3 domains are used to control bots:
j.rania-style.com active
j.symtec.us not active
j.idolmovies.com not active
Resolved : [j.rania-style.com] To [175.6.1.159]
Resolved : [j.rania-style.com] To [122.226.202.221]
Resolved : [j.rania-style.com] To [117.21.224.29]
Resolved : [j.rania-style.com] To [121.61.118.106]
C&C server:
j.rania-style.com:1888
j.rania-style.com:6971
Traffic – by DNS
14 domain found
Country Domain IP
US 113890url.displayadfeed.com 66.45.56.124
US myvideos.stream-free-movies-online.com 66.45.56.124
CH viewster.com 80.74.132.62
US player.viewster.com 203.77.188.253
MY fpdownload2.macromedia.com 202.187.31.11
US viewster-farm.hiro.tv 203.77.188.253
US cdn.hiro.tv 216.137.55.129
NL viewsterapp.hiro.tv 176.34.226.113
US v.admaxserver.com 64.236.90.73
SG bs.serving-sys.com 202.79.210.121
MY ds.serving-sys.com 202.187.31.40
US event.adxpose.com 205.217.176.16
US divaag-99.fcod.llnwd.net 203.77.189.204
US 203.77.189.204 0.0.0.0
Traffic – by TCP/IP Connections
21 outbound connection found
Country IP Port
CN 117.21.224.29 1888
US 203.77.189.198 1935
US 65.54.234.101 443
US 66.45.56.124 80
CH 80.74.132.62 80
US 203.77.188.253 80
US 203.77.188.254 80
MY 202.187.31.11 80
US 216.137.55.129 80
NL 176.34.226.113 80
US 64.236.90.73 80
US 64.236.90.72 80
US 64.236.90.9 80
SG 202.79.210.121 80
MY 202.187.31.40 80
US 205.217.176.16 80
US 64.236.90.8 80
US 165.193.73.49 80
US 203.77.189.204 80
US 0.0.0.0 80
US 66.119.33.141 80
Traffic – by URL
77 outbound URL connection found
URL
113890url.displayadfeed.com/cpv.jsp?p=113890&aid=10036145&partnerMin=0.00&ron=on&ronMin=0.00&url=&context=&default=http://cpvback.ols30.t6
113890url.displayadfeed.com/impressions?p=113890&aid=10036145&partnerMin=0.00&ron=on&ronMin=0.00&url=&context=&default=http://cpvback.ols30.t6&ip=202.190.74.20
113890url.displayadfeed.com/impressions/?p=113890&aid=10036145&partnerMin=0.00&ron=on&ronMin=0.00&url=&context=&default=http://cpvback.ols30.t6&ip=202.190.74.20
113890url.displayadfeed.com/favicon.ico
113890url.displayadfeed.com/cresults.jsp?JS=X&p=113890&aid=10036145&partnerMin=0.00&ron=on&ronMin=0.00&url=&context=&default=http://cpvback.ols30.t6&ip=202.190.74.20&POS=4×136&VIEWPORT=773×437&IFRAME=N&FLASH=Y&COOKIES=Y&RES=800×600&REFERER=NONE
myvideos.stream-free-movies-online.com/results1/?http%3A%2F%2Fviewster.com%2Fsplash%2Fstar-interview-2.aspx%3Futm_source%3Dadon_275151_113890_10036145_none%26utm_medium%3Dcpv%26utm_campaign%3Dasiacpv%26adv%3D573900%26req%3D%24%7BCLICKID%7D
myvideos.stream-free-movies-online.com/favicon.ico
viewster.com/splash/star-interview-2.aspx?utm_source=adon_275151_113890_10036145_none&utm_medium=cpv&utm_campaign=asiacpv&adv=573900&req=${CLICKID}
player.viewster.com/landing-video/js/star-interview-2.js
player.viewster.com/landing-video/js/jquery-1.6.1.min.js
player.viewster.com/landing-video/flowplayer/flowplayer-3.2.6.min.js
player.viewster.com/landing-video/js/jquery.tools.min.1.2.7.js
player.viewster.com/landing-video/img/overlay/transparent.png
player.viewster.com/landing-video/img/index-screenshot.jpg
player.viewster.com/landing-video/img/headline-switcher.png
player.viewster.com/landing-video/img/overlay/close.png
player.viewster.com/landing-video/flowplayer/flowplayer.commercial-3.2.7-3.swf
fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml10.0.45.2
player.viewster.com/landing-video/flowplayer/flowplayer.analytics-3.2.2.swf
viewster.com/favicon.ico
player.viewster.com/landing-video/flowplayer/flowplayer.rtmp-3.2.3.swf
viewster-farm.hiro.tv/crossdomain.xml
viewster-farm.hiro.tv/iframes/scripts/webshop/Flowplayer_Hiro.swf
player.viewster.com/iframes/scripts/api/PublisherEvents.js
player.viewster.com/landing-video/flowplayer/flowplayer.controls-3.2.5.swf
cdn.hiro.tv/CookieSetterAS3.swf
viewsterapp.hiro.tv/crossdomain.xml
v.admaxserver.com/crossdomain.xml
v.admaxserver.com/?advideo/3.0/559.1/3744635/0//cc=2;vidAS=pre_roll;vidRT=VAST;vidRTV=2.0
v.admaxserver.com/?advideo/3.0/559.1/3744635/0//cc=2;cfp=1;rndc=1338601909;vidAS=pre_roll;vidRT=VAST;vidRTV=2.0
bs.serving-sys.com/crossdomain.xml
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=is&c=23&pl=VAST&pli=4555741&pi=0&pos=9090&ord=601909882&cim=1
viewster.com/splash/star-interview-2.aspx/IncreaseTotalAdCount?{}
ds.serving-sys.com/BurstingRes//Site-13717/Type-12/c6611ed9-d6fe-4d2e-a6dd-bcc53f2b7483.flv
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoStarted~0~0~1~0~1~25245038~0&pos=5860&ebRandom=124818916&dg=404485&ta=-1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=riis&pl=VAST&pos=5860&c=24&ai=9359013&pluid=0&ord=124818916&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_CREATIVEVIEW;imptype=2;refsequenceid=2719198354;
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_START;imptype=2;refsequenceid=2719198354;
event.adxpose.com/event.flow?uid=XL9NIwSc8U6QB7Yr_77001371&eventcode=000_000_12&location=&wh=&xy=&vchannel=3744635&cid=7700137&duration=0&iframed=0&referer=&p=0;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb25Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=124818916&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_25;imptype=2;refsequenceid=2719198354;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb50Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=124818916&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_MID;imptype=2;refsequenceid=2719198354;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb75Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=124818916&dg=404485&ta=-1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=is&c=23&pl=VAST&pli=4555741&pi=0&pos=9090&ord=601921145&cim=1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_75;imptype=2;refsequenceid=2719198354;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoFullPlay~0~0~1~0~1~25245038~0&pos=5860&ebRandom=124818916&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_END;imptype=2;refsequenceid=2719198354;
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_CREATIVEVIEW;imptype=2;refsequenceid=2517875528;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoStarted~0~0~1~0~1~25245038~0&pos=5860&ebRandom=2338310408&dg=404485&ta=-1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=riis&pl=VAST&pos=5860&c=24&ai=9359013&pluid=0&ord=2338310408&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_START;imptype=2;refsequenceid=2517875528;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb25Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=2338310408&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_25;imptype=2;refsequenceid=2517875528;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb50Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=2338310408&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_MID;imptype=2;refsequenceid=2517875528;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb75Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=2338310408&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_75;imptype=2;refsequenceid=2517875528;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoFullPlay~0~0~1~0~1~25245038~0&pos=5860&ebRandom=2338310408&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_END;imptype=2;refsequenceid=2517875528;
divaag-99.fcod.llnwd.net/fcs/ident2
203.77.189.204/open/1
divaag-99.fcod.llnwd.net/open/1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=is&c=23&pl=VAST&pli=4555741&pi=0&pos=9090&ord=601963243&cim=1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=riis&pl=VAST&pos=5860&c=24&ai=9359013&pluid=0&ord=94545476&dg=404485&ta=-1
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoStarted~0~0~1~0~1~25245038~0&pos=5860&ebRandom=94545476&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_CREATIVEVIEW;imptype=2;refsequenceid=2585018788;
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_START;imptype=2;refsequenceid=2585018788;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb25Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=94545476&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_25;imptype=2;refsequenceid=2585018788;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb50Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=94545476&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_MID;imptype=2;refsequenceid=2585018788;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^eb75Per_Played~0~0~1~0~1~25245038~0&pos=5860&ebRandom=94545476&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_75;imptype=2;refsequenceid=2585018788;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=isi&pl=VAST&interactionsStr=9359013~~0^ebVideoFullPlay~0~0~1~0~1~25245038~0&pos=5860&ebRandom=94545476&dg=404485&ta=-1
v.admaxserver.com/rmevent/3/559/3744635/0/0/AdId=7700137;CreativeId=55733;BnId=1;rmeventtype=VID_END;imptype=2;refsequenceid=2585018788;
bs.serving-sys.com/BurstingPipe/adServer.bs?cn=is&c=23&pl=VAST&pli=4555741&pi=0&pos=9090&ord=602038204&cim=1
channels,logins,strings included here:
Processes:
PID ParentPID User Path
--------------------------------------------------
896 1200 xxxx:xxx C:Documents and SettingsxxxMes documentsxxxxxxhhhh
Ports:
Port PID Type Path
--------------------------------------------------
Explorer Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
IE Dlls:
DLL Path Company Name File Description
--------------------------------------------------
No changes Found
Loaded Drivers:
Driver File Company Name Description
--------------------------------------------------
Monitored RegKeys
Registry Key Value
--------------------------------------------------
Kernel31 Api Log
--------------------------------------------------
***** Installing Hooks *****
719f74df RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters)
719f80c4 RegOpenKeyExA (Protocol_Catalog9)
719f777e RegOpenKeyExA (000000B1)
719f764d RegOpenKeyExA (Catalog_Entries)
719f7cea RegOpenKeyExA (000000000001)
719f7cea RegOpenKeyExA (000000000002)
719f7cea RegOpenKeyExA (000000000003)
719f7cea RegOpenKeyExA (000000000004)
719f7cea RegOpenKeyExA (000000000005)
719f7cea RegOpenKeyExA (000000000006)
719f7cea RegOpenKeyExA (000000000007)
719f7cea RegOpenKeyExA (000000000008)
719f7cea RegOpenKeyExA (000000000009)
719f7cea RegOpenKeyExA (000000000010)
719f7cea RegOpenKeyExA (000000000011)
719f7cea RegOpenKeyExA (000000000012)
719f7cea RegOpenKeyExA (000000000013)
719f7cea RegOpenKeyExA (000000000014)
719f7cea RegOpenKeyExA (000000000015)
719f7cea RegOpenKeyExA (000000000016)
719f7cea RegOpenKeyExA (000000000017)
719f7cea RegOpenKeyExA (000000000018)
719f7cea RegOpenKeyExA (000000000019)
719f2623 WaitForSingleObject(790,0)
719f87c6 RegOpenKeyExA (NameSpace_Catalog5)
719f777e RegOpenKeyExA (00000039)
719f835b RegOpenKeyExA (Catalog_Entries)
719f84ef RegOpenKeyExA (000000000001)
719f84ef RegOpenKeyExA (000000000002)
719f84ef RegOpenKeyExA (000000000003)
719f84ef RegOpenKeyExA (000000000004)
719f2623 WaitForSingleObject(788,0)
719e1af2 RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters)
719e198e GlobalAlloc()
7c80b72f ExitThread()
7d2454bb LoadLibraryA(KERNEL32.dll)=7c800000
7d2454bb LoadLibraryA(USER32.dll)=7e390000
7d2454bb LoadLibraryA(comdlg32.dll)=76340000
5cea9ca0 GetCurrentProcessId()=1200
58b53344 GetVersionExA()
58b533ab GetCommandLineA()
7d252c63 WaitForSingleObject(7e4,7530)
58b54952 GetVersionExA()
58b554e8 GetCurrentProcessId()=1200
58b55742 GetVersionExA()
7d252c63 WaitForSingleObject(77c,7530)
7ca0a547 GetVersionExA()
76341daf GetVersionExA()
7d23eab5 WaitForSingleObject(7e4,7530)
40175c GetCommandLineA()
4015f3 LoadLibraryA(advapi32.dll)=77da0000
7c8191f8 LoadLibraryA(advapi32.dll)=77da0000
77db991b RegOpenKeyExA (SOFTWAREMicrosoftCryptographyProvidersType 001)
77db99ab RegOpenKeyExA (HKLMSOFTWAREMicrosoftCryptographyDefaultsProvider TypesType 001)
77db7a7b RegOpenKeyExA (HKLMSOFTWAREMicrosoftCryptographyDefaultsProviderMicrosoft Strong Cryptographic Provider)
77db8d6c ReadFile()
7c821a94 CreateFileA(C:WINDOWSsystem32rsaenh.dll)
68026005 ReadFile()
680265ce RegOpenKeyExA (HKLMSoftwarePoliciesMicrosoftCryptography)
77db8830 LoadLibraryA(rsaenh.dll)=68000000
680223ff RegOpenKeyExA (HKLMSoftwareMicrosoftCryptography)
680257b0 RegOpenKeyExA (HKLMSoftwareMicrosoftCryptographyOffload)
4011f6 WriteProcessMemory(h=778,len=400)
401272 WriteProcessMemory(h=778,len=10000)
401272 WriteProcessMemory(h=778,len=3800)
401272 WriteProcessMemory(h=778,len=1e00)
4012e4 WriteProcessMemory(h=778,len=4)
401913 ExitProcess()
***** Injected Process Terminated *****
DirwatchData
--------------------------------------------------
WatchDir Initilized OK
Watching C:DOCUME~1xxxLOCALS~1Temp
Watching C:WINDOWS
Watching C:Program Files
Modifed: C:WINDOWSpfirewall.log
Created: C:DOCUME~1xxxLOCALS~1TempJET200A.tmp
Created: C:DOCUME~1xxxLOCALS~1TempJET41.tmp
Deteled: C:DOCUME~1xxxLOCALS~1TempJET41.tmp
Deteled: C:DOCUME~1xxxLOCALS~1TempJET200A.tmp
File: hhhh
Size: 120832 Bytes
MD5: DA214414C6CB140A90C571BA64865517
Packer: File not found C:iDEFENSESysAnalyzerpeid.exe
File Properties: CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductName
ProductVersion
Exploit Signatures:
---------------------------------------------------------------------------
Scanning for 19 signatures
Scan Complete: 312Kb in 0,031 seconds
Urls
--------------------------------------------------
http://%s/%s
http://%s/
http://
http://api.wipmania.com/ftp://%s:%s@%s:%d
RegKeys
--------------------------------------------------
gdatasoftware.
sunbeltsoftware.
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun
ExeRefs
--------------------------------------------------
File: hhhh_dmp.exe_
.exe
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
Internet Exploreriexplore.exe
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
.exe
lol.exe
winlogon.exe
explorer.exe
lsass.exe
Raw Strings:
--------------------------------------------------
File: hhhh_dmp.exe_
MD5: 06aa74d1dea550ab154e5c1ce59b16bc
Size: 319490
Ascii Strings:
---------------------------------------------------------------------------
!This program cannot be run in DOS mode.
Rich:
.text
`.rdata
@.data
.reloc
WPVS
t1h(
_[^]
QRPWV
RPQWV
QRPSV
txVhD
uaVhD
QRPSV
SVW3
u3h0
u!h(
u3h0
PQRV
RPQW
u:WhD
u#WhD
QRPW
RPQV
RPQV
PQRV
RPQW
RSSh
vG9u
t0WSV
WVRj
WSPQR
vt9u
t0WSV
WVRj
WSPQR
gfff
WVRj
PWQR
u3h0
u!h(
u3h0
>CAL
uGh4
=MSG t
=SDG
>MSG u`
SVW3
SVW3
9:vP
G;9r
@W;F
Wj h
t&j,j
Wjdj
F4VP
SWf9
t-f;
t=hH
_^[]
=pzC
|04+~4
_^[]
SVWP3
QWSVR
=lzC
QPRWS
RPQS
WQRV
_^[]
_^[]
un9F
t2j h
L9_@vI
;_@r
WVPQR
SQRj
STFU
=pzC
A8j@
QWRPV
B0QPV
=4yA
PQRj
PQRj
SVWh
STFU
Vh@P@
L9^8vE
;^8r
=pzC
hpP@
STFU
PL9^(v^
9+=pzC
+=pzC
+=pzC
+=pzC
+=pzC
+=pzC
;^(r
9~0v/
;~0r
9^8v;
:+=pzC
+=pzC
+=pzC
;^8r
9^@v2
:+=pzC
+=pzC
+=pzC
;^@r
tu9]
RVWPQ
uXWV
QVWRP
u$WP
E$_^[
tpVW
uTVW
E$_^[
E$^[
E$_^[
j&hx
t}hP
QVWh
95hVA
QVht
8POST
tWWV
PQWj
RPQVW
RPQVW
WVRPS
u h(
QWRS
SVWh
SVW3
95PWA
;5PWA
95PWA
;5PWA
VWQh4
t"j V
SVWh
=USERt
=PASS
:Uu#Vh
8Pu.
=FEATt
=TYPEt
=PASVu
=STATt
=LISTu
uuhh
ucWVh
RPQh
PQRh
QRPh
QVh:
Rh~f
_[^]
_[^]
F/PQ
~(WR
T0(RW
t=VW
Qh~f
u4SV
W$RP
tmQh
RSSh
t,PVQ
O,@PQ
TSVW3
WWWWh
F4RP
LSVW3
^<^[
V4QR
vJ9^,u
;F8v
N4PQ
F4RP
F@@PR
F,BRP
u-SSV
RSWWj
8httpu1
u$8H
QRVP
RVPQ
QRVP
RVPQ
=|[A
Qh~f
SVWP
=|[A
Rh~f
hh)A
h`)A
=|[A
tlWP
=|[A
tlWP
=|[A
Rh~f
=|[A
=|[A
_^[]
h0^A
hh^A
SVWj
_^Yj
QPPPPh
h(*A
SVWj,
VjP
[@^]
Vj.P
[@^]
QRRj
RRRRf
[_^]
SVWh
h0*A
*t2:
VhH*A
Qh4*A
QSV3
j PhxWA
h`*A
Vj#S
_^[]
Wj*P
^[_]
h0+A
h$+A
SVWh
VVVV
WWVS
SVW3
RVh-
@PVj
PVh-
VhH+A
SVW3
@PVj
RVj"W
hT+A
hT+A
h|+A
ht+A
Rhh+A
QhX+A
@PVR
Wj j+V
<%u2
VVVV
SVWh
QRPu
PQRu
h ,A
QRhL]A
PhTA
Ph$]A
9Q@w
RRhh
h`]A
h`]A
h`]A
h`]A
Ph0]A
8nu8h
Rh0]A
Qh0]A
Rh0]A
Ph@]A
8nu8h
Rh@]A
Qh@]A
Rh@]A
htXA
h@XA
PVRQhT`A
PQRVh
RQPhT`A
PQRSh
8_^[
hPXA
hXA
hHXA
Rh0]A
Rh0]A
Rh@]A
Qh@]A
h|,A
h|,A
hx,A
QhP_A
Qh|_A
hx,A
h(XA
hp,A
hd,A
h8XA
8httpuM
8:uE
u>8P
PhD,A
$_^[
Qh@`A
_^[
h@,A
h(`A
h|bA
QRPh4,A
h`XA
h4XA
hXXA
hpXA
QRPh4,A
hhXA
RPQh4,A
SVWh
8#t"
RVWP
SVWR
hx,A
hx,A
hx]A
Qhl]A
PQh0]A
u(hl
Ph$]A
QRh0]A
SVW3
h -A
t"h<-A
t"h0-A
u5h(-A
Vh$cA
VhDcA
VhdcA
VhpcA
t)h0u
SVW3
RPhD-A
QRPh
QRPh
PQRhTaA
PQhDbA
PRh(aA
QRPh
SVW3
tRh|,A
uBPh
h`]A
h -A
PWQRh
SPQh
PSRhTaA
PhTaA
PRhDbA
Ph(aA
hx,A
tqCh
s[h5
ht.A
SWhl.A
hd.A
t'j j
h<.A
h46A
SVWh
hx,A
Rh$6A
h/A
h/A
tb@Ph
Rhd/A
;< t
SVW3
Wh00A
h 0A
5$iA
50iA
5<iA
5HiA
5TiA
5`iA
5liA
95$iA
6 iA
taVW
h@0A
hD0A
Ph<_A
|Sj 3
tlSSSSSSSSSShL0A
Phd0A
tU< u
u2Wh
h(3A
hT+A
hT+A
SVWh
hT+A
h,3A
u.h,3A
SVWh
RhP3A
PVQR
h@3A
;SDG
8SDG
h,3A
Qhx3A
RPhl3A
QRhT3A
t!WV
_^[]
hl.A
hd.A
hl.A
hd.A
h(mA
h(5A
t!h85A
_^t)
9|:~
:~+w:~
%s.%s
pdef
%s.%S
%s.Blocked "%s" from removing our bot file!
%s.Blocked "%S" from removing our bot file!
block
bdns
CreateFileW
0123456789ABCDEF
i.root-servers.org
%s.Blocked "%s" from moving our bot file
%s.Blocked "%S" from moving our bot file
%s.p10-> Message hijacked!
%s.p10-> Message to %s hijacked!
%s.p21-> Message hijacked!
msnmsg
msnint
baddr
X-MMS-IM-Format:
CAL %d %256s
msnu
Done frst
ngr->blocksize: %d
block_size: %d
NtFreeVirtualMemory
NtAllocateVirtualMemory
NtQuerySystemInformation
LdrEnumerateLoadedModules
NtQueryInformationProcess
LdrGetProcedureAddress
NtQueryVirtualMemory
LdrLoadDll
NtQueryInformationThread
LdrGetDllHandle
RtlAnsiStringToUnicodeString
.pipe%s
kernel32.dll
GetNativeSystemInfo
%s_%d
%s_0
-%sMutex
SeDebugPrivilege
ntdll.dll
NtGetNextProcess
%s-pid
%s-comm
NtResumeThread
PONG
JOIN #
PRIVMSG #
%s.Blocked "%S" from creating "%S"
%s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot!
.exe
%s.Detected process "%S" sending an IRC packet to server %s:%d.
%s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s).
PRIVMSG %255s
JOIN %255s
PRIVMSG
JOIN
%s:%d
NtSetInformationProcess
%s.%s%s
%S%s%s
HKCU
HKLM
%s.%S%S
%S%S%S
state_%s
%s.%s (p='%S')
pop3://%s:%s@%s:%d
popgrab
%s:%s@%s:%d
anonymous
ftp://%s:%s@%s:%d
ftpgrab
%s.%s ->> %s (%s : %s)
%s.%s ->> %s : %s
Directadmin
WHCMS
cPanel
blog
%s-%s-%s
ffgrab
iegrab
%s.Blocked possible browser exploit pack call on URL '%s'
%s.Blocked possible browser exploit pack call on URL '%S'
webroot.
fortinet.
virusbuster.nprotect.
gdatasoftware.
virus.
precisesecurity.
lavasoft.
heck.tc
emsisoft.
onlinemalwarescanner.
onecare.live.
f-secure.
bullguard.
clamav.
pandasecurity.
sophos.
malwarebytes.
sunbeltsoftware.
norton.
norman.
mcafee.
symantec
comodo.
avast.
avira.
avg.
bitdefender.
eset.
kaspersky.
trendmicro.
iseclab.
virscan.
garyshood.
viruschief.
jotti.
threatexpert.
novirusthanks.
virustotal.
login[password]
login[username]
*members*.iknowthatgirl*/members*
IKnowThatGirl
*youporn.*/login*
YouPorn
*members.brazzers.com*
Brazzers
clave
numeroTarjeta
*clave=*
*bcointernacional*login*
Bcointernacional
*:2222/CMD_LOGIN*
*whcms*dologin*
*:2086/login*
*:2083/login*
*:2082/login*
*webnames.ru/*user_login*
Webnames
*dotster.com/*login*
Dotster
loginid
*enom.com/login*
Enom
login.Pass
login.User
*login.Pass=*
*1and1.com/xml/config*
1and1
token
*moniker.com/*Login*
Moniker
LoginPassword
LoginUserName
*LoginPassword=*
*namecheap.com/*login*
Namecheap
loginname
*godaddy.com/login*
Godaddy
Password
EmailName
*Password=*
*alertpay.com/login*
Alertpay
*netflix.com/*ogin*
Netflix
*thepiratebay.org/login*
Thepiratebay
*torrentleech.org/*login*
Torrentleech
*vip-file.com/*/signin-do*
Vip-file
*pas=*
*sms4file.com/*/signin-do*
Sms4file
*letitbit.net*
Letitbit
*what.cd/login*
Whatcd
*oron.com/login*
Oron
*filesonic.com/*login*
Filesonic
*speedyshare.com/login*
Speedyshare
*pw=*
*uploaded.to/*login*
Uploaded
*uploading.com/*login*
Uploading
loginUserPassword
loginUserName
*loginUserPassword=*
*fileserv.com/login*
Fileserve
*hotfile.com/login*
Hotfile
*4shared.com/login*
4shared
txtpass
txtuser
*txtpass=*
*netload.in/index*
Netload
*freakshare.com/login*
Freakshare
login_pass
*login_pass=*
*mediafire.com/*login*
Mediafire
*sendspace.com/login*
Sendspace
*megaupload.*/*login*
Megaupload
*depositfiles.*/*/login*
Depositfiles
userid
*signin.ebay*SignIn
eBay
*officebanking.cl/*login.asp*
OfficeBanking
*secure.logmein.*/*logincheck*
LogMeIn
session[password]
session[username_or_email]
*password]=*
*twitter.com/sessions
Twitter
txtPassword
txtEmail
*&txtPassword=*
*.moneybookers.*/*login.pl
Moneybookers
*runescape*/*weblogin*
Runescape
*dyndns*/account*
DynDNS
*&password=*
*no-ip*/login*
NoIP
*steampowered*/login*
Steam
quick_password
quick_username
username
*hackforums.*/member.php
Hackforums
email
*facebook.*/login.php*
Facebook
*login.yahoo.*/*login*
Yahoo
passwd
login
*passwd=*
*login.live.*/*post.srf*
Live
TextfieldPassword
TextfieldEmail
*TextfieldPassword=*
*gmx.*/*FormLogin*
*Passwd=*
Gmail
FLN-Password
FLN-UserName
*FLN-Password=*
*fastmail.*/mail/*
Fastmail
pass
user
*pass=*
*bigstring.*/*index.php*
BigString
screenname
*screenname.aol.*/login.psp*
password
loginId
*password=*
*aol.*/*login.psp*
Passwd
Email
*service=youtube*
*google.*/*ServiceLoginAuth*
YouTube
login_password
login_email
*login_password=*
*paypal.*/webscr?cmd=_login-submit*
PayPal
%s / ?%d HTTP/1.1
Host: %s
User-Agent: %s
Keep-Alive: 300
Connection: keep-alive
Content-Length: 42
POST
Mozilla/4.0
Connection: Close
X-a: b
.PHYSICALDRIVE0
00100
SeShutdownPrivilege
NtShutdownSystem
This binary is invalid.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error
shell32.dll
http
httpi
usbi
dnsapi.dll
DnsFlushResolverCache
http://%s/%s
http://%s/
HTTP
Host:
POST /%1023s
[%s[%s%s[%s
N%s[%s[%s%s[%s
<br>
admin
isadmin
%s|%s|%s
[DNS]: Redirecting "%s" to "%s"
disabled
enabled
%s|%s
[Logins]: Cleared %d logins
#user
#admin
#new
removing
exiting
reconnecting
MOTD
bsod
disable
POP3 ->
FTP ->
[d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s)
dlds
http://
rebooting
[Login]: %s
[DNS]: Blocked %d domain(s) - Redirected %d domain(s)
[Speed]: Estimated upload speed %d KB/s
SoftwareMicrosoftWindowsCurrentVersionRun
ngrBot
running
IPC_Check
shellopencommand=
shellexplorecommand=
icon=shell32.dll,7
useautoplay=1
action=Open folder to view files
shellexecute=
[autorun]
.lnk
%windir%system32cmd.exe
&&%%windir%%explorer.exe %%cd%%%s
/c "start %%cd%%RECYCLER%s
RECYCLER
.inf
%s%s
.%c:
%s%s
%sautorun.tmm
%sautorun.inf
%c:
gdkWindowToplevelClass
%0x.scr
comment-text
*bebo.*/c/home/ajax_post_lifestream_comment
bebo Lifestream
*bebo.*/c/profile/comment_post.json
bebo Comment
Message
*bebo.*/mail/MailCompose.jsp*
bebo Message
*friendster.*/sendmessage.php*
Friendster Message
comment
Friendster Comment
shoutout
*friendster.*/rpc.php
Friendster Shoutout
*vkontakte.ru/mail.php
vkontakte Message
*vkontakte.ru/wall.php
vkontakte Wall
message
*vkontakte.ru/api.php
vkontakte Chat
text
*twitter.*/*direct_messages/new*
Twitter Message
*twitter.*/*status*/update*
Twitter Tweet
status
*facebook.*/ajax/*MessageComposerEndpoint.php*
Facebook Message
msg_text
*facebook.*/ajax/chat/send.php*
Facebook IM
-_.!~*'()
Content-Length:
%s.%s hijacked!
MSG %d %s %d
MSG %d %1s
SDG %d %d
Reliability:
From:
Content-Length: %d
X-MMS-IM-Format:
SDG %d
bmsn
%s_0x%08X
RegCreateKeyExW
RegCreateKeyExA
URLDownloadToFileW
URLDownloadToFileA
PR_Write
DnsQuery_W
DnsQuery_A
InternetWriteFile
HttpSendRequestW
HttpSendRequestA
GetAddrInfoW
send
CreateFileA
MoveFileW
MoveFileA
DeleteFileW
DeleteFileA
CopyFileW
CopyFileA
NtQueryDirectoryFile
NtEnumerateValueKey
%08x
OPEN
DnsFree
DnsQuery_A
DNSAPI.dll
FreeContextBuffer
InitializeSecurityContextW
FreeCredentialsHandle
DeleteSecurityContext
QueryContextAttributesW
AcquireCredentialsHandleW
EncryptMessage
DecryptMessage
InitializeSecurityContextA
ApplyControlToken
Secur32.dll
SHGetSpecialFolderPathW
SHGetFileInfoA
ShellExecuteA
SHELL32.dll
InternetCloseHandle
InternetReadFile
InternetQueryDataAvailable
HttpQueryInfoA
InternetOpenUrlA
InternetOpenA
HttpQueryInfoW
InternetQueryOptionW
WININET
.dll
PathAppendW
StrStrIA
PathAppendA
PathFindExtensionA
SHLWAPI.dll
WS2_32.dll
memset
wcsstr
strstr
wcsrchr
??3@YAXPAX@Z
atoi
sscanf
_strcmpi
printf
_snprintf
sprintf
strncpy
_memicmp
_wcsnicmp
_vsnprintf
_stricmp
strtok
strchr
_snwprintf
??2@YAPAXI@Z
_strnicmp
isxdigit
memmove
strncmp
toupper
strrchr
vsprintf
isalnum
strncat
MSVCRT.dll
lstrcpyA
MoveFileExA
lstrcmpA
WideCharToMultiByte
MoveFileExW
lstrcmpW
ExitThread
MultiByteToWideChar
GetFileAttributesA
SetFileAttributesW
GetFileAttributesW
LoadLibraryW
CloseHandle
SetFileTime
CreateFileW
GetFileTime
GetSystemTimeAsFileTime
WriteFile
GetModuleHandleW
GetLastError
ReadFile
GetTickCount
HeapAlloc
GetProcessHeap
HeapFree
lstrlenA
Sleep
WriteProcessMemory
ReadProcessMemory
InitializeCriticalSection
LeaveCriticalSection
EnterCriticalSection
HeapReAlloc
SetEvent
ConnectNamedPipe
CreateNamedPipeA
CreateEventA
DisconnectNamedPipe
GetOverlappedResult
WaitForMultipleObjects
CreateFileA
VirtualFreeEx
VirtualAllocEx
IsWow64Process
CreateRemoteThread
OpenProcess
WaitForSingleObject
ReleaseMutex
MapViewOfFile
OpenFileMappingA
CreateFileMappingA
InterlockedIncrement
UnmapViewOfFile
CreateMutexA
GetVersionExA
GetModuleFileNameW
InterlockedCompareExchange
CreateThread
GetWindowsDirectoryW
DeleteFileW
GetTempFileNameW
lstrcatW
lstrcpynW
DeleteFileA
SetFileAttributesA
lstrcpyW
LocalFree
LocalAlloc
lstrcpynA
SetFilePointer
DeviceIoControl
VirtualAlloc
CreateProcessW
ExitProcess
lstrcatA
GetVolumeInformationW
GetLocaleInfoA
FlushFileBuffers
CopyFileW
FindClose
FindNextFileA
FindFirstFileA
SetCurrentDirectoryA
LockFile
GetFileSize
CreateDirectoryA
GetLogicalDriveStringsA
OpenMutexA
GetModuleFileNameA
GetWindowsDirectoryA
KERNEL32.dll
MessageBoxA
wvsprintfA
wsprintfW
DefWindowProcA
DispatchMessageA
TranslateMessage
GetMessageA
RegisterDeviceNotificationA
CreateWindowExA
RegisterClassExA
USER32.dll
CryptGetHashParam
CryptDestroyHash
CryptHashData
CryptReleaseContext
CryptCreateHash
CryptAcquireContextA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegSetValueExW
RegCreateKeyExW
RegNotifyChangeKeyValue
RegSetValueExA
RegOpenKeyExA
ADVAPI32.dll
CoCreateInstance
CoInitialize
ole32.dll
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
!!!!!!!!
@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@""""""""""""""""
@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x
j.rania-style.com
smart
j.symtec.us
smart
j.idolmovies.com
smart
smart
fbi.gov
]1.1.0.0
30e4}aa1
FvLQ49Il
IyLjj6m
msn.set
msn.int
http.set
http.int
http.inj
mdns
stats
speed
logins
slow
ssyn
stop
F4XA
gGWHXA
5hXA
ZpXA
_ WA
)0WA
u{A<WA
[@WA
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
SSRR %s 0 0 :%s
KCIK %s
SEND %s %s
PART %s
PPPPMSG %s :%s
QUIT :%s
PPNG %s
PING
PPPPMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread inte
rval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
httpspread
http://api.wipmania.com/
.pipe%08x_ipc
0;0G0O0V0d0n0s0
1)13181Y1e1u1|1
2C2c2
3 363M3j3u3
6(6/686J6O6T6m6
7 7(7O7V7_7
7=8T88
9#9:9W9^9f9~9
98:R:[:
;U<e<j<p<
<g=o=
>*>N>
?%?/?6?A?P?
0<0E0L0S0c0i0t0{0
2!3-4d4n4s4
5(5:5?5D5a5x5
6 6J6a6
7&7.7>7I7N7f7
1#2_2
8"8Q8X8g8q8
9':;:Y:
<'<1<H<X<x<
=%=7=D=K=Z=w=}=
>@>R>>m>
?1?<?B?j?
0g0g1
1"2Q2~2
203N3
424>4^4
8;9~9
:K:';A;_;
<4<><T<^<h<
=*=>=D=N=l=u=
>#>)>8>>>O>Y>^>p>u>
?8?L?c?u?
0$1-1H1N1_1n1
313Y3k3
414l4
515B5P5u5
676V6_6f6v6
889Y9r9
:-:G:
;#;(;2;7;<;A;F;W;
<5<?<^<
<W=l=|=
=d>o>{>
?/?U?`?p?
1P2T2X2
3?4a4h4
5A5H5|5
7U8]8f8}8
9'9-939q9
: :%:n:
;1;J;d;
<%<3<<<B<i<v<
=$=+=0===E=L=T=o=v=
=6>E>
?%?4??
0'0K0�s0x0}0
091M1g1t1
3[3q3
3*494
4-575w5~5
5B6L6
6(7I7]7z7
848_9m9w9
:+:1:7:D:Q:V:e:t:
; ;,;8;L;Q;V;n;s;x;};
;5<B<]<w<
=5===B=N=S=g=l=
5"6-6B6L6Q6c6u6
7 70767=7L7R7
94:{:
'010
1.1F1^1
2(2>2P2b2t2
4K5f5
6=6K6Y6
7*7/7L7S7r7
8]8i8
9+9;9A9G9d9q9w9}9
9/:b:h:
;!;S;`;h;s;
;E<e<w<
=.=<=A=F=L=R=k=u=
>#>,>X>
?-??y?
42484T4`4f4
4X5]5|5
6-646D6Q6[6b6g6q6z6
9 9&9<9G9R9W99q9v9
9::G:M:b:j:z:
;.;6;;;B;H;S;c;k;
<+<F<T<`<
=3=E=Q=
>3>T>k>z>
?Z?r?{?
%0<0V0h0
141>1l1
3g3r3
34c4
5*585R5w5
6!6<6R6a6
7=7C7T7g7z7
8-9L9w9
9-:D:W:
;#;4;:;T;Z;
<#<(<-<2<7<P<j<w<
=)=.=K=[=`=}=
>+>I>V>[>s>z>
?*?H?T?a?g?u?
0,0J0Z0g0l0v0
1%101=1C1I1W1s1y1
2'212<2J2_2
3"3@3P3V3
4)4J4h4x4
535Q5s5
6!6.656D6S6`6m6z6
7?7E7
7'8,818[8w8
8.9K9V9s9
:':,:D:T:Y:r:
;2;7;W;r;w;|;
<$<5<<<F<N<b<
=(=I=O=Z=r=|=
>V>g>|>
>#?h?
0-070D0x0
0@1G1
132D2Z2p2
3*343=3R3^3
3-434=4F5P5]5
536N6[6
637B7U7d7q7
818>8T8]8|8
9T9`9o9u9z9
:!:,:3:;:A:O:Y:f:l:r:
;(;3;9;?;Q;];c;i;{;
<&<3<8<G<T<Z<`<n<
<,=3=A=G=W=w=|=
>@>E>>
>W?`?
010C0H0M0a0f0k0
1 1$1<1M1U1
1-2O2z2
3I3Z3o3z3
4"4'4<4U4_4t4z4
575=5r5|5
6(6=6P6m6z6
7 767<7~7
8A8F8Y8c8j8
999C9
:%:,:3:=:F:e:
;+;=;D;X;];c;i;n;
;.<4<;<@<e<p<w<
="=*=0=;=F=O=Z=b=g=v={=
=7>N>W>]>
>&?7?~?
40;0A0Q0a0
2)2A2[2
2T3]3f5
6F6Y6t6
7I7Y7_7e7k7q7w7}7
8*808;8~8
9 9O9X9^9
9$:0:Q:
:&;2;8;F;
<"<2<=<Q<W<i<
=$=*=4=:=E=K=S=e=
>;>I>
?!?F?M?W?
1$1<1I1[1g1
2%2>2V2a2t2|2
373E3M3a3l3
3@4N4U4
5/565<5R5k5
666i6
7.7M7
8,818M8[8`8
8?9R9
:#:4:9:?:E:P:{:
;#;B;U;[;b;r;
<!<o<
=$=;=C=N=S=X=i=n=s=}=
>">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|>
?B?H?N?T?Z?`?f?l?r?x?~?
4 4$4(4,4044484<4@4D4H4L4P4T4X66`6h6l6p6t6x6|6
7D7L7X77`7d7h7l7p7t7
9(949@9L9X9d9p9|9
:$:0:<:H:T:`:l:x:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;;`;d;h;
4 4$4(4,4044484<4@4D4H4L4P4T4X44`4d4h4l4p4t4x4|4
5 5$5(5,5054585<5@5D5H5L5P5T5X55`5d5h5l5p5t5x5|5
6 6$6(6,6064686<6@6D6H6L6P6T6X66`6d6h6l6p6t6x6|6
7 7$7(7,7074787<7@7D7H7L7P7T7X77`7d7h7l7p7t7x7|7
8 8$8(8,8084888<8@8D8H8L8P8T8X88`8d8h8l8p8t8x8|8
8 9,989D9P99h9x9|9
: :(:,:0:8:<:@:X:`:d:h:l:p:x:|:
; ;$;(;,;0;8;<;@;D;H;P;T;X;;`;h;l;p;t;x;
< <(<,<0<4<8<@<D<H<L<P<X<<`<d<h<p<t<|<
=(=0=8=@=H=T==d=l=
Unicode Strings:
---------------------------------------------------------------------------
Ajjj
jjjj
jjjj
jjjj
$jjj
Ajjj
DBWIN
.pipe
kernel32.dll
ntdll.dll
Internet Exploreriexplore.exe
autorun.inf
pidgin.exe
wlcomm.exe
msnmsgr.exe
msmsgs.exe
flock.ex
opera.exe
chrome.exe
ieuser.exe
iexplore.exe
firefox.exe
HKCU
HKLM
Microsoft Unified Security Protocol Provider
.ipconfig.exe
verclsid.exe
regedit.exe
rundll32.exe
cmd.exe
regsvr32.exe
l"%s" %S
POST
.exe
lol.exe
n127.0.0.1
%s:Zone.Identifier
wininet.dll
secur32.dll
ws2_32.dll
:%S%SDesktop.ini
winlogon.exe
explorer.exe
Aadvapi32.dll
urlmon.dll
nspr4.dll
dnsapi.dll
Akernel23.dll
y%s%s.scr
lsass.exe
Shell
SoftwareMicrosoftWindowsCurrentVersionRun
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem
.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun
sample for analysis here
and here
Xandora scan here
hosting infos:
http://whois.domaintools.com/175.6.1.159