Backdoor.Win32.Xtrat_2aa3138e37

by malwarelabrobot on May 7th, 2014 in Malware Descriptions.

Trojan.Win32.Llac.duoa (Kaspersky), Gen:Variant.Symmi.27111 (AdAware), Backdoor.Win32.Xtrat.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 2aa3138e37c58b1797a7bb34aff89b1a
SHA1: 5a3b64c3c8057fed536a4b341054485c783d263d
SHA256: ae2c492dc0a568ba53cf2200d59513d3bcc8bc0e14c637894ad68d2fc496ba1a
SSDeep: 49152:8kwkn9IMHea6yyD6rNIZT2pP5S/7T0/TcbSAF2VmahK0wQm2NWaPCS:3dnVCArNIkxc7ITIn PC
Size: 2833408 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-01-25 11:23:05
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor: malware that enables remote control of the victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:1488

The Backdoor injects its code into the following process(es):

Win7 Activator 5.0.exe:528
calc.exe:1156
svchost.exe:308

File activity

The process %original file name%.exe:1488 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2113 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Win7 Activator 5.0.exe (17894 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (11529 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\svchost.exe (601 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process Win7 Activator 5.0.exe:528 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\popup[1].js (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\download01[1].png (1340 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@analytics.hosting24[1].txt (165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[2].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\chat[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (445 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmyv0TK[1].png (15410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\count[1].php (960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[2].js (1958 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\online[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (1050 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.min[1].js (4372 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (214 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].htm (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (487 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_popup[1].png (4 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@imgur[1].txt (217 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hostinger-600x400-2[1].gif (18292 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (0 bytes)

The process calc.exe:1156 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%WinDir%\InstallDir\svchost.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

Registry activity

The process %original file name%.exe:1488 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 1F 35 F9 6F 33 2A 34 63 67 9E 24 C1 36 81 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process Win7 Activator 5.0.exe:528 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CachePrefix" = ":2014050620140507:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014050620140507\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 57 FA A5 85 DE 14 16 19 EA 6C B9 E6 0E A8 BA"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014050620140507]
"CacheRepair" = "0"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process calc.exe:1156 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 19 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "998081552"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}]
"StubPath" = "%WinDir%\InstallDir\svchost.exe restart"

[HKCU\Software\1r8Uw1LlJrXpZi]
"ServerName" = "%WinDir%\InstallDir\svchost.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC E7 E5 FD A4 CA B9 63 91 FE 2B 6C 9A 95 D8 17"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "calc.exe"

[HKCU\Software\1r8Uw1LlJrXpZi]
"ServerStarted" = "06/05/2014 18:34:16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To run itself automatically each time Windows boots, the Backdoor adds a link to its file under the following system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "%WinDir%\InstallDir\svchost.exe"

The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows boots, the Backdoor adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "%WinDir%\InstallDir\svchost.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
aa0faead19646182544dcf22875ea2af c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Win7 Activator 5.0.exe
b5959ef1b80f0fa4a8d61f06213feb61 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\svchost.exe
b5959ef1b80f0fa4a8d61f06213feb61 c:\Documents and Settings\"%CurrentUserName%"\Start Menu\Programs\Startup\svchost.exe
b5959ef1b80f0fa4a8d61f06213feb61 c:\WINDOWS\InstallDir\svchost.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

VersionInfo

Company Name: H&F
Product Name: Win7 Activator 5.0
Product Version: 5.0.0.0
Legal Copyright: (c) 2010-2013
Legal Trademarks: HwNL & Fabianator
Original Filename: Win7 Activator 5.0.exe
Internal Name: Win7 Activator 5.0.exe
File Version: 5.0.0.0
File Description: Win7 Activator
Comments: System Tools Pack
Language: Language Neutral

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             573044        573440    4.63126  74af66fa540568c59b3868e78900e476
.rdata  577536           182122        182272    4.0072   576c856afaad699ad9fe099fc6a9ce33
.data   761856           40756         25088     1.38934  e6d2e204147f7cdc3055011093632f54
.rsrc   802816           2008807       2009088   5.33894  11a73226ee4f1bfe2d8253ed049460b4
.reloc  2813952          42082         42496     3.63105  c2f6ddaeef894b7510c3be928eeae5dd

URLs



IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /app/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/tools/online.html
Content-Length: 258
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://myhomepage.altervista.org/tools/online.html">here</a>.</p>
</body></html>


GET /net/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Fri, 31 May 2013 15:45:48 GMT
ETag: "14da6a3-566-4de05823bc300"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 761
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

<<< skipped >>>

GET /tools/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:36 GMT
ETag: "14da679-4aa-4d3e0fce76200"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 686
Keep-Alive: timeout=1, max=99
Connection: Keep-Alive
Content-Type: text/html

<<< skipped >>>

GET /tools/download01.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/online.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:36 GMT
ETag: "14da698-20a2-4d3e0fce76200"
Accept-Ranges: bytes
Content-Length: 8354
Cache-Control: max-age=2592000
Expires: Thu, 05 Jun 2014 15:34:25 GMT
Keep-Alive: timeout=1, max=98
Connection: Keep-Alive
Content-Type: image/png

<<< skipped >>>

GET /popup/bg_popup.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.hosting24.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Fri, 18 Jan 2013 14:36:32 GMT
Accept-Ranges: bytes
Content-Length: 4356
Connection: close
Content-Type: image/png

<<< skipped >>>

GET /tmyv0TK.png HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/net/online.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: i.imgur.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: image/png
Content-Length: 59415
Connection: keep-alive
Set-Cookie: __cfduid=d8172cf6349b6fefb4fc7dd406da2e96d1399390465107; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.imgur.com; HttpOnly
Last-Modified: Fri, 31 May 2013 15:31:29 GMT
ETag: "7d7858532e4707885ac3ac63c3692be2"
CF-Cache-Status: HIT
Expires: Wed, 06 May 2015 15:34:25 GMT
Cache-Control: public, max-age=31536000
Accept-Ranges: bytes
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
CF-RAY: 12663de6eea30c1d-AMS

<<< skipped >>>

GET /popup/popup.js HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.hosting24.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Fri, 18 Jan 2013 14:10:44 GMT
Accept-Ranges: bytes
Content-Length: 3556
Connection: close
Content-Type: application/javascript
/*
 * @name: bPopup
 * @author: (c)Bjoern Klinggaard (http://dinbror.dk/bpopup - twitter@bklinggaard)
 * @version: 0.8.0.min
 */

<<< skipped >>>

GET /net/online.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/net/online.html
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://myhomepage.altervista.org/net/online.html">here</a>.</p>
</body></html>


GET /count.php HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: analytics.hosting24.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
X-Powered-By: PHP/5.2.17
Set-Cookie: a_visited_already=true; expires=Tue, 13-May-2014 15:34:25 GMT
Content-Length: 960
Connection: close
Content-Type: application/javascript
document.write('<script src="hXXp://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>');
document.write('<script src="hXXp://stats.hosting24.com/popup/popup.js"></script>');
document.write('<style media="screen" type="text/css">.popup{display:block;width:666px;height: 474px;background-image:url(hXXp://stats.hosting24.com/popup/bg_popup.png);background-position: center top;background-repeat: no-repeat;} .popup a.close {display:block;float:right;width:44px;height:44px;} .ikuruzkrauti{margin:30px;}</style>');
document.write('<div id="visas_style_div" style="display:none;" class="popup"><a href="" class="close bClose"></a><div class="ikuruzkrauti"><a href="hXXp://hostinger.com.ua"><img src="hXXp://hostinger.com.ua/banners/ru/hostinger-600x400-2.gif" border="0" /></a></div></div>');
document.write('<script type="text/javascript">$(document).ready(function(){$("#visas_style_div").bPopup({contentContainer:".ikuruzkrauti"});});</script>');


GET /tools/chat.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: win7activator.netai.net
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:23 GMT
Server: Apache
Location: hXXp://myhomepage.altervista.org/tools/chat.html
Content-Length: 256
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://myhomepage.altervista.org/tools/chat.html">here</a>.</p>
</body></html>


GET /js/jsc_compact_696.js HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=form
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: application/x-javascript
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663dea67de08bd-FRA
Content-Encoding: gzip

<<< skipped >>>

GET /banners/ru/hostinger-600x400-2.gif HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: VVV.hostinger.com.ua


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Last-Modified: Wed, 22 Feb 2012 11:18:04 GMT
Accept-Ranges: bytes
Content-Length: 67322
Connection: close
Content-Type: image/gif

<<< skipped >>>

GET /styles/v4s5_2.css HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=form
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663de9477d08bd-FRA
Content-Encoding: gzip

<<< skipped >>>

GET /tools/chat.html HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: myhomepage.altervista.org
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Tue, 06 May 2014 15:34:24 GMT
Server: Apache
Last-Modified: Tue, 22 Jan 2013 13:59:35 GMT
ETag: "14da678-8d4-4d3e0fcd81fc0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 1033
Keep-Alive: timeout=1, max=100
Connection: Keep-Alive
Content-Type: text/html

<<< skipped >>>

GET /box/?boxid=3777848&boxtag=l1g6f7&sec=form HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www4.cbox.ws
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d86e67632ee52c86b4c9fb49693f0166f1399390464816; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.cbox.ws; HttpOnly
P3P: CP="NOI DSP COR NID CURa OUR NOR"
Expires: Wed, 06 May 2015 15:34:24 GMT
Cache-Control: public, max-age=31536000
CF-RAY: 12663de51eec01af-FRA
Content-Encoding: gzip

<<< skipped >>>

GET /ajax/libs/jquery/1.8.3/jquery.min.js HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Tue, 13 Nov 2012 19:53:02 GMT
Date: Thu, 01 May 2014 18:13:39 GMT
Expires: Fri, 01 May 2015 18:13:39 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 33471
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 422446
Alternate-Protocol: 80:quic

<<< skipped >>>

GET /box/?boxid=3777848&boxtag=l1g6f7&sec=main HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: www4.cbox.ws
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:24 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.cbox.ws; HttpOnly
P3P: CP="NOI DSP COR NID CURa OUR NOR"
Expires: Wed, 17 Nov 2004 05:00:00 GMT
Cache-Control: private, must-revalidate, max-age=0
Last-Modified: Tue, 06 May 2014 15:34:24 GMT
CF-RAY: 12663de5050001af-FRA
Content-Encoding: gzip

<<< skipped >>>

GET /styles/v4s5_2.css HTTP/1.1
Accept: */*
Referer: hXXp://www4.cbox.ws/box/?boxid=3777848&boxtag=l1g6f7&sec=main
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.cbox.ws
Connection: Keep-Alive
Cookie: __cfduid=d7ba6d745d3634ce89bc7fe7e1f52bf251399390464804


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Tue, 06 May 2014 15:34:25 GMT
Content-Type: text/css
Transfer-Encoding: chunked
Connection: keep-alive
Expires: Fri, 03 May 2024 15:34:25 GMT
Cache-Control: public, max-age=315360000
CF-Cache-Status: HIT
CF-RAY: 12663de762e208bd-FRA
Content-Encoding: gzip

<<< skipped >>>

GET /banners/ru/hostinger-600x400-2.gif HTTP/1.1
Accept: */*
Referer: hXXp://myhomepage.altervista.org/tools/chat.html
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: hostinger.com.ua
Connection: Keep-Alive


HTTP/1.1 301 Moved Permanently
Date: Tue, 06 May 2014 15:34:25 GMT
Server: Apache
Location: hXXp://VVV.hostinger.com.ua/banners/ru/hostinger-600x400-2.gif
Content-Length: 270
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="hXXp://VVV.hostinger.com.ua/banners/ru/hostinger-600x400-2.gif">here</a>.</p>
</body></html>


The Backdoor connects to the servers at the following location(s):

svchost.exe_308:

.rsrc
.Xk:<
y.cc[X
=wv%f
Hr.kD
o/Y.Xdij
.CE|U
.bO]S
&''&$%&##
KERNEL32.DLL
MSVBVM60.DLL
mmmmm.exe

svchost.exe_308_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
2.5.29.46
2.5.29.30
0.9.2342.19200300.100.1.25
CertDllVerifyCTLUsage
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TSErverKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
.html
XtremeKeYlogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
Autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
narare.dyndns.org
ftpuser
calc.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ftp.ftpserver.com

calc.exe_1156:

.text
`.data
.rsrc
SHELL32.dll
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
GDI32.dll
USER32.dll
hhctrl.ocx
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
calc.pdb
j.OXO
_acmdln
RegCloseKey
RegOpenKeyExA
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
Windows Shell
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
CalcMsgPumpWnd
The requested operation may take a very long time to complete.
Do you want to let the calculation continue, or stop the operation now?
Windows Calculator application file
5.1.2600.0 (xpclient.010817-1148)
CALC.EXE
Windows
Operating System
5.1.2600.0
Operation was canceled.-Calc does not have enough memory to continue.eThe requested function may take a very long time to complete.
Do you want to abort the operation now?
calc.hlp
Cannot open Clipboard.TThere is not enough memory for data.
calc.chm

calc.exe_1156_rwx_10000000_0004A000:

.idata
.rdata
P.reloc
P.rsrc
ServerKeyloggerU
789:;<&'()* ,-./12345
%SERVER%
URLMON.DLL
shell32.dll
http://
advapi32.dll
kernel32.dll
mpr.dll
version.dll
comctl32.dll
gdi32.dll
opengl32.dll
user32.dll
wintrust.dll
msimg32.dll
2.5.29.46
2.5.29.30
0.9.2342.19200300.100.1.25
CertDllVerifyCTLUsage
GetKeyboardType
RegOpenKeyExA
RegCloseKey
oleaut32.dll
RegOpenKeyExW
RegCreateKeyW
GetWindowsDirectoryW
UnhookWindowsHookEx
SetWindowsHookExW
MapVirtualKeyW
GetKeyboardLayout
GetKeyState
shlwapi.dll
SHDeleteKeyW
FindExecutableW
URLDownloadToCacheFileW
wininet.dll
FtpPutFileW
FtpSetCurrentDirectoryW
GetKeyboardState
ShellExecuteW
ntdll.dll
1 1$1(1,10141
KWindows
TSErverKeylogger
x.html
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_CURRENT_CONFIG
[Execute]
KeyDelBackspace
.html
XtremeKeYlogger
Software\Microsoft\Windows\CurrentVersion\Run
.functions
icon=shell32.dll,4
shellexecute=
Autorun.inf
\Microsoft\Windows\
%DEFAULTBROWSER%
svchost.exe
narare.dyndns.org
ftpuser
calc.exe
{5460C4DF-B266-909E-CB58-E32B79832EB2}
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
ftp.ftpserver.com
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\svchost.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1488

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\svchost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut1.tmp (2113 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Win7 Activator 5.0.exe (17894 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (11529 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\svchost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\popup[1].js (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[1].css (445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\download01[1].png (1340 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@analytics.hosting24[1].txt (165 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\v4s5_2[2].css (1 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cbox[2].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\chat[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[1].css (445 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\tmyv0TK[1].png (15410 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\box[1].htm (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\count[1].php (960 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1] (544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[2].js (1958 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\online[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\online[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jsc_compact_696[1].js (1050 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\jquery.min[1].js (4372 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@cbox[1].txt (214 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\v4s5_2[2].css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].htm (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\box[1] (487 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (3856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\bg_popup[1].png (4 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@imgur[1].txt (217 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\hostinger-600x400-2[1].gif (18292 bytes)
    %WinDir%\InstallDir\svchost.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HKLM" = "%WinDir%\InstallDir\svchost.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "HKCU" = "%WinDir%\InstallDir\svchost.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.