Win32/AutoRun.IRCBot [Threat Name]
Win32/AutoRun.IRCBot.FE [Threat Variant Name]
Category | worm |
Size | 147248 B |
Aliases | Net-Worm.Win32.Kolab.jpv (Kaspersky) |
 | W32/Sdbot.worm!jh (McAfee) |
 | W32.IRCBot (Symantec) |
Short description
Win32/AutoRun.IRCBot.FE is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.
Installation
When executed, the worm copies itself to some of the following locations:
- %userprofile%\Start Menu\Programs\Startup\wmpkps.exe
- %appdata%\Microsoft\Windows\Start Menu\Programs\wmpkps.exe
- %windir%\system32\wmpkps.exe
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
  - "Debugger" = "%windir%\system32\wmpkps.exe"
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
  - "conime.exe" = "conime.exe"
This causes the worm to be executed on every system start.
The worm creates and runs a new thread with its own program code within the following processes:
- explorer.exe
Spreading on removable media
The worm creates the following folders:
- %drive%\~RootDir
The worm contains a URL and tries to download the other part of the infiltration from that address.
The file is stored in the following location:
- %drive%\~RootDir\579467.exe
The HTTP protocol is used.
Other information
The worm quits immediately if the computer name is one of the following:
- HOME-OFF-D5F0AC
- honey
- LAB
- Malekal
- MORTE+
- sandbox
- VMG_CLIENT
The worm quits immediately if the Windows user name is one of the following:
- HOME-OFF-D5F0AC
- honey
- LAB
- Malekal
- MORTE+
- sandbox
- VMG_CLIENT
The worm quits immediately if it detects a running process containing one of the following strings in its name:
- Ethereal.exe
- Filemon.exe
- port
- procdump.exe
- Procmon.exe
- Regmon.exe
- regshot.exe
- squid.exe
- TCPView.exe
- Tcpview.exe
- VBox
- vmsrvc
- VMware
- WireShark.exe
The worm may set the following Registry entries:
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
  - "%malwarepath%" = "DisableNXShowUI"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
  - "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
  - "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
  - "DisableConfig" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
  - "DontReportInfectionInformation" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
  - "AntiVirusOverride" = 1
  - "AntiVirusDisableNotify" = 1
  - "FirewallOverride" = 1
  - "FirewallDisableNotify" = 1
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
  - "Start" = 4
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
  - "Start" = 4
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
  - "Debugger" = "ntsd -d"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
  - "DisableSR" = 1
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
  - "CheckedValue" = 1
- [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
  - "Hidden" = 2
The %application% is one of the following strings:
- AvastSvc.exe
- avastUI.exe
- avp.exe
- bdagent.exe
- ccSvcHst.exe
- egui.exe
- ekrn.exe
- KAV32.exe
- livesrv.exe
- mrt.exe
- mrtstub.exe
- msascui.exe
- msmpeng.exe
- seccenter.exe
- symlcsvc.exe
- vsserv.exe
The worm may delete the following Registry entries:
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
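A triage check for the registry changes listed above and under Installation, added here as an example and not part of the original description or any vendor tool: it parses the text of a `reg export` and reports Image File Execution Options "Debugger" values, the disabled-service and Security Center values from this page, and missing SafeBoot keys. The function names, finding labels and the sample export are assumptions constructed for illustration.

```python
import re

# Constructed sample in `reg export` text format (not captured from a real host).
# Real exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\Windows\\system32\\wmpkps.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
"""

IFEO = "\\image file execution options\\"

# (lower-case key suffix, value name, data listed on this page)
VALUE_RULES = [
    ("\\services\\wscsvc", "Start", 4),
    ("\\services\\wuauserv", "Start", 4),
    ("\\microsoft\\security center", "AntiVirusOverride", 1),
    ("\\microsoft\\security center", "AntiVirusDisableNotify", 1),
    ("\\microsoft\\security center", "FirewallOverride", 1),
    ("\\microsoft\\security center", "FirewallDisableNotify", 1),
    ("\\policies\\microsoft\\windows nt\\systemrestore", "DisableConfig", 1),
    ("\\policies\\microsoft\\mrt", "DontReportInfectionInformation", 1),
    ("\\windows nt\\currentversion\\systemrestore", "DisableSR", 1),
]

# Keys the page lists as deleted; their absence blocks Safe Mode boot.
SAFEBOOT_KEYS = ("\\control\\safeboot\\minimal", "\\control\\safeboot\\network")

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _decode(data):
    """Turn .reg value data into an int (dword) or an unescaped string."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex:, hex(2): and other types are kept as raw text


def parse_reg(text):
    """Return {lower-case key path: {lower-case value name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = _decode(m.group(2))
    return keys


def find_tampering(text, expect_safeboot=True):
    """Return a list of (kind, location, detail) findings for analyst review."""
    keys = parse_reg(text)
    findings = []
    for key, values in keys.items():
        # Any IFEO Debugger value redirects launches of that image. Legitimate
        # uses exist (developer debuggers), so treat each hit as a lead.
        if IFEO in key and "debugger" in values:
            image = key.split(IFEO, 1)[1]
            findings.append(("ifeo-debugger", image, values["debugger"]))
        for suffix, name, bad in VALUE_RULES:
            if key.endswith(suffix) and values.get(name.lower()) == bad:
                findings.append(("tamper-value", suffix.lstrip("\\"), f"{name}={bad}"))
    # Only meaningful when the export covers SYSTEM\CurrentControlSet\Control.
    if expect_safeboot:
        for suffix in SAFEBOOT_KEYS:
            present = any(k.endswith(suffix) or (suffix + "\\") in k for k in keys)
            if not present:
                findings.append(("missing-key", suffix.lstrip("\\"), ""))
    return findings


if __name__ == "__main__":
    for kind, where, detail in find_tampering(SAMPLE_EXPORT):
        print(f"{kind:14} {where} {detail}")
```

A service start type of 4 or a single IFEO debugger can also be set by an administrator; several findings together on one host are the stronger signal.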
The following programs are terminated:
- 123.COM
- 123.EXE
- A2HIJACKFREESETUP.EXE
- AMPAWSMASHERX.EXE
- APM.EXE
- APORTS.EXE
- APT.EXE
- ASVIEWER.EXE
- ATF-CLEANER.EXE
- ATF-CLEANER.EXE
- AUTORUNS.EXE
- AVENGER.EXE
- AVENGER.EXE
- AVG_AVWT_STB_EN_9_40_FREE.EXE
- AVGARKT.EXE
- AVINSTALL.EXE
- AVIRA_ANTIVIR_PERSONAL_EN.EXE
- AVZ.EXE
- AVZ.EXE
- BC5CA6A.EXE
- BITDEFENDER_ANTIVIRUS.EXE
- BOOTSAFE.EXE
- BUSCAREG.EXE
- CATCHME.EXE
- CF9409.EXE
- COMBOFIX.BAT
- COMBOFIX.COM
- COMBOFIX.EXE
- COMBO-FIX.EXE
- COMBOFIX.SCR
- COMPAQ_PROPIETARIO.EXE
- CPF.EXE
- CPORTS.EXE
- CPROCESS.EXE
- CUREIT.EXE
- DAFT.EXE
- DARKSPY105.EXE
- DELAYDELFILE.EXE
- DLLCOMPARE.EXE
- DLLHOSTS.EXE
- DRWEB-600-WIN-PRO-X86.EXE
- DUBATOOL_AV_KILLER.EXE
- EAV_NT32_ENU.MSI
- EAV_NT64_ENU.MSI
- ELISTA.EXE
- ESCW_90_SA_SFX.EXE
- EULALYZERSETUP.EXE
- FILEALYZ.EXE
- FILEFIND.EXE
- FIXBAGLE.EXE
- FIXPATH.EXE
- FOLDERCURE.EXE
- FPORT.EXE
- FSB.EXE
- FSBL.EXE
- GMER.EXE
- GUARD.EXE
- GUARDXKICKOFF.EXE
- GUARDXSERVICE.EXE
- HACKMON.EXE
- HELIOS.EXE
- HIJACKTHIS.EXE
- HIJACK-THIS.EXE
- HIJACKTHIS_SFX.EXE
- HIJACKTHIS_V2.EXE
- HJ.EXE
- HJTINSTALL.EXE
- HJTSETUP.EXE
- HOOKANLZ.EXE
- HOOKANLZ.EXE
- HOSTSFILEREADER.EXE
- HOSTSXPERT.EXE
- ICESWORD.EXE
- IEFIX.EXE
- INSTALLWATCHPRO25.EXE
- ISSDM_EN_32.EXE
- JAJA.EXE
- K7TS_SETUP.EXE
- KAKASETUPV6.EXE
- KILLAUTOPLUS.EXE
- KILLBOX.EXE
- LISTO.EXE
- LORDPE.EXE
- MBAM.EXE
- MBAM.EXE
- MBAM-SETUP.EXE
- MBAM-SETUP.EXE
- MBR.EXE
- MRT.EXE
- MRTSTUB.EXE
- MSASCUI.EXE
- MSMPENG.EXE
- MSNCLEANER.EXE
- MSNFIX.EXE
- MYPHOTOKILLER.EXE
- NAV-TW-30-17-1-0-19TBEN.EXE
- NETALYZ.EXE
- NETMON.EXE
- NETSTAT.EXE
- NS360S300EN
- NTVDM.EXE
- OBJMONSETUP.EXE
- OLLYDBG.EXE
- OTL.EXE
- OTM.EXE
- OTMOVEIT.EXE
- OTMOVEIT3.EXE
- P08PROMO.EXE
- PAVARK.EXE
- PENCLEAN.EXE
- PG2.EXE
- PGSETUP.EXE
- PORTDETECTIVE.EXE
- PORTMONITOR.EXE
- PREVX.EXE
- PREVXCSIFREE.EXE
- PROCDUMP.EXE
- PROCESSMONITOR.EXE
- PROCEXP.EXE
- PROCMON.EXE
- PROCMON.EXE
- PROJECTWHOISINSTALLER.EXE
- PSKILL.EXE
- RAVP.EXE
- REANIMATOR.EXE
- REG.EXE
- REGALYZ.EXE
- REGCOOL.EXE
- REGEDIT.COM
- REGEDIT.SCR
- REGISTRAR_LITE.EXE
- REGMON.EXE
- REGSCANNER.EXE
- REGSHOT.EXE
- REGSHOT.EXE
- REGUNLOCKER.EXE
- REGUNLOCKER.EXE
- REGX2.EXE
- RKD.EXE
- ROOTALYZER.EXE
- ROOTKIT_DETECTIVE.EXE
- ROOTKITBUSTER.EXE
- ROOTKITNO.EXE
- ROOTKITREVEALER.EXE
- ROOTREPEAL.EXE
- SAFEBOOTKEYREPAIR.EXE
- SDFIX.EXE
- SECCENTER.EXE
- SEEM.EXE
- SETUP_AV_FREE.EXE
- SMASH.EXE
- SMASH1.EXE
- SMASH2.EXE
- SMASH3.EXE
- SMASH4.EXE
- SMASH5.EXE
- SMASH6.EXE
- SMASH7.EXE
- SMSNIFF.EXE
- SPF.EXE
- SPYBOTSD.EXE
- SPYBOTSD160.EXE
- SRENGLDR.EXE
- SRENGLDR.EXE
- SRENGPS.EXE
- SRESTORE.EXE
- STARTDRECK.EXE
- SUPERANTISPYWARE.EXE
- SUPERANTISPYWARE.EXE
- SUPERKILLER.EXE
- SYSANALYZER_SETUP.EXE
- TASKKILL.EXE
- TASKLIST.EXE
- TASKMAN.EXE
- TASKMON.EXE
- TCPVIEW.EXE
- TEATIMER.EXE
- TrendMicro_TISPro_16.1_1063_x32.EXE
- TSNTEVAL.EXE
- UNHACKME.EXE
- UNIEXTRACT.EXE
- UNLOCKER.EXE
- UNLOCKER1.8.7.EXE
- UNLOCKER1.8.7.EXE
- UNLOCKERASSISTANT.EXE
- USBGUARD.EXE
- VBA32-PERSONAL-LATEST-ENGLISH.EXE
- VIPRE.EXE
- VIRUS.EXE
- VIRUSUTILITIES.EXE
- WINDOWSDEFENDER.MSI
- WINDOWS-KB890930-V2.2.EXE
- WIRESHARK.EXE
- WITSETUP.EXE
- XP_TASKMGRENAB.EXE
- ZLCLIENT.EXE
The worm executes the following commands:
- cmd.exe /C net stop wuauserv
- cmd.exe /C sc stop wuauserv
- cmd.exe /C sc config wuauserv start= disabled
- cmd.exe /C sc delete wuauserv
- cmd.exe /C net stop CSIScanner
- cmd.exe /C sc stop CSIScanner
- cmd.exe /C sc config CSIScanner start= disabled
- cmd.exe /C sc delete CSIScanner
- cmd.exe /C net stop MsMpSvc
- cmd.exe /C sc stop MsMpSvc
- cmd.exe /C sc config MsMpSvc start= disabled
- cmd.exe /C sc delete MsMpSvc
- cmd.exe /C net stop K7RTScan
- cmd.exe /C sc stop K7RTScan
- cmd.exe /C sc config K7RTScan start= disabled
- cmd.exe /C sc delete K7RTScan
- cmd.exe /C net stop K7TSMngr
- cmd.exe /C sc stop K7TSMngr
- cmd.exe /C sc config K7TSMngr start= disabled
- cmd.exe /C sc delete K7TSMngr
- cmd.exe /C net stop "avast! Antivirus"
- cmd.exe /C sc stop "avast! Antivirus"
- cmd.exe /C sc config "avast! Antivirus" start= disabled
- cmd.exe /C sc delete "avast! Antivirus"
- cmd.exe /C net stop AntiVirService
- cmd.exe /C sc stop AntiVirService
- cmd.exe /C sc config AntiVirService start= disabled
- cmd.exe /C sc delete AntiVirService
- cmd.exe /C net stop PASRV
- cmd.exe /C sc stop PASRV
- cmd.exe /C sc config PASRV start= disabled
- cmd.exe /C sc delete PASRV
- cmd.exe /C net stop VSSERV
- cmd.exe /C sc stop VSSERV
- cmd.exe /C sc config VSSERV start= disabled
- cmd.exe /C sc delete VSSERV
- cmd.exe /C net stop avg8wd
- cmd.exe /C sc stop avg8wd
- cmd.exe /C sc config avg8wd start= disabled
- cmd.exe /C sc delete avg8wd
- cmd.exe /C net stop avg9wd
- cmd.exe /C sc stop avg9wd
- cmd.exe /C sc config avg9wd start= disabled
- cmd.exe /C sc delete avg9wd
- cmd.exe /C net stop NOD32krn
- cmd.exe /C sc stop NOD32krn
- cmd.exe /C sc config NOD32krn start= disabled
- cmd.exe /C sc delete NOD32krn
- cmd.exe /C net stop ekrn
- cmd.exe /C sc stop ekrn
- cmd.exe /C sc config ekrn start= disabled
- cmd.exe /C sc delete ekrn
- cmd.exe /C net stop McShield
- cmd.exe /C sc stop McShield
- cmd.exe /C sc config McShield start= disabled
- cmd.exe /C sc delete McShield
- cmd.exe /C net stop OutpostFirewall
- cmd.exe /C sc stop OutpostFirewall
- cmd.exe /C sc config OutpostFirewall start= disabled
- cmd.exe /C sc delete OutpostFirewall
- cmd.exe /C net stop TmPfw
- cmd.exe /C sc stop TmPfw
- cmd.exe /C sc config TmPfw start= disabled
- cmd.exe /C sc delete TmPfw
- cmd.exe /C net stop KPF4
- cmd.exe /C sc stop KPF4
- cmd.exe /C sc config KPF4 start= disabled
- cmd.exe /C sc delete KPF4
- cmd.exe /C net stop SmcService
- cmd.exe /C sc stop SmcService
- cmd.exe /C sc config SmcService start= disabled
- cmd.exe /C sc delete SmcService
- cmd.exe /C net stop cmd.exeAgent
- cmd.exe /C sc stop cmd.exeAgent
- cmd.exe /C sc config cmd.exeAgent start= disabled
- cmd.exe /C sc delete cmd.exeAgent
- cmd.exe /C net stop vsmon
- cmd.exe /C sc stop vsmon
- cmd.exe /C sc config vsmon start= disabled
- cmd.exe /C sc delete vsmon
- cmd.exe /C net stop SbPF.Launcher
- cmd.exe /C sc stop SbPF.Launcher
- cmd.exe /C sc config SbPF.Launcher start= disabled
- cmd.exe /C sc delete SbPF.Launcher
- cmd.exe /C net stop SPF4
- cmd.exe /C sc stop SPF4
- cmd.exe /C sc config SPF4 start= disabled
- cmd.exe /C sc delete SPF4
- cmd.exe /C net stop acssrv
- cmd.exe /C sc stop acssrv
- cmd.exe /C sc config acssrv start= disabled
- cmd.exe /C sc delete acssrv
- cmd.exe /C net stop SAVService
- cmd.exe /C sc stop SAVService
- cmd.exe /C sc config SavService start= disabled
- cmd.exe /C sc delete SAVService
- cmd.exe /C net stop SAVAdminService
- cmd.exe /C sc stop SAVAdminService
- cmd.exe /C sc config SAVAdminService start= disabled
- cmd.exe /C sc delete SAVAdminService
- cmd.exe /C net stop "Sophos AutoUpdate Service"
- cmd.exe /C sc stop "Sophos AutoUpdate Service"
- cmd.exe /C sc config "Sophos AutoUpdate Service" start= disabled
- cmd.exe /C sc delete "Sophos AutoUpdate Service"
- cmd.exe /C net stop "Sophos Client Firewall"
- cmd.exe /C sc stop "Sophos Client Firewall"
- cmd.exe /C sc config "Sophos Client Firewall" start= disabled
- cmd.exe /C sc delete "Sophos Client Firewall"
- cmd.exe /C net stop "Sophos Client Firewall Manager"
- cmd.exe /C sc stop "Sophos Client Firewall Manager"
- cmd.exe /C sc config "Sophos Client Firewall Manager" start= disabled
- cmd.exe /C sc delete "Sophos Client Firewall Manager"
The worm modifies the following file:
- %system%\drivers\etc\hosts
The worm writes the following entries to the file:
- 97.231.133.14 updatem.360safe.cn
- 97.231.133.14 update.360safe.cn
- 97.231.133.14 update.360safe.com
- 97.231.133.14 www.utilidades-utiles.com
- 97.231.133.14 forum.kaspersky.com
- 97.231.133.14 www.indowebster.web.id
- 97.231.133.14 zastita.com
- 97.231.133.14 www.sz-pet.com
- 97.231.133.14 foros.abcdatos.com
- 97.231.133.14 www.elektroda.pl
- 97.231.133.14 gulaley.blogspot.com
- 97.231.133.14 bbs.duba.net
- 97.231.133.14 www.duba.net
- 97.231.133.14 zhidao.baidu.com
- 97.231.133.14 hi.baidu.com
- 97.231.133.14 www.drweb.com.es
- 97.231.133.14 msncleaner.softonic.com
- 97.231.133.14 www.javacoolsoftware.com
- 97.231.133.14 beniono.wordpress.com
- 97.231.133.14 www.4-gsmteam.com
- 97.231.133.14 msntubers.freehostia.com
- 97.231.133.14 store.norton.com
- 97.231.133.14 social.answers.microsoft.com
- 97.231.133.14 file.ikaka.com
- 97.231.133.14 file.ikaka.cn
- 97.231.133.14 bbs.ikaka.com
- 97.231.133.14 zhidao.ikaka.com
- 97.231.133.14 www.eset-la.com
- 97.231.133.14 download.eset.com
- 97.231.133.14 software-files.download.com
- 97.231.133.14 www.faravirusi.com
- 97.231.133.14 www.winbots.es
- 97.231.133.14 forum.chip.de
- 97.231.133.14 www.thailandsusu.com
- 97.231.133.14 debates.motos.net
- 97.231.133.14 www.judj.com
- 97.231.133.14 www.ikaka.com
- 97.231.133.14 www.ikaka.cn
- 97.231.133.14 bbs.cfan.com.cn
- 97.231.133.14 www.cfan.com.cn
- 97.231.133.14 www.pandasecurity.com
- 97.231.133.14 es.mcafee.com
- 97.231.133.14 downloads.malwarebytes.org
- 97.231.133.14 www.devirusare.com
- 97.231.133.14 forum.skype.com
- 97.231.133.14 shitit.net
- 97.231.133.14 www.webimmune.net
- 97.231.133.14 forum.swzone.it
- 97.231.133.14 www.dl4all.com
- 97.231.133.14 foros.mcanime.net
- 97.231.133.14 bbs.kafan.cn
- 97.231.133.14 bbs.kafan.com
- 97.231.133.14 bbs.kpfans.com
- 97.231.133.14 bbs.taisha.org
- 97.231.133.14 www.manuelruvalcaba.com
- 97.231.133.14 support.f-secure.com
- 97.231.133.14 bbs.winzheng.com
- 97.231.133.14 devirusare.com
- 97.231.133.14 social.microsoft.com
- 97.231.133.14 www.shitit.net
- 97.231.133.14 mx.answers.yahoo.com
- 97.231.133.14 darkzone.in.th
- 97.231.133.14 www.velocidadmaxima.com
- 97.231.133.14 alerta-antivirus.inteco.es
- 97.231.133.14 foros.zonavirus.com
- 97.231.133.14 alerta-antivirus.red.es
- 97.231.133.14 www.zonavirus.com
- 97.231.133.14 www.malwarebytes.org
- 97.231.133.14 www.commentcamarche.net
- 97.231.133.14 news.support.veritas.com
- 97.231.133.14 www.zonealarm.com
- 97.231.133.14 malwarebytes-anti-malware.softonic.com
- 97.231.133.14 www.securitystronghold.com
- 97.231.133.14 www.ewido.net
- 97.231.133.14 www.infospyware.com
- 97.231.133.14 www.bitdefender.es
- 97.231.133.14 housecall.trendmicro.com
- 97.231.133.14 foros.toxico-pc.com
- 97.231.133.14 www.identi.es
- 97.231.133.14 es.kioskea.net
- 97.231.133.14 virusinfo.info
- 97.231.133.14 forums.zonealarm.com
- 97.231.133.14 foro.infiernohacker.com
- 97.231.133.14 nitroamd.spaces.live.com
- 97.231.133.14 forums.overclockzone.com
- 97.231.133.14 www.emsisoft.de
- 97.231.133.14 www.securitynewsportal.com
- 97.231.133.14 irc.ekizmedia.com
- 97.231.133.14 zone.arminboutique.com
- 97.231.133.14 story.dnsentrymx.com
The worm may execute the following commands:
- cmd.exe /C attrib -s -h "C:\ntldr"
- cmd.exe /C move "C:\ntldr" "C:\dump"
- cmd.exe /C del /F /S /Q "%WINDIR%\system32\hal.dll"
- cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.exe"
- cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.dll"
- cmd.exe /C del /F /S /Q "%WINDIR%\system32\drvers\*.sys"
- cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.*"
- cmd.exe /C del /F /S /Q "%WINDIR%\*.*"
- cmd.exe /C del /F /S /Q "C:\ComboFix.txt"
- ipconfig /flushdns
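One way to flag the command lines listed above in process-creation telemetry, as an added example that is not part of the original description. The rule names, the expansion of %WINDIR% to C:\Windows and the sample lines are assumptions constructed for illustration.

```python
import re

# Added example: rule names and the C:\Windows expansion are assumptions.
ENV = re.compile(r"%(?:windir|systemroot)%", re.I)

def normalize(cmdline):
    """Lower-case, expand %WINDIR%, drop quotes, collapse whitespace."""
    c = ENV.sub(lambda m: r"c:\windows", cmdline.lower())
    return " ".join(c.replace('"', " ").split())

def is_system_wipe(c):
    # del with /F /S /Q together, aimed at the Windows directory tree.
    return (re.search(r"\bdel\b", c) is not None
            and all(sw in c.split() for sw in ("/f", "/s", "/q"))
            and "c:\\windows\\" in c)

RULES = [
    ("system-file-wipe", is_system_wipe),
    # Clearing system/hidden attributes on, or moving, the XP boot loader.
    ("boot-loader-tamper", lambda c: re.search(
        r"\b(?:attrib\s+(?:-[sh]\s+)+|move\s+)\S*\\ntldr\b", c) is not None),
    # Deleting the log left behind by the ComboFix removal tool.
    ("remediation-log-delete", lambda c: re.search(
        r"\bdel\b.*\\combofix\.txt\b", c) is not None),
]

def classify(cmdline):
    """Return the names of all rules the command line matches."""
    c = normalize(cmdline)
    return [name for name, test in RULES if test(c)]

# Constructed process-creation command lines (not captured telemetry).
SAMPLES = [
    r'cmd.exe /C attrib -s -h "C:\ntldr"',
    r'cmd.exe /C move "C:\ntldr" "C:\dump"',
    r'cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.dll"',
    r'cmd.exe /C del /F /S /Q "C:\ComboFix.txt"',
    r'cmd.exe /C del /Q "C:\Users\alice\AppData\Local\Temp\*.tmp"',
    r'attrib -h "C:\Users\alice\notes.txt"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["no-match"], line)
```

The last two samples are benign look-alikes and match no rule, so the switch and path checks are what carry the detection rather than the presence of del or attrib alone.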
The worm acquires data and commands from a remote computer or the Internet.
The worm connects to the following addresses:
The IRC protocol is used.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- update itself to a newer version
- perform port scanning
- spread via IM networks
- open a specific URL address
- connect to remote computers on a specific port