Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Win32/AutoRun.IRCBot.FE

Aliases:Net-Worm.Win32.Kolab.jpv (Kaspersky), W32/Sdbot.worm!jh (McAfee), W32.IRCBot (Symantec) 
Type of infiltration:Worm  
Size:147248 B 
Affected platforms:Microsoft Windows 
Signature database version:5115 (20100514) 

Short description

Win32/AutoRun.IRCBot.FE is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself in some of the the following locations:
  • %userprofile%Start MenuProgramsStartupwmpkps.exe
  • %appdata%MicrosoftWindowsStart MenuProgramswmpkps.exe
  • %windir%system32wmpkps.exe
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    Image File Execution Optionsconime.exe]
    "Debugger" = "%windir%system32wmpkps.exe"
  • [HKEY_LOCAL_MACHINESoftwareMicrosoftWindowsCurrentVersion
    Run]
    "conime.exe" = "conime.exe"
This causes the worm to be executed on every system start.

The worm creates and runs a new thread with its own program code within the following processes:
  • explorer.exe

Spreading on removable media

The worm creates the following folders:
  • %drive%~RootDir
The worm contains an URL address. It tries to download the other part of the infiltration from the address.

The file is stored in the following location:
  • %drive%~RootDir579467.exe
The HTTP protocol is used.

Other information

The worm quits immediately if the computer name is one of the following:
  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • VMG_CLIENT
The worm quits immediately if the user name is one of the following:
  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • HOME-OFF-D5F0AC
  • honey
  • LAB
  • Malekal
  • MORTE+
  • sandbox
  • VMG_CLIENT
The worm quits immediately if it detects a running process containing one of the following strings in its name:
  • Ethereal.exe
  • Filemon.exe
  • port
  • procdump.exe
  • Procmon.exe
  • Regmon.exe
  • Ethereal.exe
  • Filemon.exe
  • port
  • procdump.exe
  • Procmon.exe
  • Regmon.exe
  • regshot.exe
  • squid.exe
  • TCPView.exe
  • Tcpview.exe
  • VBox
  • vmsrvc
  • VMware
  • WireShark.exe
The worm may set the following Registry entries:
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    AppCompatFlagsLayers]
    "%malwarepath%" = "DisableNXShowUI"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    SharedAccessParametersFirewallPolicyDomainProfile
    AuthorizedApplicationsList]
    "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    SharedAccessParametersFirewallPolicyStandardProfile
    AuthorizedApplicationsList]
    "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    AppCompatFlagsLayers]
    "%malwarepath%" = "DisableNXShowUI"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    SharedAccessParametersFirewallPolicyDomainProfile
    AuthorizedApplicationsList]
    "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    SharedAccessParametersFirewallPolicyStandardProfile
    AuthorizedApplicationsList]
    "%malwarepath%" = "%malwarepath%:*:Enabled:LAN Router"
  • [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindows NT
    SystemRestore]
    "DisableConfig" = 1
  • [HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftMRT]
    "DontReportInfectionInformation" = 1
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSecurity Center]
    "AntiVirusOverride" = 1
    "AntiVirusDisableNotify" = 1
    "FirewallOverride" = 1
    "FirewallDisableNotify" = 1
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    wscsvc]
    "Start" = 4
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
    wuauserv]
    "Start" = 4
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    Image File Execution Options%application%]
    "Debugger" = "ntsd -d"
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion
    SystemRestore]
    "DisableSR" = 1
  • [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersion
    ExplorerAdvancedFolderSuperHidden]
    "CheckedValue" = 1
  • [HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersion
    ExplorerAdvanced]
    "Hidden" = 2
The %application% is one of the following strings:
  • AvastSvc.exe
  • avastUI.exe
  • avp.exe
  • bdagent.exe
  • ccSvcHst.exe
  • egui.exe
  • AvastSvc.exe
  • avastUI.exe
  • avp.exe
  • bdagent.exe
  • ccSvcHst.exe
  • egui.exe
  • ekrn.exe
  • KAV32.exe
  • livesrv.exe
  • mrt.exe
  • mrtstub.exe
  • msascui.exe
  • msmpeng.exe
  • seccenter.exe
  • symlcsvc.exe
  • vsserv.exe
The worm may delete the following Registry entries:
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
    SafeBootMinimal]
  • [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControl
    SafeBootNetwork]
The following programs are terminated:
  • 123.COM
  • 123.EXE
  • A2HIJACKFREESETUP.EXE
  • AMPAWSMASHERX.EXE
  • APM.EXE
  • APORTS.EXE
  • 123.COM
  • 123.EXE
  • A2HIJACKFREESETUP.EXE
  • AMPAWSMASHERX.EXE
  • APM.EXE
  • APORTS.EXE
  • APT.EXE
  • ASVIEWER.EXE
  • ATF-CLEANER.EXE
  • ATF-CLEANER.EXE
  • AUTORUNS.EXE
  • AVENGER.EXE
  • AVENGER.EXE
  • AVG_AVWT_STB_EN_9_40_FREE.EXE
  • AVGARKT.EXE
  • AVINSTALL.EXE
  • AVIRA_ANTIVIR_PERSONAL_EN.EXE
  • AVZ.EXE
  • AVZ.EXE
  • BC5CA6A.EXE
  • BITDEFENDER_ANTIVIRUS.EXE
  • BOOTSAFE.EXE
  • BUSCAREG.EXE
  • CATCHME.EXE
  • CF9409.EXE
  • COMBOFIX.BAT
  • COMBOFIX.COM
  • COMBOFIX.EXE
  • COMBO-FIX.EXE
  • COMBOFIX.SCR
  • COMPAQ_PROPIETARIO.EXE
  • CPF.EXE
  • CPORTS.EXE
  • CPROCESS.EXE
  • CUREIT.EXE
  • DAFT.EXE
  • DARKSPY105.EXE
  • DELAYDELFILE.EXE
  • DLLCOMPARE.EXE
  • DLLHOSTS.EXE
  • DRWEB-600-WIN-PRO-X86.EXE
  • DUBATOOL_AV_KILLER.EXE
  • EAV_NT32_ENU.MSI
  • EAV_NT64_ENU.MSI
  • ELISTA.EXE
  • ESCW_90_SA_SFX.EXE
  • EULALYZERSETUP.EXE
  • FILEALYZ.EXE
  • FILEFIND.EXE
  • FIXBAGLE.EXE
  • FIXPATH.EXE
  • FOLDERCURE.EXE
  • FPORT.EXE
  • FSB.EXE
  • FSBL.EXE
  • GMER.EXE
  • GUARD.EXE
  • GUARDXKICKOFF.EXE
  • GUARDXSERVICE.EXE
  • HACKMON.EXE
  • HELIOS.EXE
  • HIJACKTHIS.EXE
  • HIJACK-THIS.EXE
  • HIJACKTHIS_SFX.EXE
  • HIJACKTHIS_V2.EXE
  • HJ.EXE
  • HJTINSTALL.EXE
  • HJTSETUP.EXE
  • HOOKANLZ.EXE
  • HOOKANLZ.EXE
  • HOSTSFILEREADER.EXE
  • HOSTSXPERT.EXE
  • ICESWORD.EXE
  • IEFIX.EXE
  • INSTALLWATCHPRO25.EXE
  • ISSDM_EN_32.EXE
  • JAJA.EXE
  • K7TS_SETUP.EXE
  • KAKASETUPV6.EXE
  • KILLAUTOPLUS.EXE
  • KILLBOX.EXE
  • LISTO.EXE
  • LORDPE.EXE
  • MBAM.EXE
  • MBAM.EXE
  • MBAM-SETUP.EXE
  • MBAM-SETUP.EXE
  • MBR.EXE
  • MRT.EXE
  • MRTSTUB.EXE
  • MSASCUI.EXE
  • MSMPENG.EXE
  • MSNCLEANER.EXE
  • MSNFIX.EXE
  • MYPHOTOKILLER.EXE
  • NAV-TW-30-17-1-0-19TBEN.EXE
  • NETALYZ.EXE
  • NETMON.EXE
  • NETSTAT.EXE
  • NS360S300EN
  • NTVDM.EXE
  • OBJMONSETUP.EXE
  • OLLYDBG.EXE
  • OTL.EXE
  • OTM.EXE
  • OTMOVEIT.EXE
  • OTMOVEIT3.EXE
  • P08PROMO.EXE
  • PAVARK.EXE
  • PENCLEAN.EXE
  • PG2.EXE
  • PGSETUP.EXE
  • PORTDETECTIVE.EXE
  • PORTMONITOR.EXE
  • PREVX.EXE
  • PREVXCSIFREE.EXE
  • PROCDUMP.EXE
  • PROCESSMONITOR.EXE
  • PROCEXP.EXE
  • PROCMON.EXE
  • PROCMON.EXE
  • PROJECTWHOISINSTALLER.EXE
  • PSKILL.EXE
  • RAVP.EXE
  • REANIMATOR.EXE
  • REG.EXE
  • REGALYZ.EXE
  • REGCOOL.EXE
  • REGEDIT.COM
  • REGEDIT.SCR
  • REGISTRAR_LITE.EXE
  • REGMON.EXE
  • REGSCANNER.EXE
  • REGSHOT.EXE
  • REGSHOT.EXE
  • REGUNLOCKER.EXE
  • REGUNLOCKER.EXE
  • REGX2.EXE
  • RKD.EXE
  • ROOTALYZER.EXE
  • ROOTKIT_DETECTIVE.EXE
  • ROOTKITBUSTER.EXE
  • ROOTKITNO.EXE
  • ROOTKITREVEALER.EXE
  • ROOTREPEAL.EXE
  • SAFEBOOTKEYREPAIR.EXE
  • SDFIX.EXE
  • SECCENTER.EXE
  • SEEM.EXE
  • SETUP_AV_FREE.EXE
  • SMASH.EXE
  • SMASH1.EXE
  • SMASH2.EXE
  • SMASH3.EXE
  • SMASH4.EXE
  • SMASH5.EXE
  • SMASH6.EXE
  • SMASH7.EXE
  • SMSNIFF.EXE
  • SPF.EXE
  • SPYBOTSD.EXE
  • SPYBOTSD160.EXE
  • SRENGLDR.EXE
  • SRENGLDR.EXE
  • SRENGPS.EXE
  • SRESTORE.EXE
  • STARTDRECK.EXE
  • SUPERANTISPYWARE.EXE
  • SUPERANTISPYWARE.EXE
  • SUPERKILLER.EXE
  • SYSANALYZER_SETUP.EXE
  • TASKKILL.EXE
  • TASKLIST.EXE
  • TASKMAN.EXE
  • TASKMON.EXE
  • TCPVIEW.EXE
  • TEATIMER.EXE
  • TrendMicro_TISPro_16.1_1063_x32.EXE
  • TSNTEVAL.EXE
  • UNHACKME.EXE
  • UNIEXTRACT.EXE
  • UNLOCKER.EXE
  • UNLOCKER1.8.7.EXE
  • UNLOCKER1.8.7.EXE
  • UNLOCKERASSISTANT.EXE
  • USBGUARD.EXE
  • VBA32-PERSONAL-LATEST-ENGLISH.EXE
  • VIPRE.EXE
  • VIRUS.EXE
  • VIRUSUTILITIES.EXE
  • WINDOWSDEFENDER.MSI
  • WINDOWS-KB890930-V2.2.EXE
  • WIRESHARK.EXE
  • WITSETUP.EXE
  • XP_TASKMGRENAB.EXE
  • ZLCLIENT.EXE
The worm executes the following commands:
  • cmd.exe /C net stop wuauserv
  • cmd.exe /C sc stop wuauserv
  • cmd.exe /C sc config wuauserv start= disabled
  • cmd.exe /C sc delete wuauserv
  • cmd.exe /C net stop CSIScanner
  • cmd.exe /C sc stop CSIScanner
  • cmd.exe /C net stop wuauserv
  • cmd.exe /C sc stop wuauserv
  • cmd.exe /C sc config wuauserv start= disabled
  • cmd.exe /C sc delete wuauserv
  • cmd.exe /C net stop CSIScanner
  • cmd.exe /C sc stop CSIScanner
  • cmd.exe /C sc config CSIScanner start= disabled
  • cmd.exe /C sc delete CSIScanner
  • cmd.exe /C net stop MsMpSvc
  • cmd.exe /C sc stop MsMpSvc
  • cmd.exe /C sc config MsMpSvc start= disabled
  • cmd.exe /C sc delete MsMpSvc
  • cmd.exe /C net stop K7RTScan
  • cmd.exe /C sc stop K7RTScan
  • cmd.exe /C sc config K7RTScan start= disabled
  • cmd.exe /C sc delete K7RTScan
  • cmd.exe /C net stop K7TSMngr
  • cmd.exe /C sc stop K7TSMngr
  • cmd.exe /C sc config K7TSMngr start= disabled
  • cmd.exe /C sc delete K7TSMngr
  • cmd.exe /C net stop "avast! Antivirus"
  • cmd.exe /C sc stop "avast! Antivirus"
  • cmd.exe /C sc config "avast! Antivirus" start= disabled
  • cmd.exe /C sc delete "avast! Antivirus"
  • cmd.exe /C net stop AntiVirService
  • cmd.exe /C sc stop AntiVirService
  • cmd.exe /C sc config AntiVirService start= disabled
  • cmd.exe /C sc delete AntiVirService
  • cmd.exe /C net stop PASRV
  • cmd.exe /C sc stop PASRV
  • cmd.exe /C sc config PASRV start= disabled
  • cmd.exe /C sc delete PASRV
  • cmd.exe /C net stop VSSERV
  • cmd.exe /C sc stop VSSERV
  • cmd.exe /C sc config VSSERV start= disabled
  • cmd.exe /C sc delete VSSERV
  • cmd.exe /C net stop avg8wd
  • cmd.exe /C sc stop avg8wd
  • cmd.exe /C sc config avg8wd start= disabled
  • cmd.exe /C sc delete avg8wd
  • cmd.exe /C net stop avg9wd
  • cmd.exe /C sc stop avg9wd
  • cmd.exe /C sc config avg9wd start= disabled
  • cmd.exe /C sc delete avg9wd
  • cmd.exe /C net stop NOD32krn
  • cmd.exe /C sc stop NOD32krn
  • cmd.exe /C sc config NOD32krn start= disabled
  • cmd.exe /C sc delete NOD32krn
  • cmd.exe /C net stop ekrn
  • cmd.exe /C sc stop ekrn
  • cmd.exe /C sc config ekrn start= disabled
  • cmd.exe /C sc delete ekrn
  • cmd.exe /C net stop McShield
  • cmd.exe /C sc stop McShield
  • cmd.exe /C sc config McShield start= disabled
  • cmd.exe /C sc delete McShield
  • cmd.exe /C net stop OutpostFirewall
  • cmd.exe /C sc stop OutpostFirewall
  • cmd.exe /C sc config OutpostFirewall start= disabled
  • cmd.exe /C sc delete OutpostFirewall
  • cmd.exe /C net stop TmPfw
  • cmd.exe /C sc stop TmPfw
  • cmd.exe /C sc config TmPfw start= disabled
  • cmd.exe /C sc delete TmPfw
  • cmd.exe /C net stop KPF4
  • cmd.exe /C sc stop KPF4
  • cmd.exe /C sc config KPF4 start= disabled
  • cmd.exe /C sc delete KPF4
  • cmd.exe /C net stop SmcService
  • cmd.exe /C sc stop SmcService
  • cmd.exe /C sc config SmcService start= disabled
  • cmd.exe /C sc delete SmcService
  • cmd.exe /C net stop cmd.exeAgent
  • cmd.exe /C sc stop cmd.exeAgent
  • cmd.exe /C sc config cmd.exeAgent start= disabled
  • cmd.exe /C sc delete cmd.exeAgent
  • cmd.exe /C net stop vsmon
  • cmd.exe /C sc stop vsmon
  • cmd.exe /C sc config vsmon start= disabled
  • cmd.exe /C sc delete vsmon
  • cmd.exe /C net stop SbPF.Launcher
  • cmd.exe /C sc stop SbPF.Launcher
  • cmd.exe /C sc config SbPF.Launcher start= disabled
  • cmd.exe /C sc delete SbPF.Launcher
  • cmd.exe /C net stop SPF4
  • cmd.exe /C sc stop SPF4
  • cmd.exe /C sc config SPF4 start= disabled
  • cmd.exe /C sc delete SPF4
  • cmd.exe /C net stop acssrv
  • cmd.exe /C sc stop acssrv
  • cmd.exe /C sc config acssrv start= disabled
  • cmd.exe /C sc delete acssrv
  • cmd.exe /C net stop SAVService
  • cmd.exe /C sc stop SAVService
  • cmd.exe /C sc config SavService start= disabled
  • cmd.exe /C sc delete SAVService
  • cmd.exe /C net stop SAVAdminService
  • cmd.exe /C sc stop SAVAdminService
  • cmd.exe /C sc config SAVAdminService start= disabled
  • cmd.exe /C sc delete SAVAdminService
  • cmd.exe /C net stop "Sophos AutoUpdate Service"
  • cmd.exe /C sc stop "Sophos AutoUpdate Service"
  • cmd.exe /C sc config "Sophos AutoUpdate Service" start=
    disabled
  • cmd.exe /C sc delete "Sophos AutoUpdate Service"
  • cmd.exe /C net stop "Sophos Client Firewall"
  • cmd.exe /C sc stop "Sophos Client Firewall"
  • cmd.exe /C sc config "Sophos Client Firewall" start=
    disabled
  • cmd.exe /C sc delete "Sophos Client Firewall"
  • cmd.exe /C net stop "Sophos Client Firewall Manager"
  • cmd.exe /C sc stop "Sophos Client Firewall Manager"
  • cmd.exe /C sc config "Sophos Client Firewall Manager"
    start= disabled
  • cmd.exe /C sc delete "Sophos Client Firewall Manager"
The following file is modified:
  • %system%driversetchosts
The worm writes the following entries to the file:
  • 97.231.133.14 msnfix.changelog.fr
  • 97.231.133.14 www.incodesolutions.com
  • 97.231.133.14 virusinfo.prevx.com
  • 97.231.133.14 download.bleepingcomputer.com
  • 97.231.133.14 www.dazhizhu.cn
  • 97.231.133.14 foro.noticias3d.com
  • 97.231.133.14 msnfix.changelog.fr
  • 97.231.133.14 www.incodesolutions.com
  • 97.231.133.14 virusinfo.prevx.com
  • 97.231.133.14 download.bleepingcomputer.com
  • 97.231.133.14 www.dazhizhu.cn
  • 97.231.133.14 foro.noticias3d.com
  • 97.231.133.14 www.spybotupdates.com
  • 97.231.133.14 club.myce.com
  • 97.231.133.14 www.k7computing.com
  • 97.231.133.14 softwaresecuritysolutions.com
  • 97.231.133.14 antonbi.web.id
  • 97.231.133.14 www.nabble.com
  • 97.231.133.14 lurker.clamav.net
  • 97.231.133.14 lexikon.ikarus.at
  • 97.231.133.14 research.sunbelt-software.com
  • 97.231.133.14 www.virusdoctor.jp
  • 97.231.133.14 www.elitepvpers.de
  • 97.231.133.14 guru.avg.com
  • 97.231.133.14 downloads.sophos.com
  • 97.231.133.14 share.skype.com
  • 97.231.133.14 myantispyware.com
  • 97.231.133.14 www.computerhilfen.de
  • 97.231.133.14 fgsite.com
  • 97.231.133.14 ca.answers.yahoo.com
  • 97.231.133.14 www.superuser.co.kr
  • 97.231.133.14 ntfaq.co.kr
  • 97.231.133.14 v.dreamwiz.com
  • 97.231.133.14 cit.kookmin.ac.kr
  • 97.231.133.14 forums.whatthetech.com
  • 97.231.133.14 forum.hijackthis.de
  • 97.231.133.14 avg.vo.llnwd.net
  • 97.231.133.14 ftp.drweb.com
  • 97.231.133.14 www.zonealarm.com
  • 97.231.133.14 smadaver.com
  • 97.231.133.14 support.emsisoft.com
  • 97.231.133.14 psychoski.blogspot.com
  • 97.231.133.14 www.corozilla.net
  • 97.231.133.14 www.huaifai.go.th
  • 97.231.133.14 www.mostz.com
  • 97.231.133.14 www.krupunmai.com
  • 97.231.133.14 www.cddchiangmai.net
  • 97.231.133.14 forum.malekal.com
  • 97.231.133.14 tech.pantip.com
  • 97.231.133.14 sapcupgrades.com
  • 97.231.133.14 www.elguruinformatico.com
  • 97.231.133.14 forums.avg.com
  • 97.231.133.14 zastita.com
  • 97.231.133.14 support.kaspersky.com
  • 97.231.133.14 foro.msgpluslive.es
  • 97.231.133.14 www.tongjimba.com
  • 97.231.133.14 www.247fixes.com
  • 97.231.133.14 forum.sysinternals.com
  • 97.231.133.14 forum.telecharger.01net.com
  • 97.231.133.14 sophos.com
  • 97.231.133.14 foros.softonic.com
  • 97.231.133.14 avast-home.uptodown.com
  • 97.231.133.14 dr-web-cureit.softonic.com
  • 97.231.133.14 heavenward.ru
  • 97.231.133.14 forum.smadav.net
  • 97.231.133.14 www.forum.kaspersky.com
  • 97.231.133.14 www.dl4all.com
  • 97.231.133.14 www.freshwap.net
  • 97.231.133.14 www.f-secure.com
  • 97.231.133.14 www.chkrootkit.org
  • 97.231.133.14 diamondcs.com.au
  • 97.231.133.14 www.rootkit.nl
  • 97.231.133.14 www.sysinternals.com
  • 97.231.133.14 z-oleg.com
  • 97.231.133.14 espanol.dir.groups.yahoo.com
  • 97.231.133.14 ftp01net.telechargement.fr
  • 97.231.133.14 modelayu.com
  • 97.231.133.14 vaksin.com
  • 97.231.133.14 bbs.kaspersky.com.cn
  • 97.231.133.14 sf.tapuz.co.il
  • 97.231.133.14 www.downtr.net
  • 97.231.133.14 www.castlecrops.com
  • 97.231.133.14 www.misec.net
  • 97.231.133.14 safecomputing.umn.edu
  • 97.231.133.14 www.antirootkit.com
  • 97.231.133.14 www.greatis.com
  • 97.231.133.14 ar.answers.yahoo.com
  • 97.231.133.14 www.elhacker.org
  • 97.231.133.14 research.pandasecurity.com
  • 97.231.133.14 www.tpu.ro
  • 97.231.133.14 www.pinoyden.com
  • 97.231.133.14 forum.avira.de
  • 97.231.133.14 www.tanya-it.com
  • 97.231.133.14 topsy.com
  • 97.231.133.14 www.rootkit.com
  • 97.231.133.14 www.pctools.com
  • 97.231.133.14 www.pcsupportadvisor.com
  • 97.231.133.14 www.resplendence.com
  • 97.231.133.14 www.personal.psu.edu
  • 97.231.133.14 foro.ethek.com
  • 97.231.133.14 foro.elhacker.net
  • 97.231.133.14 download.zonealarm.com
  • 97.231.133.14 spywarehammer.com
  • 97.231.133.14 www.codelain.com
  • 97.231.133.14 www.thaicert.org
  • 97.231.133.14 wenwen.soso.com
  • 97.231.133.14 vil.nail.com
  • 97.231.133.14 search.mcafee.com
  • 97.231.133.14 wwww.mcafee.com
  • 97.231.133.14 download.nai.com
  • 97.231.133.14 wwww.experts-exchange.com
  • 97.231.133.14 www.bakunos.com
  • 97.231.133.14 www.darkclockers.com
  • 97.231.133.14 www2.gmer.net
  • 97.231.133.14 ariefew.com
  • 97.231.133.14 www.emsisoft.com
  • 97.231.133.14 forum.romeonet.ro
  • 97.231.133.14 www.arenajunkies.com
  • 97.231.133.14 zenovy.com
  • 97.231.133.14 www.removeitpro.net
  • 97.231.133.14 www.Merijn.org
  • 97.231.133.14 www.spywareinfo.com
  • 97.231.133.14 www.spybot.info
  • 97.231.133.14 www.viruslist.com
  • 97.231.133.14 www.hijackthis.de
  • 97.231.133.14 ftp.f-secure.com
  • 97.231.133.14 forum.kaspersky.com
  • 97.231.133.14 es.trendmicro-europe.com
  • 97.231.133.14 www.hvaonline.net
  • 97.231.133.14 forum.lowyat.net
  • 97.231.133.14 kb.eset.com
  • 97.231.133.14 www.pcwelt.de
  • 97.231.133.14 bokwer.com
  • 97.231.133.14 www.mypcsafe.com
  • 97.231.133.14 majorgeeks.com
  • 97.231.133.14 www.avp.com
  • 97.231.133.14 www.virustotal.com
  • 97.231.133.14 www.sophos.com
  • 97.231.133.14 linhadefensiva.uol.com.br
  • 97.231.133.14 cmmings.cn
  • 97.231.133.14 www.sergiwa.com
  • 97.231.133.14 www.el-hacker.com
  • 97.231.133.14 dl2.agnitum.com
  • 97.231.133.14 forum.smadav.net
  • 97.231.133.14 images.malwareremoval.com
  • 97.231.133.14 front.prevx.com
  • 97.231.133.14 ad.harrenmedianetwork.com
  • 97.231.133.14 www.avg-antivirus.net
  • 97.231.133.14 www.kaspersky-labs.com
  • 97.231.133.14 www.kaspersky.com
  • 97.231.133.14 www.bleepingcomputer.com
  • 97.231.133.14 www.free.grisoft.com
  • 97.231.133.14 alerta-antivirus.inteco.es
  • 97.231.133.14 greatis.com
  • 97.231.133.14 www.oprekpc.com
  • 97.231.133.14 www.gmer.net
  • 97.231.133.14 forum.kasperskyclub.com
  • 97.231.133.14 computadoras.migold.com
  • 97.231.133.14 securityresponse.symantec.com
  • 97.231.133.14 www.analysis.seclab.tuwien.ac.at
  • 97.231.133.14 www.symantec.com
  • 97.231.133.14 www.kztechs.com
  • 97.231.133.14 ad-aware-se.uptodown.com
  • 97.231.133.14 stdio-labs.blogspot.com
  • 97.231.133.14 forum.lrytas.lt
  • 97.231.133.14 www.decido.de
  • 97.231.133.14 wap.elakiri.com
  • 97.231.133.14 ot-indo.blogspot.com
  • 97.231.133.14 artsoftdesign.com
  • 97.231.133.14 liveupdate.symantecliveupdate.com
  • 97.231.133.14 liveupdate.symantec.com
  • 97.231.133.14 customer.symantec.com
  • 97.231.133.14 update.symantec.com
  • 97.231.133.14 www.box.net
  • 97.231.133.14 foro.el-hacker.com
  • 97.231.133.14 acs.pandasoftware.com
  • 97.231.133.14 egavisa.blogspot.com
  • 97.231.133.14 angui123.cn
  • 97.231.133.14 beta.eset.com
  • 97.231.133.14 www.ixtorrent.com
  • 97.231.133.14 forum.programosy.pl
  • 97.231.133.14 www.mcafee.com
  • 97.231.133.14 download.mcafee.com
  • 97.231.133.14 mast.mcafee.com
  • 97.231.133.14 www.tecno-soft.com
  • 97.231.133.14 ladooscuro.es
  • 97.231.133.14 ftp.drweb.com
  • 97.231.133.14 download.microsoft.com
  • 97.231.133.14 www.mypcsafe.com
  • 97.231.133.14 www.blindedbytech.com
  • 97.231.133.14 kaspersky.com
  • 97.231.133.14 sis-admin.blogspot.com
  • 97.231.133.14 www.protecus.de
  • 97.231.133.14 pastebin.com
  • 97.231.133.14 guru0.grisoft.cz
  • 97.231.133.14 guru1.grisoft.cz
  • 97.231.133.14 guru2.grisoft.cz
  • 97.231.133.14 guru3.grisoft.cz
  • 97.231.133.14 download.bleepingcomputer.com
  • 97.231.133.14 it.answers.yahoo.com
  • 97.231.133.14 www.softonic.com
  • 97.231.133.14 www.mycity.rs
  • 97.231.133.14 cairopt.net
  • 97.231.133.14 rootrepeal.googlepages.com
  • 97.231.133.14 www.windowexe.com
  • 97.231.133.14 fineartschance.com
  • 97.231.133.14 guru4.grisoft.cz
  • 97.231.133.14 guru5.grisoft.cz
  • 97.231.133.14 www.virusspy.com
  • 97.231.133.14 download.f-secure.com
  • 97.231.133.14 www.malwareremoval.com
  • 97.231.133.14 forums.cnet.com
  • 97.231.133.14 foros.softonic.com
  • 97.231.133.14 www.freedrweb.com
  • 97.231.133.14 www.kaskus.us
  • 97.231.133.14 rootrepeal.psikotick.com
  • 97.231.133.14 thaicert.nectec.or.th
  • 97.231.133.14 rareartonline.com
  • 97.231.133.14 hjt-data.trend-braintree.com
  • 97.231.133.14 www.pantip.com
  • 97.231.133.14 secubox.aldria.com
  • 97.231.133.14 www.forospyware.com
  • 97.231.133.14 www.manuelruvalcaba.com
  • 97.231.133.14 www.zonavirus.com
  • 97.231.133.14 www.leforo.com
  • 97.231.133.14 www.gsmph.com
  • 97.231.133.14 blokvesti.net
  • 97.231.133.14 www.viprasys.org
  • 97.231.133.14 forum.antivir-pe.de
  • 97.231.133.14 www.nhatnghe.com
  • 97.231.133.14 forum.antivirus365.net
  • 97.231.133.14 www.siteadvisor.com
  • 97.231.133.14 blog.threatfire.com
  • 97.231.133.14 www.threatexpert.com
  • 97.231.133.14 blog.hispasec.com
  • 97.231.133.14 www.configurarequipos.com
  • 97.231.133.14 sosvirus.changelog.fr
  • 97.231.133.14 www.psicofxp.com
  • 97.231.133.14 www.gsmph.net
  • 97.231.133.14 www.gyakorikerdesek.hu
  • 97.231.133.14 us.mcafee.com
  • 97.231.133.14 www.malekal.com
  • 97.231.133.14 yourartmuseum.com
  • 97.231.133.14 mailcenter.rising.com.cn
  • 97.231.133.14 mailcenter.rising.com
  • 97.231.133.14 www.rising.com.cn
  • 97.231.133.14 www.rising.com
  • 97.231.133.14 www.babooforum.com.br
  • 97.231.133.14 www.runscanner.net
  • 97.231.133.14 www.blogschapines.com
  • 97.231.133.14 www.zyzoom.org
  • 97.231.133.14 www.avsoft.ru
  • 97.231.133.14 www.elakiri.com
  • 97.231.133.14 forum.telecharger.01net.com
  • 97.231.133.14 www.com-th.net
  • 97.231.133.14 sosvirus.changelog.fr
  • 97.231.133.14 upload.changelog.fr
  • 97.231.133.14 www.raymond.cc
  • 97.231.133.14 changelog.fr
  • 97.231.133.14 www.pcentraide.com
  • 97.231.133.14 atazita.blogspot.com
  • 97.231.133.14 www.thinkpad.cn
  • 97.231.133.14 www.sunbeltsoftware.com
  • 97.231.133.14 cert.inteco.es
  • 97.231.133.14 www.gamexeon.com
  • 97.231.133.14 nod32-antivirus.en.softonic.co
  • 97.231.133.14 www.virus-com.com
  • 97.231.133.14 www.final4ever.com
  • 97.231.133.14 files.filefont.com
  • 97.231.133.14 www.infos-du-net.com
  • 97.231.133.14 www.trendsecure.com
  • 97.231.133.14 forum.hardware.fr
  • 97.231.133.14 www.utilidades-utiles.com
  • 97.231.133.14 blogs.icerocket.com
  • 97.231.133.14 www.spywarefri.dk
  • 97.231.133.14 alfrasha.maktoob.com
  • 97.231.133.14 www.eset.eu
  • 97.231.133.14 quickscan.bitdefender.com
  • 97.231.133.14 www.xmarks.com
  • 97.231.133.14 www.spychecker.com
  • 97.231.133.14 www.geekstogo.com
  • 97.231.133.14 forums.maddoktor2.com
  • 97.231.133.14 www.smokey-services.eu
  • 97.231.133.14 www.clubic.com
  • 97.231.133.14 www.linhadefensiva.org
  • 97.231.133.14 www.rolandovera.com
  • 97.231.133.14 forum.burek.com
  • 97.231.133.14 secure.sophos.com
  • 97.231.133.14 usa.kaspersky.com
  • 97.231.133.14 board.softpedia.com
  • 97.231.133.14 www.pinoytambaygroup.com
  • 97.231.133.14 download.sysinternals.com
  • 97.231.133.14 www.pcguide.com
  • 97.231.133.14 www.thetechguide.com
  • 97.231.133.14 www.ozzu.com
  • 97.231.133.14 www.changedetection.com
  • 97.231.133.14 espanol.groups.yahoo.com
  • 97.231.133.14 www.sunbeltsecurity.com
  • 97.231.133.14 www.quickheal.co.in
  • 97.231.133.14 www.vivalared.com
  • 97.231.133.14 thailand.itmylike.com
  • 97.231.133.14 harrenmedianetwork.com
  • 97.231.133.14 community.thaiware.com
  • 97.231.133.14 www.avpclub.ddns.info
  • 97.231.133.14 www.offensivecomputing.net
  • 97.231.133.14 www.grisoft.com
  • 97.231.133.14 boardreader.com
  • 97.231.133.14 www.guiadohardware.net
  • 97.231.133.14 www.webroot.com
  • 97.231.133.14 www.thehelper.net
  • 97.231.133.14 www.kaldata.com
  • 97.231.133.14 vil.nai.com
  • 97.231.133.14 www.malwarecrypt.com
  • 97.231.133.14 www.latest-virus.com
  • 97.231.133.14 www.msnvirusremoval.com
  • 97.231.133.14 www.cisrt.org
  • 97.231.133.14 fixmyim.com
  • 97.231.133.14 samroeng.hi5.com
  • 97.231.133.14 foro.elhacker.net
  • 97.231.133.14 www.daboweb.com
  • 97.231.133.14 service1.symantec.com
  • 97.231.133.14 us3.download.comodo.com
  • 97.231.133.14 forum.gsmhosting.com
  • 97.231.133.14 www.computerforum.com
  • 97.231.133.14 forum.avast.com
  • 97.231.133.14 www.ixtorrent.com
  • 97.231.133.14 mx.answers.yahoo.com
  • 97.231.133.14 forums.techguy.org
  • 97.231.133.14 www.incodesolutions.com
  • 97.231.133.14 hijackthis.download3000.com
  • 97.231.133.14 www.cybertechhelp.com
  • 97.231.133.14 www.superdicas.com.br
  • 97.231.133.14 www.51nb.com
  • 97.231.133.14 us4.download.comodo.com
  • 97.231.133.14 www.jbtalks.cc
  • 97.231.133.14 ad13.geekstogo.com
  • 97.231.133.14 forums.eternion-wow.com
  • 97.231.133.14 simplyrudz.blogspot.com
  • 97.231.133.14 downloads.andymanchesta.com
  • 97.231.133.14 andymanchesta.com
  • 97.231.133.14 info.prevx.com
  • 97.231.133.14 aknow.prevx.com
  • 97.231.133.14 www.zonavirus.com
  • 97.231.133.14 securitywonks.net
  • 97.231.133.14 www.yoreparo.com
  • 97.231.133.14 www.spywarecease.com
  • 97.231.133.14 forum.dobreprogramy.pl
  • 97.231.133.14 community.mcafee.com
  • 97.231.133.14 board.protecus.de
  • 97.231.133.14 tech.pantip.com
  • 97.231.133.14 www.lavasoft.com
  • 97.231.133.14 www.virscan.org
  • 97.231.133.14 www.eeload.com
  • 97.231.133.14 down.www.kingsoft.com
  • 97.231.133.14 www.file.net
  • 97.231.133.14 onecare.live.com
  • 97.231.133.14 mvps.org
  • 97.231.133.14 www.laneros.com
  • 97.231.133.14 www.pc1news.com
  • 97.231.133.14 forum.avira.com
  • 97.231.133.14 downloads.novirusthanks.org
  • 97.231.133.14 www.pinoyhackers.com
  • 97.231.133.14 www.superadblocker.com
  • 97.231.133.14 www.housecall.trendmicro.com
  • 97.231.133.14 www.avast.com
  • 97.231.133.14 www.free.avg.com
  • 97.231.133.14 www.onlinescan.avast.com
  • 97.231.133.14 www.ewido.net
  • 97.231.133.14 www.trucoswindows.net
  • 97.231.133.14 www.mozilla-hispano.org
  • 97.231.133.14 www.jackbloodforum.com
  • 97.231.133.14 www.kosandpol.elakiri.com
  • 97.231.133.14 www.thaivisa.com
  • 97.231.133.14 forum.bullguard.com
  • 97.231.133.14 www.futurenow.bitdefender.com
  • 97.231.133.14 www.bitdefender.com
  • 97.231.133.14 www.f-prot.com
  • 97.231.133.14 www.trendsecure.com
  • 97.231.133.14 security.symantec.com
  • 97.231.133.14 oldtimer.geekstogo.com
  • 97.231.133.14 sopiansantosa.blogspot.com
  • 97.231.133.14 www.fileresearchcenter.com
  • 97.231.133.14 www.looktr.com
  • 97.231.133.14 www.zone-it.com
  • 97.231.133.14 somostuyyounnuevodiaoficial.obolog.com
  • 97.231.133.14 www.avira.com
  • 97.231.133.14 www.eset.com
  • 97.231.133.14 free.avg.com
  • 97.231.133.14 www.free-av.com
  • 97.231.133.14 kr.ahnlab.com
  • 97.231.133.14 www.eset.com
  • 97.231.133.14 forospyware.com
  • 97.231.133.14 thejokerx.blogspot.com
  • 97.231.133.14 cairopt.net
  • 97.231.133.14 oolbar.cyberdefender.com
  • 97.231.133.14 golpe.dyndns.org
  • 97.231.133.14 forum.aiutamici.com
  • 97.231.133.14 solit.us
  • 97.231.133.14 bisnismudahsaja.blogspot.com
  • 97.231.133.14 www.2-spyware.com
  • 97.231.133.14 www.antivir.es
  • 97.231.133.14 www.prevx.com
  • 97.231.133.14 www.ikarus.net
  • 97.231.133.14 bbs.s-sos.net
  • 97.231.133.14 www.housecall.trendmicro.com
  • 97.231.133.14 www.superdicas.com.br
  • 97.231.133.14 www.superantispyware.com
  • 97.231.133.14 www.unhackme.com
  • 97.231.133.14 www.askmehelpdesk.com
  • 97.231.133.14 forum.zebulon.fr
  • 97.231.133.14 regfixerror.pctools.revenuewire.net
  • 97.231.133.14 www.forums.majorgeeks.com
  • 97.231.133.14 www.castlecops.com
  • 97.231.133.14 www.virusspy.com
  • 97.231.133.14 andymanchesta.com
  • 97.231.133.14 www.kaspersky.es
  • 97.231.133.14 subs.geekstogo.com
  • 97.231.133.14 www.forospanish.com
  • 97.231.133.14 blog.rnsafe.com
  • 97.231.133.14 www.regrun.com
  • 97.231.133.14 irc.snahosting.net
  • 97.231.133.14 danielorza.net
  • 97.231.133.14 www.pchelpforum.com
  • 97.231.133.14 ftp.pcpitstop.com
  • 97.231.133.14 www.trendmicro.com
  • 97.231.133.14 www.fortinet.com
  • 97.231.133.14 www.safer-networking.org
  • 97.231.133.14 www.fortiguardcenter.com
  • 97.231.133.14 www.dougknox.com
  • 97.231.133.14 www.vsantivirus.com
  • 97.231.133.14 static.commentcamarche.net
  • 97.231.133.14 www.gyakorikerdesek.hu
  • 97.231.133.14 www.fixya.com
  • 97.231.133.14 www.alabamawomen.org
  • 97.231.133.14 www.spywareremovalblog.com
  • 97.231.133.14 www.firewallguide.com
  • 97.231.133.14 www.auditmypc.com
  • 97.231.133.14 www.spywaredb.com
  • 97.231.133.14 www.mxttchina.com
  • 97.231.133.14 www.ziggamza.net
  • 97.231.133.14 www.forospyware.es
  • 97.231.133.14 pogonyuto.forospanish.com
  • 97.231.133.14 spywarefiles.prevx.com
  • 97.231.133.14 k2r.th3kings.net
  • 97.231.133.14 www.betterantivirus.com
  • 97.231.133.14 www.365groups.com
  • 97.231.133.14 trialware.norton.com
  • 97.231.133.14 www.antivirus.comodo.com
  • 97.231.133.14 www.spywareterminator.com
  • 97.231.133.14 www.eradicatespyware.net
  • 97.231.133.14 www.freespywareremoval.info
  • 97.231.133.14 www.personalfirewall.comodo.com
  • 97.231.133.14 wakoopa.com
  • 97.231.133.14 forum.drweb.com
  • 97.231.133.14 bb1.th3kings.net
  • 97.231.133.14 www.commentcamarche.net
  • 97.231.133.14 justfane.blogspot.com
  • 97.231.133.14 foros.3dgames.com.ar
  • 97.231.133.14 www.clamav.net
  • 97.231.133.14 www.antivirus.about.com
  • 97.231.133.14 www.pandasecurity.com
  • 97.231.133.14 www.webphand.com
  • 97.231.133.14 mx.answers.yahoo.com
  • 97.231.133.14 www.securitywonks.net
  • 97.231.133.14 www.messengeradictos.com
  • 97.231.133.14 www.geekpolice.net
  • 97.231.133.14 bub.th3kings.net
  • 97.231.133.14 shield.prevx.com
  • 97.231.133.14 www.eudict.com
  • 97.231.133.14 uk.answers.yahoo.com
  • 97.231.133.14 www.sandboxie.com
  • 97.231.133.14 www.clamwin.com
  • 97.231.133.14 www.cwsandbox.org
  • 97.231.133.14 www.ca.com
  • 97.231.133.14 www.arswp.com
  • 97.231.133.14 es.answers.yahoo.com
  • 97.231.133.14 www.trucoswindows.es
  • 97.231.133.14 www.ipaddresser.com
  • 97.231.133.14 www.abgenis.net
  • 97.231.133.14 www.freefixer.com
  • 97.231.133.14 forums.afterdawn.com
  • 97.231.133.14 forum.torrents.ro
  • 97.231.133.14 whois.domaintools.com
  • 97.231.133.14 www.networkworld.com
  • 97.231.133.14 www.cddchiangmai.net
  • 97.231.133.14 www.threatexpert.com
  • 97.231.133.14 www.norman.com
  • 97.231.133.14 espanol.answers.yahoo.com
  • 97.231.133.14 www.tallemu.com
  • 97.231.133.14 foro.portalhacker.net
  • 97.231.133.14 www.groupwhere.org
  • 97.231.133.14 sniff.runescapetube.com
  • 97.231.133.14 forum.p30world.com
  • 97.231.133.14 poolcoversite.com
  • 97.231.133.14 forum.bullguard.com
  • 97.231.133.14 virscan.org
  • 97.231.133.14 www.viruschief.com
  • 97.231.133.14 scanner.virus.org
  • 97.231.133.14 www.hijackthis.de
  • 97.231.133.14 housecall65.trendmicro.com
  • 97.231.133.14 www.guiadohardware.net
  • 97.231.133.14 forums.whatthetech.com
  • 97.231.133.14 mustlovewine.com
  • 97.231.133.14 www3.malekal.com
  • 97.231.133.14 esetnod32antivirus.blogspot.com
  • 97.231.133.14 thedudesemo.blogspot.com
  • 97.231.133.14 hjt.networktechs.com
  • 97.231.133.14 www.techsupportforum.com
  • 97.231.133.14 www.whatthetech.com
  • 97.231.133.14 www.soccersuck.com
  • 97.231.133.14 www.pcentraide.com
  • 97.231.133.14 comunidad.wilkinsonpc.com.co
  • 97.231.133.14 forum.hocit.com
  • 97.231.133.14 forum.smadav.net
  • 97.231.133.14 fgp.e2doo.com
  • 97.231.133.14 community.thaiware.com
  • 97.231.133.14 irc.evoporn.com
  • 97.231.133.14 www.spamhaus.org
  • 97.231.133.14 forum.piriform.com
  • 97.231.133.14 www.tweaksforgeeks.com
  • 97.231.133.14 www.daniweb.com
  • 97.231.133.14 www.geekstogo.com
  • 97.231.133.14 es.answers.yahoo.com
  • 97.231.133.14 www.techsupportforum.com
  • 97.231.133.14 dnl-eu8.kaspersky-labs.com
  • 97.231.133.14 www.oprekpc.com
  • 97.231.133.14 shv4.ath.cx
  • 97.231.133.14 www.pcworld.com
  • 97.231.133.14 in.answers.yahoo.com
  • 97.231.133.14 www.vupen.com
  • 97.231.133.14 www.pchell.com
  • 97.231.133.14 www.spyany.com
  • 97.231.133.14 forums.techguy.org
  • 97.231.133.14 www.experts-exchange.com
  • 97.231.133.14 www.wikio.es
  • 97.231.133.14 www.pandasecurity.com
  • 97.231.133.14 forums.devshed.com
  • 97.231.133.14 devbuilds.kaspersky-labs.com
  • 97.231.133.14 hana-ahmad.blogspot.com
  • 97.231.133.14 www.linkmania.ro
  • 97.231.133.14 www.trojaner-board.de
  • 97.231.133.14 swandog46.geekstogo.com
  • 97.231.133.14 forum.tweaks.com
  • 97.231.133.14 www.wilderssecurity.com
  • 97.231.133.14 www.techspot.com
  • 97.231.133.14 www.thecomputerpitstop.com
  • 97.231.133.14 es.wasalive.com
  • 97.231.133.14 secunia.com
  • 97.231.133.14 www.killtrojan.net
  • 97.231.133.14 www.ulop.net
  • 97.231.133.14 www.eliters.com
  • 97.231.133.14 sip4.voipkosovasite.com
  • 97.231.133.14 www.ftw.ro
  • 97.231.133.14 anggiawan.web.id
  • 97.231.133.14 ba-k.com
  • 97.231.133.14 www.mcanime.net
  • 97.231.133.14 es.kioskea.net
  • 97.231.133.14 www.taringa.net
  • 97.231.133.14 www.cyberdefender.com
  • 97.231.133.14 www.feedage.com
  • 97.231.133.14 new.taringa.net
  • 97.231.133.14 forum.zazana.com
  • 97.231.133.14 forum.clubedohardware.com.br
  • 97.231.133.14 mks.com.pl
  • 97.231.133.14 www.vietcaravan.us
  • 97.231.133.14 trbotnet.sytes.net
  • 97.231.133.14 community.norton.com
  • 97.231.133.14 positiveroot.wordpress.com
  • 97.231.133.14 www.computing.net
  • 97.231.133.14 discussions.virtualdr.com
  • 97.231.133.14 forum.securitycadets.com
  • 97.231.133.14 www.techimo.com
  • 97.231.133.14 13iii.com
  • 97.231.133.14 www.dicasweb.com.br
  • 97.231.133.14 www.javacoolsoftware.net
  • 97.231.133.14 cofradia.org
  • 97.231.133.14 wasteland-bg.com
  • 97.231.133.14 www.windowexe.com
  • 97.231.133.14 malekal.com
  • 97.231.133.14 www.carigold.com
  • 97.231.133.14 answers.yahoo.com
  • 97.231.133.14 www.infosecpodcast.com
  • 97.231.133.14 www.usbcleaner.cn
  • 97.231.133.14 www.net-security.org
  • 97.231.133.14 www.bleedingthreats.net
  • 97.231.133.14 acs.pandasoftware.com
  • 97.231.133.14 www.funkytoad.com
  • 97.231.133.14 malwarebytes.org
  • 97.231.133.14 sabithpocker.blogspot.com
  • 97.231.133.14 comprolive.vox.com
  • 97.231.133.14 www.worton.com
  • 97.231.133.14 www.rss-verzeichnis.de
  • 97.231.133.14 www.bloodzone.net
  • 97.231.133.14 www.360safe.cn
  • 97.231.133.14 www.360safe.com
  • 97.231.133.14 bbs.360safe.cn
  • 97.231.133.14 bbs.360safe.com
  • 97.231.133.14 codehard.wordpress.com
  • 97.231.133.14 forum.clubedohardware.com.br
  • 97.231.133.14 antitrick.com
  • 97.231.133.14 www.configurarequipos.com
  • 97.231.133.14 www.jiwang.org
  • 97.231.133.14
    anti-virus-software-review.toptenreviews.com
  • 97.231.133.14 forums.malwarebytes.org
  • 97.231.133.14 www.360.cn
  • 97.231.133.14 www.360.com
  • 97.231.133.14 bbs.360safe.cn
  • 97.231.133.14 bbs.360safe.com
  • 97.231.133.14 www.forospyware.es
  • 97.231.133.14 p3dev.taringa.net
  • 97.231.133.14 www.precisesecurity.com
  • 97.231.133.14 dlpe.antivir.com
  • 97.231.133.14 www.jvme.com
  • 97.231.133.14 share.skype.com
  • 97.231.133.14 comprolive.com
  • 97.231.133.14 gotoknow.org
  • 97.231.133.14 www.forofantasiasmiguel.com
  • 97.231.133.14 www.spywaredemon.com
  • 97.231.133.14 baike.360.cn
  • 97.231.133.14 baike.360.com
  • 97.231.133.14 kaba.360.cn
  • 97.231.133.14 kaba.360.com
  • 97.231.133.14 deckard.geekstogo.com
  • 97.231.133.14 www.taringa.net
  • 97.231.133.14 forums.comodo.com
  • 97.231.133.14 www.mvps.org
  • 97.231.133.14 melcy.wordpress.com
  • 97.231.133.14 forum.softpedia.com
  • 97.231.133.14 pcvids.wordpress.com
  • 97.231.133.14 shop.symantecstore.com
  • 97.231.133.14 banes-pages.blogspot.com
  • 97.231.133.14 down.360safe.cn
  • 97.231.133.14 down.360safe.com
  • 97.231.133.14 x.360safe.com
  • 97.231.133.14 dl.360safe.com
  • 97.231.133.14 ftp.drweb.com
  • 97.231.133.14 www.hotshare.net
  • 97.231.133.14 es.wasalive.com
  • 97.231.133.14 free.antivirus.com
  • 97.231.133.14 forum.hocit.com
  • 97.231.133.14 destavision-forum.com
  • 97.231.133.14 inspiresoft.blogspot.com
  • 97.231.133.14 universomanualidades.foroactivo.com
  • 97.231.133.14 updatem.360safe.com
  • 97.231.133.14 updatem.360safe.cn
  • 97.231.133.14 update.360safe.cn
  • 97.231.133.14 update.360safe.com
  • 97.231.133.14 www.utilidades-utiles.com
  • 97.231.133.14 forum.kaspersky.com
  • 97.231.133.14 www.indowebster.web.id
  • 97.231.133.14 zastita.com
  • 97.231.133.14 www.sz-pet.com
  • 97.231.133.14 foros.abcdatos.com
  • 97.231.133.14 www.elektroda.pl
  • 97.231.133.14 gulaley.blogspot.com
  • 97.231.133.14 bbs.duba.net
  • 97.231.133.14 www.duba.net
  • 97.231.133.14 zhidao.baidu.com
  • 97.231.133.14 hi.baidu.com
  • 97.231.133.14 www.drweb.com.es
  • 97.231.133.14 msncleaner.softonic.com
  • 97.231.133.14 www.javacoolsoftware.com
  • 97.231.133.14 beniono.wordpress.com
  • 97.231.133.14 www.4-gsmteam.com
  • 97.231.133.14 msntubers.freehostia.com
  • 97.231.133.14 store.norton.com
  • 97.231.133.14 social.answers.microsoft.com
  • 97.231.133.14 file.ikaka.com
  • 97.231.133.14 file.ikaka.cn
  • 97.231.133.14 bbs.ikaka.com
  • 97.231.133.14 zhidao.ikaka.com
  • 97.231.133.14 www.eset-la.com
  • 97.231.133.14 download.eset.com
  • 97.231.133.14 software-files.download.com
  • 97.231.133.14 www.faravirusi.com
  • 97.231.133.14 www.winbots.es
  • 97.231.133.14 forum.chip.de
  • 97.231.133.14 www.thailandsusu.com
  • 97.231.133.14 debates.motos.net
  • 97.231.133.14 www.judj.com
  • 97.231.133.14 www.ikaka.com
  • 97.231.133.14 www.ikaka.cn
  • 97.231.133.14 bbs.cfan.com.cn
  • 97.231.133.14 www.cfan.com.cn
  • 97.231.133.14 www.pandasecurity.com
  • 97.231.133.14 es.mcafee.com
  • 97.231.133.14 downloads.malwarebytes.org
  • 97.231.133.14 www.devirusare.com
  • 97.231.133.14 forum.skype.com
  • 97.231.133.14 shitit.net
  • 97.231.133.14 www.webimmune.net
  • 97.231.133.14 forum.swzone.it
  • 97.231.133.14 www.dl4all.com
  • 97.231.133.14 foros.mcanime.net
  • 97.231.133.14 bbs.kafan.cn
  • 97.231.133.14 bbs.kafan.com
  • 97.231.133.14 bbs.kpfans.com
  • 97.231.133.14 bbs.taisha.org
  • 97.231.133.14 www.manuelruvalcaba.com
  • 97.231.133.14 support.f-secure.com
  • 97.231.133.14 bbs.winzheng.com
  • 97.231.133.14 devirusare.com
  • 97.231.133.14 social.microsoft.com
  • 97.231.133.14 www.shitit.net
  • 97.231.133.14 mx.answers.yahoo.com
  • 97.231.133.14 darkzone.in.th
  • 97.231.133.14 www.velocidadmaxima.com
  • 97.231.133.14 alerta-antivirus.inteco.es
  • 97.231.133.14 foros.zonavirus.com
  • 97.231.133.14 alerta-antivirus.red.es
  • 97.231.133.14 www.zonavirus.com
  • 97.231.133.14 www.malwarebytes.org
  • 97.231.133.14 www.commentcamarche.net
  • 97.231.133.14 news.support.veritas.com
  • 97.231.133.14 www.zonealarm.com
  • 97.231.133.14 malwarebytes-anti-malware.softonic.com
  • 97.231.133.14 www.securitystronghold.com
  • 97.231.133.14 www.ewido.net
  • 97.231.133.14 www.infospyware.com
  • 97.231.133.14 www.bitdefender.es
  • 97.231.133.14 housecall.trendmicro.com
  • 97.231.133.14 foros.toxico-pc.com
  • 97.231.133.14 www.identi.es
  • 97.231.133.14 es.kioskea.net
  • 97.231.133.14 virusinfo.info
  • 97.231.133.14 forums.zonealarm.com
  • 97.231.133.14 foro.infiernohacker.com
  • 97.231.133.14 nitroamd.spaces.live.com
  • 97.231.133.14 forums.overclockzone.com
  • 97.231.133.14 www.emsisoft.de
  • 97.231.133.14 www.securitynewsportal.com
  • 97.231.133.14 irc.ekizmedia.com
  • 97.231.133.14 zone.arminboutique.com
  • 97.231.133.14 story.dnsentrymx.com
The worm may execute the following commands:
  • cmd.exe /C attrib -s -h "C:\ntldr"
  • cmd.exe /C move "C:\ntldr" "C:\dump"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32hal.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32hal.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32*.exe"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32*.dll"
  • cmd.exe /C attrib -s -h "C:\ntldr"
  • cmd.exe /C move "C:\ntldr" "C:\dump"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32hal.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32hal.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32*.exe"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32*.dll"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32drvers*.sys"
  • cmd.exe /C del /F /S /Q "%WINDIR%system32*.*"
  • cmd.exe /C del /F /S /Q "%WINDIR%*.*"
  • cmd.exe /C del /F /S /Q "C:\ComboFix.txt"
  • ipconfig /flushdns
The worm acquires data and commands from a remote computer or the Internet.

The worm connects to the following addresses:
  • ns89.nastysurfboards.net
  • ns94.nastysurfboards.net
  • ns101.surfthewavesinc.net
  • ns115.surfthewavesinc.net
  • ns126.surfingsuppliesco.net
  • ns133.surfingsuppliesco.net
  • ns89.nastysurfboards.net
  • ns94.nastysurfboards.net
  • ns101.surfthewavesinc.net
  • ns115.surfthewavesinc.net
  • ns126.surfingsuppliesco.net
  • ns133.surfingsuppliesco.net
  • ns146.radsurfingsupply.net
  • ns154.radsurfingsupply.net
  • ns168.saveitallbaby.com
  • ns175.saveitallbaby.com
  • ns189.savehugedaily.com
  • ns192.savehugedaily.com
  • ns196.magicsavings4all.com
  • ns207.magicsavings4all.com
  • ns219.thesavemachine.com
  • ns227.thesavemachine.com
  • ns238.jazibmahmoud.com
  • ns255.gerbertnsvinkle.com
  • ns261.gerbertnsvinkle.com
  • ns272.grudvenauctionhouse.net
  • ns283.grudvenauctionhouse.net
  • ns308.twnameservers.net
  • ns313.twnameservers.net
  • ns294.jpnicregistrar.com
  • ns236.jpnicregistrar.com
  • ns328.hotornot-tw.com
  • ns333.hotornot-tw.com
  • ns345.romanianxportsvc.com
  • ns352.romanianxportsvc.com
  • ns339.l3tsfuck1ts3xy.su
  • ns341.l3tsfuck1ts3xy.su
  • ns243.jazibmahmoud.com
  • ns175.saveitallbaby.com
The IRC protocol is used.

It can execute the following operations:
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform port scanning
  • spread via IM networks
  • open a specific URL address
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • perform port scanning
  • spread via IM networks
  • open a specific URL address
  • connect to remote computers to a specific port