes\Apps\.Default\%s\.current
Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify
MSShellRunDlgReady
res://mys.dll/mys.hta /explorer
mshta.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\Welcome
Software\Microsoft\Windows\CurrentVersion\Explorer\Tips
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\MYS
cys.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\srvWiz
install.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel
OUTLOOK.EXE
explorer.exe,16
iernonce.dll
WININET.DLL
UpdateURL
WindowsUpdate
HWND%x
Software\Microsoft\Windows\CurrentVersion\OemStartMenuData
fldrclnr.dll,Wizard_RunDLL
iexplore.exe
winbrand.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\Remote\%d
shell32.dll
nusrmgr.cpl ,initialTask=ChangePicture
NewExeName
Windows
ediskeer.dll
timedate.cpl
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\LastVisitedMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Comdlg32\OpenSaveMRU
Software\Microsoft\Windows\CurrentVersion\Explorer\Doc Find Spec MRU
Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Software\Microsoft\Internet Explorer\TypedURLs
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Calculator.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Games\Solitaire.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Paint.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\WordPad.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Windows Movie Maker.lnk
%USERPROFILE%\Start Menu\Programs\Accessories\Tour Windows XP.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Messenger.lnk
%USERPROFILE%\Start Menu\Programs\Windows Media Player.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Online with MSN.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Get Going with Tablet PC.lnk
%ALLUSERSPROFILE%\Start Menu\Set Program Access and Defaults.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Windows Journal.lnk
%ALLUSERSPROFILE%\Start Menu\Programs\Accessories\Media Center\Media Center.lnk
%USERPROFILE%\Start Menu\Programs\Internet Explorer.lnk
Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
TSAppCMP.DLL
netapi32.dll
%SystemRoot%\system32\restore\rstrui.exe
RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL ?0x%X?%s
RunDLL32.EXE
%s%d%s
Software\Microsoft\Windows\CurrentVersion\Policies\System
settings.dll
explorer.exe "
explorer.exe /e, "
WindowsLogon
WindowsLogoff
%s %s
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
uAppWiz.Cpl
\explorer.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu
::{20D04FE0-3AEA-1069-A2D8-08002B30309D}
taskmgr.exe
ShellExecute
Software\Microsoft\Windows\CurrentVersion\Explorer\AppKey\%d
\WindowsShell.Manifest
Get Online with MSN.lnk
Set Program Access and Defaults.lnk
Link%d
OEM%d
Software\Microsoft\Windows\CurrentVersion\SMDEn
::{D20EA4E1-3957-11d2-A40B-0C5020524152}
%WinDir%\explorer.exe
There is a file or folder on your computer called "%s" which could cause certain applications to not function correctly. Renaming it to "%s" would solve this problem. Would you like to rename it now?
Ca&scade Windows
Tile Windows &Horizontally
Tile Windows V&ertically
&Windows Security...
&Help and Support
&Log Off %s...
Windows Explorer
6.00.2900.5512 (xpsp.080413-2105)
EXPLORER.EXE
Windows
Operating System
6.00.2900.5512
Keep the &taskbar on top of other windows
To remove records of recently accessed documents, programs, and Web sites, click Clear.
Windows displays icons for active and urgent notifications, and hides inactive ones. You can change this behavior for items in the list below.
Select this option to use the menu style from earlier versions of Windows.
6There is not enough memory to complete this operation.8Unable to run command.
The folder '%1' has been removed.WMy Computer or Windows Explorer has not been properly initialized yet. Try again later.
&Undo %s
Windows is running in safe mode.
This special diagnostic mode of Windows enables you to fix a problem which may be caused by your network or hardware settings. Make sure these settings are correct in Control Panel, and then try starting Windows again. While in safe mode, some of your devices may not be available.
startRThere was an internal error and one of the windows you were using has been closed.
Restrictions{This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator.
&Show Open Windows
Windows was unable to change the display settings for the new configuration. Return the computer to the previous state, shut down Windows, and restart the computer in the desired configuration.
There may be a problem with your display settings if you continue. To safely change to a new configuration, you should shut down Windows and restart the computer in the desired configuration. Do you want to continue anyway?
This pre-release version of "Internet Explorer 4.0" Desktop/Explorer has expired. Please update to the latest release of "Internet Explorer 4.0" from WWW.MICROSOFT.COM
helpctr.exe>-FromStartHelp
Take a tour of Windows XP
NOpens a window where you can pick search options and work with search results.aOpens a central location for Help topics, tutorials, troubleshooting, and other support services.
/Opens a program, folder, document, or Web site.
Provides options for closing your programs and logging off, or for leaving your programs running and switching to another user.lProvides options for turning off or restarting your computer, or for activating Stand By or Hibernate modes.RDisconnects your session. You can reconnect to the session when you log on again.
&Windows Security
iOpens the My Documents folder, where you can store letters, reports, notes, and other kinds of documents./Displays recently opened documents and folders.KOpens the My Music folder, where you can store music and other audio files.]Opens the My Pictures folder, where you can store digital photos, images, and graphics files.zGives access to, and information about, the disk drives, cameras, scanners, and other hardware connected to your computer.MGives access to, and information about, folders and files on other computers.8Connects to other computers, networks, and the Internet.

explorer.exe_476_rwx_000A0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%WinDir%\explorer.exe
winlogon.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
BE86D10E285D9312D593F9BF0B4498B2.exe
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\explorer.exe

rundll32.exe_628:




.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s

rundll32.exe_628_rwx_000A0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\rundll32.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\rundll32.exe

mscorsvw.exe_284_rwx_008E0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%WinDir%\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

jqs.exe_324_rwx_010C0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%Program Files%\Java\jre6\bin\jqs.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\Program Files\Java\jre6\bin\jqs.exe

csrss.exe_692_rwx_00AB0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
\??\%System%\csrss.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe

winlogon.exe_716_rwx_00AD0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
\??\%System%\winlogon.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe

services.exe_760_rwx_006F0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\services.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
p\Device\HarddiskVolume1\WINDOWS\system32\services.exe

lsass.exe_772_rwx_00A10000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\lsass.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe

svchost.exe_932_rwx_00940000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\svchost.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1012_rwx_00B50000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\svchost.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1100_rwx_02630000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%WinDir%\System32\svchost.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1144_rwx_008B0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\svchost.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

svchost.exe_1184_rwx_00BC0000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\svchost.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe

spoolsv.exe_1432_rwx_00B70000_00026000:




.text
`.rdata
@.data
.reloc
:.datt
tB<%u4
toSSSSSSSSSSh
ShellExecuteA
SHELL32.dll
InternetOpenUrlA
HttpQueryInfoW
WININET.dll
SHLWAPI.dll
ntdll.dll
WS2_32.dll
MSVCRT.dll
GetWindowsDirectoryW
GetProcessHeap
ConnectNamedPipe
CreateNamedPipeA
DisconnectNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
ADVAPI32.dll
ole32.dll
%s.%s
%s.%S
%s.Blocked "%S" from creating "%s" - "%s" will be removed at reboot!
autorun.inf
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
%s.%s ->> %s : %s
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.%s%s
%S%s%s
%s.%S%S
%S%S%S
%s.p10-> Link sent!
%s.p21-> Link sent!
msnmsg
JOIN #
%s.Detected process "%S" sending an IRC packet to server %s:%d.
PRIVMSG #
%s:%d
%s.ftp://%s:%s@%s:%d (p='%S')
%s:%s@%s:%d
PASS %s
USER %s
ftpgrab
%s.Blocked possible browser exploit pack call on URL '%s'
http://
%s.Blocked possible browser exploit pack call on URL '%S'
1.0.0
msn.set
msn.int
webroot.
virusbuster.nprotect.
heck.tc
necare.live.
b0ss.edu
193.106.172.98
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S"
[d="%s" s="%d bytes"] Executed file "%S"
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[Visit]: Visited "%s"
[BDns]: Blocked domain "%s"
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef ]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
ftplog
ftpinfect
httplogin
httptraff
http://api.wipmania.com/
\\.\pipe\%s_ipc
*secure.logmein.*/*logincheck*
*megaupload.*/*login
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserve.*/login*
session[password]
*password]=*
*twitter.com/sessions
*:2086/login*
*:2083/login*
Password
*&Password=*
*.alertpay.*/*login.aspx
txtPassword
*&txtPassword=*
*.moneybookers.*/*login.pl
*runescape*/*weblogin*
*&password=*
*no-ip*/login*
*steampowered*/login*
quick_password
*hackforums.*/member.php
*facebook.*/login.php*
*login.yahoo.*/*login*
passwd
login
*passwd=*
*login.live.*/*post.srf*
TextfieldPassword
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
FLN-Password
*FLN-Password=*
*pass=*
*bigstring.*/*index.php*
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
*google.*/*ServiceLoginAuth*
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Mozilla/4.0
MSG %d %s %d
MSG %d %1s
SDG %d %d
Content-Length: %d
SDG %d
state_%s
shell32.dll
http://%s/%s
http://%s/
POST /23s
{%s|%s%s}%s
n{%s|%s%s}%s
%s|%s
%s|%s|%s
icon=shell32.dll,7
shellexecute=
%windir%\system32\cmd.exe
/c "start Í%
&&%windir%\explorer.exe
\\.\%c:
%s\%s
%sautorun.tmp
%sautorun.inf
%s.exe
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
HttpSendRequestW
HttpSendRequestA
NtEnumerateValueKey
%s-Mutex
%s_%d
%s_%lu
kernel32.dll
%System%\spoolsv.exe
%Documents and Settings%\%current user%\Application Data\Lskmkx.exe
%WinDir%
5$5(5,5054585
\\.\pipe
nwlcomm.exe
msmsgs.exe
msnmsgr.exe
pidgin.exe
xchat.exe
mirc.exe
iexplore.exe
firefox.exe
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
cipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
Internet Explorer\iexplore.exe
lol.exe
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
wininet.dll
ws2_32.dll
Akernel23.dll
yntdll.dll
\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    imapi.exe:1180
    Lskmkx.exe:1696
    drwtsn32.exe:1328
    %original file name%.exe:1376

  3. Delete the original Worm file.
  4. Delete or disinfect the following files created/modified by the Worm:

    %WinDir%\Temp\ubsoeb9w.TMP (146970 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\user.dmp (186631 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (453902 bytes)
    %Documents and Settings%\%current user%\Application Data\Lskmkx.exe (1281 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Lskmkx" = "%Documents and Settings%\%current user%\Application Data\Lskmkx.exe"

  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now