Analysis Date: 2013-11-11 17:14:06
MD5: 7e7fa22b8281056154f65cf85b7c9732
SHA1: 1af38ebbf0a0b8f130478ff6f1c589eb8b5b03d0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 6ee10eb7599da5e38ec497f92a7166dc sha1: b3f678541c7e604f11e0ef648c4b662b1ed6c960 size: 1024
Section UPX2 md5: d6f382137853778e88553593419cedab sha1: 3d3140fd904ed495f100f8d161b0df9aa2b26b70 size: 37888
Timestamp: 2006-02-03 21:52:57
PEhash: 8878bd29ee19207ec7db856a8e1a7200dc6d2f83
AV avg: Win32/Sality
AV msse: Virus:Win32/Sality.G
AV mcafee: W32/Bagle.gen!Sality
AV clamav: Worm.Bagle-54
AV avira: WORM/Bagle.FJ

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsplObjects ➝
C:\WINDOWS\system32\windspl.exe
Creates FileC:\KUKU300a
Creates FileC:\WINDOWS\system32\windspl.exe
Creates FileC:\WINDOWS\SYSTEM.INI
Creates FileC:\WINDOWS\system32\wmimgr32.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\WINDOWS\system32\wmimgr32.dl_
Creates FilePIPE\SfcApi
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Deletes FileC:\KUKU300a
Creates ProcessC:\WINDOWS\system32\windspl.exe
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex'D'r'o'p'p'e'd'S'k'y'N'e't'
Creates Mutex____--->>>>U<<<<--____
Creates MutexMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Creates Mutex_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Creates Mutex[SkyNet.cz]SystemsMutex
Creates MutexAdmSkynetJklS003
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

Process
↳ C:\WINDOWS\system32\windspl.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsplObjects ➝
C:\WINDOWS\system32\windspl.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\WinAmp 6 New!.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Windows Sourcecode update.doc.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Office 2003 Crack, Working!.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Serials.txt.exe
Creates FileC:\WINDOWS\regisp32.exe
Creates FileC:\WINDOWS\SYSTEM.INI
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\WinAmp 5 Pro Keygen Crack Update.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno pics arhive, xxx.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winghmo4.exe
Creates FileC:\WINDOWS\system32\windspl.exeopen
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Windown Longhorn Beta Leak.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno, sex, oral, anal cool, awesome!!.exe
Creates FileC:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\ADOBE\READER 9.3\SETUP FILES\READER9\Setup.exe
Creates FileC:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\ADOBE\READER 9.3\SETUP FILES\Setup.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\KAV 5.0
Creates FileC:\KUKU300a
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Kaspersky Antivirus 5.0
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Ahead Nero 7.exe
Creates FileC:\WINDOWS\system32\windspl.exeopenopen
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Opera 8 New!.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winhxjhun\\xc3\\x8b.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winocam4.exe
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\ACDSee 9.exe
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Office XP working Crack, Keygen.exe
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winuppv4.exe
Creates FileC:\WINDOWS\system32\wmimgr32.dl_
Creates FilePIPE\SfcApi
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Matrix 3 Revolution English Subtitles.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\XXX hardcore images.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Adobe Photoshop 9 full.exe
Creates FileC:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno Screensaver.scr
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\winocam4.exe
Deletes FileC:\KUKU300a
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\winuppv4.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\winhxjhun\\xcb.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\winghmo4.exe
Creates ProcessC:\WINDOWS\regisp32.exe
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutex'D'r'o'p'p'e'd'S'k'y'N'e't'
Creates Mutex____--->>>>U<<<<--____
Creates MutexMuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Creates Mutex_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Creates Mutex[SkyNet.cz]SystemsMutex
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutexsmtp_bagla_1000
Creates MutexAdmSkynetJklS003
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
Winsock URLhttp://uppv.egozdq.com/?id211105
Winsock URLhttp://sqea.u7zywp.com/?id211105
Winsock URLhttp://ghmo.fdpgb3.com/?id211105
Winsock URLhttp://mbhwpa.wtcvxu.com/?id211105
Winsock URLhttp://ridggv.5558x7.com/?id211105
Winsock URLhttp://www.invis1blearm3333.com/mrow5/?id211105
Winsock URLhttp://utwp.bpfq02.com/?id211105
Winsock URLhttp://ijj.t35.com/

Process
↳ C:\WINDOWS\regisp32.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\regisp32.exe ➝
C:\WINDOWS\regisp32.exe:*:Enabled:ipsec
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winyjwgr.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winnuphy.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winnptit.tmp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\winybfyxe.tmp
Creates Mutexsmtp_bagla_1000
Winsock URLhttp://myphotokool.t235.com/
Winsock URLhttp://dook.zoo.by/
Winsock URLhttp://209.16.85.230/.%20/pr
Winsock URLhttp://ijj.t235.com/
Winsock URLhttp://debut.zoo.com/
Winsock URLhttp://noshit.fateback.com/

Network Details:

DNSlb1.www.ms.akadns.net
Type: A
65.55.57.27
DNSwww.invis1blearm3333.com
Type: A
192.155.89.148
DNSnoshit.fateback.com
Type: A
198.23.52.92
DNSlbr-hosted.inspcloud.com
Type: A
54.229.37.63
DNSmyphotokool.t235.com
Type: A
82.98.86.174
DNSijj.t235.com
Type: A
82.98.86.174
DNSuppv.egozdq.com
Type: A
192.155.89.148
DNSghmo.fdpgb3.com
Type: A
192.155.89.148
DNSsqea.u7zywp.com
Type: A
199.231.184.222
DNSsqea.u7zywp.com
Type: A
176.58.88.83
DNSwww.microsoft.com
Type: A
DNSijj.t35.com
Type: A
DNSdook.zoo.by
Type: A
DNSdebut.zoo.com
Type: A
DNSridggv.5558x7.com
Type: A
DNSmbhwpa.wtcvxu.com
Type: A
DNSutwp.bpfq02.com
Type: A
HTTP GEThttp://www.invis1blearm3333.com/mrow5/?id211105
User-Agent: KUKU v3.04 exp
HTTP GEThttp://noshit.fateback.com/
User-Agent: DEBUT.TMP
HTTP GEThttp://debut.zoo.com/
User-Agent: DEBUT.TMP
HTTP GEThttp://myphotokool.t235.com/
User-Agent: DEBUT.TMP
HTTP GEThttp://ijj.t235.com/
User-Agent: DEBUT.TMP
HTTP GEThttp://209.16.85.230/.%20/pr
User-Agent: DEBUT.TMP
HTTP GEThttp://uppv.egozdq.com/?id211105
User-Agent: KUKU v3.04 exp
HTTP GEThttp://ghmo.fdpgb3.com/?id211105
User-Agent: KUKU v3.04 exp
HTTP GEThttp://sqea.u7zywp.com/?id211105
User-Agent: KUKU v3.04 exp
Flows TCP192.168.1.1:1032 ➝ 192.155.89.148:80
Flows TCP192.168.1.1:1034 ➝ 198.23.52.92:80
Flows TCP192.168.1.1:1035 ➝ 54.229.37.63:80
Flows TCP192.168.1.1:1036 ➝ 82.98.86.174:80
Flows TCP192.168.1.1:1037 ➝ 82.98.86.174:80
Flows TCP192.168.1.1:1038 ➝ 209.16.85.230:80
Flows TCP192.168.1.1:1039 ➝ 192.155.89.148:80
Flows TCP192.168.1.1:1040 ➝ 192.155.89.148:80
Flows TCP192.168.1.1:1043 ➝ 199.231.184.222:80

Raw Pcap
0x00000000 (00000)   47455420 2f6d726f 77352f3f 69643231   GET /mrow5/?id21
0x00000010 (00016)   31313035 20485454 502f312e 310d0a55   1105 HTTP/1.1..U
0x00000020 (00032)   7365722d 4167656e 743a204b 554b5520   ser-Agent: KUKU 
0x00000030 (00048)   76332e30 34206578 700d0a48 6f73743a   v3.04 exp..Host:
0x00000040 (00064)   20777777 2e696e76 69733162 6c656172    www.invis1blear
0x00000050 (00080)   6d333333 332e636f 6d0d0a0d 0a         m3333.com....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 206e6f73   T.TMP..Host: nos
0x00000030 (00048)   6869742e 66617465 6261636b 2e636f6d   hit.fateback.com
0x00000040 (00064)   0d0a0d0a 0d0a436f 6e74656e 742d5479   ......Content-Ty
0x00000050 (00080)   70653a20 74657874 2f68746d 6c0d0a44   pe: text/html..D
0x00000060 (00096)   6174653a 204d6f6e 2c203131 204e6f76   ate: Mon, 11 Nov
0x00000070 (00112)   20323031 33203137 3a30343a 30362047    2013 17:04:06 G
0x00000080 (00128)   4d540d0a 0d0a3c68 746d6c3e 0a20203c   MT....<html>.  <
0x00000090 (00144)   68656164 3e0a2020 20203c74 69746c65   head>.    <title
0x000000a0 (00160)   3e343034 204e6f74 20466f75 6e643c2f   >404 Not Found</
0x000000b0 (00176)   7469746c 653e0a20 203c2f68 6561643e   title>.  </head>
0x000000c0 (00192)   0a20203c 626f6479 3e0a2020 20203c68   .  <body>.    <h
0x000000d0 (00208)   313e4e6f 7420466f 756e643c 2f68313e   1>Not Found</h1>
0x000000e0 (00224)   0a202020 203c703e 596f7572 2062726f   .    <p>Your bro
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 20646562   T.TMP..Host: deb
0x00000030 (00048)   75742e7a 6f6f2e63 6f6d0d0a 0d0a0a43   ut.zoo.com.....C
0x00000040 (00064)   6f6e7465 6e742d4c 656e6774 683a2039   ontent-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 206d7970   T.TMP..Host: myp
0x00000030 (00048)   686f746f 6b6f6f6c 2e743233 352e636f   hotokool.t235.co
0x00000040 (00064)   6d0d0a0d 0a742d4c 656e6774 683a2039   m....t-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 20696a6a   T.TMP..Host: ijj
0x00000030 (00048)   2e743233 352e636f 6d0d0a0d 0a2e636f   .t235.com.....co
0x00000040 (00064)   6d0d0a0d 0a742d4c 656e6774 683a2039   m....t-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f2e2532 302f7072 20485454   GET /.%20/pr HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a2044 45425554 2e544d50 0d0a486f   t: DEBUT.TMP..Ho
0x00000030 (00048)   73743a20 3230392e 31362e38 352e3233   st: 209.16.85.23
0x00000040 (00064)   300d0a0d 0a742d4c 656e6774 683a2039   0....t-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f3f6964 32313131 30352048   GET /?id211105 H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 204b554b 55207633 2e303420   ent: KUKU v3.04 
0x00000030 (00048)   6578700d 0a486f73 743a2075 7070762e   exp..Host: uppv.
0x00000040 (00064)   65676f7a 64712e63 6f6d0d0a 0d0a2039   egozdq.com.... 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f3f6964 32313131 30352048   GET /?id211105 H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 204b554b 55207633 2e303420   ent: KUKU v3.04 
0x00000030 (00048)   6578700d 0a486f73 743a2067 686d6f2e   exp..Host: ghmo.
0x00000040 (00064)   66647067 62332e63 6f6d0d0a 0d0a2039   fdpgb3.com.... 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.

0x00000000 (00000)   47455420 2f3f6964 32313131 30352048   GET /?id211105 H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 204b554b 55207633 2e303420   ent: KUKU v3.04 
0x00000030 (00048)   6578700d 0a486f73 743a2073 7165612e   exp..Host: sqea.
0x00000040 (00064)   75377a79 77702e63 6f6d0d0a 0d0a2039   u7zywp.com.... 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a204d6f 6e2c2031 31204e6f 76203230   : Mon, 11 Nov 20
0x00000080 (00128)   31332031 373a3034 3a303820 474d540d   13 17:04:08 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)   77736572 2073656e 74206120 72657175   wser sent a requ
0x00000100 (00256)   65737420 74686174 20746869 73207365   est that this se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
,0D2222@HLP0222|xtp22
`1{,G~tY
2003 C
209.16.8
 ,=220
3KM,2f
3've goNhem alreaA
3WnAiB
"`4"[J
5|Ht[b ]
797b8^p3
7bia6p
7c-Typem
,8XT(i
<9v$<A
9viewRZ
+AD$}Q`
ADVAPI;@
advapi32.dll
($aMool
<.a<_t
$aT	! 
AuthQ$29.04
&a!vxHp
ay"H88
}b5w,d>
'b!aK#
\!'^bbTN
cn9'~S
CoInitialize
CPT TO
)CVW36
DCDSR;
DeleteDC
([d\r8sG
'D'r'o'p
Dy(Jm)
e'd'S'k'y'N
e'empP
EgqfOG
-elot	@
:*:Enabl :ip
e]R0k	
!>Er^r!Jw
Faxc{h{%]
F B_QM
FedAc5
 $(FFFF,048fFFF<@D
f'fZf;U
fIA1IY.
ficult worlV
fLiW4-
+ft\W@
G3'D:x
<>g7'\h
gdi32.dll
	GermFy.
GetI<En}K`omd
GetProcAddress
gifjolgw]
Gw$MsI
g'zffb(==7a<
HeCs:-)
HELO %l"
Hfo@AobP
h&Pii",oG
http://ijj
hutdown
hY Bnlk
I9bzA=Cp[
$Id: NRV 0.54 Copyright (C) 1996-1999 Markus F.X.J. Oberhumer $
$Id: UPX 0.61 Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer $
ill be mine!!
image/bmpk[
In a d
InternetOpenA
ion\Ru
ipgpCGpj
j)!v96
?KERNEL32d
kernel32.dll
KERNEL32.DLL
&k:#Ibane
)K.U'n
k-y-N-e-t][
\l+0.u
laIP4&
$License: NRV for UPX is distributed under special license $
LoadLibraryA
lSlNS`&
lY96YRr5
MAIL FROM:<
 MIME-N
!MmYj3/KRk
n09oQ^t_a
nameless =
n(;vMy
oazuf q[$|
~og1lD
_-oOaI|-
oomnixcsd
o surviv
ph$%z*ttc%{!|wxypw
Pl0> U
P^U(wB
QL+S#c
RegCloseKey
~=rstIw
R_	TCC
R)y|?38\k
shell32.dll
ShellExecuteA
sh%KAV'
shlwapi.dll
:SKP:J
SOFTWARE\dispering
So, you
Startup
StrDupA
SYSTEM
.t35.com/7$
t|eKOo-_mO
!This program cannot be run in DOS mode.
TickCf
tole32.dll
UmLi&/
\upldfo
URLDownloadToFileA
urlmon.dll
ur|ntV
~us.dl*G
user32.dll
#usnl1Oo3
UV(DsJ
=-{v7v
vValueEEq
W8S<Poi>
waTP/'y
wininet.dll
wsock32.dll
wsprintfA
xA)K-[k
xm<(bx
Y2&5-P
_^{YAV
YQba~64"B