Win32/AutoRun.IRCBot.FE
Aliases: Net-Worm.Win32.Kolab.jpv (Kaspersky), W32/Sdbot.worm!jh (McAfee), W32.IRCBot (Symantec)
Type of infiltration: Worm
Size: 147248 B
Affected platforms: Microsoft Windows
Signature database version: 5115 (20100514)
Short description
Win32/AutoRun.IRCBot.FE is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself to some of the following locations:
%userprofile%\Start Menu\Programs\Startup\wmpkps.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\wmpkps.exe
%windir%\system32\wmpkps.exe
The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger" = "%windir%\system32\wmpkps.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"conime.exe" = "conime.exe"
This causes the worm to be executed on every system start.
The worm creates and runs a new thread with its own program code within the following processes:
explorer.exe
Spreading on removable media
The worm creates the following folders:
%drive%\~RootDir
The worm contains a URL. It tries to download the other part of the infiltration from that address.
The file is stored in the following location:
%drive%\~RootDir\579467.exe
The HTTP protocol is used.
Other information
The worm quits immediately if the computer name is one of the following:
HOME-OFF-D5F0AC
honey
LAB
Malekal
MORTE+
sandbox
VMG_CLIENT
The worm quits immediately if the user name is one of the following:
HOME-OFF-D5F0AC
honey
LAB
Malekal
MORTE+
sandbox
VMG_CLIENT
The worm quits immediately if it detects a running process containing one of the following strings in its name:
Ethereal.exe
Filemon.exe
port
procdump.exe
Procmon.exe
Regmon.exe
regshot.exe
squid.exe
TCPView.exe
Tcpview.exe
VBox
vmsrvc
VMware
WireShark.exe
The worm may set the following Registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
"%malwarepath%" = "DisableNXShowUI"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
"DontReportInfectionInformation" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride" = 1
"AntiVirusDisableNotify" = 1
"FirewallOverride" = 1
"FirewallDisableNotify" = 1
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start" = 4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start" = 4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
"Debugger" = "ntsd -d"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
"CheckedValue" = 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = 2
The %application% is one of the following strings:
AvastSvc.exe
avastUI.exe
avp.exe
bdagent.exe
ccSvcHst.exe
egui.exe
ekrn.exe
KAV32.exe
livesrv.exe
mrt.exe
mrtstub.exe
msascui.exe
msmpeng.exe
seccenter.exe
symlcsvc.exe
vsserv.exe
The worm may delete the following Registry entries:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
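The registry changes listed above can be checked offline against a registry export taken from a suspect machine. The following Python is an added example, not ESET's code: the sample export, the C:\WINDOWS expansion of %windir%, the rule names and the function names are constructed for illustration.

```python
import re

# Constructed regedit export for the example (not captured from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\WINDOWS\\system32\\wmpkps.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\wmpkps.exe"="C:\\WINDOWS\\system32\\wmpkps.exe:*:Enabled:LAN Router"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''

IFEO = r"\currentversion\image file execution options" + "\\"
FW_LIST = r"\authorizedapplications\list"
SAFEBOOT = r"\control\safeboot"
# (rule id, key suffix, value name, value the description says the worm writes)
DWORD_RULES = [
    ("service-disabled", r"\services\wscsvc", "start", 4),
    ("service-disabled", r"\services\wuauserv", "start", 4),
    ("security-center-override", r"\microsoft\security center", "antivirusoverride", 1),
    ("security-center-override", r"\microsoft\security center", "antivirusdisablenotify", 1),
    ("security-center-override", r"\microsoft\security center", "firewalloverride", 1),
    ("security-center-override", r"\microsoft\security center", "firewalldisablenotify", 1),
    ("system-restore-disabled", r"\policies\microsoft\windows nt\systemrestore", "disableconfig", 1),
    ("system-restore-disabled", r"\windows nt\currentversion\systemrestore", "disablesr", 1),
    ("mrt-reporting-disabled", r"\policies\microsoft\mrt", "dontreportinfectioninformation", 1),
]


def _unescape(s):
    """Undo regedit's backslash escaping inside quoted names and strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {lower-cased key path: {lower-cased value name: int or str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # header, blank line, default value or hex continuation
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            current[name] = _unescape(data[1:-1])
    return keys


def audit(text):
    """Return (rule, subject, detail) findings for the changes the description lists."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1]
        # Any IFEO Debugger redirects launches of <leaf>; review each hit manually.
        if IFEO in key and isinstance(values.get("debugger"), str):
            findings.append(("ifeo-debugger", leaf, values["debugger"]))
        for rule, suffix, name, bad in DWORD_RULES:
            if key.endswith(suffix) and values.get(name) == bad:
                findings.append((rule, leaf, f"{name}={bad}"))
        if key.endswith(FW_LIST):
            for name, data in values.items():
                if isinstance(data, str) and data.lower().endswith(":*:enabled:lan router"):
                    findings.append(("firewall-exception", name, data))
        # Only judge SafeBoot when the export actually covers that key.
        if key.endswith(SAFEBOOT):
            for sub in ("minimal", "network"):
                child = f"{key}\\{sub}"
                if not any(k == child or k.startswith(child + "\\") for k in keys):
                    findings.append(("safeboot-key-missing", sub, key))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

Files written by reg export are UTF-16 encoded, so decode them before passing the text to audit().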
The following programs are terminated:
123.COM
123.EXE
A2HIJACKFREESETUP.EXE
AMPAWSMASHERX.EXE
APM.EXE
APORTS.EXE
APT.EXE
ASVIEWER.EXE
ATF-CLEANER.EXE
AUTORUNS.EXE
AVENGER.EXE
AVG_AVWT_STB_EN_9_40_FREE.EXE
AVGARKT.EXE
AVINSTALL.EXE
AVIRA_ANTIVIR_PERSONAL_EN.EXE
AVZ.EXE
BC5CA6A.EXE
BITDEFENDER_ANTIVIRUS.EXE
BOOTSAFE.EXE
BUSCAREG.EXE
CATCHME.EXE
CF9409.EXE
COMBOFIX.BAT
COMBOFIX.COM
COMBOFIX.EXE
COMBO-FIX.EXE
COMBOFIX.SCR
COMPAQ_PROPIETARIO.EXE
CPF.EXE
CPORTS.EXE
CPROCESS.EXE
CUREIT.EXE
DAFT.EXE
DARKSPY105.EXE
DELAYDELFILE.EXE
DLLCOMPARE.EXE
DLLHOSTS.EXE
DRWEB-600-WIN-PRO-X86.EXE
DUBATOOL_AV_KILLER.EXE
EAV_NT32_ENU.MSI
EAV_NT64_ENU.MSI
ELISTA.EXE
ESCW_90_SA_SFX.EXE
EULALYZERSETUP.EXE
FILEALYZ.EXE
FILEFIND.EXE
FIXBAGLE.EXE
FIXPATH.EXE
FOLDERCURE.EXE
FPORT.EXE
FSB.EXE
FSBL.EXE
GMER.EXE
GUARD.EXE
GUARDXKICKOFF.EXE
GUARDXSERVICE.EXE
HACKMON.EXE
HELIOS.EXE
HIJACKTHIS.EXE
HIJACK-THIS.EXE
HIJACKTHIS_SFX.EXE
HIJACKTHIS_V2.EXE
HJ.EXE
HJTINSTALL.EXE
HJTSETUP.EXE
HOOKANLZ.EXE
HOSTSFILEREADER.EXE
HOSTSXPERT.EXE
ICESWORD.EXE
IEFIX.EXE
INSTALLWATCHPRO25.EXE
ISSDM_EN_32.EXE
JAJA.EXE
K7TS_SETUP.EXE
KAKASETUPV6.EXE
KILLAUTOPLUS.EXE
KILLBOX.EXE
LISTO.EXE
LORDPE.EXE
MBAM.EXE
MBAM-SETUP.EXE
MBR.EXE
MRT.EXE
MRTSTUB.EXE
MSASCUI.EXE
MSMPENG.EXE
MSNCLEANER.EXE
MSNFIX.EXE
MYPHOTOKILLER.EXE
NAV-TW-30-17-1-0-19TBEN.EXE
NETALYZ.EXE
NETMON.EXE
NETSTAT.EXE
NS360S300EN
NTVDM.EXE
OBJMONSETUP.EXE
OLLYDBG.EXE
OTL.EXE
OTM.EXE
OTMOVEIT.EXE
OTMOVEIT3.EXE
P08PROMO.EXE
PAVARK.EXE
PENCLEAN.EXE
PG2.EXE
PGSETUP.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
PREVX.EXE
PREVXCSIFREE.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXP.EXE
PROCMON.EXE
PROJECTWHOISINSTALLER.EXE
PSKILL.EXE
RAVP.EXE
REANIMATOR.EXE
REG.EXE
REGALYZ.EXE
REGCOOL.EXE
REGEDIT.COM
REGEDIT.SCR
REGISTRAR_LITE.EXE
REGMON.EXE
REGSCANNER.EXE
REGSHOT.EXE
REGUNLOCKER.EXE
REGX2.EXE
RKD.EXE
ROOTALYZER.EXE
ROOTKIT_DETECTIVE.EXE
ROOTKITBUSTER.EXE
ROOTKITNO.EXE
ROOTKITREVEALER.EXE
ROOTREPEAL.EXE
SAFEBOOTKEYREPAIR.EXE
SDFIX.EXE
SECCENTER.EXE
SEEM.EXE
SETUP_AV_FREE.EXE
SMASH.EXE
SMASH1.EXE
SMASH2.EXE
SMASH3.EXE
SMASH4.EXE
SMASH5.EXE
SMASH6.EXE
SMASH7.EXE
SMSNIFF.EXE
SPF.EXE
SPYBOTSD.EXE
SPYBOTSD160.EXE
SRENGLDR.EXE
SRENGPS.EXE
SRESTORE.EXE
STARTDRECK.EXE
SUPERANTISPYWARE.EXE
SUPERKILLER.EXE
SYSANALYZER_SETUP.EXE
TASKKILL.EXE
TASKLIST.EXE
TASKMAN.EXE
TASKMON.EXE
TCPVIEW.EXE
TEATIMER.EXE
TrendMicro_TISPro_16.1_1063_x32.EXE
TSNTEVAL.EXE
UNHACKME.EXE
UNIEXTRACT.EXE
UNLOCKER.EXE
UNLOCKER1.8.7.EXE
UNLOCKERASSISTANT.EXE
USBGUARD.EXE
VBA32-PERSONAL-LATEST-ENGLISH.EXE
VIPRE.EXE
VIRUS.EXE
VIRUSUTILITIES.EXE
WINDOWSDEFENDER.MSI
WINDOWS-KB890930-V2.2.EXE
WIRESHARK.EXE
WITSETUP.EXE
XP_TASKMGRENAB.EXE
ZLCLIENT.EXE
The worm executes the following commands:
cmd.exe /C net stop wuauserv
cmd.exe /C sc stop wuauserv
cmd.exe /C sc config wuauserv start= disabled
cmd.exe /C sc delete wuauserv
cmd.exe /C net stop CSIScanner
cmd.exe /C sc stop CSIScanner
cmd.exe /C sc config CSIScanner start= disabled
cmd.exe /C sc delete CSIScanner
cmd.exe /C net stop MsMpSvc
cmd.exe /C sc stop MsMpSvc
cmd.exe /C sc config MsMpSvc start= disabled
cmd.exe /C sc delete MsMpSvc
cmd.exe /C net stop K7RTScan
cmd.exe /C sc stop K7RTScan
cmd.exe /C sc config K7RTScan start= disabled
cmd.exe /C sc delete K7RTScan
cmd.exe /C net stop K7TSMngr
cmd.exe /C sc stop K7TSMngr
cmd.exe /C sc config K7TSMngr start= disabled
cmd.exe /C sc delete K7TSMngr
cmd.exe /C net stop "avast! Antivirus"
cmd.exe /C sc stop "avast! Antivirus"
cmd.exe /C sc config "avast! Antivirus" start= disabled
cmd.exe /C sc delete "avast! Antivirus"
cmd.exe /C net stop AntiVirService
cmd.exe /C sc stop AntiVirService
cmd.exe /C sc config AntiVirService start= disabled
cmd.exe /C sc delete AntiVirService
cmd.exe /C net stop PASRV
cmd.exe /C sc stop PASRV
cmd.exe /C sc config PASRV start= disabled
cmd.exe /C sc delete PASRV
cmd.exe /C net stop VSSERV
cmd.exe /C sc stop VSSERV
cmd.exe /C sc config VSSERV start= disabled
cmd.exe /C sc delete VSSERV
cmd.exe /C net stop avg8wd
cmd.exe /C sc stop avg8wd
cmd.exe /C sc config avg8wd start= disabled
cmd.exe /C sc delete avg8wd
cmd.exe /C net stop avg9wd
cmd.exe /C sc stop avg9wd
cmd.exe /C sc config avg9wd start= disabled
cmd.exe /C sc delete avg9wd
cmd.exe /C net stop NOD32krn
cmd.exe /C sc stop NOD32krn
cmd.exe /C sc config NOD32krn start= disabled
cmd.exe /C sc delete NOD32krn
cmd.exe /C net stop ekrn
cmd.exe /C sc stop ekrn
cmd.exe /C sc config ekrn start= disabled
cmd.exe /C sc delete ekrn
cmd.exe /C net stop McShield
cmd.exe /C sc stop McShield
cmd.exe /C sc config McShield start= disabled
cmd.exe /C sc delete McShield
cmd.exe /C net stop OutpostFirewall
cmd.exe /C sc stop OutpostFirewall
cmd.exe /C sc config OutpostFirewall start= disabled
cmd.exe /C sc delete OutpostFirewall
cmd.exe /C net stop TmPfw
cmd.exe /C sc stop TmPfw
cmd.exe /C sc config TmPfw start= disabled
cmd.exe /C sc delete TmPfw
cmd.exe /C net stop KPF4
cmd.exe /C sc stop KPF4
cmd.exe /C sc config KPF4 start= disabled
cmd.exe /C sc delete KPF4
cmd.exe /C net stop SmcService
cmd.exe /C sc stop SmcService
cmd.exe /C sc config SmcService start= disabled
cmd.exe /C sc delete SmcService
cmd.exe /C net stop cmd.exeAgent
cmd.exe /C sc stop cmd.exeAgent
cmd.exe /C sc config cmd.exeAgent start= disabled
cmd.exe /C sc delete cmd.exeAgent
cmd.exe /C net stop vsmon
cmd.exe /C sc stop vsmon
cmd.exe /C sc config vsmon start= disabled
cmd.exe /C sc delete vsmon
cmd.exe /C net stop SbPF.Launcher
cmd.exe /C sc stop SbPF.Launcher
cmd.exe /C sc config SbPF.Launcher start= disabled
cmd.exe /C sc delete SbPF.Launcher
cmd.exe /C net stop SPF4
cmd.exe /C sc stop SPF4
cmd.exe /C sc config SPF4 start= disabled
cmd.exe /C sc delete SPF4
cmd.exe /C net stop acssrv
cmd.exe /C sc stop acssrv
cmd.exe /C sc config acssrv start= disabled
cmd.exe /C sc delete acssrv
cmd.exe /C net stop SAVService
cmd.exe /C sc stop SAVService
cmd.exe /C sc config SavService start= disabled
cmd.exe /C sc delete SAVService
cmd.exe /C net stop SAVAdminService
cmd.exe /C sc stop SAVAdminService
cmd.exe /C sc config SAVAdminService start= disabled
cmd.exe /C sc delete SAVAdminService
cmd.exe /C net stop "Sophos AutoUpdate Service"
cmd.exe /C sc stop "Sophos AutoUpdate Service"
cmd.exe /C sc config "Sophos AutoUpdate Service" start= disabled
cmd.exe /C sc delete "Sophos AutoUpdate Service"
cmd.exe /C net stop "Sophos Client Firewall"
cmd.exe /C sc stop "Sophos Client Firewall"
cmd.exe /C sc config "Sophos Client Firewall" start= disabled
cmd.exe /C sc delete "Sophos Client Firewall"
cmd.exe /C net stop "Sophos Client Firewall Manager"
cmd.exe /C sc stop "Sophos Client Firewall Manager"
cmd.exe /C sc config "Sophos Client Firewall Manager" start= disabled
cmd.exe /C sc delete "Sophos Client Firewall Manager"
The following file is modified:
%system%\drivers\etc\hosts
The worm writes the following entries to the file:
97.231.133.14 hi.baidu.com
97.231.133.14 www.drweb.com.es
97.231.133.14 msncleaner.softonic.com
97.231.133.14 www.javacoolsoftware.com
97.231.133.14 beniono.wordpress.com
97.231.133.14 www.4-gsmteam.com
97.231.133.14 msntubers.freehostia.com
97.231.133.14 store.norton.com
97.231.133.14 social.answers.microsoft.com
97.231.133.14 file.ikaka.com
97.231.133.14 file.ikaka.cn
97.231.133.14 bbs.ikaka.com
97.231.133.14 zhidao.ikaka.com
97.231.133.14 www.eset-la.com
97.231.133.14 download.eset.com
97.231.133.14 software-files.download.com
97.231.133.14 www.faravirusi.com
97.231.133.14 www.winbots.es
97.231.133.14 forum.chip.de
97.231.133.14 www.thailandsusu.com
97.231.133.14 debates.motos.net
97.231.133.14 www.judj.com
97.231.133.14 www.ikaka.com
97.231.133.14 www.ikaka.cn
97.231.133.14 bbs.cfan.com.cn
97.231.133.14 www.cfan.com.cn
97.231.133.14 www.pandasecurity.com
97.231.133.14 es.mcafee.com
97.231.133.14 downloads.malwarebytes.org
97.231.133.14 www.devirusare.com
97.231.133.14 forum.skype.com
97.231.133.14 shitit.net
97.231.133.14 www.webimmune.net
97.231.133.14 forum.swzone.it
97.231.133.14 www.dl4all.com
97.231.133.14 foros.mcanime.net
97.231.133.14 bbs.kafan.cn
97.231.133.14 bbs.kafan.com
97.231.133.14 bbs.kpfans.com
97.231.133.14 bbs.taisha.org
97.231.133.14 www.manuelruvalcaba.com
97.231.133.14 support.f-secure.com
97.231.133.14 bbs.winzheng.com
97.231.133.14 devirusare.com
97.231.133.14 social.microsoft.com
97.231.133.14 www.shitit.net
97.231.133.14 mx.answers.yahoo.com
97.231.133.14 darkzone.in.th
97.231.133.14 www.velocidadmaxima.com
97.231.133.14 alerta-antivirus.inteco.es
97.231.133.14 foros.zonavirus.com
97.231.133.14 alerta-antivirus.red.es
97.231.133.14 www.zonavirus.com
97.231.133.14 www.malwarebytes.org
97.231.133.14 www.commentcamarche.net
97.231.133.14 news.support.veritas.com
97.231.133.14 www.zonealarm.com
97.231.133.14 malwarebytes-anti-malware.softonic.com
97.231.133.14 www.securitystronghold.com
97.231.133.14 www.ewido.net
97.231.133.14 www.infospyware.com
97.231.133.14 www.bitdefender.es
97.231.133.14 housecall.trendmicro.com
97.231.133.14 foros.toxico-pc.com
97.231.133.14 www.identi.es
97.231.133.14 es.kioskea.net
97.231.133.14 virusinfo.info
97.231.133.14 forums.zonealarm.com
97.231.133.14 foro.infiernohacker.com
97.231.133.14 nitroamd.spaces.live.com
97.231.133.14 forums.overclockzone.com
97.231.133.14 www.emsisoft.de
97.231.133.14 www.securitynewsportal.com
97.231.133.14 irc.ekizmedia.com
97.231.133.14 zone.arminboutique.com
97.231.133.14 story.dnsentrymx.com
The worm may execute the following commands:
cmd.exe /C attrib -s -h \"C:\\ntldr\"
cmd.exe /C move \"C:\\ntldr\" \"C:\\dump\"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\hal.dll"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\hal.dll"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.exe"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.dll"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\drvers\*.sys"
cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.*"
cmd.exe /C del /F /S /Q "%WINDIR%\*.*"
cmd.exe /C del /F /S /Q \"C:\\ComboFix.txt\"
ipconfig /flushdns
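For detection, the command lines listed above can be matched in process-creation telemetry once quoting, case and environment variables are normalised. The following is an added example, not code from ESET or from this page; the event tuples, host names and rule names are constructed assumptions.

```python
import re

# Constructed process-creation events (host, command line); the hosts and the
# benign lines are invented, the malicious lines follow the list on this page.
SAMPLE_EVENTS = [
    ("WS-01", r'cmd.exe /C attrib -s -h \"C:\\ntldr\"'),
    ("WS-01", r'CMD.EXE /c move "C:\ntldr" "C:\dump"'),
    ("WS-01", r'cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.dll"'),
    ("WS-01", r'cmd.exe /C del /F /S /Q \"C:\\ComboFix.txt\"'),
    ("WS-02", r'cmd.exe /C del /F /Q "C:\Users\bob\AppData\Local\Temp\*.tmp"'),
    ("WS-02", "ipconfig /flushdns"),  # on the page's list, too common to alert on alone
]

# Hypothetical rule names; each regex runs against the normalised command line.
RULES = {
    "boot-file-tamper": re.compile(r"\b(attrib|move|del)\b.*\bc:\\ntldr\b"),
    "windows-dir-wipe": re.compile(
        r"\bdel\b(?=.*\s/f\b)(?=.*\s/q\b).*\bc:\\windows\\"),
    "cleanup-log-removal": re.compile(r"\bdel\b.*\\combofix\.txt\b"),
}

def normalize(cmdline):
    """Lower-case, undo escaped quotes and doubled backslashes, expand %WINDIR%."""
    s = cmdline.lower().replace('\\"', '"')
    s = re.sub(r"\\{2,}", lambda m: "\\", s)      # C:\\ntldr -> C:\ntldr
    s = s.replace('"', "")
    # Assumes the default Windows directory; adjust for non-standard installs.
    s = re.sub(r"%(windir|systemroot)%", lambda m: r"c:\windows", s)
    return re.sub(r"\s+", " ", s).strip()

def classify(cmdline):
    """Return the sorted names of all rules the command line matches."""
    s = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(s))

def triage(events):
    """Group matched rule names per host; hosts with no match are omitted."""
    hits = {}
    for host, cmdline in events:
        for rule in classify(cmdline):
            hits.setdefault(host, set()).add(rule)
    return {h: sorted(r) for h, r in hits.items()}

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```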
The worm acquires data and commands from a remote computer or the Internet.
The worm connects to the following addresses:
The IRC protocol is used.
It can execute the following operations:
download files from a remote computer and/or the Internet
run executable files
update itself to a newer version
perform port scanning
spread via IM networks
open a specific URL address
connect to remote computers on a specific port