分类: 网络与安全
2011-09-09 15:39:39
04 AUG 2011 |
|
Table of contents Today we will have a closer look at ngrBot, an IRC bot with rootkit capabilities. The core of ngrBot is an advanced ring3 (usermode) system-wide injection and hooking engine similar to ZeuS and SpyEye. NgrBot will inject code into almost every running process on the computer and is able to terminate processes. It will install to the user’s Application Data folder under a randomly generated filename using the HDD serial number as the initial key. The bot is also able to block access to certain domains and redirect domains / IP’s to others. It’s able to spread via USB devices and Windows Live Messenger. More recently ngrBot has been spotted on Facebook but also on Twitter, using the micro blogging service to spread itself. Modules and FeaturesRootkit The rootkit module will attempt to hide the bot’s registry startup key as well as the bot file. RuskillThe Ruskill module will, if enabled for a download command, monitor the downloaded file as it executes. Ruskill will flag any files that it copies itself to or creates to be deleted at the next system reboot. Proactive defenseThe PDef module is an advanced threat detection and removal system. It monitors a range of file and networking API’s to detect and neutralize other threats that are running on the system. Currently this module can detect, block and remove malware that spreads via USB drives, browser exploit packs, and bots that use IRC to communicate. DNS ModifierThis module can block domains from being accessed and redirect domains/IP addresses to others. SlowlorisThis module is for web servers running Apache HTTPd. It’s designed to use low bandwidth and to maintain connections as long as possible, thus consuming all available resources. Syn FloodThe syn flood module is good for web servers that Slowloris fails to take down. UDP FloodThis module is ideal for taking home connections offline. Internet Explorer Login GrabberThis module hooks wininet.dll and analyses POST requests made by the IE web browser to capture usernames and passwords on the fly. Firefox Login GrabberThis module hooks nspr4.dll and analyses POST requests made by the Firefox web browser to capture usernames and passwords on the fly. FTP Login GrabberThis module hooks ws2_32!send to grab the FTP logins as they are used. USB SpreaderWaits for USB devices to be inserted and then attemps to infect them using multiple .lnk methods and obfuscated autorun. MSN SpreaderThis module hooks ws2_32!send to detect MSN messages being send. It will then monitor outgoing messages and wait for the spoofed number of messages to be sent before replacing one with the set spread message. It has been tested with the msnp10 and msnp21 protocols with msnmsgr.exe, wlcomm.exe, pidgin.exe and msmsgs.exe. Commands
The full package containing all the modules is sold for $400. NgrBot can also be obtained a la carte, meaning no modules, pick and choose which modules you want to include. Analysis of ngrBot Upon execution facebook-pic0008422012.exe copies itself under a random name based on the HDD serial number (vgbkbf.exe in our analysis), using Kernel32.GetVolumeInformationW, to the C:\Documents and Settings\[username]\Application Data\ folder. The newly created process vgbkbf.exe will attempt to inject code into the memory space of all running processes. NgrBot will initiate a communication with its C&C located at update.jebac.net through IRC. The domain api.wipmania.com is used to retrieve the country code based on the victim’s IP. The HTTP / MSN spread message followed by a link to the binary is transmitted via IRC and Instructions are given to download a list of blocked domains from data.fuskbugg.se and a new binary called milkway.exe (saved as 1.tmp) from RapidShare. The bot will report back to the C&C if the download was succesful or not and if the file was executed. The file 1.tmp will request internet access in order to download a binary called memory.exe from RapidShare. The file will be saved under a random name in the %temp% folder. Upon execution the file copies itself as windows.exe to the C:\Documents and Settings\[username]\Application Data\ folder. Once windows.exe started, ngrBot marks its presence in the infected system with a mutex named hex-Mutex and WeAreWeAre. The Internet Explorer Home page has been modified to redirecturls.info which redirects to another domain. Examples are: NgrBot will periodically download milkway.exe and memory.exe from RapidShare in order to always run the latest version of the bot. List of blocked domainsdnl-cd14.kaspersky-labs.com | dnl-kr14.kaspersky-labs.com | download657.avast.com | dl3.antivir-pe.com | sophos3.ucd.ie | updates1.kaspersky-labs.com | diamondcs.fileburst.com | bitdefender.fr | sophos4.ucd.ie | updates2.kaspersky-labs.com | dispatch.mcafee.com | bkav.com.vn | sophos5.ucd.ie | updates3.kaspersky-labs.com | blackice.iss.net | sophos6.ucd.ie | updates4.kaspersky-labs.com | dl1.antivir.de | ca.com | avg.de | | download.microsoft.com | go.microsoft.com | msdn.microsoft.com | office.microsoft.com | windowsupdate.microsoft.com | avp.ru | kaspersky.ru | kaspersky.com | kaspersky-labs.com | downloads1.kaspersky-labs.com | downloads2.kaspersky-labs.com | downloads3.kaspersky-labs.com | downloads4.kaspersky-labs.com | downloads5.kaspersky-labs.com | viruslist.com | viruslist.ru | symantec.com | customer.symantec.com | liveupdate.symantec.com | liveupdate.symantecliveupdate.com | securityresponse.symantec.com | service1.symantec.com | updates.symantec.com | ad.doubleclick.net | ad.fastclick.net | ads.fastclick.net | ar.atwola.com | atdmt.com | avp.ch | avp.com | awaps.net | banner.fastclick.net | banners.fastclick.net | click.atdmt.com | clicks.atdmt.com | download.mcafee.com | downloads.microsoft.com | engine.awaps.net | fastclick.net | f-secure.com | ftp.f-secure.com | ftp.sophos.com | mast.mcafee.com | mcafee.com | media.fastclick.net | my-etrust.com | nai.com | networkassociates.com | phx.corporate-ir.net | secure.nai.com | sophos.com | spd.atdmt.com | support.microsoft.com | update.symantec.com | us.mcafee.com | vil.nai.com | trendmicro.com | us.trendmicro.com | www3.ca.com | ids.kaspersky-labs.com | rads.mcafee.com | grisoft.com | avira.com | bitdefender.com | dl2.antivir.de | dl3.antivir.de | dl4.antivir.de | downloads-us1.kaspersky-labs.com | downloads-us2.kaspersky-labs.com | downloads-us3.kaspersky-labs.com | drweb.com | eset.com | esetindia.com | free-av.com | ftp.downloads2.kaspersky-labs.com | ftp.kasperskylab.ru | microsoft.com | updates5.kaspersky-labs.com | virusscan.jotti.org | virustotal.com | update.ikaka.com | msnfix.changelog.fr | incodesolutions.com | virusinfo.prevx.com | download.bleepingcomputer.com | dazhizhu.cn | foro.noticias3d.com | nabble.com | lurker.clamav.net | lexikon.ikarus.at | research.sunbelt-software.com | virusdoctor.jp | elitepvpers.de | guru.avg.com | superuser.co.kr | ntfaq.co.kr | v.dreamwiz.com | cit.kookmin.ac.kr | forums.whatthetech.com | forum.hijackthis.de | avg.vo.llnwd.net | huaifai.go.th | mostz.com | krupunmai.com | cddchiangmai.net | forum.malekal.com | tech.pantip.com | sapcupgrades.com | 247fixes.com | forum.sysinternals.com | forum.telecharger.01net.com | foros.softonic.com | avast-home.uptodown.com | dr-web-cureit.softonic.com | chkrootkit.org | diamondcs.com.au | rootkit.nl | sysinternals.com | z-oleg.com | espanol.dir.groups.yahoo.com | castlecrops.com | misec.net | safecomputing.umn.edu | antirootkit.com | greatis.com | ar.answers.yahoo.com | elhacker.org | rootkit.com | pctools.com | pcsupportadvisor.com | resplendence.com | personal.psu.edu | foro.ethek.com | foro.elhacker.net | vil.nail.com | search.mcafee.com | wmcafee.com | download.nai.com | wexperts-exchange.com | bakunos.com | darkclockers.com | Merijn.org | spywareinfo.com | spybot.info | hijackthis.de | forum.kaspersky.com | majorgeeks.com | linhadefensiva.uol.com.br | cmmings.cn | sergiwa.com | el-hacker.com | avg-antivirus.net | bleepingcomputer.com | free.grisoft.com | alerta-antivirus.inteco.es | analysis.seclab.tuwien.ac.at | kztechs.com | ad-aware-se.uptodown.com | stdio-labs.blogspot.com | box.net | foro.el-hacker.com | free.avg.com | tecno-soft.com | ladooscuro.es | ftp.drweb.com | download.microsoft.comguru0.grisoft.cz | guru1.grisoft.cz | guru2.grisoft.cz | guru3.grisoft.cz | it.answers.yahoo.com | softonic.com | guru4.grisoft.cz | guru5.grisoft.cz | virusspy.com | download.f-secure.com | malwareremoval.com | forums.cnet.com | hjt-data.trend-braintree.com | pantip.com | secubox.aldria.com | forospyware.com | manuelruvalcaba.com | zonavirus.com | leforo.com | siteadvisor.com | blog.threatfire.com | threatexpert.com | blog.hispasec.com | configurarequipos.com | sosvirus.changelog.fr | psicofxp.com | mailcenter.rising.com.cn | mailcenter.rising.com | rising.com.cn | rising.com | babooforum.com.br | runscanner.net | blogschapines.com | upload.changelog.fr | raymond.cc | changelog.fr | pcentraide.com | atazita.blogspot.com | thinkpad.cn | final4ever.com | files.filefont.com | infos-du-net.com | trendsecure.com | forum.hardware.fr | utilidades-utiles.com | blogs.icerocket.com | spychecker.com | geekstogo.com | forums.maddoktor2.com | smokey-services.eu | clubic.com | linhadefensiva.org | rolandovera.com | download.sysinternals.com | pcguide.com | thetechguide.com | ozzu.com | changedetection.com | espanol.groups.yahoo.com | sunbeltsecurity.com | community.thaiware.com | avpclub.ddns.info | offensivecomputing.net | boardreader.com | guiadohardware.net | msnvirusremoval.com | cisrt.org | fixmyim.com | samroeng.hi5.com | daboweb.com | forums.techguy.org | hijackthis.download3000.com | cybertechhelp.com | superdicas.com.br | 51nb.com | downloads.andymanchesta.com | andymanchesta.com | info.prevx.com | aknow.prevx.com | securitywonks.net | yoreparo.com | lavasoft.com | virscan.org | eeload.com | file.net | onecare.live.com | mvps.org | laneros.com | housecall.trendmicro.com | avast.com | onlinescan.avast.com | ewido.net | trucoswindows.net | mozilla-hispano.org | futurenow.bitdefender.com | f-prot.com | security.symantec.com | oldtimer.geekstogo.com | kr.ahnlab.com | thejokerx.blogspot.com | 2-spyware.com | antivir.es | prevx.com | ikarus.net | bbs.s-sos.net | forums.majorgeeks.com | castlecops.com | kaspersky.es | subs.geekstogo.com | forospanish.com | fortinet.com | safer-networking.org | fortiguardcenter.com | dougknox.com | vsantivirus.com | firewallguide.com | auditmypc.com | spywaredb.com | mxttchina.com | ziggamza.net | forospyware.es | pogonyuto.forospanish.com | antivirus.comodo.com | spywareterminator.com | eradicatespyware.net | freespywareremoval.info | personalfirewall.comodo.com | clamav.net | clamwin.com | antivirus.about.com | pandasecurity.com | webphand.com | mx.answers.yahoo.com | sandboxie.com | clamwin.com | cwsandbox.org | arswp.com | es.answers.yahoo.com | trucoswindows.es | networkworld.com | norman.com | espanol.answers.yahoo.com | tallemu.com | viruschief.com | scanner.virus.org | housecall65.trendmicro.com | hjt.networktechs.com | techsupportforum.com | whatthetech.com | soccersuck.com | comunidad.wilkinsonpc.com.co | forum.piriform.com | tweaksforgeeks.com | daniweb.com | pchell.com | spyany.com | experts-exchange.com | wikio.es | forums.devshed.com | forum.tweaks.com | wilderssecurity.com | techspot.com | thecomputerpitstop.com | es.wasalive.com | secunia.com | es.kioskea.net | taringa.net | cyberdefender.com | feedage.com | new.taringa.net | forum.zazana.com | forum.clubedohardware.com.br | computing.net | discussions.virtualdr.com | forum.securitycadets.com | techimo.com | 13iii.com | dicasweb.com.br | infosecpodcast.com | usbcleaner.cn | net-security.org | bleedingthreats.net | acs.pandasoftware.com | funkytoad.com | 360safe.cn | 360safe.com | bbs.360safe.cn | bbs.360safe.com | codehard.wordpress.com | 360.cn | 360.com | p3dev.taringa.net | precisesecurity.com | baike.360.cn | baike.360.com | kaba.360.cn | kaba.360.com | deckard.geekstogo.com | forums.comodo.com | down.360safe.cn | down.360safe.com | x.360safe.com | dl.360safe.com | hotshare.net | free.antivirus.com | updatem.360safe.com | updatem.360safe.cn | update.360safe.cn | update.360safe.com | bbs.duba.net | duba.net | zhidao.baidu.com | hi.baidu.com | drweb.com.es | msncleaner.softonic.com | javacoolsoftware.com | file.ikaka.com | file.ikaka.cn | bbs.ikaka.com | zhidao.ikaka.com | eset-la.com | software-files.download.com | ikaka.com | ikaka.cn | bbs.cfan.com.cn | cfan.com.cn | es.mcafee.com | downloads.malwarebytes.org | bbs.kafan.cn | bbs.kafan.com | bbs.kpfans.com | bbs.taisha.org | support.f-secure.com | bbs.winzheng.com | foros.zonavirus.com | alerta-antivirus.red.es | malwarebytes.org | commentcamarche.net | infospyware.com | bitdefender.es | foros.toxico-pc.com | emsisoft.de | securitynewsportal.com | secuser.com | a188.x.akamai.net | liveupdate.symantec.d4p.net | ftp.nai.com | grisoft.cz | free.grisoft.cz | tds.diamondcs.com.au | ieupdate.gdata.de | ieupdate6.gdata.de | ieupdate5.gdata.de | ieupdate4.gdata.de | ieupdate3.gdata.de | ieupdate2.gdata.de | ieupdate1.gdata.de | iavs.cz | download7.avast.com | download6.avast.com | download5.avast.com | download4.avast.com | download3.avast.com | download2.avast.com | download1.avast.com | upgrade.bitdefender.com | lavasoftusa.com | a-2.org | updates.a-2.org | niuone.norman.no | attechnical.com | zeylstra.nl | fractus.mat.uson.mx | toonbox.de | radius.turvamies.com | downloads.My-eTrust.com | v4.windowsupdate.microsoft.com | v5.windowsupdate.microsoft.com | NoAdware.net | nod32.com | nod32.de | nod32.ch | nod32.nl | nod32.com.au | nod32.nankai.edu.cn | eset.co.th | nod32adria.com | update.eset.com | nod32.smartantivirus.ca | | gxrg.org | eset.sk | avu.zonelabs.com | retail.sp.f-secure.com | retail01.sp.f-secure.com | retail02.sp.f-secure.com | moosoft.com | secuser.model-fx.com | viruslab.ca | downloads-eu1.kaspersky-labs.com | pccreg.antivirus.com | updates.sald.com | k-otik.com | megasecurity.org | fr.mcafee.com | antivirus.cai.com | pandasoftware.com | securitoo.com | Kaspersky-FR.com | thaikaspersky.com | kavkisfile.com | avgfrance.com | antivirus-online.de | ftp.esafe.com | ftp.microworldsystems.com | ftp.europe.f-secure.com | ftp.ca.co | ftp.symantec.com | files.trendmicro-europe.com | akamai.net | inline-software.de | ravantivirus.com | drsolomon.com | openantivirus.org | pandasoftware.es | dialognauka.ru | viguard.com | nod32.lu | zonelabs.fr | anti-virus-software-review.com | vet.com.au | eicar.org | anti-virus.com | microsoft.fr | trendmicro.fr | fr.bitdefender.com | sophos.fr | nsclean.com | antiviraldp.com | pestpatrol.com | agnitum.com | simplysup.com | centralcommand.com | www1.my-etrust.com | authentium.com | finjan.com | psnw.com | gwava.nl | gecadsoftware.com | pspl.com | safetynet.com | stiller.com | sybari.com | wildlist.com | mcaffee.com | antivirus.nmt.edu | buymcafeenow.com | deerfield.com | kerio.com | looknstop.com | mcafee-at-home.com | sygate.com | tinysoftware.com | visualizesoftware.com | zonelabs.com | zonelog.co.uk | webroot.com | lavasoft.nu | spywareguide.com | aluriasoftware.com | spyblocker-software.com | spycop.com | wilderssecurity.net | trapware.com | winpatrol.com | liutilities.com | x-cleaner.com | shop.symantec.com | kaspersky.co.uk | housecall.com | sophos7.ucd.ie | dl1.antivir-pe.com | sophos8.ucd.ie | dl1.antivir-pe.de | sophos9.ucd.ie | dl1.avgate.net | sos.rising.com.cn | dl10.freeav.net | spftrl.digitalriver.com | store.digitalriver.com | stats.norton.com | dl2.antivir-pe.com | sucop.com | dl2.antivir-pe.de | sunbeltsoftware.com | dl2.avgate.net | download.com | sunbelt-software.com | vrv.com.cn | download.com.vn | dl3.antivir-pe.de | symantec-ese.baynote.net | dl3.avgate.net | u19.eset.com | u38.eset.com | mmsk.cn | u91.eset.com | eset.ro | download516.avast.com | avastedition.com | | 9down.com | dl7.avgate.net | u63.eset.com | dnl-ru1.kaspersky-labs.com | tool.ikaka.com | moneybookers.com | eset.nl | u25.eset.com | u98.eset.com | download925.avast.com | download94.avast.com | download.cnet.com | kaspersky.ca | bbs.kaspersky.com.cn | download926.avast.com | download940.avast.com | bbs.mcafeefans.com | download927.avast.com | download941.avast.com | bbs.sucop.com | download928.avast.com | download942.avast.com | bbs.trendmicro.com.cn | download929.avast.com | download943.avast.com | download93.avast.com | download944.avast.com | bitdefender.de | bitdefender.com.ua | download930.avast.com | download945.avast.com | download931.avast.com | download946.avast.com | buddy.bitdefender.com | download932.avast.com | download947.avast.com | buy.rising.com.cn | download933.avast.com | download948.avast.com | download934.avast.com | download949.avast.com | cdn.atwola.com | download935.avast.com | download95.avast.com | center.rising.com.cn | download936.avast.com | download950.avast.com | cert.org | download937.avast.com | download951.avast.com | download938.avast.com | download952.avast.com | download939.avast.com | download953.avast.com | download954.avast.com | download955.avast.com | cn.mcafee.com | download956.avast.com | download957.avast.com | cn.trendmicro.com | download958.avast.com | download959.avast.com | comodo.com | download96.avast.com | download960.avast.com | coresecurity.com | download961.avast.com | download962.avast.com | cpsecure.com | download963.avast.com | download964.avast.com | csc.rising.com.cn | download965.avast.com | download966.avast.com | download967.avast.com | download968.avast.com | download969.avast.com | download97.avast.com | download970.avast.com | download971.avast.com | dl4.antivir-pe.com | download972.avast.com | download973.avast.com | dl4.antivir-pe.de | download974.avast.com | download975.avast.com | dl4.avgate.net | download976.avast.com | download977.avast.com | dl5.avgate.net | download978.avast.com | download979.avast.com | dl6.avgate.net | download98.avast.com | download980.avast.com | dl8.avgate.net | download99.avast.com | dl8.freeav.net | dl9.avgate.net | dl9.freeav.net | kaspersky.it | dnl-cd1.kaspersky-labs.com | dnl-cd10.kaspersky-labs.com | dswlab.com | eeye.com | dnl-cd11.kaspersky-labs.com | emsisoft.com | dnl-cd12.kaspersky-labs.com | esafe.com | download684.avast.com | dnl-cd4.kaspersky-labs.com | downloads-eu2.kaspersky-labs.com | dnl-us9.kaspersky-labs.com | download649.avast.com | dnl-cn15.kaspersky-labs.com | download618.avast.com | download695.avast.com | download603.avast.com | download685.avast.com | avast.it | dnl-cd5.kaspersky-labs.com | downloads-eu3.kaspersky-labs.com | download.avg.com | akamai.avg.com.edgesuite.net | akamai.grisoft.com.edgesuite.net | akamai.avg.com | akamai.grisoft.com | akamai.avg.cz.edgesuite.net | akamai.avg.cz | akamai.grisoft.cz.edgesuite.net | akamai.grisoft.cz | download.avg.cz | backup.grisoft.cz | backup.avg.cz | download650.avast.com | download619.avast.com | fw.rising.com.cn | shudoo.com | download696.avast.com | download604.avast.com | download686.avast.com | dnl-cd6.kaspersky-labs.com | downloads-eu4.kaspersky-labs.com | download651.avast.com | download620.avast.com | fx.dk | download697.avast.com | bbs.janmeng.com | download605.avast.com | download687.avast.com | dnl-cd7.kaspersky-labs.com | download.eset.com | eset.fi | download652.avast.com | download621.avast.com | gdata.de | download698.avast.com | dnl-cd13.kaspersky-labs.com | download606.avast.com | download688.avast.com | filseclab.com | dnl-cd8.kaspersky-labs.com | download653.avast.com | download622.avast.com | download699.avast.com | dnl-cd2.kaspersky-labs.com | download607.avast.com | download689.avast.com | dnl-cd9.kaspersky-labs.com | download654.avast.com | download623.avast.com | go.rising.com.cn | dnl-cd3.kaspersky-labs.com | download608.avast.com | download690.avast.com | forum.ikaka.com | dnl-cn1.kaspersky-labs.com | downloads-us4.kaspersky-labs.com | download.norman.no | download655.avast.com | download624.avast.com | download7.quickheal.com | dnl-cn10.kaspersky-labs.com | download609.avast.com | download691.avast.com | forum.jiangmin.com | dnl-cn11.kaspersky-labs.com | sandbox.norman.com | download.rising.com.cn | download656.avast.com | download625.avast.com | download700.avast.com | dnl-cn12.kaspersky-labs.com | download617.avast.com | download692.avast.com | dnl-cn13.kaspersky-labs.com | scanner.novirusthanks.org | ftp.updates1.kaspersky-labs.com | fr.drweb.com | download.softpedia.com | u2.eset.com | u56.eset.com | ftp.updates2.kaspersky-labs.com | download0.avast.com | u20.eset.com | u57.eset.com | ftp.updates3.kaspersky-labs.com | fr1.drweb.com | u21.eset.com | u58.eset.com | ftp.updates4.kaspersky-labs.com | fr2.drweb.com | download1.quickheal.com | u22.eset.com | u59.eset.com | ftp.us.mcafee.com | fr3.drweb.com | download10.quickheal.com | u23.eset.com | u6.eset.com | ftp.viruslist.com | fr4.drweb.com | download100.avast.com | bitdefender.secyber.net | u24.eset.com | u60.eset.com | fr5.drweb.com | download1us.softpedia.com | u26.eset.com | u61.eset.com | fr6.drweb.com | u27.eset.com | u62.eset.com | symantecliveupdate.com | fr7.drweb.com | download2.quickheal.com | u28.eset.com | u64.eset.com | symatec.com | download200.avast.com | u29.eset.com | u65.eset.com | hacksoft.com.pe | download201.avast.com | u3.eset.com | u66.eset.com | hauri.net | download202.avast.com | u30.eset.com | u67.eset.com | help.rising.com.cn | download203.avast.com | u31.eset.com | u68.eset.com | freeav.com | download204.avast.com | u32.eset.com | u69.eset.com | trendmicro.com.cn | download205.avast.com | u33.eset.com | u7.eset.com | ikarus.at | freeav.net | download206.avast.com | iss.net | u34.eset.com | u70.eset.com | uk.trendmicro-europe.com | jetico.com | free-av.net | download207.avast.com | k7computing.com | u35.eset.com | u71.eset.com | ftp.avp.com | download641.avast.com | download920.avast.com | dnl-kr7.kaspersky-labs.com | kaspersky.gr | anti-virus.by | ftp.bitdefender.com | update.sophos.com | dnl-us5.kaspersky-labs.com | JUSTFACEBOOK.NET | download214.avast.com | download81.avast.com | mcafeefans.com | mirror02.gdata.de | msk.drweb.com | msk1.drweb.com | msk2.drweb.com | msk3.drweb.com | msk4.drweb.com | msk5.drweb.com | msk6.drweb.com | msk7.drweb.com | niueight.norman.no | niufive.norman.no | niufour.norman.no | niunine.norman.no | niuseven.norman.no | niusix.norman.no | niuthree.norman.no | niutwo.norman.no | nod32.co.uk | nod32.datsec.de | nod32.ru | norton.com | notifier.antivir-pe.de | online.jiangmin.com | online.rising.com.cn | outpost.pl | pccreg.trendmicro.com | pcinternetpatrol.com | quickheal.co.in | reg.rising.com.cn | renewalcenter.symantec.com | safe.qq.com | scan.kingsoft.com | secdreg.org | securecomputing.com | shadow.grisoft.cz | shadu.baidu.com | shadu.duba.net | sophos1.ucd.ie | sophos10.ucd.ie | sophos2.ucd.ie | u0.eset.com | u1.eset.com | u10.eset.com | u100.eset.com | u11.eset.com | u12.eset.com | u13.eset.com | u36.eset.com | u78.eset.com | kaspersky.co.jp | download211.avast.com | kpfans.com | download208.avast.com | dnl-cn14.kaspersky-labs.com | download659.avast.com | ftp.ca.com | download693.avast.com | dnl-us2.kaspersky-labs.com | u36eset.com | u79.eset.com | download212.avast.com | kvup.jiangmin.com | download209.avast.com | download660.avast.com | ftp.customer.symantec.com | download694.avast.com | dnl-us3.kaspersky-labs.com | kaspersky.com.cn | kaspersky.de | eset.co.uk | u37.eset.com | u8.eset.com | kaspersky.dk | download213.avast.com | download210.avast.com | download661.avast.com | ftp.dispatch.mcafee.com | download701.avast.com | dnl-us4.kaspersky-labs.com | kaspersky.pl | eset.at | u37eset.com | u80.eset.com | download3.quickheal.com | download662.avast.com | ftp.download.mcafee.com | download702.avast.com | dnl-us6.kaspersky-labs.com | kaspersky.se | u39.eset.com | u81.eset.com | kasperskylab.co.kr | download4.quickheal.com | download663.avast.com | ftp.downloads1.kaspersky-labs.com | download703.avast.com | dnl-us7.kaspersky-labs.com | kasperskylab.nl | u4.eset.com | u82.eset.com | download5.quickheal.com | download664.avast.com | download704.avast.com | dnl-us8.kaspersky-labs.com | kav.ru | u40.eset.com | u83.eset.com | kav.zonelabs.com | download501.avast.com | malwaredomainlist.com | download502.avast.com | download665.avast.com | ftp.downloads3.kaspersky-labs.com | download705.avast.com | download503.avast.com | kb.bitdefender.com | u41.eset.com | u84.eset.com | download504.avast.com | download505.avast.com | download666.avast.com | ftp.downloads4.kaspersky-labs.com | download706.avast.com | download511.avast.com | u42.eset.com | u85.eset.com | u14.eset.com | download512.avast.com | u15.eset.com | ftp.downloads-eu1.kaspersky-labs.com | download82.avast.com | ftp.downloads-eu2.kaspersky-labs.com | download658.avast.com | download513.avast.com | zeustracker.abuse.ch | dnl-us11.kaspersky-labs.com | ftp.downloads-eu3.kaspersky-labs.com | download75.avast.com | u43.eset.com | download626.avast.com | download514.avast.com | ftp.downloads-eu4.kaspersky-labs.com | download667.avast.com | download515.avast.com | zonealarm.com | dnl-us12.kaspersky-labs.com | ftp.downloads-us1.kaspersky-labs.com | download76.avast.com | zs.kingsoft.com | u44.eset.com | download627.avast.com | ftp.downloads-us2.kaspersky-labs.com | download668.avast.com | download6.quickheal.com | bitcity.info | dnl-us13.kaspersky-labs.com | ftp.downloads-us3.kaspersky-labs.com | download77.avast.com | bitcity.org | u45.eset.com | download628.avast.com | download600.avast.com | ftp.downloads-us4.kaspersky-labs.com | download669.avast.com | download601.avast.com | ilove.tigolbittys.info | dnl-us14.kaspersky-labs.com | download78.avast.com | ulove.tigolbittys.info | u46.eset.com | download629.avast.com | download602.avast.com | download670.avast.com | download630.avast.com | free.tinypicbox.com | dnl-us15.kaspersky-labs.com | ftp.f-prot.com | download79.avast.com | one.tinypicbox.com | u47.eset.com | download631.avast.com | download632.avast.com | download671.avast.com | download633.avast.com | gangbang.mytijn.org | download634.avast.com | ftp.grisoft.com | download8.quickheal.com | irc.bigshitsandwich.org | u48.eset.com | download635.avast.com | download636.avast.com | ftp.kaspersky.com | download672.avast.com | download637.avast.com | l33t.shadow-mods.net | download638.avast.com | ftp.kaspersky-labs.com | download80.avast.com | irc.metraiciono.com | u49.eset.com | download639.avast.com | download640.avast.com | ftp.liveupdate.symantec.com | download673.avast.com | download642.avast.com | download643.avast.com | ftp.liveupdate.symantecliveupdate.com | download83.avast.com | lovings.technigoyous.net | u5.eset.com | download644.avast.com | download645.avast.com | ftp.mast.mcafee.com | download674.avast.com | download646.avast.com | download647.avast.com | ftp.mcafee.com | download84.avast.com | u50.eset.com | download648.avast.com | download675.avast.com | download676.avast.com | download677.avast.com | download678.avast.com | ftp.my-etrust.com | download85.avast.com | u51.eset.com | download679.avast.com | download680.avast.com | download681.avast.com | download682.avast.com | download683.avast.com | ftp.networkassociates.com | download9.quickheal.com | u52.eset.com | download707.avast.com | u53.eset.com | download922.avast.com | ftp.norton.com | ftp.rads.mcafee.com | ftp.sandbox.norman.com | dnl-ru13.kaspersky-labs.com | u54.eset.com | download923.avast.com | ftp.secure.nai.com | ftp.securityresponse.symantec.com | dnl-ru14.kaspersky-labs.com | u55.eset.com | download924.avast.com | ftp.symantecliveupdate.com | ftp.symatec.com | ftp.trendmicro.com | dnl-ru15.kaspersky-labs.com | u72.eset.com | ftp.uk.trendmicro-europe.com | ftp.update.symantec.com | ftp.updates.symantec.com | u16.eset.com | dnl-ru2.kaspersky-labs.com | u73.eset.com | u17.eset.com | u18.eset.com | u74.eset.com | u75.eset.com | dnl-ru3.kaspersky-labs.com | u76.eset.com | u77.eset.com | u86.eset.com | u87.eset.com | u88.eset.com | dnl-ru4.kaspersky-labs.com | u89.eset.com | u9.eset.com | u90.eset.com | pcav.cn | u92.eset.com | u93.eset.com | dnl-ru5.kaspersky-labs.com | u94.eset.com | u95.eset.com | u96.eset.com | u97.eset.com | u99.eset.com | dnl-ru6.kaspersky-labs.com | up.duba.net | up.rising.com.cn | abuse.ch | up1.nod123.cn | upd.zonelabs.com | dnl-ru7.kaspersky-labs.com | update.aladdin.com | update.authentium.com | update.avg.com | backup.avg.cz | backup.grisoft.cz | download.avg.cz | update.avgfrance.com | dnl-ru8.kaspersky-labs.com | update.bitdefender.com | update.drweb.com | update.ewido.com | agfirewall.ru | update.grisoft.com | update.grisoft.cz | dnl-ru9.kaspersky-labs.com | update.hispasec.com | update.ikarus-software.at | update.quickheal.com | update.rising.com.cn | dnl-us1.kaspersky-labs.com | update.trendmicro.com | update7.jiangmin.com | agnitum.de | updates.drweb.com | dnl-us10.kaspersky-labs.com | updates.f-prot.com | agnitum.fr | download708.avast.com | upgrade1.bitdefender.com | upgrade2.bitdefender.com | agnitum.ru | download709.avast.com | upgrade3.bitdefender.com | upgrade4.bitdefender.com | ahnlab.com | download72.avast.com | download73.avast.com | download74.avast.com | download900.avast.com | download901.avast.com | download902.avast.com | download903.avast.com | ahn.com.cn | download904.avast.com | vncsvr.com | download905.avast.com | download906.avast.com | download907.avast.com | download908.avast.com | download909.avast.com | virusbuster.hu | download91.avast.com | download910.avast.com | download911.avast.com | download912.avast.com | download913.avast.com | download914.avast.com | atwola.com | download915.avast.com | download916.avast.com | download917.avast.com | download918.avast.com | download919.avast.com | download92.avast.com | bitdefender.co.uk | download921.avast.com | jotti.org | alert.rising.com.cn | antispy.ru | arcabit.com | arcabit.pl | ashampoo.com | avast.ru | avg.com | avgate.net | dnl-eu10.kaspersky-labs.com | bbs.360.cn | dnl-jp14.kaspersky-labs.com | bbs.cpcw.com | bbs.dswlab.com | neuber.com | processlibrary.com | dnl-jp15.kaspersky-labs.com | dnl-cn2.kaspersky-labs.com | dnl-jp2.kaspersky-labs.com | dnl-cn3.kaspersky-labs.com | dnl-jp3.kaspersky-labs.com | dnl-cn4.kaspersky-labs.com | dnl-jp4.kaspersky-labs.com | dnl-cn5.kaspersky-labs.com | dnl-cn6.kaspersky-labs.com | dnl-jp5.kaspersky-labs.com | dnl-cn7.kaspersky-labs.com | dnl-cn8.kaspersky-labs.com | dnl-cn9.kaspersky-labs.com | dnl-jp6.kaspersky-labs.com | dnl-eu1.kaspersky-labs.com | dnl-eu11.kaspersky-labs.com | dnl-eu12.kaspersky-labs.com | dnl-jp7.kaspersky-labs.com | dnl-eu13.kaspersky-labs.com | dnl-eu14.kaspersky-labs.com | dnl-eu15.kaspersky-labs.com | dnl-jp8.kaspersky-labs.com | dnl-eu2.kaspersky-labs.com | dnl-eu3.kaspersky-labs.com | dnl-eu4.kaspersky-labs.com | dnl-jp9.kaspersky-labs.com | dnl-eu5.kaspersky-labs.com | dnl-eu6.kaspersky-labs.com | dnl-eu7.kaspersky-labs.com | dnl-kr1.kaspersky-labs.com | dnl-eu8.kaspersky-labs.com | dnl-eu9.kaspersky-labs.com | dnl-jp1.kaspersky-labs.com | dnl-kr10.kaspersky-labs.com | dnl-jp10.kaspersky-labs.com | dnl-jp11.kaspersky-labs.com | dnl-jp12.kaspersky-labs.com | dnl-kr11.kaspersky-labs.com | dnl-jp13.kaspersky-labs.com | dnl-kr12.kaspersky-labs.com | dnl-kr13.kaspersky-labs.com | dnl-kr15.kaspersky-labs.com | dnl-kr2.kaspersky-labs.com | dnl-kr3.kaspersky-labs.com | dnl-kr4.kaspersky-labs.com | dnl-kr5.kaspersky-labs.com | dnl-kr6.kaspersky-labs.com | dnl-kr8.kaspersky-labs.com | dnl-kr9.kaspersky-labs.com | dnl-ru10.kaspersky-labs.com | dnl-ru11.kaspersky-labs.com | dnl-ru12.kaspersky-labs.com Gmer ScanI left only 2 processes in the scan to reduce the size of the log. ngrBot Commands |
Additional information |
---|
MD5: 617fc475c1f0120571d8f21493f60959 |
SHA1: e3fcfa0fe9ac759be324479e0a861f8a303b9ff1 |
SHA256:128f4e7f429a8a8c785f3d3f46829ee756ce2f8d7cd509c326183966c5d318ae |
File size: 169472 bytes |
Scan date: 2011-08-03 13:21:51 (UTC) |
Antivirus | Version | Last update | Result |
---|---|---|---|
AhnLab-V3 | 2011.08.03.02 | 2011.08.03 | - |
AntiVir | 7.11.12.200 | 2011.08.03 | - |
Antiy-AVL | 2.0.3.7 | 2011.08.03 | - |
Avast | 4.8.1351.0 | 2011.08.03 | - |
Avast5 | 5.0.677.0 | 2011.08.03 | - |
AVG | 10.0.0.1190 | 2011.08.03 | SHeur3.CMHH |
BitDefender | 7.2 | 2011.08.03 | Gen:Variant.FakeAlert.75 |
CAT-QuickHeal | 11.00 | 2011.08.03 | - |
ClamAV | 0.97.0.0 | 2011.08.03 | - |
Commtouch | 5.3.2.6 | 2011.08.03 | - |
Comodo | 9614 | 2011.08.03 | - |
DrWeb | 5.0.2.03300 | 2011.08.03 | - |
Emsisoft | 5.1.0.8 | 2011.08.03 | - |
eSafe | 7.0.17.0 | 2011.08.03 | - |
eTrust-Vet | 36.1.8479 | 2011.08.02 | - |
F-Prot | 4.6.2.117 | 2011.08.03 | - |
F-Secure | 9.0.16440.0 | 2011.08.03 | Gen:Variant.FakeAlert.75 |
Fortinet | 4.2.257.0 | 2011.08.03 | - |
GData | 22 | 2011.08.03 | Gen:Variant.FakeAlert.75 |
Ikarus | T3.1.1.104.0 | 2011.08.03 | - |
Jiangmin | 13.0.900 | 2011.08.02 | - |
K7AntiVirus | 9.109.4973 | 2011.08.02 | - |
Kaspersky | 9.0.0.837 | 2011.08.03 | UDS:DangerousObject.Multi.Generic |
McAfee | 5.400.0.1158 | 2011.08.03 | - |
McAfee-GW-Edition | 2010.1D | 2011.08.03 | Heuristic.LooksLike.Win32.Suspicious.C |
Microsoft | 1.7104 | 2011.08.03 | - |
NOD32 | 6346 | 2011.08.03 | a variant of Win32/Injector.IIF |
Norman | 6.07.10 | 2011.08.03 | - |
nProtect | 2011-08-03.04 | 2011.08.03 | Gen:Variant.FakeAlert.75 |
Panda | 10.0.3.5 | 2011.08.03 | Suspicious file |
PCTools | 8.0.0.5 | 2011.08.03 | - |
Prevx | 3.0 | 2011.08.03 | - |
Rising | 23.69.02.03 | 2011.08.03 | Suspicious |
Sophos | 4.67.0 | 2011.08.03 | - |
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | Trojan.Agent/Gen-Falcomp |
Symantec | 20111.1.0.186 | 2011.08.03 | - |
TheHacker | 6.7.0.1.269 | 2011.08.03 | - |
TrendMicro | 9.200.0.1012 | 2011.08.03 | - |
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | - |
VBA32 | 3.12.16.4 | 2011.08.03 | - |
VIPRE | 10051 | 2011.08.03 | - |
ViRobot | 2011.8.3.4603 | 2011.08.03 | - |
VirusBuster | 14.0.150.0 | 2011.08.02 | - |
Additional information |
---|
MD5: a17c070c23a4b8be33466d735b460551 |
SHA1: 8d861e95525081603101b0fc129ed9c135bd226f |
SHA256:960c2aa3408c6729d557337893cfba65b6565551c32f1a506e50e1fc72279397 |
File size: 118784 bytes |
Scan date: 2011-08-03 16:36:48 (UTC) |
Antivirus | Version | Last update | Result |
---|---|---|---|
AntiVir | 7.11.12.202 | 2011.08.03 | - |
Antiy-AVL | 2.0.3.7 | 2011.08.03 | - |
Avast | 4.8.1351.0 | 2011.08.03 | - |
Avast5 | 5.0.677.0 | 2011.08.03 | - |
CAT-QuickHeal | 11.00 | 2011.08.03 | - |
ClamAV | 0.97.0.0 | 2011.08.03 | - |
Commtouch | 5.3.2.6 | 2011.08.03 | - |
Comodo | 9617 | 2011.08.03 | - |
eSafe | 7.0.17.0 | 2011.08.03 | - |
eTrust-Vet | 36.1.8481 | 2011.08.03 | - |
F-Prot | 4.6.2.117 | 2011.08.03 | - |
Fortinet | 4.2.257.0 | 2011.08.03 | W32/Injector.HCR!tr |
Ikarus | T3.1.1.104.0 | 2011.08.03 | - |
Jiangmin | 13.0.900 | 2011.08.03 | - |
K7AntiVirus | 9.109.4973 | 2011.08.02 | - |
Kaspersky | 9.0.0.837 | 2011.08.03 | Trojan-Dropper.Win32.Injector.ahk |
McAfee | 5.400.0.1158 | 2011.08.03 | - |
McAfee-GW-Edition | 2010.1D | 2011.08.03 | - |
Microsoft | 1.7104 | 2011.08.03 | - |
NOD32 | 6347 | 2011.08.03 | - |
Norman | 6.07.10 | 2011.08.03 | - |
nProtect | 2011-08-03.04 | 2011.08.03 | - |
PCTools | 8.0.0.5 | 2011.08.03 | - |
Prevx | 3.0 | 2011.08.03 | - |
Rising | 23.69.02.03 | 2011.08.03 | - |
Sophos | 4.67.0 | 2011.08.03 | - |
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | - |
Symantec | 20111.1.0.186 | 2011.08.03 | - |
TheHacker | 6.7.0.1.269 | 2011.08.03 | - |
TrendMicro | 9.200.0.1012 | 2011.08.03 | - |
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | - |
VBA32 | 3.12.16.4 | 2011.08.03 | - |
VIPRE | 10053 | 2011.08.03 | Trojan.Win32.Generic.pak!cobra |
ViRobot | 2011.8.3.4603 | 2011.08.03 | - |
VirusBuster | 14.0.150.0 | 2011.08.02 | - |
Additional information |
---|
MD5: 0d8da66c26b7c8ab1c0b447f8fbcbf07 |
SHA1: b0c1b7f366173d1c455f53d641a28b5b5c0563bf |
SHA256:fdc8db0fea65a7d81e3bc151b19f05f93ab278f095fc7a88545f36497f8459da |
File size: 122880 bytes |
Scan date: 2011-08-03 11:22:09 (UTC) |
Antivirus | Version | Last update | Result |
---|---|---|---|
AhnLab-V3 | 2011.08.03.01 | 2011.08.03 | - |
AntiVir | 7.11.12.200 | 2011.08.03 | - |
Antiy-AVL | 2.0.3.7 | 2011.08.03 | - |
Avast | 4.8.1351.0 | 2011.08.02 | - |
Avast5 | 5.0.677.0 | 2011.08.02 | - |
AVG | 10.0.0.1190 | 2011.08.03 | - |
BitDefender | 7.2 | 2011.08.03 | - |
CAT-QuickHeal | 11.00 | 2011.08.03 | - |
ClamAV | 0.97.0.0 | 2011.08.03 | - |
Commtouch | 5.3.2.6 | 2011.08.03 | - |
Comodo | 9611 | 2011.08.03 | - |
DrWeb | 5.0.2.03300 | 2011.08.03 | - |
Emsisoft | 5.1.0.8 | 2011.08.03 | - |
eSafe | 7.0.17.0 | 2011.08.03 | - |
eTrust-Vet | 36.1.8479 | 2011.08.02 | - |
F-Prot | 4.6.2.117 | 2011.08.03 | - |
F-Secure | 9.0.16440.0 | 2011.08.03 | - |
Fortinet | 4.2.257.0 | 2011.08.03 | W32/Injector.HCR!tr |
GData | 22 | 2011.08.03 | - |
Ikarus | T3.1.1.104.0 | 2011.08.03 | - |
Jiangmin | 13.0.900 | 2011.08.02 | - |
K7AntiVirus | 9.109.4973 | 2011.08.02 | - |
Kaspersky | 9.0.0.837 | 2011.08.03 | - |
McAfee | 5.400.0.1158 | 2011.08.03 | - |
McAfee-GW-Edition | 2010.1D | 2011.08.03 | - |
Microsoft | 1.7104 | 2011.08.03 | - |
NOD32 | 6346 | 2011.08.03 | - |
Norman | 6.07.10 | 2011.08.03 | - |
nProtect | 2011-08-03.04 | 2011.08.03 | - |
Panda | 10.0.3.5 | 2011.08.02 | - |
PCTools | 8.0.0.5 | 2011.08.03 | - |
Prevx | 3.0 | 2011.08.03 | - |
Rising | 23.69.02.03 | 2011.08.03 | - |
Sophos | 4.67.0 | 2011.08.03 | - |
SUPERAntiSpyware | 4.40.0.1006 | 2011.08.03 | - |
Symantec | 20111.1.0.186 | 2011.08.03 | - |
TheHacker | 6.7.0.1.267 | 2011.08.02 | - |
TrendMicro | 9.200.0.1012 | 2011.08.03 | - |
TrendMicro-HouseCall | 9.200.0.1012 | 2011.08.03 | - |
VBA32 | 3.12.16.4 | 2011.08.02 | - |
VIPRE | 10050 | 2011.08.03 | - |
ViRobot | 2011.8.3.4603 | 2011.08.03 | - |
VirusBuster | 14.0.150.0 | 2011.08.02 | - |