AlStar

New virus

Posted (edited)

Hi!

In less than 5 hours, more than 10 people (10 that I have in my Messenger list) have been infected by an unknown virus.

From what I've seen on the others, the virus sends mass messages on Yahoo! Messenger:

Did you see the decorations we setup for Christmas? We went all out this year, take a look. http://c31ac-p.image-myspace.info:85/search.php&Result=3458/DVS-PartyPic008.JPEG.zip

From what I saw on VirusTotal, only one antivirus detects it, as a malware application, and it's not Kaspersky, Symantec, NOD32 or BitDefender..

I ran it, and after a few seconds the NOD32 firewall told me that the application "something-or-other bootloader" wanted to access an IP. I chose Deny, and after about 5 seconds it asked me again, but the 3rd time I chose "Create rule" with Deny and nothing showed up anymore, and the messages didn't get sent on Messenger either.

I've always wondered where others get hold of new viruses, fresh "out of the factory". I think I've figured it out: Yahoo! Messenger.

LE: I think this should have been posted under "News".. eh.. my bad.. sorry :D

Edited by AlStar
Posted (edited)

As I said, I ran it.

Here's something very interesting:

- I type in Firefox: Forumul Softpedia - Google shows up

- I type in Firefox: ESET - Antivirus Software with Spyware and Malware Protection - Google shows up

- same for kaspersky.com

The weird thing is that Google shows up, but the address bar still says eset.com ...

Fuck..what am I gonna do with this shit?

Later Edit: I'm back with new information: the sites above can be accessed through a web proxy. I tried via HideMyAss and ESET loads without any problems..

Edited by AlStar
Posted

Look at /Windows/system32/drivers/etc/hosts.

I think it's encrypted; the stub uses random names for the module names, I think something like a Stub Generator was used.

I think it also has some EOF data, but it's not plain text.

Posted (edited)

And what am I supposed to see there?

# Copyright (c) 1993-2001 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Later edit: I found some information about it.. I don't know how accurate it is..

http://info.prevx.com/aboutprogramtext.asp?PX5=C7C152BE00C1020860F50335219F6400ADE13D4F

Edited by AlStar
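The hosts file above is the stock Microsoft sample, so the hosts-file hijack suggested in the previous reply is not what is redirecting eset.com and kaspersky.com here (the fact that the sites load through a web proxy points at something on the local resolution path, such as changed DNS settings or a browser component, rather than the remote sites). The check is still the first thing a defender scripts when vendor sites start "showing Google". The following Python is an added example, not code from the thread: it parses a Windows hosts file, flags any entry that overrides a watched security-vendor domain, and classifies it as a blackhole (loopback or 0.0.0.0) or a redirect (any other address). eset.com and kaspersky.com are the domains named in the thread; the other watched names, the tampered sample file and the 203.0.113.7 address are constructed for illustration.

```python
"""Hosts-file hijack check (added example; not from the thread).
eset.com and kaspersky.com come from the thread; the other watched domains,
HIJACKED_HOSTS and the address 203.0.113.7 are constructed assumptions."""
import ipaddress
from typing import List, Tuple

# Watch-list of domains that malware commonly blackholes or redirects.
WATCHED_DOMAINS = ("eset.com", "kaspersky.com", "virustotal.com", "bitdefender.com")

# The clean hosts file posted in the thread, reduced to its mapping line.
CLEAN_HOSTS = """# Copyright (c) 1993-2001 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
"""

# Constructed sample of a tampered file: vendor sites sent to loopback or
# 0.0.0.0 (blackholed) and one sent to a remote address (redirected).
HIJACKED_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.eset.com eset.com
0.0.0.0 kaspersky.com www.kaspersky.com   # constructed blackhole entry
203.0.113.7 www.virustotal.com            # constructed redirect (TEST-NET-3 address)
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every mapping in a hosts file.
    Text after '#' is a comment; one address may carry several hostnames."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address without a hostname
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first token is not an address; skip rather than guess
        for host in parts[1:]:
            entries.append((parts[0], host.lower().rstrip("."), line_no))
    return entries


def is_watched(hostname: str) -> bool:
    """True for a watched domain or any of its subdomains."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_hijacks(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (line_no, hostname, ip, kind) for each watched domain the file
    overrides. 'blackhole' = loopback/unspecified address (site silently
    unreachable); 'redirect' = any other address (site served from a
    chosen host while the address bar still shows the real name)."""
    findings = []
    for ip, host, line_no in parse_hosts(text):
        if not is_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blackhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        findings.append((line_no, host, ip, kind))
    return findings


if __name__ == "__main__":
    # On a live Windows machine read the real file instead of the samples:
    # text = open(r"C:\Windows\System32\drivers\etc\hosts", errors="replace").read()
    for name, sample in (("clean", CLEAN_HOSTS), ("hijacked", HIJACKED_HOSTS)):
        print(f"{name}: {find_hijacks(sample) or 'no watched domains overridden'}")
```

An empty result, as for the file posted above, only rules out the hosts file; the same symptom can come from the DNS server configured on the adapter or from something inside the browser, which is why the proxy test in the earlier post is a useful second data point.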
Posted

Am I to understand that this is how we could tell whether we're infected? That is, without going through the whole Messenger list and using Hide Recent Messages (F3)

Posted

Anubis: Analyzing Unknown Binaries



[#############################################################################]
Analysis Report for DVS-PartyPic008.JPEG_www.image-myspace.com
MD5: e4fc55ce43a12291fdcd1078a10bc805
[#############################################################################]

Summary:
- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.

[=============================================================================]
Table of Contents
[=============================================================================]

- General information
- DVS-PartyPic008.JPEG_www.image-myspace.com
a) Registry Activities
File Activities


[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 241 s
Report created: 01/10/10, 12:26:49 UTC
Termination reason: Timeout
Program version: 1.73.0


[#############################################################################]
2. DVS-PartyPic008.JPEG_www.image-myspace.com
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: DVS-PartyPic008.JPEG_www.image-myspace.com
MD5: e4fc55ce43a12291fdcd1078a10bc805
SHA-1: 8ce5c546dfdfdf03758824ad42ada057891252a3
File Size: 221184 Bytes
Command Line: "C:\DVS-PartyPic008.JPEG_www.image-myspace.com"
Process-status
at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
Base Address: [0x73420000 ], Size: [0x00153000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
Base Address: [0x7E720000 ], Size: [0x000B0000 ]

[=============================================================================]
2.a) DVS-PartyPic008.JPEG_www.image-myspace.com - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
Value Name: [ AppInit_DLLs ], Value: [ ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 950 ], Value: [ c_950.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times


[=============================================================================]
2. DVS-PartyPic008.JPEG_www.image-myspace.com - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ]
File Name: [ C:\WINDOWS\system32\SXS.DLL ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]



[#############################################################################]
International Secure Systems Lab
http://www.iseclab.org

Vienna University of Technology Eurecom France UC Santa Barbara
http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu

Contact: anubis@iseclab.org

and when this one is done too:

http://anubis.iseclab.org/?action=result&task_id=1501cabdb98490e14cd17331099fb1bb8



[#############################################################################]
Analysis Report for MVC-IMAGEN0015.JPG_www.galeriadefotos.com
MD5: 53f6fbe013afb5e3d86f0e1a7ab26b02
[#############################################################################]

Summary:
- Spawns Processes:
The executable produces processes during the execution.

- Performs Registry Activities:
The executable reads and modifies registry values. It also creates and
monitors registry keys.

[=============================================================================]
Table of Contents
[=============================================================================]

- General information
- MVC-IMAGEN0015.JPG_www.galeriadefotos.com
a) Registry Activities
File Activities
c) Process Activities
- MVC-IMAGEN0015.


[#############################################################################]
1. General Information
[#############################################################################]
[=============================================================================]
Information about Anubis' invocation
[=============================================================================]
Time needed: 241 s
Report created: 01/10/10, 12:36:57 UTC
Termination reason: Timeout
Program version: 1.73.0


[#############################################################################]
2. MVC-IMAGEN0015.JPG_www.galeriadefotos.com
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Primary Analysis Subject
Filename: MVC-IMAGEN0015.JPG_www.galeriadefotos.com
MD5: 53f6fbe013afb5e3d86f0e1a7ab26b02
SHA-1: 619f905352997f995c3612a03c9dc008cef93d65
File Size: 204800 Bytes
Command Line: "C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com"
Process-status
at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ],
Base Address: [0x7C800000 ], Size: [0x000F6000 ]
Module Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ],
Base Address: [0x73420000 ], Size: [0x00153000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ],
Base Address: [0x7E410000 ], Size: [0x00091000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ],
Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],
Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],
Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ],
Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ],
Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],
Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],
Base Address: [0x77120000 ], Size: [0x0008B000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],
Base Address: [0x74720000 ], Size: [0x0004C000 ]
Module Name: [ C:\WINDOWS\system32\SXS.DLL ],
Base Address: [0x7E720000 ], Size: [0x000B0000 ]

[=============================================================================]
2.a) MVC-IMAGEN0015.JPG_www.galeriadefotos.com - Registry Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ],
Value Name: [ CUAS ], Value: [ 0 ], 1 time
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ],
Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ],
Value Name: [ AppInit_DLLs ], Value: [ ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ PolicyScope ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ],
Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ ItemSize ], Value: [ 779 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ ItemSize ], Value: [ 517 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ ItemSize ], Value: [ 918 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ ItemSize ], Value: [ 229 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ HashAlg ], Value: [ 32771 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ ItemSize ], Value: [ 370 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ],
Value Name: [ SaferFlags ], Value: [ 0 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 932 ], Value: [ c_932.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 936 ], Value: [ c_936.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 949 ], Value: [ c_949.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Nls\Codepage ],
Value Name: [ 950 ], Value: [ c_950.nls ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSAppCompat ], Value: [ 0 ], 3 times
Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ],
Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ],
Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ],
Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time


[=============================================================================]
2. MVC-IMAGEN0015.JPG_www.galeriadefotos.com - File Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File System Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ C:\ ], Control Code: [ 0x00090028 ], 1 time

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Device Control Communication:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Memory Mapped Files:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
File Name: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ]
File Name: [ C:\WINDOWS\system32\MSCTF.dll ]
File Name: [ C:\WINDOWS\system32\MSVBVM60.DLL ]
File Name: [ C:\WINDOWS\system32\SXS.DLL ]
File Name: [ C:\WINDOWS\system32\imm32.dll ]
File Name: [ C:\WINDOWS\system32\rpcss.dll ]

[=============================================================================]
2.c) MVC-IMAGEN0015.JPG_www.galeriadefotos.com - Process Activities
[=============================================================================]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Processes Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Executable: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ], Command Line: [ ]
Executable: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ], Command Line: [ "C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com" ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Remote Threads Created:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Affected Process: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Foreign Memory Regions Written:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Process: [ C:\MVC-IMAGEN0015.JPG_www.galeriadefotos.com ]



[#############################################################################]
3. MVC-IMAGEN0015.
[#############################################################################]
[=============================================================================]
General information about this executable
[=============================================================================]
Analysis Reason: Started by MVC-IMAGEN0015.JPG_www.galeriadefotos.com
Filename: MVC-IMAGEN0015.
Process-status
at analysis end: alive
Exit Code: 0

[=============================================================================]
Load-time Dlls
[=============================================================================]
Module Name: [ C:\WINDOWS\system32\ntdll.dll ],
Base Address: [0x7C900000 ], Size: [0x000AF000 ]



[#############################################################################]
International Secure Systems Lab
http://www.iseclab.org

Vienna University of Technology Eurecom France UC Santa Barbara
http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu

Contact: anubis@iseclab.org

LE:

MIRROR for both:

http://www.2shared.com/file/10579289/b0346600/Downloads.html

password:

rstcenter.com

Posted

Nicely done...

List of strings from the virus:


jjjj
jjh
jjjj
jjj
jjjjjj
!This program cannot be run in DOS mode.
4Rich
UPX0
`UPX1
`UPX2
UPX!
LXqr
nqBT+=
B|VK
xQwv
IXH
ITU
m/srB
u$?GL<
.diqj
pTD
dE$Y
FBy
t9F<g
Y,NT
8hdY
Twn
S|Vqr
OYE$
Cxz
&'eY%e
UBsM
Q3kQC
JQI
HLb
sKI
lucw
CEm
j8%ED
88GDA
QoT
yAg
wr\EJ
EL3y
L@Dv
Dy3Kon
tCAI
uMT
ivs
GS:3U
Ky!3U
G"u3U
XtD
XtD
hcOD
hMRD
hYUD
tdh
tjh
uPh
xqD
Pht
uZh
xqD
;M`tr
M8Qj
UTRj
jDj
QTR
Qh@A@
hhXD
SVW
;B<sK
h;XD
AuA
Pjl
AuA
PjL
Pjl
SVW
SVW
E0Pje
U0Rje
hXQD
hp.E
hXQD
hp.E
XtD
hXQD
hp.E
XtD
hMRD
h7QD
SVW
TpD
tpD
u*hd
Qhd
u*hh
Rhh
u/hl
Phl
Zu/hp
Qhp
u/ht
Rht
u,hx
Phx
ppD
dpD
DpD
HpD
LpD
PpD
tpD
tAh
lpD
hpD
SVW
SVW
hxOD
hHTD
hHTD
hhTD
hhTD
hHTD
hHTD
h(TD
SVW
SVW
hXQD
hp.E
hHSD
hMRD
Ejj
Ejj
Ejh
jjj
Djj
Bjj
jjj
Ajj
jjj
jjj
jjh
jjjj
jjjj
Djj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
jjj
PsD
jNhp
xsD
uMjXh
LsD
uGj`h
Ljeh$
LsD
PhD
DsD
u;jph\
LsD
*jvh
B(Ph
hhPD
uUh
TsD
uWh
LsD
Phx
xpD
hHbD
LsD
unh
LsD
Phh
LsD
LsD
HsD
h6bD
t(hD
Qhd
t(hh
QhP
Qhd
Qhp
tcj
tWj
uLh
hHSD
hpbD
xpD
xpD
hvVD
hPVD
SVW
yVA
h(VD
hHbD
hHbD
XtD
XtD
h@PD
TSVW
h(SD
SVW
h1PD
tUj
xpD
xqD
TpD
xpD
Phd
xpD
dpD
TpD
PhH
HpD
lpD
lpD
lpD
lpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
hpD
uLh
Qh@uA
HpD
QhH
lpD
hpD
ppD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
ZIz
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
hGr
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
hZO
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
dHA
hk13U
gO3U
TTz
dr3U
LA3U
=Is3U
Ji3U
jjj
jjj
jjj
jjj
jjj
jjj
jjj
Djj
jjjj
Djj
Djj
Bjj
jjh
jjh
Djjj
Djjj
Djjj
jjj
Djjj
jjj
Djjj
jjj
Djjj
jjj
Djjj
jjj
Djjj
jjj
Djjj
Djj
Djjj
Bjj
Djj
Djj
Bjj
jjj
Djjj
jjj
Djjj
Djjj
Djjj
Djjj
Djjj
Djjj
Djjj
Djjj
Djjj
Djjj
jjj
Djjj
Djjj
Djjj
jjj
Djjj
Djjj
Djjj
Djjj
Djjj
jjj
Djjj
Djjj
Djjj
jjj
Djjj
jjj
Djjj
jjj
jjj
Djjj
jjj
Djjj
Djj
Djj
jjj
Djjj
Djjj
Djjj
Djjj
Djjj
jjj
Djjj
jjj
Djjj
Djjj
Djjj
Zvb
px3U
xr/3U
eEs3U
ppD
ppD
oX3U
M8Qj
xqD
U@Rj
xqD
jDj
xqD
xpD
hH\D
h3ZD
SVW
xqD
XpD
hPWD
RhP
Qhd
Phh
Phl
Qhp
Pht
TpD
hHbD
hHbD
xpD
xpD
Qhx
hDHD
SVW
drD
prD
lrD
trD
xrD
SVWj
DsD
dsD
TsD
hx|E
u.hx
Sjoh
PhlwE
Sj;hLwE
(Sj_hh~E
Ph ~E
(Sj`h
$ShC
$Sj?h
Phl
Php
Phy
Sj?h
Ph ~E
(Sj`h
$ShC
$Sj?h
$Sjsh
Sj?h
DsD
dsD
YYj
TsD
hx|E
joh
PhlwE
j;hLwE
Ph ~E
t&hA
uOS
YYW
u$hj
WhT
E@hd
E@hl
YYj
lxE
pxE
txE
LxE
PxE
TxE
LyE
PyE
TyE
dyE
DyE
LzE
PzE
TzE
lzE
pzE
tzE
DzE
VVB
tVB
FWB
dWB
KXB
iXB
YYB
wYB
CZB
SVW3
SGWj
DsD
Ph~f
tsD
TsD
PSS
hsD
TjP
psD
XsD
SVWj
5lsD
=dsD
TjP
psD
XsD
SVWj
=lsD
5dsD
XsD
dsD
dsD
5dsD
dsD
dsD
5lsD
d$PP
d$hP
D$Dh
xpD
YYS
dsD
xpD
t$<hX
d$PP
d$dP
tSS
Phl
xpD
QUVht
5xqD
CTP
QUPhz_B
xpD
QSh
xqD
xqD
xqD
SVjt
jtSV
PsD
xqD
PjZh
PSVh
ui8]xt
QVW
tNQ
wIS
wGQ
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
hhRD
xqD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
h3ZD
xqD
xqD
xqD
xqD
PrD
TrD
xpD
h5W%l
xpD
xpD
xpD
PhD
xpD
xpD
xpD
xpD
xpD
Pht
LrD
QhT
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
ubj
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
xpD
WSV
0WWWWW
DtD
DtD
DtD
DtD
SSSSS
Sj Z
hX%E
uCj
xqD
Hpu
SjL
HpD
PPPPP
hx%E
VVVVV
0WWWWW
PPPPPPPP
PtD
hl`E
XtD
xpD
hptD
h`tD
hpD
uBh9FC
Hpu
Hpu
8csm
QSVW
rwW
SSSSS
SSSSS
VVVVV
VVVVV
SSSSS
@uvV
SSSSS
hX&E
SSSSS
hx&E
VVVVV
@uwS
VVVVV
WWWWW
WWWWW
SSSSS
SSSSS
WWWWW
hBoC
AAf9
BBf
BBFFf
AABBf
jXh
YQPVh
0SSSSS
SSQ
PPPPP
t%HHt
ItU
htD
HHtXHHt
HHty+
itq
gue
RPSW
>If90t
WSj0
FPF
WSj
SSSSS
SSSSS
SSSSS
SSSSS
ueSj
NCu
hp'C
SVW
9csm
Wj6Y
Fpt"
SSSSS
SVW
SSSSS
PVj@
_trP
,uRP
PPPPP
SSSSS
ChU
5LuD
LuD
PPPPP
>CuW
uQh
VVVVV
PSP
@PVW
VVVVV
VVVVV
PPPPP
uhj
HuD
h vD
LuD
QWS
VVVVV
vSSSh
SSSSS
h8cE
h$vD
hpD
hPvD
hpD
F\p|D
t$h$vD
hpD
hPvD
xqD
uNh
F\=p|D
5hpD
htvD
hhvD
h`vD
tehN<C
tHh
uNSW
GPf
VWj
QQS
hP|D
VVVVV
u&h8|D
PPPPP
VVVVV
VVVVV
VVVVV
pgE
hP(E
hp'C
SVW
hp(E
QQV
vdj
t+Ht
PPPPP
wdS
xqD
SSS
FVP
tMS
QWVP
SSSSS
WWWWW
uaVj
uL9=d
WWWWW
h dE
WPW
WPW
Gpt
0A@@Ju
u8SS3
GWhX
xqD
SSW
t"SS9]
xpD
xpD
xpD
xpD
hP)E
WWWWW
SSSSS
SSSSS
QQSV3
VVVVj
PVV
tTj
tCVV
oV f
of@f
onPf
ov`f
o~pf
oPf
VSP
PRQ
WWWWW
uOV
jThp)E
j@j ^V
VVVVV
<at9<rt,<wt
SSSSS
tVHtG
tEHt1
>=upF
SSSSS
YYF
tIh
SVW
URPQQh
UVWS
SVWj
h/kC
xqD
WWWWW
~,WPV
tVPV
VVVVV
@SuzP
VVVVV
YYG
Lut
dtW
itR
otM
xtH
ntJ
jdZ;
PCS
PCS
PCS
PCS
PCS
PCS
ctN
^F<-uB
GJu
<xtX<XtT
xte
HpD
8csm
>=Yt1j
tNVSP
PPPPP
PSS
5pqD
xqD
SSS+
@PWSS
t!SS
WSS
tqD
hqD
lqD
dqD
xqD
WWWWW
WWWWW
VVVVV
VVVVV
PPj
AAf
VVhU
PVh
xqD
xqD
WWWWW
VVVVV
^SSSSS
WSV
j"^SSSSS
QSWVj
xqD
WSV
PPPPP
t$HHt
ItU
htD
HHtYHHt
HHty+
itm
guf
RPSW
WSj0
FPF
WSj
VVVV
Qpu
Pj1Q3
F Pj*
F$Pj+
F(Pj,
F,Pj-
F0Pj.
F4Pj/
F8PjD
F<PjE
F@PjF
FDPjG
FHPjH
FLPjI
FPPjJ
FTPjK
FXPjL
F\PjM
F`PjN
FdPjO
FhPj8
FlPj9
FpPj:
FtPj;
FxPj<
F|Pj=
PjA
PjB
PjC
SVW
C PjPV
C$PjQV
C(Pj
C)Pj
C*PjTV
C+PjUV
C,PjVV
C-PjWV
C.PjRV
C/PjSV
QW@Ph
W@Ph
tKP
Qpu
Qpu
0SSSSS
BOu
0SSSSS
|FVW
tNh
Vjx
SVW
TqD
TqD
SVW
Vj@h
TqD
XqD
PqD
PPPPP
j@Sh
C@Ph
FVhX
HqD
xqD
HqD
LqD
tR:Q
PPPPPPPP
SVW
lpD
5hpD
tGP
VVVVV
DqD
DqD
u,VVWV
xqD
t VV9u
WWWWV
t<Vj
t+WWVPV
hX*E
wIVSP
VSj
xqD
FVSj
xqD
SSSSS
SVW3
PWW
xqD
t{~Bj
t1SW
tPj
SSSSS
SSSSS
SSSSS
tSj=V
?sjj
t\VV
@Y@PW
SSSSS
SSSSS
SSSSS
Htt
xqD
Ht$C
xqD
xqD
Ht(f
xqD
hx*E
VVVVV
SSSSS
tGHt.Ht&
^SSSSS
xqD
xqD
tqj
SSS
SSS
ASS
xqD
8VVVVV
SSSSS
SSSSS
r0f;p
r0f;H
SSSSS
SSSSS
SVWUj
SVW
UPj
UQPXY]Y[
VVVVV
uyG
SSSSS
xqD
@WuyV
WWWWW
QVj
xqD
VVj
SSSSS
SSSSS
VVVVV
SSSSS
SSSSS
VVVVV
QSV
^SSSSS
^SSSSS
AVW
SSSSS
SSSSS
SVW3
tYj
skS
xqD
dqD
xqD
VVVVV
PPj
WVS
VND
uXj4
VWr
Wh`pE
h`pE
yND
yND
SVW
SVW
<xt.<Xu,
YPV
RPQV
<xt.<Xu,
YPW
QQV
jjjjj
CfD
mscoree.dll
(null)
KERNEL32.DLL
.php
.zip
.JPG
.JPEG
SVW
%DrD
%hrD
hD,E
QQSVWd
SVW
PPP
QSVW
SVW
SVW
=MOC
=csm
hx,E
8csm
9csm
~SSV
QVj
>csm
taSV
YYPV
t)SV
Hu4j
YYP
YYP
QQV
>MOC
s[S;7|G;w
csm
YYh
csm
SVW
csm
tR99u2
pgE
tgE
xgE
PPPPP
SVW
_VVVVV
SSSSS
SVW
SSSSS
^WWWWW
PSW
SQRP
jdRP
SVW
PPPPP
Wj0V
SVW
SSSSS
SSSSS
EtZ
VVVVV
ppD
hpD
WWWWQ
YYu
SSSSW
SSSSW
0SSSSS
@PWV
PPPPP
WVU3
_VVVVV
5XqE
TqE
XqE
5XqE
PqE
PqE
dqE
dqE
5pqE
lqE
pqE
5pqE
tqE
hqE
tqE
hqE
tqE
xqE
SSSSS
HHt
+t HHt
HHt
VVVVV
VVVVV
SVW
SVW
TtE
%TtE
VC20XC00U
SVWU
tfVU
tLxXj
>csm
hp'C
0SVW
pFE
QVW
jdZ
hy[B
jdW
h%iD
h/iD
h9iD
hCiD
HsD
XtD
B~9|B~+wB~
F~k!C~
B~J!C~
gF~k
qUj
qUS
qIT
S*PwF
KhD
ahD
whD
PdD
pgD
bad allocation
Unknown exception
CorExitProcess
(null)
EEE
xpxxxx
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
csm
runtime error
TLOSS error
SING error
DOMAIN error
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
- not enough space for locale information
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
- CRT not initialized
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
- not enough space for environment
- not enough space for arguments
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
ccs
UTF-8
UTF-16LE
UNICODE
EEE
`h`hhh
xppwpp
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Dec
Nov
Oct
Sep
Aug
Jul
Jun
May
Apr
Mar
Feb
Jan
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
Sat
Fri
Thu
Wed
Tue
Mon
Sun
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
usa
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
chi
chh
canadian
belgian
australian
american-english
american english
american
ENU
ENU
ENU
ENA
NLB
ENC
ZHH
ZHI
CHS
ZHH
CHS
ZHI
CHT
NLB
ENU
ENA
ENL
ENC
ENB
ENI
ENJ
ENZ
ENS
ENT
ENG
ENU
ENU
FRB
FRC
FRL
FRS
DEA
DEC
DEL
DES
ENI
ITS
NOR
NOR
NON
PTB
ESS
ESB
ESL
ESO
ESC
ESD
ESF
ESE
ESG
ESH
ESM
ESN
ESI
ESA
ESZ
ESR
ESU
ESY
ESV
SVF
DES
ENG
ENU
ENU
USA
GBR
CHN
CZE
GBR
GBR
NLD
HKG
NZL
NZL
CHN
CHN
PRI
SVK
ZAF
KOR
ZAF
KOR
TTO
GBR
GBR
USA
USA
OCP
ACP
Norwegian-Nynorsk
Complete Object Locator'
Class Hierarchy Descriptor'
Base Class Array'
Base Class Descriptor at (
Type Descriptor'
`local static thread guard'
`managed vector copy constructor iterator'
`vector vbase copy constructor iterator'
`vector copy constructor iterator'
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector vbase copy constructor iterator'
`eh vector copy constructor iterator'
`managed vector destructor iterator'
`managed vector constructor iterator'
`placement delete[] closure'
`placement delete closure'
`omni callsig'
delete[]
new[]
`local vftable constructor closure'
`local vftable'
`RTTI
`udt returning'
`copy constructor closure'
`eh vector vbase constructor iterator'
`eh vector destructor iterator'
`eh vector constructor iterator'
`virtual displacement map'
`vector vbase constructor iterator'
`vector destructor iterator'
`vector constructor iterator'
`scalar deleting destructor'
`default constructor closure'
`vector deleting destructor'
`vbase destructor'
`string'
`local static guard'
`typeof'
`vcall'
`vbtable'
`vftable'
operator
delete
new
__unaligned
__restrict
__ptr64
__clrcall
__fastcall
__thiscall
__stdcall
__pascal
__cdecl
__based(
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
string too long
invalid string position
0123456789abcdefghijklmnopqrstuvwxyz
0123456789abcdefghijklmnopqrstuvwxyz
bad exception
bHC
bHC
GAIsProcessorFeaturePresent
KERNEL32
1#QNAN
1#INF
1#IND
1#SNAN
bad allocation
YahooBuddyMain
YTopWindow
ATL:007BF380
SysListView32
Send Message to Group
ATL:007BF380
YIMInputWindow
Button
uNOG
bad allocation
bad allocation
/clear
oeg@hdut
Skype
bad allocation
""%PROGRAMFILES%\Windows Live\Messenger\msnmsgr.exe""
bad allocation
1msp
stopimspreadevent
##ops
PRIVMSG
%s %s :Failed To Start IMSpread Thread! < args are not int >
##ops
PRIVMSG
%s %s :Failed To Start IMSpread Thread! <%d>
##ops
PRIVMSG
%s %s :IMSpread Thread Has Started!
.\IMSpread\IMThread.cpp
hIMEvent is set
##ops
PRIVMSG
%s %s :Stopped IMSpread Thread!
stopping thread
##ops
PRIVMSG
%s %s :Already Stopping IMSpread Thread!
.\IMSpread\IMThread.cpp
Already Stopping IMSpread Thread!
1msp
##ops
PRIVMSG
%s %s :IMSpread Is Not Running! <%d>
.\IMSpread\IMThread.cpp
IMSpread Is Not Running!
##ops
PRIVMSG
%s %s :Failed To Stop IMSpread Thread! <%d>
.\IMSpread\IMThread.cpp
Failed To Stop IMSpread!
##ops
PRIVMSG
%s %s :Stopping IMSpread Thread!
.\IMSpread\IMThread.cpp
Stopping Scanner IMSpread!
bad allocation
bad allocation
Fnf|)\biz
,5-1#g1&?9l+<&5?6 t!9w
bad allocation
lgb
utCUh]Q\W
WYWDKfe
utCUh]Q\W
WYWDKfe
lgb
utCUh]Q\W
WYWDKfe
adY
bad allocation
.\scanner\Scanner.cpp
[+] Connecting to %s
.\scanner\Scanner.cpp
[-] Failed to fconnect
.\scanner\Scanner.cpp
[*] Establishing null session...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive NegotiateRequest Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive SessionSetupAndX1 Response.
.\scanner\Scanner.cpp
[*] Native OS:.. %s
Windows 5.1
Windows 5.0
Windows Server 2003
Service Pack 1
Service Pack 2
Windows Vista (TM)
.\scanner\Scanner.cpp
[*] Sending TreeConnect Request...
.\scanner\Scanner.cpp
[*] Sending PipeRequest \SRVSVC...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper PipeRequest Response.
.\scanner\Scanner.cpp
[*] Sending PipeRequest \BROWSER...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper PipeRequest Response.
.\scanner\Scanner.cpp
[*] Sending PipeRequest \BROWSER...
.\scanner\Scanner.cpp
[+] Connecting to %s
.\scanner\Scanner.cpp
[-] Failed to connect
.\scanner\Scanner.cpp
[*] Establishing null session...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive NegotiateRequest Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive SessionSetupAndX1 Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive SessionSetupAndX2 Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive SessionSetupAndX2 Response.
.\scanner\Scanner.cpp
[*] Sending TreeConnect Request...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper TreeConnectAndX response.
.\scanner\Scanner.cpp
[*] Sending PipeRequest \browser...
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper PipeRequest Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper DceBind Response.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper SMBAndXRead response.
qxzv%d.exe
.\scanner\Scanner.cpp
[-] Shellcode could not be properly encoded.
.\scanner\Scanner.cpp
[-] Send failed
.\scanner\Scanner.cpp
[-] Failed to receive proper SMBAndXRead response.
.\scanner\Scanner.cpp
[*] Happy rooting!
.\scanner\Scanner.cpp
[-] Failed to determine OS
.\scanner\Scanner.cpp
[*] OS is: %d
AUTO
AUTO
CHN
CZE
DEU
ESP
VEN
ARG
FIN
FRA
HUN
ITA
JAP
KOR
NLD
NOR
PLK
PRT
RUS
SVE
TUR
USA
.\scanner\Scanner.cpp
Address: %s
.\scanner\Scanner.cpp
Address: %s
%d.%d.%d.%d
AUTO
.\scanner\Scanner.cpp
%d: Checking: %s
#scan
PRIVMSG
%s %s :Infected IP: %s
\IPC$
.\scanner\Scanner.cpp
%d: Found IP with Port 445 open: %s
.\scanner\Scanner.cpp
%d: IP has Port 445 Closed: %s
.\scanner\Scanner.cpp
Signalled! Stopping Thread %d
.\scanner\Scanner.cpp
Address: %s
.\scanner\Scanner.cpp
%d: Checking: %s
#scan
PRIVMSG
%s %s :Infected IP: %s
\IPC$
.\scanner\Scanner.cpp
%d: Found IP with Port 445 open: %s
.\scanner\Scanner.cpp
%d: IP has Port 445 Closed: %s
.\scanner\Scanner.cpp
Signalled! Stopping Thread %d
asd3r4trwer
.\scanner\Scanner.cpp
Failed to CreateEvent <%d>
.\scanner\Scanner.cpp
Main Scanner thread started.
.\scanner\Scanner.cpp
Started Thread %d
.\scanner\Scanner.cpp
Thread %d Failed To Execute
asd3r4trwer
##ops
PRIVMSG
%s %s :Scanner Is Not Running! <%d>
.\scanner\Scanner.cpp
Scanner Is Not Running!
stopping threads
##ops
PRIVMSG
%s %s :Already Stopping Scanner Thread!
.\scanner\Scanner.cpp
Already Stopping Scanner Thread!
.\scanner\Scanner.cpp
Event is set
##ops
PRIVMSG
%s %s :Failed To Stop Scanner Thread! <%d>
.\scanner\Scanner.cpp
Failed To Stop Scanner!
##ops
PRIVMSG
%s %s :Stopping Scanner Thread!
.\scanner\Scanner.cpp
Stopping Scanner Thread!
asd3r4trwer
##ops
PRIVMSG
%s %s :Scanner Is Already Running! <%d>
.\scanner\Scanner.cpp
Scanner Is Already Running!
AUTO
AUTO
##ops
PRIVMSG
%s %s :Failed To Create Scanner Thread!
.\scanner\Scanner.cpp
Failed To Create Scanner Thread!
##ops
PRIVMSG
%s %s :Scanner Thread Has Started!
.\scanner\Scanner.cpp
Scanner Thread Has Started!
bad allocation
calls in
calls out
packets in
packets out
ncacn_np
bad allocation
IPC$
\pipe\spoolss
bad allocation
rndwindowclass
http://1.img-myspace.info/net/debug.zip
~tmpload
~tmploadx.exe
:\Autorun.inf
~tmploadx.exe
~tmpload
[Autorun]
open=
icon=%windir%\system32\SHELL32.dll,8
action=Open folder to view files using Windows Explorer
shell\open=Open
shell\open\command=
shell\open\default=1
shell\explore=Explore
shell\explore\command=
shell\search=Search...
shell\search\command=
useautoplay=1
\*.exe
bad allocation
##ops
PRIVMSG
tmp
%s %s :Update Failed: BotID is same as new one (maybe updated!)! <%d>
.exe
%temp%
##ops
PRIVMSG
%s %s :Update Failed: Downloading exe Failed!
##ops
PRIVMSG
%s %s :Update Failed: CloseHandle Failed! <%d>
muipcdraotse
##ops
PRIVMSG
%s %s :Update Failed: CreateProcess Failed! <%d>
Mut3x
rbulnanbilnag
##ops
PRIVMSG
%s %s :Updating Thread Is Already Running!
##ops
PRIVMSG
%s %s :Failed To Update!
##ops
PRIVMSG
%s %s :Failed To Start IMSpread Thread! < args are not int >
##ops
PRIVMSG
%s %s :Failed To Create Update Thread!
bad allocation
evcoh
5b(9.Pxvzu
ctfmon.exe
rwk`avZT`hxnhLmlubaODtdvu|n~nnBYISGTEIJwGECHUqj@]P[]dGYQQU_g}HJW/3+9!!
DisableNXShowUI
ctfmon.exe
nuAljqthdZo
PNaadc}
HFwq}[uthASvNHOBH
ctfmon.exe
ctfmon.exe
via|~kyiqcFSC]@[SBkoPT_SJM
wmisftd.exe
wmisftd.exe
ZzBTEDAW
bad allocation
HAI. S1|v`5ecwi:P+IMRNFP
`f{Y_K
rvlt%$f~hy
--Oadxdzf`e5
c7&f$'',"+ml.&0!'uu
*'/LB-O
hai
ECWI
zRIWi)3
*'/LB-O
BOG$*E'{j*oiak{u1BRGG@
091VX;Y
PYQ68[9ix<njpP
tpw`tq
$AM D
C!lfp%usgy*jzj6xt
KDN+#N.aue2``zf7yo}"ky
!. EI$H
P?=7GG
.A#wf&dgglbk-ClCy{vxq6dlxho!=zvS@@OAA
EJL)%H,~m/tt~v`p6Z{Jrryqz
PZ4a17+5f$%-
clf
IDBKGH
R_WuRSYL
IO]OJ
r 7u%#7)z-/011
XQY>0c
FIIN@M
AGUGB
]SH]_RZ$
782WW:Z
KCS
U@XTP\H
rvlt%UeXO$Gmx`lxt`
nbjfv
e5$h*%%*$)o
gt&"6*-g{84->
HAI. S1ap4qs{}m
;OMX+
#,&CK&F
e!qwewr:(mcxmobjt
o#2r7193#=y
f4+i9?#=n
782WW:Z
k"(#%=#tw
rvlt%$Tgybd
-Ozd~Gcptbr8J
ijt}z
hnq#Eprh]ynjxh.\ucdzwp47km{ih >{IRCAH@B
ifh
PPZRL\
oRNW/2b
w`no&
evcoh%Kffhmn~/
_RPY)&ba
YQCJMF[EHIK[1
S{QS
depfwvct(}e+db}{0
s~qf87]xys
+)oex
w/cy}fxq6u}9q~li>pN
LHCA_COYLB
0-# !!f.&i>#)m(&""&s7::"57z=3120
]YZM%21c%+"g<!/k$"=;p?3>1u%?7,6?|?;
**x|lmj>
75Ws|pnrss
sLX
@KHKBF]Y
A^RK\
"$b**6#5<,.k##n&>5;%=1#64
Zrr?=;3$x6({:223
Gmq$`~feyfn6
kACDEFGHXZYBXZAIE\JCUVWXY
@ABCDV^IZ\D]_C__PQRST
msnfix.changelog.fr
www.incodesolutions.com
virusinfo.prevx.com
download.bleepingcomputer.com
www.dazhizhu.cn
foro.noticias3d.com
www.spybotupdates.com
club.myce.com
www.k7computing.com
www.nabble.com
lurker.clamav.net
lexikon.ikarus.at
research.sunbelt-software.com
www.virusdoctor.jp
www.elitepvpers.de
guru.avg.com
downloads.sophos.com
share.skype.com
myantispyware.com
www.superuser.co.kr
ntfaq.co.kr
v.dreamwiz.com
cit.kookmin.ac.kr
forums.whatthetech.com
forum.hijackthis.de
avg.vo.llnwd.net
ftp.drweb.com
www.zonealarm.com
smadaver.com
support.emsisoft.com
www.huaifai.go.th
www.mostz.com
www.krupunmai.com
www.cddchiangmai.net
forum.malekal.com
tech.pantip.com
sapcupgrades.com
www.elguruinformatico.com
forums.avg.com
zastita.com
www.247fixes.com
forum.sysinternals.com
forum.telecharger.01net.com
sophos.com
foros.softonic.com
avast-home.uptodown.com
dr-web-cureit.softonic.com
heavenward.ru
forum.smadav.net
www.f-secure.com
www.chkrootkit.org
diamondcs.com.au
www.rootkit.nl
www.sysinternals.com
z-oleg.com
espanol.dir.groups.yahoo.com
ftp01net.telechargement.fr
modelayu.com
vaksin.com
www.castlecrops.com
www.misec.net
safecomputing.umn.edu
www.antirootkit.com
www.greatis.com
ar.answers.yahoo.com
www.elhacker.org
research.pandasecurity.com
www.tpu.ro
www.pinoyden.com
www.rootkit.com
www.pctools.com
www.pcsupportadvisor.com
www.resplendence.com
www.personal.psu.edu
foro.ethek.com
foro.elhacker.net
download.zonealarm.com
spywarehammer.com
www.codelain.com
vil.nail.com
search.mcafee.com
wwww.mcafee.com
download.nai.com
wwww.experts-exchange.com
www.bakunos.com
www.darkclockers.com
www2.gmer.net
ariefew.com
www.emsisoft.com
www.Merijn.org
www.spywareinfo.com
www.spybot.info
www.viruslist.com
www.hijackthis.de
ftp.f-secure.com
forum.kaspersky.com
es.trendmicro-europe.com
www.hvaonline.net
forum.lowyat.net
majorgeeks.com
www.avp.com
www.virustotal.com
www.sophos.com
linhadefensiva.uol.com.br
cmmings.cn
www.sergiwa.com
www.el-hacker.com
dl2.agnitum.com
forum.smadav.net
images.malwareremoval.com
www.avg-antivirus.net
www.kaspersky-labs.com
www.kaspersky.com
www.bleepingcomputer.com
www.free.grisoft.com
alerta-antivirus.inteco.es
greatis.com
www.oprekpc.com
www.gmer.net
securityresponse.symantec.com
www.analysis.seclab.tuwien.ac.at
www.symantec.com
www.kztechs.com
ad-aware-se.uptodown.com
stdio-labs.blogspot.com
forum.lrytas.lt
www.decido.de
liveupdate.symantecliveupdate.com
liveupdate.symantec.com
customer.symantec.com
update.symantec.com
www.box.net
foro.el-hacker.com
acs.pandasoftware.com
egavisa.blogspot.com
angui123.cn
www.mcafee.com
www.free.avg.com
download.mcafee.com
mast.mcafee.com
www.tecno-soft.com
ladooscuro.es
ftp.drweb.com
download.microsoft.com
www.mypcsafe.com
www.blindedbytech.com
guru0.grisoft.cz
guru1.grisoft.cz
guru2.grisoft.cz
guru3.grisoft.cz
download.bleepingcomputer.com
it.answers.yahoo.com
www.softonic.com
www.mycity.rs
cairopt.net
rootrepeal.googlepages.com
guru4.grisoft.cz
guru5.grisoft.cz
www.virusspy.com
download.f-secure.com
www.malwareremoval.com
forums.cnet.com
foros.softonic.com
www.freedrweb.com
www.kaskus.us
rootrepeal.psikotick.com
hjt-data.trend-braintree.com
www.pantip.com
secubox.aldria.com
www.forospyware.com
www.manuelruvalcaba.com
www.zonavirus.com
www.leforo.com
www.gsmph.com
blokvesti.net
www.siteadvisor.com
blog.threatfire.com
www.threatexpert.com
blog.hispasec.com
www.configurarequipos.com
sosvirus.changelog.fr
www.psicofxp.com
www.gsmph.net
www.gyakorikerdesek.hu
mailcenter.rising.com.cn
mailcenter.rising.com
www.rising.com.cn
www.rising.com
www.babooforum.com.br
www.runscanner.net
www.blogschapines.com
www.zyzoom.org
www.avsoft.ru
sosvirus.changelog.fr
upload.changelog.fr
www.raymond.cc
changelog.fr
www.pcentraide.com
atazita.blogspot.com
www.thinkpad.cn
www.sunbeltsoftware.com
cert.inteco.es
www.gamexeon.com
www.final4ever.com
files.filefont.com
www.infos-du-net.com
www.trendsecure.com
forum.hardware.fr
www.utilidades-utiles.com
blogs.icerocket.com
www.spywarefri.dk
alfrasha.maktoob.com
www.spychecker.com
www.geekstogo.com
forums.maddoktor2.com
www.smokey-services.eu
www.clubic.com
www.linhadefensiva.org
www.rolandovera.com
forum.burek.com
secure.sophos.com
download.sysinternals.com
www.pcguide.com
www.thetechguide.com
www.ozzu.com
www.changedetection.com
espanol.groups.yahoo.com
www.sunbeltsecurity.com
www.quickheal.co.in
www.vivalared.com
community.thaiware.com
www.avpclub.ddns.info
www.offensivecomputing.net
www.grisoft.com
boardreader.com
www.guiadohardware.net
www.webroot.com
www.thehelper.net
www.kaldata.com
www.msnvirusremoval.com
www.cisrt.org
fixmyim.com
samroeng.hi5.com
foro.elhacker.net
www.daboweb.com
service1.symantec.com
us3.download.comodo.com
forum.gsmhosting.com
forums.techguy.org
www.incodesolutions.com
hijackthis.download3000.com
www.cybertechhelp.com
www.superdicas.com.br
www.51nb.com
us4.download.comodo.com
www.jbtalks.cc
ad13.geekstogo.com
downloads.andymanchesta.com
andymanchesta.com
info.prevx.com
aknow.prevx.com
www.zonavirus.com
securitywonks.net
www.yoreparo.com
www.spywarecease.com
forum.dobreprogramy.pl
www.lavasoft.com
www.virscan.org
www.eeload.com
down.www.kingsoft.com
www.file.net
onecare.live.com
mvps.org
www.laneros.com
www.pc1news.com
forum.avira.com
downloads.novirusthanks.org
www.housecall.trendmicro.com
www.avast.com
www.free.avg.com
www.onlinescan.avast.com
www.ewido.net
www.trucoswindows.net
www.mozilla-hispano.org
www.jackbloodforum.com
www.kosandpol.elakiri.com
www.futurenow.bitdefender.com
www.bitdefender.com
www.f-prot.com
www.trendsecure.com
security.symantec.com
oldtimer.geekstogo.com
sopiansantosa.blogspot.com
www.fileresearchcenter.com
www.avira.com
www.eset.com
www.free.avg.com
www.free-av.com
kr.ahnlab.com
www.eset.com
forospyware.com
thejokerx.blogspot.com
cairopt.net
oolbar.cyberdefender.com
golpe.dyndns.org
www.2-spyware.com
www.antivir.es
www.prevx.com
www.ikarus.net
bbs.s-sos.net
www.housecall.trendmicro.com
www.superdicas.com.br
www.superantispyware.com
www.unhackme.com
www.forums.majorgeeks.com
www.castlecops.com
www.virusspy.com
andymanchesta.com
www.kaspersky.es
subs.geekstogo.com
www.forospanish.com
blog.rnsafe.com
www.regrun.com
irc.snahosting.net
www.trendmicro.com
www.fortinet.com
www.safer-networking.org
www.fortiguardcenter.com
www.dougknox.com
www.vsantivirus.com
static.commentcamarche.net
www.gyakorikerdesek.hu
www.firewallguide.com
www.auditmypc.com
www.spywaredb.com
www.mxttchina.com
www.ziggamza.net
www.forospyware.es
pogonyuto.forospanish.com
spywarefiles.prevx.com
k2r.th3kings.net
www.antivirus.comodo.com
www.spywareterminator.com
www.eradicatespyware.net
www.freespywareremoval.info
www.personalfirewall.comodo.com
wakoopa.com
forum.drweb.com
bb1.th3kings.net
www.clamav.net
www.antivirus.about.com
www.pandasecurity.com
www.webphand.com
mx.answers.yahoo.com
www.securitywonks.net
www.messengeradictos.com
www.geekpolice.net
bub.th3kings.net
www.sandboxie.com
www.clamwin.com
www.cwsandbox.org
www.ca.com
www.arswp.com
es.answers.yahoo.com
www.trucoswindows.es
www.ipaddresser.com
www.abgenis.net
www.freefixer.com
www.networkworld.com
www.cddchiangmai.net
www.threatexpert.com
www.norman.com
espanol.answers.yahoo.com
www.tallemu.com
foro.portalhacker.net
www.groupwhere.org
sniff.runescapetube.com
virscan.org
www.viruschief.com
scanner.virus.org
www.hijackthis.de
housecall65.trendmicro.com
www.guiadohardware.net
forums.whatthetech.com
mustlovewine.com
www3.malekal.com
hjt.networktechs.com
www.techsupportforum.com
www.whatthetech.com
www.soccersuck.com
www.pcentraide.com
comunidad.wilkinsonpc.com.co
forum.hocit.com
forum.smadav.net
fgp.e2doo.com
forum.piriform.com
www.tweaksforgeeks.com
www.daniweb.com
www.geekstogo.com
es.answers.yahoo.com
www.techsupportforum.com
dnl-eu8.kaspersky-labs.com
www.oprekpc.com
shv4.ath.cx
www.pchell.com
www.spyany.com
forums.techguy.org
www.experts-exchange.com
www.wikio.es
www.pandasecurity.com
forums.devshed.com
devbuilds.kaspersky-labs.com
hana-ahmad.blogspot.com
forum.tweaks.com
www.wilderssecurity.com
www.techspot.com
www.thecomputerpitstop.com
es.wasalive.com
secunia.com
www.killtrojan.net
www.ulop.net
www.eliters.com
sip4.voipkosovasite.com
es.kioskea.net
www.taringa.net
www.cyberdefender.com
www.feedage.com
new.taringa.net
forum.zazana.com
forum.clubedohardware.com.br
mks.com.pl
www.vietcaravan.us
trbotnet.sytes.net
www.computing.net
discussions.virtualdr.com
forum.securitycadets.com
www.techimo.com
13iii.com
www.dicasweb.com.br
www.javacoolsoftware.net
cofradia.org
wasteland-bg.com
www.infosecpodcast.com
www.usbcleaner.cn
www.net-security.org
www.bleedingthreats.net
acs.pandasoftware.com
www.funkytoad.com
malwarebytes.org
sabithpocker.blogspot.com
comprolive.vox.com
www.360safe.cn
www.360safe.com
bbs.360safe.cn
bbs.360safe.com
codehard.wordpress.com
forum.clubedohardware.com.br
antitrick.com
www.configurarequipos.com
www.jiwang.org
www.360.cn
www.360.com
bbs.360safe.cn
bbs.360safe.com
www.forospyware.es
p3dev.taringa.net
www.precisesecurity.com
dlpe.antivir.com
www.jvme.com
share.skype.com
comprolive.com
baike.360.cn
baike.360.com
kaba.360.cn
kaba.360.com
deckard.geekstogo.com
www.taringa.net
forums.comodo.com
www.mvps.org
melcy.wordpress.com
forum.softpedia.com
pcvids.wordpress.com
down.360safe.cn
down.360safe.com
x.360safe.com
dl.360safe.com
ftp.drweb.com
www.hotshare.net
es.wasalive.com
free.antivirus.com
forum.hocit.com
destavision-forum.com
updatem.360safe.com
updatem.360safe.cn
update.360safe.cn
update.360safe.com
www.utilidades-utiles.com
forum.kaspersky.com
www.indowebster.web.id
zastita.com
www.sz-pet.com
bbs.duba.net
www.duba.net
zhidao.baidu.com
hi.baidu.com
www.drweb.com.es
msncleaner.softonic.com
www.javacoolsoftware.com
beniono.wordpress.com
www.4-gsmteam.com
msntubers.freehostia.com
file.ikaka.com
file.ikaka.cn
bbs.ikaka.com
zhidao.ikaka.com
www.eset-la.com
download.eset.com
software-files.download.com
www.faravirusi.com
www.winbots.es
forum.chip.de
www.ikaka.com
www.ikaka.cn
bbs.cfan.com.cn
www.cfan.com.cn
www.pandasecurity.com
es.mcafee.com
downloads.malwarebytes.org
www.devirusare.com
forum.skype.com
shitit.net
bbs.kafan.cn
bbs.kafan.com
bbs.kpfans.com
bbs.taisha.org
www.manuelruvalcaba.com
support.f-secure.com
bbs.winzheng.com
devirusare.com
social.microsoft.com
www.shitit.net
alerta-antivirus.inteco.es
foros.zonavirus.com
alerta-antivirus.red.es
www.zonavirus.com
www.malwarebytes.org
www.commentcamarche.net
news.support.veritas.com
www.zonealarm.com
www.ewido.net
www.infospyware.com
www.bitdefender.es
housecall.trendmicro.com
foros.toxico-pc.com
www.identi.es
es.kioskea.net
virusinfo.info
forums.zonealarm.com
www.emsisoft.de
www.securitynewsportal.com
irc.ekizmedia.com
zone.arminboutique.com
story.dnsentrymx.com
MSMPENG.EXE
MSASCUI.EXE
GUARDXKICKOFF.EXE
GUARDXSERVICE.EXE
VIRUSUTILITIES.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
WITSETUP.EXE
AVINSTALL.EXE
K7TS_SETUP.EXE
P08PROMO.EXE
ISSDM_EN_32.EXE
VIPRE.EXE
UNLOCKER.EXE
UNLOCKERASSISTANT.EXE
UNLOCKER1.8.7.EXE
REGUNLOCKER.EXE
COMPAQ_PROPIETARIO.EXE
ATF-CLEANER.EXE
SAFEBOOTKEYREPAIR.EXEOTMOVEIT3.EXEHOSTSXPERT.EXEDAFT.EXE
VIRUS.EXE
HIJACK-THIS.EXE
MRT.EXE
MRTSTUB.EXE
WINDOWS-KB890930-V2.2.EXE
HJ.EXE
ELISTA.EXE
PENCLEAN.EXE
MBAM-SETUP.EXE
MBAM.EXE
AVZ.EXE
JAJA.EXE
OTMOVEIT.EXEMBAM-SETUP.EXE
REGMON.EXE
COMBO-FIX.EXE
COMBOFIX.BAT
COMBOFIX.SCR
COMBOFIX.COM
CMD.EXE
COMMAND.COM
NTVDM.EXE
GUARD.EXE
LISTO.EXE
TCPVIEW.EXE
REGEDIT.COM
REGEDIT.SCR
FOLDERCURE.EXE
KILLAUTOPLUS.EXE
MYPHOTOKILLER.EXE
REG.EXE
TASKKILL.EXE
AUTORUNS.EXE
SRENGPS.EXE
COMBOFIX.EXE
SDFIX.EXE
CATCHME.EXE
GMER.EXE
MBR.EXE
CF9409.EXE
REGUNLOCKER.EXETSNTEVAL.EXEXP_TASKMGRENAB.EXE
SUPERANTISPYWARE.EXE
BOOTSAFE.EXE
SRESTORE.EXE
MSNCLEANER.EXE
BUSCAREG.EXE
KAKASETUPV6.EXE
SUPERKILLER.EXE
DUBATOOL_AV_KILLER.EXE
DELAYDELFILE.EXE
SEEM.EXE
BC5CA6A.EXE
ROOTALYZER.EXE
ROOTKITBUSTER.EXE
HELIOS.EXE
DARKSPY105.EXE
HOOKANLZ.EXE
PAVARK.EXE
SRENGLDR.EXE
APORTS.EXE
FPORT.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
NETSTAT.EXE
OLLYDBG.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS.EXE
HIJACKTHIS_V2.EXE
MSNFIX.EXE
PROCEXP.EXE
TASKMAN.EXE
TASKLIST.EXE
TASKMON.EXE
PSKILL.EXE
ROOTKITREVEALER.EXE
FSBL.EXE
FSB.EXE
AVGARKT.EXE
ROOTKIT_DETECTIVE.EXE
UNHACKME.EXE
HACKMON.EXE
RKD.EXE
ROOTKITNO.EXE
REANIMATOR.EXE
HOOKANLZ.EXE
WORKGROUPlQPxf2ISQgEV1bGK
iFHnlN
kvDsvCpTq
\..\..\AOHLMXY
Windows NT Remote Printers
Impresoras remotas Windows NT
Stampanti remote di Window
Imprimantes distantes NT
Remotedrucker
Impr
remotas Windows NT
Imp
remotas do Windows NT
voli nyomtat
tulostimet
Externe printers voor NT
Fjernprintere
Zdalne drukarki
Yaz
lar
PEAL.EXE
ICESWORD.EXE
LORDPE.EXE
PG2.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
SPYBOTSD160.EXE
TEATIMER.EXE
SPYBOTSD.EXE
WIRESHARK.EXE
APM.EXE
APT.EXE
ASVIEWER.EXE
CPORTS.EXE
CPROCESS.EXE
DLLCOMPARE.EXE
A2HIJACKFREESETUP.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXPATH.EXE
HOSTSFILEREADER.EXE
IEFIX.EXE
AVENGER.EXE
INSTALLWATCHPRO25.EXE
KILLBOX.EXE
NETALYZ.EXE
OBJMONSETUP.EXE
PGSETUP.EXE
FIXBAGLE.EXE
CUREIT.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
REGALYZ.EXE
REGCOOL.EXE
REGISTRAR_LITE.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGX2.EXE
SPF.EXE
SRENGLDR.EXE
STARTDRECK.EXE
SYSANALYZER_SETUP.EXE
UNIEXTRACT.EXE
UNLOCKER1.8.7.EXE
RAVP.EXE
MBAM.EXE
USBGUARD.EXE
AVZ.EXE
OTL.EXE
CPF.EXE
ZLCLIENT.EXE
123.COM
123.EXE
nuplhYUfnlHdcyRBy
wj`s
hxnp`GLB^A\RAj`QW^TKN
AetbjfccTOeghh|SCdbvf]
MPfuubv`zjAJXD_BH[lf[]PZADdzOINXPK
itzii~
VIA\^KYIQ^`|xqzqfJZqzhtorxk|lpw
cIIKFNhnab
bad allocation
test
SeDebugPrivilege
ntdll.dll
KeServiceDescriptorTable
PsInitialSystemProcess
bad allocation
kernel32.dll
User32.dll
Advapi32.dll
wininet.dll
OpenMutexA
Beep
GetFileAttributesA
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetCloseHandle
WriteFile
Sleep
CreateFileA
CreateMutexA
GetLastError
ReleaseMutex
CloseHandle
ExitThread
MessageBoxA
WinExec
CreateProcessA
rbulnanbilnag
http://1.img-myspace.info/net/debug.zip
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
muipcdraotse
SeDebugPrivilege
Shell_TrayWnd
.\persistance.cpp
Process ID: %d - Process Filename: %s
bad allocation
W32.NytemareV2 says "Your kung-fu is no good!"
Mut3x
open
ctfmon.exe
APPDATA
\Microsoft\Windows\Start Menu\Programs\Startup\
wmisftd.exe
USERPROFILE
\Start Menu\Programs\Startup\
wmisftd.exe
SystemRoot
\system32\
wmisftd.exe
muipcdraotse
open
open
.\Main.cpp
Create USB Spread Thread Failed
explorer.exe
explorer.exe
Mut3x
bad allocation
9BBD1622
DDEA5F3F8307044AA33A2801748A8EA1DBF1
C8FA447A85475342FB37321665D185AA93F7DE60E1
9ABE1725D0
CAE05272884F5342FB37321665D185AA93F7DE60E1
9DBD1622D2
CDFA4965CE4D505CB93B291673C1C9A6D3F8DF
9CB91628D5
C4FA4E7299041B08AF21281764C682E1D4F0D669
DEFA546299041B08AF21281764C682E1D4F0D669
C3EA4866CE4C505CB93B291673C1C9A6D3F8DF
CDE04A65D0041908AF21281764C682E1D4F0D669
9BBD1622
CAEA4478855E5341FB37321665D185AA93F7DE60E1
C0EA52658F445341FB37321665D185AA93F7DE60E1
9ABE1725D0
C3EA4479CE49505CB93B291673C1C9A6D3F8DF
9DBD1622D2
CAEA532198041E08AF21281764C682E1D4F0D669
9CB91628D5
CBFA557ECE48505CB93B291673C1C9A6D3F8DF
CDE04A21CE48505CB93B291673C1C9A6D3F8DF
DEFB553F8207044AA33A2801748A8EA1DBF1
CDE04669CE4B505CB93B291673C1C9A6D3F8DF
9BBD1622
DDFF466B8D041C08AF21281764C682E1D4F0D669
CDEA4965924F5344FB37321665D185AA93F7DE60E1
F6AE6164B843295F963932117CCC88A3D8B0DA76E20667E7F21C11FA0F7A
.\IRCHandler.cpp
InitWinSock is: %d
.\IRCHandler.cpp
getaddrinfo suceeded
.\IRCHandler.cpp
getaddrinfo failed: TRY_ANOTHER_DNS
.\IRCHandler.cpp
getaddrinfo failed: %d
.\IRCHandler.cpp
CreateSocket Failed: %d
.\IRCHandler.cpp
CreateSocket Suceeded: %d
.\IRCHandler.cpp
Trying Another DNS:
.\IRCHandler.cpp
Failed To Resolve:
server: %s
port: %s
.\IRCHandler.cpp
Unable To Connect To Server: %d
.\IRCHandler.cpp
Connected to server!
send
send
.\IRCHandler.cpp
Failed To Send:
.\IRCHandler.cpp
Sent:
.\IRCHandler.cpp
Connection Closed: %d
.\IRCHandler.cpp
Starting Again: %d
.\IRCHandler.cpp
Connection Error: %d
PING
PONG
NICK
##ops
JOIN
%s %s %s
##ops
JOIN
%s %s %s
##ops
JOIN
%s %s %s
JOIN
KICK
JOIN
%s %s %s
PRIVMSG
.\IRCHandler.cpp
Decoding Input:
down_exec
down
update
start-scan
stop-scan
IMSTOP
visit
open
join
JOIN %s
part
PART %s
ipconfig /flushdns
ipconfig /flushdns
PASS %s
NICK %s
SPX
USER %s %s %s :%s
bad allocation
ctfmon.exe
qxzv
VISTA
VISTA
Error
http://
COMSPEC
/c del
> nul
Open
CheckTokenMembership
advapi32.dll
bad allocation
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
.\Download.cpp
InternetOpenA Failed %d
.\Download.cpp
InternetOpenUrlA Failed %d
.\Download.cpp
Downloaded File: %d bytes
%temp%
rand
.exe
##ops
PRIVMSG
%s %s :Download done!
##ops
PRIVMSG
%s %s :Download failed
##ops
PRIVMSG
%s %s :Failed To Create Download Thread!
##ops
PRIVMSG
%s %s :Download Thread Has Started!
OWHNK]
kxt
@A]DT
Kfdlaj`
nPHNO
zyumznx
false
true
ios_base::badbit set
ios_base::failbit set
ios_base::eofbit set
bad cast
0123456789abcdefABCDEF
vector<T> too long
DdM
raB3G
hpE
hpE
XtE
XtE
xtE
xtE
xuE
xuE
AHC
fnC
DND
LND
qND
hpE
GOD
UOD
pOD
PPD
XPD
PQD
pQD
xQD
rRD
zRD
hSD
pSD
xSD
CUD
NUD
cUD
nUD
yUD
HVD
kVD
EWD
hWD
pWD
xWD
PXD
XXD
rXD
zXD
XYD
cYD
xZD
HAE
TBE
CaD
jaD
hbD
JcD
TcD
hcD
rcD
XEE
ZLD
nLD
PtD
.?AVtype_info@@
hzD
lyD
DyD
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
PST
PDT
PtD
.?AV_Locimp@locale@std@@
PtD
.?AVout_of_range@std@@
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
PtD
.?AV_com_error@@
PtD
.?AVbad_exception@std@@
HMXB
S;uD
z?aUY
zc%C1
NKeb
PtD
.?AV?$numpunct@D@std@@
PtD
.?AV?$num_put@DV?$ostreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@
PtD
.?AV?$ctype@D@std@@
PtD
.?AUctype_base@std@@
PtD
.?AVfacet@locale@std@@
PtD
.?AV?$basic_stringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
PtD
.?AV?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
PtD
.?AV?$basic_iostream@DU?$char_traits@D@std@@@std@@
PtD
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@
PtD
.?AV?$basic_istream@DU?$char_traits@D@std@@@std@@
PtD
.?AV?$basic_streambuf@DU?$char_traits@D@std@@@std@@
PtD
.?AV?$basic_ios@DU?$char_traits@D@std@@@std@@
PtD
.?AV?$_Iosb@H@std@@
PtD
.?AVios_base@std@@
SMBu
IPC$
D CKFDENECFDEFFCFGEFFCCACACACACACA
EKEDFEEIEDCACACACACACACACACACAAA
SMBr
PC NETWORK PROGRAM 1.0
LANMAN1.0
Windows for Workgroups 3.1a
LM1.2X002
LANMAN2.1
NT LM 0.12
SMBs
9NTLMSSP
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
SMBs
NTLMSSP
Windows 2000 2195
Windows 2000 5.0
SMBs
WORKGROUP
Windows 2000 2195
Windows 2000 5.0
SMB
\BROWSER
SMB
\SRVSVC
SMB/
&Pp}M
O2Kp
xZG
SMB.
SMB/
SMB/
SMB/
FUnMLEvdNzjntXznAvcOSDvcUlULLFJmCPCmjgeXpbDCIAtjDTRPAxyXItXCfDxvjRXtWSyACqcPrzWHeaUKfrohnEuSyZUzPzbeC
Dkh
Bkh
kGJpyk
kA}2q
kGD
wDD
~uDB
wDD
uDB
kAy
kApDD
qDBh
PITH
IFJUOUTEPUWKXMWXUGHMIEKCYENBAQPLZEDNOOBGMW
bMZCTWLHYWI
onQhurlmT
UVd
SUVW
English
Chinese
zSbpS:g
ChineseT
zpSh
Spanish
Italian
French
German
Portugese-brazilian
Portguese
Hungarian
Finnish
Dutch
Swedish
Polish
Czech
Vzd
len
tisk
rny
Turkish
Japanese
Korean
Russian
Unknown
PtD
.?AVruntime_error@std@@
PtD
.?AVexception@std@@
PtD
.?AVfailure@ios_base@std@@
PtD
.?AVbad_cast@std@@
PtD
.?AVbad_alloc@std@@
PtD
.?AV?$num_get@DV?$istreambuf_iterator@DU?$char_traits@D@std@@@std@@@std@@
PtD
.?AV?$basic_istringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@
PtD
.?AVlogic_error@std@@
PtD
.?AVlength_error@std@@
C:\Documents and Settings\x\Desktop\DVS-PartyPic008.JPEG_www.image-myspace.com
CreateThread
ExitProcess
SetPriorityClass
GetLocaleInfoA
MoveFileExA
GetCurrentProcess
GetCurrentThread
SetProcessPriorityBoost
GetDriveTypeA
GetFileAttributesA
GetEnvironmentVariableA
SetThreadPriority
GetShortPathNameA
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVersionExA
Sleep
OpenMutexA
CreateMutexA
ReleaseMutex
WinExec
GetWindowsDirectoryA
CopyFileA
SetFileAttributesA
GetCurrentProcessId
DeleteFileA
lstrlenA
FreeLibrary
CreateRemoteThread
OpenProcess
VirtualFreeEx
VirtualAllocEx
WriteProcessMemory
TerminateProcess
GetSystemDirectoryA
lstrcmpiA
CreateDirectoryA
FindFirstFileA
GetLogicalDriveStringsA
FindClose
FindNextFileA
SetLastError
GetTempPathA
GetTickCount
InitializeCriticalSectionAndSpinCount
CreateEventA
LeaveCriticalSection
ExitThread
EnterCriticalSection
OpenEventA
WaitForMultipleObjects
DeleteCriticalSection
MultiByteToWideChar
SetUnhandledExceptionFilter
LocalFree
InitializeCriticalSection
GetProcessHeap
SetEndOfFile
WriteConsoleW
GetConsoleOutputCP
WriteConsoleA
FlushFileBuffers
SetStdHandle
ReadFile
SetEnvironmentVariableA
CompareStringW
CompareStringA
GetLocaleInfoW
GetStringTypeW
GetStringTypeA
IsValidLocale
EnumSystemLocalesA
GetUserDefaultLCID
GetConsoleMode
GetConsoleCP
SetFilePointer
GetSystemTimeAsFileTime
QueryPerformanceCounter
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetLastError
CreateProcessA
WaitForSingleObject
WriteFile
CreateFileA
CloseHandle
CreateToolhelp32Snapshot
GetModuleFileNameA
Process32Next
Process32First
GetComputerNameA
IsDebuggerPresent
GetModuleHandleW
HeapAlloc
GetCommandLineA
UnhandledExceptionFilter
HeapFree
SetEvent
VirtualQuery
GetEnvironmentStrings
FreeEnvironmentStringsA
RtlUnwind
GetFileType
HeapCreate
VirtualFree
SetHandleCount
HeapSize
LCMapStringW
WideCharToMultiByte
LCMapStringA
IsValidCodePage
GetOEMCP
GetACP
GetCPInfo
InterlockedExchange
GetStdHandle
RaiseException
GetCurrentThreadId
TlsFree
TlsSetValue
TlsAlloc
TlsGetValue
InterlockedDecrement
InterlockedIncrement
HeapReAlloc
VirtualAlloc
GetStartupInfoA
AdjustTokenPrivileges
IsTextUnicode
RegCloseKey
RegCreateKeyExA
RegSetValueExA
GetUserNameA
LookupPrivilegeValueA
OpenProcessToken
FreeSid
AllocateAndInitializeSid
WNetCancelConnectionA
WNetUseConnectionA
WNetCancelConnection2A
WNetGetLastErrorA
NtQuerySystemInformation
ZwSystemDebugControl
CoInitialize
CoUninitialize
CoCreateInstance
RpcBindingFromStringBindingA
RpcMgmtIsServerListening
RpcMgmtSetComTimeout
NdrClientCall2
RpcMgmtInqStats
RpcStringFreeA
RpcMgmtStatsVectorFree
RpcBindingFree
RpcStringBindingComposeA
ShellExecuteA
ShellExecuteExA
SHChangeNotify
SHDeleteKeyA
MessageBoxA
GetWindowThreadProcessId
FindWindowA
IsCharAlphaNumericA
IsCharAlphaA
RegisterDeviceNotificationA
UpdateWindow
DispatchMessageA
ShowWindow
DefWindowProcA
CreateWindowExA
TranslateMessage
PostQuitMessage
RegisterClassExA
GetMessageA
DestroyWindow
GetForegroundWindow
IsWindow
BlockInput
GetWindowTextA
SendMessageA
FindWindowExA
keybd_event
RealGetWindowClassA
SetFocus
SetForegroundWindow
VkKeyScanA
SwitchToThisWindow
IsWindowVisible
VkKeyScanW
SendInput
InternetOpenUrlA
InternetReadFile
InternetOpenA
InternetCloseHandle
freeaddrinfo
getaddrinfo
.text
`.rdata
@.data
2sn1A
oCc
f)Q\i
TJI
e|eZ$
PTK;-_
ifFjX
soM
zK$Yh
OQQ
M=TR3'
wdg
HEOg
tAE
FqB
CjF
SLW
p}2UQe
W}oi
xdw
N7-T'!a
GdN
0Fr6m
nWY
w)[NF
kYq>JQ
KUR
S}RW
:t[Ul
YYQ
kJ]uk
aLK
JS A
W?vd
nh\F
x95Ug%
XGEA
fvYR
,LrCb
oCUY
e*NN\
mrOe
dBs
WP+yr
LjO
u)/jY
IGb+
hXw
FZu
PYm
&Z.Gt
ihD
|fU+N
OE[T
LtJ
tMvW
ysO
ZSL
UET%c
]}vq^L41
UF:a
Q$<FhF
EGZ@
,~Pui
pcV
]niE
NnAY
Vz7p
TSf
HX{R
Ggg
aUd
JuhG
hj<t
eFv[
uyJ
xXOT
M<ab
OE|X
JWi
D=dk
r{TC
FFShF
ShQ
UWVS
9L$ts
D$xf
t$t#t$l
D$Hf
T$sf
D$t#D$h
D$t+D$\
D$Hf
D$Hf
L$xf
D$t+D$\
T$Df
t$Hf
D$Hf
D$Hf
D$Hf
t$\tY
D$tIt
9l$tr
GPG
PTj
XPTPSW
S*Pw
KERNEL32.DLL
ADVAPI32.dll
COMCTL32.dll
MPR.dll
ntdll.dll
ole32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
FreeSid
WNetGetLastErrorA
ZwSystemDebugControl
CoInitialize
NdrClientCall2
ShellExecuteA
SHDeleteKeyA
IsWindow
InternetOpenA

LE:

The bastard detects VMware, but after a few tries I managed to get it past that:

http://www.myupload.dk/showfile/403290c080c.rar/ - all the files it dumps (including .sys drivers), password:

rst

pastebin - xact - post number 1746227 - all the system modifications.

Most likely it's a TDSS.

Have fun!
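The import names in the strings dump above (CreateRemoteThread, WriteProcessMemory, BlockInput, WNetUseConnectionA, IsDebuggerPresent and so on) already say a lot about what the sample can do. The script below is an added example, not code posted in this thread or taken from the sample: it filters a strings dump down to known Win32 API names and tags them with the capabilities they suggest. The capability groupings are the example's own heuristics, and the SAMPLE_IMPORTS list is a subset copied from the dump above.

```python
"""Capability triage over Win32 import names found in a strings dump.

Added example, not part of the original thread. The CAPABILITIES table is a
hand-written heuristic mapping (assumption, not an authoritative list); the
sample import names are copied from the strings output posted above.
"""
from typing import Dict, Iterable, List

# A capability is reported only when every import in its list is present,
# which keeps a lone CreateThread or ReadFile from raising an alarm.
CAPABILITIES: Dict[str, List[str]] = {
    "process injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "process enumeration": ["CreateToolhelp32Snapshot", "Process32First", "Process32Next"],
    "anti-debugging": ["IsDebuggerPresent"],
    "privilege adjustment (token)": ["OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"],
    "network share access (SMB)": ["WNetUseConnectionA", "WNetCancelConnection2A"],
    "HTTP download": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
    "input simulation / UI hijack": ["BlockInput", "SendInput", "keybd_event", "SetForegroundWindow"],
    "registry persistence": ["RegCreateKeyExA", "RegSetValueExA"],
    "single-instance mutex": ["CreateMutexA", "OpenMutexA"],
    "self-copy / file hiding": ["CopyFileA", "SetFileAttributesA", "MoveFileExA"],
    "kernel debug control": ["ZwSystemDebugControl"],
}

# Every API name the table knows about; used to filter junk strings.
ALL_KNOWN_APIS = {api for apis in CAPABILITIES.values() for api in apis}

# Subset of the import names visible in the strings dump posted above.
SAMPLE_IMPORTS: List[str] = [
    "CreateThread", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "CreateToolhelp32Snapshot", "Process32First",
    "Process32Next", "IsDebuggerPresent", "OpenProcessToken",
    "LookupPrivilegeValueA", "AdjustTokenPrivileges", "WNetUseConnectionA",
    "WNetCancelConnection2A", "InternetOpenA", "InternetOpenUrlA",
    "InternetReadFile", "BlockInput", "SendInput", "keybd_event",
    "SetForegroundWindow", "RegCreateKeyExA", "RegSetValueExA",
    "CreateMutexA", "OpenMutexA", "CopyFileA", "SetFileAttributesA",
    "MoveFileExA", "ZwSystemDebugControl",
]

# Constructed excerpt of a `strings` output: junk lines mixed with API names.
SAMPLE_STRINGS_EXCERPT: List[str] = """\
PtD
.?AVexception@std@@
OpenProcess
VirtualAllocEx
WriteProcessMemory
CreateRemoteThread
IsDebuggerPresent
2sn1A
KERNEL32.DLL
""".splitlines()


def api_names_from_strings(lines: Iterable[str]) -> List[str]:
    """Keep only lines that are exactly a known API name (drops packer junk)."""
    return sorted({ln.strip() for ln in lines if ln.strip() in ALL_KNOWN_APIS})


def triage_imports(imports: Iterable[str]) -> Dict[str, List[str]]:
    """Map each fully matched capability to the imports that support it."""
    present = set(imports)
    hits: Dict[str, List[str]] = {}
    for capability, required in CAPABILITIES.items():
        matched = [api for api in required if api in present]
        if len(matched) == len(required):
            hits[capability] = matched
    return hits


def triage_strings_dump(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Convenience wrapper: feed raw `strings` output straight in."""
    return triage_imports(api_names_from_strings(lines))


if __name__ == "__main__":
    for cap, apis in triage_imports(SAMPLE_IMPORTS).items():
        print(f"{cap:32s} <- {', '.join(apis)}")
    print("excerpt:", sorted(triage_strings_dump(SAMPLE_STRINGS_EXCERPT)))
```

Run against the full import list from the dump, every capability in the table fires, which matches the behaviour reported in this thread (injection into other processes, spreading over network shares, hijacking the Messenger window to send messages). The exact-match filter is deliberate: packed binaries leave a lot of identifier-looking garbage in a strings dump, and a loose regex would tag it.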

Posted

I found WMISFTD.EXE in system32 and it said something about Nytemare Kernel Boot Loader. It wanted internet access, but I didn't allow it. I tried to delete it, but I got an error that it's in use by another program, so I deleted it from Ubuntu, but I still haven't gotten rid of it...

I had read here: Prevx 3.0 solutions for business, after which I went into ESET to see what application it was that wanted internet access, and it was wmisftpd.exe.

Posted

Check my post on the first page, I put a link to a pastebin with all the modifications it makes. To get rid of it completely, delete all of these from Ubuntu:


----------------------------------
Files added:44
----------------------------------
C:\Documents and Settings\<user>\bulsus.exe
C:\Documents and Settings\<user>\cwwc.exe
C:\WINDOWS\system32\drivers\ndisvvan.sys
C:\WINDOWS\system32\drivers\qwxkqsvf.sys
C:\WINDOWS\system32\secupdat.dat
C:\WINDOWS\system32\wmisftd.exe

Posted

xact, apart from \system32\wmisftd.exe, which I deleted a long time ago, I haven't found any other file of the 6 you mentioned, and I haven't gotten rid of the virus either.. I think I'll end up switching to Linux, because it's starting to annoy me..

Posted

You can search in safe mode for exe files that have the same size as the worm, isolate them and compare their contents (so you don't delete what you shouldn't). Total Commander is useful; if you press F3 on both you can tell at a glance whether they're identical. If not, to be safe you can use MD5summer. It generates hashes for files (it creates files with the md5 extension that you can view in Notepad), and if they are identical then the contents are identical too. Delete everything that matches.
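The same-size-then-compare procedure from the post above can be scripted instead of done by hand in Total Commander and MD5summer. The following is an added example, not code from this thread or from either tool: it walks a directory tree, keeps executables whose size equals the reference sample, then hashes the candidates and separates exact copies from files that merely share the size. The directory tree and file contents in demo() are constructed (the file names reuse the ones listed earlier in the thread, but the bytes are stand-ins, not the real sample).

```python
"""Find copies of a known-bad executable: filter by size, confirm by hash.

Added example, not code from the thread. It automates the manual procedure
described above (same size -> compare contents / MD5). Both MD5 and SHA-256
are computed; the decision uses SHA-256. All paths and contents in demo()
are constructed inside a temporary directory.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

EXEC_EXTS = (".exe", ".dll", ".sys")


def file_digests(path: str) -> Tuple[str, str]:
    """Return (md5, sha256) hex digests, reading the file in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def find_same_size(root: str, size: int, exts=EXEC_EXTS) -> List[str]:
    """Executables under root whose size matches exactly (cheap first pass)."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) == size:
                    hits.append(path)
            except OSError:  # unreadable / vanished file, skip it
                continue
    return sorted(hits)


def find_identical_copies(reference: str, root: str) -> Dict[str, List[str]]:
    """Split same-size candidates into exact copies and mere look-alikes."""
    ref_size = os.path.getsize(reference)
    _ref_md5, ref_sha = file_digests(reference)
    result: Dict[str, List[str]] = {"identical": [], "same_size_only": []}
    for path in find_same_size(root, ref_size):
        if os.path.samefile(path, reference):
            continue  # the reference itself
        _md5, sha = file_digests(path)
        bucket = "identical" if sha == ref_sha else "same_size_only"
        result[bucket].append(path)
    return result


def demo() -> Dict[str, int]:
    """Build a constructed tree, run the search, return counts for checking."""
    worm = b"MZ" + b"\x90" * 998   # constructed 1000-byte stand-in for the sample
    decoy = b"MZ" + b"\x00" * 998  # same size, different content
    clean = b"MZ" + b"\x90" * 500  # different size
    with tempfile.TemporaryDirectory() as root:
        files = {  # names from the thread's file list; contents are constructed
            "sample/DVS-PartyPic008.JPEG.exe": worm,   # the reference copy
            "WINDOWS/system32/wmisftd.exe": worm,
            "WINDOWS/system32/drivers/qwxkqsvf.sys": worm,
            "Documents and Settings/x/bulsus.exe": decoy,
            "WINDOWS/system32/notepad.exe": clean,
            "WINDOWS/readme.txt": worm,                # wrong extension, ignored
        }
        for rel, data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        reference = os.path.join(root, "sample", "DVS-PartyPic008.JPEG.exe")
        found = find_identical_copies(reference, root)
        return {
            "candidates": len(find_same_size(root, 1000)),
            "identical": len(found["identical"]),
            "same_size_only": len(found["same_size_only"]),
        }


if __name__ == "__main__":
    print(demo())  # constructed tree: 4 candidates, 2 identical, 1 same size only
```

Two practical notes: the size pass is only a pre-filter, so the hash comparison is what decides whether a file is deleted, and SHA-256 is used for that decision because MD5 collisions are cheap to produce (confirming two files are byte-identical with MD5 is still acceptable, which is what the post relies on). Run the script from a clean boot environment, as the post suggests, since a running rootkit can hide or lock the files you are trying to enumerate.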

Posted (edited)

You say none of the well-known antiviruses detect it. Which antivirus does detect it? I have NOD32 and from what I've seen it doesn't detect the Ardamax keylogger or other junk like that. And which antivirus do you recommend, which one is the best and why?

I saw this in a post in "securitate":

" For one, I knew Avira came out as the best antivirus.

It beat NOD and BitDefender...o.O "

Is that true?

Edited by diablo2323
