MalwareMustDie

#MMD - Cridex Downloaded Win32/Medfos Malware Downloader

Mar 7th, 2013
  1. =========================================
  2. #MalwareMustDie - Different Cridex
  3. Downloaded Win32/Medfos Malware Downloader
  4. Date: 2013 March 7th @unixfreaxjp
  5. ========================================
  6.  
  7. Software\Far\Plugins\FTP\Hosts
  8. Software\Far2\Plugins\FTP\Hosts
  9. Software\Far Manager\Plugins\FTP\Hosts
  10. Software\Far\SavedDialogHistory\FTPHost
  11. Software\Far2\SavedDialogHistory\FTPHost
  12. Software\Far Manager\SavedDialogHistory\FTPHost
  13. Password
  14. HostName
  15. User
  16. Line
  17. wcx_ftp.ini
  18. \GHISLER
  19. InstallDir
  20. FtpIniName
  21. Software\Ghisler\Windows Commander
  22. Software\Ghisler\Total Commander
  23. \Ipswitch
  24. Sites\
  25. \Ipswitch\WS_FTP
  26. \win.ini
  27. .ini
  28. WS_FTP
  29. DIR
  30. DEFDIR
  31. CUTEFTP
  32. QCHistory
  33. Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
  34. Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
  35. Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
  36. Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
  37. Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
  38. Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
  39. \GlobalSCAPE\CuteFTP
  40. \GlobalSCAPE\CuteFTP Pro
  41. \GlobalSCAPE\CuteFTP Lite
  42. \CuteFTP
  43. \sm.dat
  44. Software\FlashFXP\3
  45. Software\FlashFXP
  46. Software\FlashFXP\4
  47. InstallerDathPath
  48. path
  49. Install Path
  50. DataFolder
  51. \Sites.dat
  52. \Quick.dat
  53. \History.dat
  54. \FlashFXP\3
  55. \FlashFXP\4
  56. \FileZilla
  57. \sitemanager.xml
  58. \recentservers.xml
  59. \filezilla.xml
  60. Software\FileZilla
  61. Software\FileZilla Client
  62. Install_Dir
  63. Host
  64. User
  65. Pass
  66. Port
  67. Remote Dir
  68. Server Type
  69. Server.Host
  70. Server.User
  71. Server.Pass
  72. Server.Port
  73. Path
  74. ServerType
  75. Last Server Host
  76. Last Server User
  77. Last Server Pass
  78. Last Server Port
  79. Last Server Path
  80. Last Server Type
  81. FTP Navigator
  82. FTP Commander
  83. ftplist.txt
  84. \BulletProof Software
  85. .dat
  86. .bps
  87. Software\BPFTP\Bullet Proof FTP\Main
  88. Software\BulletProof Software\BulletProof FTP Client\Main
  89. Software\BPFTP\Bullet Proof FTP\Options
  90. Software\BulletProof Software\BulletProof FTP Client\Options
  91. Software\BPFTP
  92. LastSessionFile
  93. SitesDir
  94. InstallDir1
  95. .xml
  96. \SmartFTP
  97. Favorites.dat
  98. History.dat
  99. addrbk.dat
  100. quick.dat
  101. \TurboFTP
  102. Software\TurboFTP
  103. installpath
  104. Software\Sota\FFFTP
  105. CredentialSalt
  106. CredentialCheck
  107. Software\Sota\FFFTP\Options
  108. Password
  109. UserName
  110. HostAdrs
  111. RemoteDir
  112. Port
  113. HostName
  114. Port
  115. Username
  116. Password
  117. HostDirName
  118. Software\CoffeeCup Software\Internet\Profiles
  119. Software\FTPWare\COREFTP\Sites
  120. Host
  121. User
  122. Port
  123. PthR
  124. SSH
  125. profiles.xml
  126. \FTP Explorer
  127. Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
  128. Buttons
  129. Software\FTP Explorer\Profiles
  130. Password
  131. PasswordType
  132. Host
  133. Login
  134. Port
  135. InitialPath
  136. FtpSite.xml
  137. \Frigate3
  138. .ini
  139. \VanDyke\Config\Sessions
  140. \Sessions
  141. Software\VanDyke\SecureFX
  142. Config Path
  143. UltraFXP
  144. \sites.xml
  145. \FTPRush
  146. RushSite.xml
  147. Server
  148. Username
  149. Password
  150. FtpPort
  151. Software\Cryer\WebSitePublisher
  152. \BitKinex
  153. bitkinex.ds
  154. Hostname
  155. Username
  156. Password
  157. Port
  158. Software\ExpanDrive\Sessions
  159. \ExpanDrive
  160. \drives.js
  161. "password" : "
  162. Software\ExpanDrive
  163. ExpanDrive_Home
  164. Server
  165. UserName
  166. Password
  167. _Password
  168. Directory
  169. Software\NCH Software\ClassicFTP\FTPAccounts
  170. FtpServer
  171. FtpUserName
  172. FtpPassword
  173. _FtpPassword
  174. FtpDirectory
  175. SOFTWARE\NCH Software\Fling\Accounts
  176. Software\FTPClient\Sites
  177. Software\SoftX.org\FTPClient\Sites
  178. .oxc
  179. .oll
  180. ftplast.osd
  181. \GPSoftware\Directory Opus
  182. \SharedSettings.ccs
  183. \SharedSettings_1_0_5.ccs
  184. \SharedSettings.sqlite
  185. \SharedSettings_1_0_5.sqlite
  186. \CoffeeCup Software
  187. leapftp
  188. unleap.exe
  189. sites.dat
  190. sites.ini
  191. \LeapWare\LeapFTP
  192. SOFTWARE\LeapWare
  193. InstallPath
  194. DataDir
  195. Password
  196. HostName
  197. UserName
  198. RemoteDirectory
  199. PortNumber
  200. FSProtocol
  201. Software\Martin Prikryl
  202. \32BitFtp.ini
  203. NDSites.ini
  204. \NetDrive
  205. PassWord
  206. Url
  207. UserName
  208. RootDirectory
  209. Port
  210. Software\South River Technologies\WebDrive\Connections
  211. ServerType
  212. FTP CONTROL
  213. FTPCON
  214. .prf
  215. \Profiles
  216. http://
  217. https://
  218. ftp://
  219. opera
  220. wand.dat
  221. _Software\Opera Software
  222. Last Directory3
  223. Last Install Path
  224. Opera.HTML\shell\open\command
  225. wiseftpsrvs.bin
  226. \AceBIT
  227. Software\AceBIT
  228. MRU
  229. SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
  230. SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
  231. wiseftpsrvs.ini
  232. wiseftp.ini
  233. FTPVoyager.ftp
  234. FTPVoyager.qc
  235. \RhinoSoft.com
  236. nss3.dll
  237. NSS_Init
  238. NSS_Shutdown
  239. NSSBase64_DecodeBuffer
  240. SECITEM_FreeItem
  241. PK11_GetInternalKeySlot
  242. PK11_Authenticate
  243. PK11SDR_Decrypt
  244. PK11_FreeSlot
  245. sqlite3.dll
  246. sqlite3_open
  247. sqlite3_close
  248. sqlite3_prepare
  249. sqlite3_step
  250. sqlite3_column_bytes
  251. sqlite3_column_blob
  252. mozsqlite3.dll
  253. sqlite3_open
  254. sqlite3_close
  255. sqlite3_prepare
  256. sqlite3_step
  257. sqlite3_column_bytes
  258. sqlite3_column_blob
  259. profiles.ini
  260. Profile
  261. IsRelative
  262. Path
  263. PathToExe
  264. prefs.js
  265. signons.sqlite
  266. signons.txt
  267. signons2.txt
  268. signons3.txt
  269. SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
  270. Firefox
  271. \Mozilla\Firefox\
  272. Software\Mozilla
  273. ftp://
  274. http://
  275. https://
  276. ftp.
  277. fireFTPsites.dat
  278. SeaMonkey
  279. \Mozilla\SeaMonkey\
  280. Flock
  281. \Flock\Browser\
  282. Mozilla
  283. \Mozilla\Profiles\
  284. Software\LeechFTP
  285. AppDir
  286. LocalDir
  287. bookmark.dat
  288. SiteInfo.QFP
  289. Odin
  290. Favorites.dat
  291. WinFTP
  292. sites.db
  293. CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
  294. servers.xml
  295. \FTPGetter
  296. ESTdb2.dat
  297. QData.dat
  298. \Estsoft\ALFTP
  299. Internet Explorer
  300. WininetCacheCredentials
  301. MS IE FTP Passwords
  302. DPAPI:
  303. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  304. Microsoft_WinInet_*
  305. ftp://
  306. Software\Adobe\Common
  307. SiteServers
  308. SiteServer %d\Host
  309. SiteServer %d\WebUrl
  310. SiteServer %d\Remote Directory
  311. SiteServer %d-User
  312. SiteServer %d-User PW
  313. %s\Keychain
  314. SiteServer %d\SFTP
  315. DeluxeFTP
  316. sites.xml
  317. Web Data
  318. Login Data
  319. SQLite format 3
  320. table
  321. CONSTRAINT
  322. PRIMARY
  323. UNIQUE
  324. CHECK
  325. FOREIGN
  326. logins
  327. origin_url
  328. password_value
  329. username_value
  330. ftp://
  331. http://
  332. https://
  333. \Google\Chrome
  334. \Chromium
  335. \ChromePlus
  336. Software\ChromePlus
  337. Install_Dir
  338. \Bromium
  339. \Nichrome
  340. \Comodo
  341. \RockMelt
  342. K-Meleon
  343. \K-Meleon
  344. \Profiles
  345. Epic
  346. \Epic\Epic
  347. Staff-FTP
  348. sites.ini
  349. \Sites
  350. \Visicom Media
  351. .ftp
  352. \Global Downloader
  353. SM.arch
  354. FreshFTP
  355. .SMF
  356. BlazeFtp
  357. site.dat
  358. LastPassword
  359. LastAddress
  360. LastUser
  361. LastPort
  362. Software\FlashPeak\BlazeFtp\Settings
  363. \BlazeFtp
  364. .fpl
  365. FTP++.Link\shell\open\command
  366. GoFTP
  367. Connections.txt
  368. 3D-FTP
  369. sites.ini
  370. \3D-FTP
  371. \SiteDesigner
  372. SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
  373. EasyFTP
  374. \NetSarang
  375. .xfp
  376. .rdp
  377. TERMSRV/*
  378. password 51:b:
  379. username:s:
  380. full address:s:
  381. TERMSRV/
  382. FTP Now
  383. FTPNow
  384. sites.xml
  385. SOFTWARE\Robo-FTP 3.7\Scripts
  386. SOFTWARE\Robo-FTP 3.7\FTPServers
  387. FTP Count
  388. FTP File%d
  389. Password
  390. ServerName
  391. UserID
  392. InitialDirectory
  393. PortNumber
  394. ServerType
  395. fMY
  396. Software\LinasFTP\Site Manager
  397. Host
  398. User
  399. Pass
  400. Port
  401. Remote Dir
  402. \Cyberduck
  403. .duck
  404. user.config
  405. <setting name="
  406. value="
  407. Software\SimonTatham\PuTTY\Sessions
  408. HostName
  409. UserName
  410. Password
  411. PortNumber
  412. TerminalType
  413. NppFTP.xml
  414. \Notepad++
  415. Software\CoffeeCup Software
  416. FTP destination server
  417. FTP destination user
  418. FTP destination password
  419. FTP destination port
  420. FTP destination catalog
  421. FTP profiles
  422. FTPShell
  423. ftpshell.fsi
  424. Software\MAS-Soft\FTPInfo\Setup
  425. DataDir
  426. \FTPInfo
  427. ServerList.xml
  428. NexusFile
  429. ftpsite.ini
  430. FastStone Browser
  431. FTPList.db
  432. \MapleStudio\ChromePlus
  433. Software\Nico Mak Computing\WinZip\FTP
  434. Software\Nico Mak Computing\WinZip\mru\jobs
  435. Site
  436. UserID
  437. xflags
  438. Port
  439. Folder
  440. .wjf
  441. winex="
  442. \Yandex
  443. My FTP
  444. project.ini
  445. .xml
  446. {74FF1730-B1F2-4D88-926B-1568FAE61DB7}
  447. NovaFTP.db
  448. \INSoftware\NovaFTP
  449. .oeaccount
  450. Salt
  451. <POP3_Password2
  452. <SMTP_Password2
  453. <IMAP_Password2
  454. <HTTPMail_Password2
  455. \Microsoft\Windows Live Mail
  456. Software\Microsoft\Windows Live Mail
  457. \Microsoft\Windows Mail
  458. Software\Microsoft\Windows Mail
  459. Software\RimArts\B2\Settings
  460. DataDir
  461. DataDirBak
  462. Mailbox.ini
  463. Software\Poco Systems Inc
  464. Path
  465. \PocoSystem.ini
  466. Program
  467. DataPath
  468. accounts.ini
  469. \Pocomail
  470. Software\IncrediMail
  471. EmailAddress
  472. Technology
  473. PopServer
  474. PopPort
  475. PopAccount
  476. PopPassword
  477. SmtpServer
  478. SmtpPort
  479. SmtpAccount
  480. SmtpPassword
  481. account.cfg
  482. account.cfn
  483. \BatMail
  484. \The Bat!
  485. Software\RIT\The Bat!
  486. Software\RIT\The Bat!\Users depot
  487. Working Directory
  488. ProgramDir
  489. Count
  490. Default
  491. Dir #%d
  492. SMTP Email Address
  493. SMTP Server
  494. POP3 Server
  495. POP3 User Name
  496. SMTP User Name
  497. NNTP Email Address
  498. NNTP User Name
  499. NNTP Server
  500. IMAP Server
  501. IMAP User Name
  502. Email
  503. HTTP User
  504. HTTP Server URL
  505. POP3 User
  506. IMAP User
  507. HTTPMail User Name
  508. HTTPMail Server
  509. SMTP User
  510. POP3 Port
  511. SMTP Port
  512. IMAP Port
  513. POP3 Password2
  514. IMAP Password2
  515. NNTP Password2
  516. HTTPMail Password2
  517. SMTP Password2
  518. POP3 Password
  519. IMAP Password
  520. NNTP Password
  521. HTTP Password
  522. SMTP Password
  523. Software\Microsoft\Internet Account Manager\Accounts
  524. Identities
  525. Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
  526. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
  527. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  528. Software\Microsoft\Internet Account Manager
  529. Outlook
  530. \Accounts
  531. identification
  532. identitymgr
  533. inetcomm server passwords
  534. outlook account manager passwords
  535. identities
  536. {%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
  537. Thunderbird
  538. \Thunderbird
  539. FastTrack
  540. ftplist.txt
  541. ----
  542. MalwareMustDie!