Win32/AutoRun.IRCBot [Threat Name]

Win32/AutoRun.IRCBot.FE [Threat Variant Name]

Category: worm
Size: 147248 B
Aliases:
  • Net-Worm.Win32.Kolab.jpv (Kaspersky)
  • W32/Sdbot.worm!jh (McAfee)
  • W32.IRCBot (Symantec)

Short description

Win32/AutoRun.IRCBot.FE is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself to some of the following locations:

  • %userprofile%\Start Menu\Programs\Startup\wmpkps.exe
  • %appdata%\Microsoft\Windows\Start Menu\Programs\wmpkps.exe
  • %windir%\system32\wmpkps.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
    • "Debugger" = "%windir%\system32\wmpkps.exe"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "conime.exe" = "conime.exe"

This causes the worm to be executed on every system start.


The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

Spreading on removable media

The worm creates the following folders:

  • %drive%\~RootDir

The worm contains a URL. It tries to download the other part of the infiltration from that address.

The file is stored in the following location:

  • %drive%\~RootDir\579467.exe

The HTTP protocol is used.

Other information

The worm quits immediately if the computer name is one of the following:

  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • VMG_CLIENT

The worm quits immediately if the Windows user name is one of the following:

  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • VMG_CLIENT

The worm quits immediately if it detects a running process containing one of the following strings in its name:

  • Ethereal.exe
  • Filemon.exe
  • port
  • procdump.exe
  • Procmon.exe
  • Regmon.exe
  • regshot.exe
  • squid.exe
  • TCPView.exe
  • Tcpview.exe
  • VBox
  • vmsrvc
  • VMware
  • WireShark.exe

The worm may set the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers]
    • "%malwarepath%" = "DisableNXShowUI"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    • "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
    • "DisableConfig" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT]
    • "DontReportInfectionInformation" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
    • "AntiVirusOverride" = 1
    • "AntiVirusDisableNotify" = 1
    • "FirewallOverride" = 1
    • "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
    • "Start" = 4
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%application%]
    • "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    • "DisableSR" = 1
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden]
    • "CheckedValue" = 1
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2

The %application% is one of the following strings:

  • AvastSvc.exe
  • avastUI.exe
  • avp.exe
  • bdagent.exe
  • ccSvcHst.exe
  • egui.exe
  • ekrn.exe
  • KAV32.exe
  • livesrv.exe
  • mrt.exe
  • mrtstub.exe
  • msascui.exe
  • msmpeng.exe
  • seccenter.exe
  • symlcsvc.exe
  • vsserv.exe

The worm may delete the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal]
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
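
A triage check for the registry changes listed above, run over the text of a "reg export" file. This is an added example, not code from the original description; the function names, rule labels and the sample export are constructed for illustration.

```python
import re

HKLM = "hkey_local_machine"
IFEO = HKLM + r"\software\microsoft\windows nt\currentversion\image file execution options"
SAFEBOOT = HKLM + r"\system\currentcontrolset\control\safeboot"

# %application% names from the description (IFEO "Debugger" = "ntsd -d").
AV_IMAGES = {"avastsvc.exe", "avastui.exe", "avp.exe", "bdagent.exe", "ccsvchst.exe",
             "egui.exe", "ekrn.exe", "kav32.exe", "livesrv.exe", "mrt.exe",
             "mrtstub.exe", "msascui.exe", "msmpeng.exe", "seccenter.exe",
             "symlcsvc.exe", "vsserv.exe"}

# Key (lower-cased) -> {value name: value the description says the worm sets}.
DWORD_RULES = {
    HKLM + r"\system\currentcontrolset\services\wscsvc": {"Start": 4},
    HKLM + r"\system\currentcontrolset\services\wuauserv": {"Start": 4},
    HKLM + r"\software\microsoft\security center": {
        "AntiVirusOverride": 1, "AntiVirusDisableNotify": 1,
        "FirewallOverride": 1, "FirewallDisableNotify": 1},
    HKLM + r"\software\microsoft\windows nt\currentversion\systemrestore": {"DisableSR": 1},
    HKLM + r"\software\policies\microsoft\windows nt\systemrestore": {"DisableConfig": 1},
    HKLM + r"\software\policies\microsoft\mrt": {"DontReportInfectionInformation": 1},
}

VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg export text (already decoded; reg.exe writes UTF-16) into
    {lower-cased key path: {lower-cased value name: int or str}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            current[name] = _unescape(data[1:-1])
        else:
            current[name] = data  # hex(...) and other types are kept raw
    return keys


def audit(keys):
    """Return (rule, subject, detail) tuples for settings matching the description."""
    findings = []
    for path, values in keys.items():
        if path.startswith(IFEO + "\\"):
            image = path[len(IFEO) + 1:]
            dbg = str(values.get("debugger", ""))
            if image in AV_IMAGES and " ".join(dbg.lower().split()) == "ntsd -d":
                findings.append(("ifeo-av-block", image, dbg))
            elif dbg.lower().endswith("\\wmpkps.exe"):
                findings.append(("ifeo-persistence", image, dbg))
        for name, bad in DWORD_RULES.get(path, {}).items():
            if values.get(name.lower()) == bad:
                findings.append(("tampered-value", path + "\\" + name, str(bad)))
    # Only judge SafeBoot subkeys when the export actually covers the parent key.
    if SAFEBOOT in keys:
        for sub in ("minimal", "network"):
            if SAFEBOOT + "\\" + sub not in keys:
                findings.append(("safeboot-key-missing", sub, ""))
    return findings


# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\conime.exe]
"Debugger"="C:\\WINDOWS\\system32\\wmpkps.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe]
"Debugger"="ntsd -d"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network]
'''

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_REG)):
        print(finding)
```

Each hit is a lead to confirm rather than proof of infection, since an administrator can set some of these values deliberately (for example, a disabled wuauserv service).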

The following programs are terminated:

  • 123.COM
  • 123.EXE
  • A2HIJACKFREESETUP.EXE
  • AMPAWSMASHERX.EXE
  • APM.EXE
  • APORTS.EXE
  • APT.EXE
  • ASVIEWER.EXE
  • ATF-CLEANER.EXE
  • AUTORUNS.EXE
  • AVENGER.EXE
  • AVG_AVWT_STB_EN_9_40_FREE.EXE
  • AVGARKT.EXE
  • AVINSTALL.EXE
  • AVIRA_ANTIVIR_PERSONAL_EN.EXE
  • AVZ.EXE
  • BC5CA6A.EXE
  • BITDEFENDER_ANTIVIRUS.EXE
  • BOOTSAFE.EXE
  • BUSCAREG.EXE
  • CATCHME.EXE
  • CF9409.EXE
  • COMBOFIX.BAT
  • COMBOFIX.COM
  • COMBOFIX.EXE
  • COMBO-FIX.EXE
  • COMBOFIX.SCR
  • COMPAQ_PROPIETARIO.EXE
  • CPF.EXE
  • CPORTS.EXE
  • CPROCESS.EXE
  • CUREIT.EXE
  • DAFT.EXE
  • DARKSPY105.EXE
  • DELAYDELFILE.EXE
  • DLLCOMPARE.EXE
  • DLLHOSTS.EXE
  • DRWEB-600-WIN-PRO-X86.EXE
  • DUBATOOL_AV_KILLER.EXE
  • EAV_NT32_ENU.MSI
  • EAV_NT64_ENU.MSI
  • ELISTA.EXE
  • ESCW_90_SA_SFX.EXE
  • EULALYZERSETUP.EXE
  • FILEALYZ.EXE
  • FILEFIND.EXE
  • FIXBAGLE.EXE
  • FIXPATH.EXE
  • FOLDERCURE.EXE
  • FPORT.EXE
  • FSB.EXE
  • FSBL.EXE
  • GMER.EXE
  • GUARD.EXE
  • GUARDXKICKOFF.EXE
  • GUARDXSERVICE.EXE
  • HACKMON.EXE
  • HELIOS.EXE
  • HIJACKTHIS.EXE
  • HIJACK-THIS.EXE
  • HIJACKTHIS_SFX.EXE
  • HIJACKTHIS_V2.EXE
  • HJ.EXE
  • HJTINSTALL.EXE
  • HJTSETUP.EXE
  • HOOKANLZ.EXE
  • HOSTSFILEREADER.EXE
  • HOSTSXPERT.EXE
  • ICESWORD.EXE
  • IEFIX.EXE
  • INSTALLWATCHPRO25.EXE
  • ISSDM_EN_32.EXE
  • JAJA.EXE
  • K7TS_SETUP.EXE
  • KAKASETUPV6.EXE
  • KILLAUTOPLUS.EXE
  • KILLBOX.EXE
  • LISTO.EXE
  • LORDPE.EXE
  • MBAM.EXE
  • MBAM-SETUP.EXE
  • MBR.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • MSNCLEANER.EXE
  • MSNFIX.EXE
  • MYPHOTOKILLER.EXE
  • NAV-TW-30-17-1-0-19TBEN.EXE
  • NETALYZ.EXE
  • NETMON.EXE
  • NETSTAT.EXE
  • NS360S300EN
  • NTVDM.EXE
  • OBJMONSETUP.EXE
  • OLLYDBG.EXE
  • OTL.EXE
  • OTM.EXE
  • OTMOVEIT.EXE
  • OTMOVEIT3.EXE
  • P08PROMO.EXE
  • PAVARK.EXE
  • PENCLEAN.EXE
  • PG2.EXE
  • PGSETUP.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PREVX.EXE
  • PREVXCSIFREE.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXP.EXE
  • PROCMON.EXE
  • PROJECTWHOISINSTALLER.EXE
  • PSKILL.EXE
  • RAVP.EXE
  • REANIMATOR.EXE
  • REG.EXE
  • REGALYZ.EXE
  • REGCOOL.EXE
  • REGEDIT.COM
  • REGEDIT.SCR
  • REGISTRAR_LITE.EXE
  • REGMON.EXE
  • REGSCANNER.EXE
  • REGSHOT.EXE
  • REGUNLOCKER.EXE
  • REGX2.EXE
  • RKD.EXE
  • ROOTALYZER.EXE
  • ROOTKIT_DETECTIVE.EXE
  • ROOTKITBUSTER.EXE
  • ROOTKITNO.EXE
  • ROOTKITREVEALER.EXE
  • ROOTREPEAL.EXE
  • SAFEBOOTKEYREPAIR.EXE
  • SDFIX.EXE
  • SECCENTER.EXE
  • SEEM.EXE
  • SETUP_AV_FREE.EXE
  • SMASH.EXE
  • SMASH1.EXE
  • SMASH2.EXE
  • SMASH3.EXE
  • SMASH4.EXE
  • SMASH5.EXE
  • SMASH6.EXE
  • SMASH7.EXE
  • SMSNIFF.EXE
  • SPF.EXE
  • SPYBOTSD.EXE
  • SPYBOTSD160.EXE
  • SRENGLDR.EXE
  • SRENGPS.EXE
  • SRESTORE.EXE
  • STARTDRECK.EXE
  • SUPERANTISPYWARE.EXE
  • SUPERKILLER.EXE
  • SYSANALYZER_SETUP.EXE
  • TASKKILL.EXE
  • TASKLIST.EXE
  • TASKMAN.EXE
  • TASKMON.EXE
  • TCPVIEW.EXE
  • TEATIMER.EXE
  • TrendMicro_TISPro_16.1_1063_x32.EXE
  • TSNTEVAL.EXE
  • UNHACKME.EXE
  • UNIEXTRACT.EXE
  • UNLOCKER.EXE
  • UNLOCKER1.8.7.EXE
  • UNLOCKERASSISTANT.EXE
  • USBGUARD.EXE
  • VBA32-PERSONAL-LATEST-ENGLISH.EXE
  • VIPRE.EXE
  • VIRUS.EXE
  • VIRUSUTILITIES.EXE
  • WINDOWSDEFENDER.MSI
  • WINDOWS-KB890930-V2.2.EXE
  • WIRESHARK.EXE
  • WITSETUP.EXE
  • XP_TASKMGRENAB.EXE
  • ZLCLIENT.EXE

The worm executes the following commands:

  • cmd.exe /C net stop wuauserv
  • cmd.exe /C sc stop wuauserv
  • cmd.exe /C sc config wuauserv start= disabled
  • cmd.exe /C sc delete wuauserv
  • cmd.exe /C net stop CSIScanner
  • cmd.exe /C sc stop CSIScanner
  • cmd.exe /C sc config CSIScanner start= disabled
  • cmd.exe /C sc delete CSIScanner
  • cmd.exe /C net stop MsMpSvc
  • cmd.exe /C sc stop MsMpSvc
  • cmd.exe /C sc config MsMpSvc start= disabled
  • cmd.exe /C sc delete MsMpSvc
  • cmd.exe /C net stop K7RTScan
  • cmd.exe /C sc stop K7RTScan
  • cmd.exe /C sc config K7RTScan start= disabled
  • cmd.exe /C sc delete K7RTScan
  • cmd.exe /C net stop K7TSMngr
  • cmd.exe /C sc stop K7TSMngr
  • cmd.exe /C sc config K7TSMngr start= disabled
  • cmd.exe /C sc delete K7TSMngr
  • cmd.exe /C net stop "avast! Antivirus"
  • cmd.exe /C sc stop "avast! Antivirus"
  • cmd.exe /C sc config "avast! Antivirus" start= disabled
  • cmd.exe /C sc delete "avast! Antivirus"
  • cmd.exe /C net stop AntiVirService
  • cmd.exe /C sc stop AntiVirService
  • cmd.exe /C sc config AntiVirService start= disabled
  • cmd.exe /C sc delete AntiVirService
  • cmd.exe /C net stop PASRV
  • cmd.exe /C sc stop PASRV
  • cmd.exe /C sc config PASRV start= disabled
  • cmd.exe /C sc delete PASRV
  • cmd.exe /C net stop VSSERV
  • cmd.exe /C sc stop VSSERV
  • cmd.exe /C sc config VSSERV start= disabled
  • cmd.exe /C sc delete VSSERV
  • cmd.exe /C net stop avg8wd
  • cmd.exe /C sc stop avg8wd
  • cmd.exe /C sc config avg8wd start= disabled
  • cmd.exe /C sc delete avg8wd
  • cmd.exe /C net stop avg9wd
  • cmd.exe /C sc stop avg9wd
  • cmd.exe /C sc config avg9wd start= disabled
  • cmd.exe /C sc delete avg9wd
  • cmd.exe /C net stop NOD32krn
  • cmd.exe /C sc stop NOD32krn
  • cmd.exe /C sc config NOD32krn start= disabled
  • cmd.exe /C sc delete NOD32krn
  • cmd.exe /C net stop ekrn
  • cmd.exe /C sc stop ekrn
  • cmd.exe /C sc config ekrn start= disabled
  • cmd.exe /C sc delete ekrn
  • cmd.exe /C net stop McShield
  • cmd.exe /C sc stop McShield
  • cmd.exe /C sc config McShield start= disabled
  • cmd.exe /C sc delete McShield
  • cmd.exe /C net stop OutpostFirewall
  • cmd.exe /C sc stop OutpostFirewall
  • cmd.exe /C sc config OutpostFirewall start= disabled
  • cmd.exe /C sc delete OutpostFirewall
  • cmd.exe /C net stop TmPfw
  • cmd.exe /C sc stop TmPfw
  • cmd.exe /C sc config TmPfw start= disabled
  • cmd.exe /C sc delete TmPfw
  • cmd.exe /C net stop KPF4
  • cmd.exe /C sc stop KPF4
  • cmd.exe /C sc config KPF4 start= disabled
  • cmd.exe /C sc delete KPF4
  • cmd.exe /C net stop SmcService
  • cmd.exe /C sc stop SmcService
  • cmd.exe /C sc config SmcService start= disabled
  • cmd.exe /C sc delete SmcService
  • cmd.exe /C net stop cmd.exeAgent
  • cmd.exe /C sc stop cmd.exeAgent
  • cmd.exe /C sc config cmd.exeAgent start= disabled
  • cmd.exe /C sc delete cmd.exeAgent
  • cmd.exe /C net stop vsmon
  • cmd.exe /C sc stop vsmon
  • cmd.exe /C sc config vsmon start= disabled
  • cmd.exe /C sc delete vsmon
  • cmd.exe /C net stop SbPF.Launcher
  • cmd.exe /C sc stop SbPF.Launcher
  • cmd.exe /C sc config SbPF.Launcher start= disabled
  • cmd.exe /C sc delete SbPF.Launcher
  • cmd.exe /C net stop SPF4
  • cmd.exe /C sc stop SPF4
  • cmd.exe /C sc config SPF4 start= disabled
  • cmd.exe /C sc delete SPF4
  • cmd.exe /C net stop acssrv
  • cmd.exe /C sc stop acssrv
  • cmd.exe /C sc config acssrv start= disabled
  • cmd.exe /C sc delete acssrv
  • cmd.exe /C net stop SAVService
  • cmd.exe /C sc stop SAVService
  • cmd.exe /C sc config SavService start= disabled
  • cmd.exe /C sc delete SAVService
  • cmd.exe /C net stop SAVAdminService
  • cmd.exe /C sc stop SAVAdminService
  • cmd.exe /C sc config SAVAdminService start= disabled
  • cmd.exe /C sc delete SAVAdminService
  • cmd.exe /C net stop "Sophos AutoUpdate Service"
  • cmd.exe /C sc stop "Sophos AutoUpdate Service"
  • cmd.exe /C sc config "Sophos AutoUpdate Service" start= disabled
  • cmd.exe /C sc delete "Sophos AutoUpdate Service"
  • cmd.exe /C net stop "Sophos Client Firewall"
  • cmd.exe /C sc stop "Sophos Client Firewall"
  • cmd.exe /C sc config "Sophos Client Firewall" start= disabled
  • cmd.exe /C sc delete "Sophos Client Firewall"
  • cmd.exe /C net stop "Sophos Client Firewall Manager"
  • cmd.exe /C sc stop "Sophos Client Firewall Manager"
  • cmd.exe /C sc config "Sophos Client Firewall Manager" start= disabled
  • cmd.exe /C sc delete "Sophos Client Firewall Manager"

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file:

  • 97.231.133.14   ba-k.com
  • 97.231.133.14   www.mcanime.net
  • 97.231.133.14   es.kioskea.net
  • 97.231.133.14   www.taringa.net
  • 97.231.133.14   www.cyberdefender.com
  • 97.231.133.14   www.feedage.com
  • 97.231.133.14   new.taringa.net
  • 97.231.133.14   forum.zazana.com
  • 97.231.133.14   forum.clubedohardware.com.br
  • 97.231.133.14   mks.com.pl
  • 97.231.133.14   www.vietcaravan.us
  • 97.231.133.14   trbotnet.sytes.net
  • 97.231.133.14   community.norton.com
  • 97.231.133.14   positiveroot.wordpress.com
  • 97.231.133.14   www.computing.net
  • 97.231.133.14   discussions.virtualdr.com
  • 97.231.133.14   forum.securitycadets.com
  • 97.231.133.14   www.techimo.com
  • 97.231.133.14   13iii.com
  • 97.231.133.14   www.dicasweb.com.br
  • 97.231.133.14   www.javacoolsoftware.net
  • 97.231.133.14   cofradia.org
  • 97.231.133.14   wasteland-bg.com
  • 97.231.133.14   www.windowexe.com
  • 97.231.133.14   malekal.com
  • 97.231.133.14   www.carigold.com
  • 97.231.133.14   answers.yahoo.com
  • 97.231.133.14   www.infosecpodcast.com
  • 97.231.133.14   www.usbcleaner.cn
  • 97.231.133.14   www.net-security.org
  • 97.231.133.14   www.bleedingthreats.net
  • 97.231.133.14   acs.pandasoftware.com
  • 97.231.133.14   www.funkytoad.com
  • 97.231.133.14   malwarebytes.org
  • 97.231.133.14   sabithpocker.blogspot.com
  • 97.231.133.14   comprolive.vox.com
  • 97.231.133.14   www.worton.com
  • 97.231.133.14   www.rss-verzeichnis.de
  • 97.231.133.14   www.bloodzone.net
  • 97.231.133.14   www.360safe.cn
  • 97.231.133.14   www.360safe.com
  • 97.231.133.14   bbs.360safe.cn
  • 97.231.133.14   bbs.360safe.com
  • 97.231.133.14   codehard.wordpress.com
  • 97.231.133.14   forum.clubedohardware.com.br
  • 97.231.133.14   antitrick.com
  • 97.231.133.14   www.configurarequipos.com
  • 97.231.133.14   www.jiwang.org
  • 97.231.133.14   anti-virus-software-review.toptenreviews.com
  • 97.231.133.14   forums.malwarebytes.org
  • 97.231.133.14   www.360.cn
  • 97.231.133.14   www.360.com
  • 97.231.133.14   bbs.360safe.cn
  • 97.231.133.14   bbs.360safe.com
  • 97.231.133.14   www.forospyware.es
  • 97.231.133.14   p3dev.taringa.net
  • 97.231.133.14   www.precisesecurity.com
  • 97.231.133.14   dlpe.antivir.com
  • 97.231.133.14   www.jvme.com
  • 97.231.133.14   share.skype.com
  • 97.231.133.14   comprolive.com
  • 97.231.133.14   gotoknow.org
  • 97.231.133.14   www.forofantasiasmiguel.com
  • 97.231.133.14   www.spywaredemon.com
  • 97.231.133.14   baike.360.cn
  • 97.231.133.14   baike.360.com
  • 97.231.133.14   kaba.360.cn
  • 97.231.133.14   kaba.360.com
  • 97.231.133.14   deckard.geekstogo.com
  • 97.231.133.14   www.taringa.net
  • 97.231.133.14   forums.comodo.com
  • 97.231.133.14   www.mvps.org
  • 97.231.133.14   melcy.wordpress.com
  • 97.231.133.14   forum.softpedia.com
  • 97.231.133.14   pcvids.wordpress.com
  • 97.231.133.14   shop.symantecstore.com
  • 97.231.133.14   banes-pages.blogspot.com
  • 97.231.133.14   down.360safe.cn
  • 97.231.133.14   down.360safe.com
  • 97.231.133.14   x.360safe.com
  • 97.231.133.14   dl.360safe.com
  • 97.231.133.14   ftp.drweb.com
  • 97.231.133.14   www.hotshare.net
  • 97.231.133.14   es.wasalive.com
  • 97.231.133.14   free.antivirus.com
  • 97.231.133.14   forum.hocit.com
  • 97.231.133.14   destavision-forum.com
  • 97.231.133.14   inspiresoft.blogspot.com
  • 97.231.133.14   universomanualidades.foroactivo.com
  • 97.231.133.14   updatem.360safe.com
  • 97.231.133.14   updatem.360safe.cn
  • 97.231.133.14   update.360safe.cn
  • 97.231.133.14   update.360safe.com
  • 97.231.133.14   www.utilidades-utiles.com
  • 97.231.133.14   forum.kaspersky.com
  • 97.231.133.14   www.indowebster.web.id
  • 97.231.133.14   zastita.com
  • 97.231.133.14   www.sz-pet.com
  • 97.231.133.14   foros.abcdatos.com
  • 97.231.133.14   www.elektroda.pl
  • 97.231.133.14   gulaley.blogspot.com
  • 97.231.133.14   bbs.duba.net
  • 97.231.133.14   www.duba.net
  • 97.231.133.14   zhidao.baidu.com
  • 97.231.133.14   hi.baidu.com
  • 97.231.133.14   www.drweb.com.es
  • 97.231.133.14   msncleaner.softonic.com
  • 97.231.133.14   www.javacoolsoftware.com
  • 97.231.133.14   beniono.wordpress.com
  • 97.231.133.14   www.4-gsmteam.com
  • 97.231.133.14   msntubers.freehostia.com
  • 97.231.133.14   store.norton.com
  • 97.231.133.14   social.answers.microsoft.com
  • 97.231.133.14   file.ikaka.com
  • 97.231.133.14   file.ikaka.cn
  • 97.231.133.14   bbs.ikaka.com
  • 97.231.133.14   zhidao.ikaka.com
  • 97.231.133.14   www.eset-la.com
  • 97.231.133.14   download.eset.com
  • 97.231.133.14   software-files.download.com
  • 97.231.133.14   www.faravirusi.com
  • 97.231.133.14   www.winbots.es
  • 97.231.133.14   forum.chip.de
  • 97.231.133.14   www.thailandsusu.com
  • 97.231.133.14   debates.motos.net
  • 97.231.133.14   www.judj.com
  • 97.231.133.14   www.ikaka.com
  • 97.231.133.14   www.ikaka.cn
  • 97.231.133.14   bbs.cfan.com.cn
  • 97.231.133.14   www.cfan.com.cn
  • 97.231.133.14   www.pandasecurity.com
  • 97.231.133.14   es.mcafee.com
  • 97.231.133.14   downloads.malwarebytes.org
  • 97.231.133.14   www.devirusare.com
  • 97.231.133.14   forum.skype.com
  • 97.231.133.14   shitit.net
  • 97.231.133.14   www.webimmune.net
  • 97.231.133.14   forum.swzone.it
  • 97.231.133.14   www.dl4all.com
  • 97.231.133.14   foros.mcanime.net
  • 97.231.133.14   bbs.kafan.cn
  • 97.231.133.14   bbs.kafan.com
  • 97.231.133.14   bbs.kpfans.com
  • 97.231.133.14   bbs.taisha.org
  • 97.231.133.14   www.manuelruvalcaba.com
  • 97.231.133.14   support.f-secure.com
  • 97.231.133.14   bbs.winzheng.com
  • 97.231.133.14   devirusare.com
  • 97.231.133.14   social.microsoft.com
  • 97.231.133.14   www.shitit.net
  • 97.231.133.14   mx.answers.yahoo.com
  • 97.231.133.14   darkzone.in.th
  • 97.231.133.14   www.velocidadmaxima.com
  • 97.231.133.14   alerta-antivirus.inteco.es
  • 97.231.133.14   foros.zonavirus.com
  • 97.231.133.14   alerta-antivirus.red.es
  • 97.231.133.14   www.zonavirus.com
  • 97.231.133.14   www.malwarebytes.org
  • 97.231.133.14   www.commentcamarche.net
  • 97.231.133.14   news.support.veritas.com
  • 97.231.133.14   www.zonealarm.com
  • 97.231.133.14   malwarebytes-anti-malware.softonic.com
  • 97.231.133.14   www.securitystronghold.com
  • 97.231.133.14   www.ewido.net
  • 97.231.133.14   www.infospyware.com
  • 97.231.133.14   www.bitdefender.es
  • 97.231.133.14   housecall.trendmicro.com
  • 97.231.133.14   foros.toxico-pc.com
  • 97.231.133.14   www.identi.es
  • 97.231.133.14   es.kioskea.net
  • 97.231.133.14   virusinfo.info
  • 97.231.133.14   forums.zonealarm.com
  • 97.231.133.14   foro.infiernohacker.com
  • 97.231.133.14   nitroamd.spaces.live.com
  • 97.231.133.14   forums.overclockzone.com
  • 97.231.133.14   www.emsisoft.de
  • 97.231.133.14   www.securitynewsportal.com
  • 97.231.133.14   irc.ekizmedia.com
  • 97.231.133.14   zone.arminboutique.com
  • 97.231.133.14   story.dnsentrymx.com

The worm may execute the following commands:

  • cmd.exe /C attrib -s -h\"C:\\ntldr\"
  • cmd.exe /C move\"C:\\ntldr\"\"C:\\dump\"
  • cmd.exe /C del /F /S /Q "%WINDIR%\system32\hal.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.exe"
  • cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%\system32\drvers\*.sys"
  • cmd.exe /C del /F /S /Q "%WINDIR%\system32\*.*"
  • cmd.exe /C del /F /S /Q "%WINDIR%\*.*"
  • cmd.exe /C del /F /S /Q\"C:\\ComboFix.txt\"
  • ipconfig /flushdns
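
The destructive command lines listed above can be matched in process-creation telemetry. The following is an added detection example, not part of the original description or any vendor tooling; the rule names, the event fields (`host`, `command_line`) and the sample events are constructed for illustration.

```python
import re

WIN = r"(?:%windir%|%systemroot%|[a-z]:\\windows)"
# Rule names are this example's own; patterns follow the command lines listed above.
RULES = [
    ("boot_loader_tamper", re.compile(r"\b(?:attrib|move)\s.*[a-z]:\\ntldr\b")),
    # "dri?vers" covers "drivers" and the "drvers" spelling printed on the page.
    ("system_dir_wipe", re.compile(
        r"\bdel\s.*" + WIN
        + r"\\(?:system32\\(?:dri?vers\\)?)?(?:hal\.dll|\*\.[a-z*]+)")),
    ("combofix_log_delete", re.compile(r"\bdel\s.*\\combofix\.txt\b")),
]

def normalize(cmdline):
    """Lowercase, drop quotes (plain or C-escaped), collapse doubled backslashes."""
    s = cmdline.replace('\\"', " ").replace('"', " ")
    s = re.sub(r"\\{2,}", r"\\", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def match_rules(cmdline):
    """Return the names of all rules that the command line triggers."""
    n = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(n)]

def scan(events):
    """Map each host to the sorted rule names seen in its process events."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["command_line"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample events (not real telemetry).
EVENTS = [
    {"host": "HOST-A", "command_line": r'cmd.exe /C attrib -s -h "C:\ntldr"'},
    {"host": "HOST-A",
     "command_line": r'cmd.exe /C del /F /S /Q "%WINDIR%\system32\drvers\*.sys"'},
    {"host": "HOST-A", "command_line": r'cmd.exe /C del /F /S /Q "C:\ComboFix.txt"'},
    # Routine temp-file cleanup and a lone DNS flush must not alert.
    {"host": "HOST-B", "command_line": r'cmd.exe /c del /q "C:\Windows\Temp\*.tmp"'},
    {"host": "HOST-B", "command_line": "ipconfig /flushdns"},
    # C-escaped form, as the string is printed in the list above.
    {"host": "HOST-C", "command_line": r'cmd.exe /C move\"C:\\ntldr\"\"C:\\dump\"'},
]

if __name__ == "__main__":
    print(scan(EVENTS))
```

A host that triggers more than one rule, as HOST-A does here, warrants immediate isolation, since the wipe commands leave the system unbootable.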

The worm acquires data and commands from a remote computer or the Internet.


The worm connects to the following addresses:


The IRC protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform port scanning
  • spread via IM networks
  • open a specific URL address
  • connect to remote computers on a specific port
