Download Link: hxxp://2005-search.com/go.exe

File Name: go.exe
File size: 198144 bytes <--Packed with UPX
MD5: 0394118e08995f5e87c703926c77f37b
SHA1: 45be384e8dd543b933e48f41b03425c1f6ccd6b5
PEiD: -
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=0394118e08995f5e87c703926c77f37b
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CD3FB3BA00E15454062E039751E72800DBBB4040

VirusTotal Result: 23/32 (71.88%)
  AhnLab-V3: Win-Trojan/Xema.variant
  AntiVir: TR/Click.Delf.LP
  AVG: BackDoor.Delf.BJA
  CAT-QuickHeal: TrojanClicker.Delf.lp
  DrWeb: Trojan.Click.5027
  eSafe: Win32.Delf.lp
  Ewido: Hijacker.Delf.lp
  F-Prot: W32/Trojan2.AEGV
  F-Secure: Trojan-Clicker.Win32.Delf.lp
  FileAdvisor: High threat detected
  Fortinet: Adware/Delf
  Ikarus: Trojan-Clicker.Win32.Delf.lp
  Kaspersky: Trojan-Clicker.Win32.Delf.lp
  McAfee: AdClicker-FU
  Norman: W32/Delf.BLEM
  Panda: Suspicious file
  Prevx1: TROJAN.CLICKER.DELF.FJ
  Rising: Trojan.Win32.Undef.apz
  Sophos: Mal/Generic-A
  Symantec: Trojan Horse
  TheHacker: Trojan/Clicker.Delf.lp
  VBA32: Trojan-Downloader.Win32.Small.iul
  Webwasher-Gateway: Trojan.Click.Delf.LP

File Info:

PE Header
  Signature: 00004550
  Machine: 014C - Intel 386
  Number of sections: 0003
  Time/Date stamp: 2A425E19
  Pointer to symbol table: 00000000
  Number of symbols: 00000000
  Size of optional header: 00E0
  Characteristics: 818F
  Magic: 010B
  Linker version (major): 02
  Linker version (minor): 19
  Size of code: 0002F000
  Size of initialized data: 00002000
  Size of uninitialized data: 00054000
  Address of entry point: 00083C70
  Base of code: 00055000
  Base of data: 00084000
  Image base: 00400000
  Section alignment: 00001000
  File alignment: 00000200
  OS version (major): 0004
  OS version (minor): 0000
  Image version (major): 0000
  Image version (minor): 0000
  Sub system version (major): 0004
  Sub system version (minor): 0000
  Win32 version: 00000000
  Size of image: 00086000
  Size of headers: 00001000
  Checksum: 00000000
  Sub system: 0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics: 0000
  Size of stack reserve: 00100000
  Size of stack commit: 00004000
  Size of heap reserve: 00100000
  Size of heap commit: 00001000
  Loader flags: 00000000
  Number of RVA: 00000010

PE Sections
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  UPX0     00054000  00001000  00000000  00000400  E0000080
  UPX1     0002F000  00055000  0002F000  00000400  E0000040
  .rsrc    00002000  00084000  00001200  0002F400  C0000040

Import table (libraries: 10)
  KERNEL32.DLL (imports: 3) LoadLibraryA GetProcAddress ExitProcess
  advapi32.dll (imports: 1) RegFlushKey
  comctl32.dll (imports: 1) ImageList_Add
  gdi32.dll (imports: 1) SaveDC
  ole32.dll (imports: 1) OleDraw
  oleaut32.dll (imports: 1) VariantInit
  shell32.dll (imports: 1) SHGetMalloc
  URLMON.DLL (imports: 1) CoInternetCreateZoneManager
  user32.dll (imports: 1) GetDC
  version.dll (imports: 1) VerQueryValueA

Unpacking with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
    502784 <-    198144   39.41%    win32/pe     go.exe
  Unpacked 1 file.

File Info:
File Name: go.exe
File size: 502784 bytes <-- Unpacked with UPX
MD5: d2b029eb2fa497fe3d85a270173d12be
SHA1: 6f7c70dfbc9add138eb35b196f6b4175051b3e24
PEiD: BobSoft Mini Delphi -> BoB / BobSoft

VirusTotal Result: 10/31 (32.26%)
  AntiVir: HEUR/Malware
  DrWeb: Trojan.Click.5027
  Ewido: Hijacker.Delf.lp
  F-Prot: W32/Trojan2.AEGV
  F-Secure: Trojan-Clicker.Win32.Delf.lp
  Kaspersky: Trojan-Clicker.Win32.Delf.lp
  McAfee: AdClicker-FU
  Panda: Suspicious file
  VBA32: Trojan-Downloader.Win32.Small.iul
  Webwasher-Gateway: Heuristic.Malware

Process info:
  Process ID 1784
  File Name: C:\go.exe
  File Size: 198144 bytes <--Packed with UPX
  MD5: 0394118e08995f5e87c703926c77f37b
  Start Reason: Analysis of the Target binary

COM:
  COM Create Instance: C:\WINDOWS\System32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
  COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
  COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

File System Activities:
  Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
  Open File: C:\WINDOWS\System32\shdocvw.dll (OPEN_EXISTING)
  Find File: c:\z_Drivers\svchost.exe
  Copy File: C:\file.exe to c:\z_Drivers\svchost.exe
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
  Open File: c:\autoexec.bat (OPEN_EXISTING)
  Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
  Find File: C:\WINDOWS\System32\Ras\*.pbk
  Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
  Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\file.exe Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
  Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)

Read INI File:
  C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] Owner =
  C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
  C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
  C:\Documents and Settings\Administrator\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
  C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
  C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutexes:
  Creates Mutex: RasPbFile
  Opens Mutex: WininetStartupMutex

Registry Changes:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DriverLoad" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DriverCheck" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemDriverLoad" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemDriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "FDriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ADriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CDriver" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DDriver" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "alpha" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "beta" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gamma" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DriverLoad" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DriverCheck" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "SystemDriverLoad" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost1" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost2" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost3" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost4" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "SystemDriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "FDriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "ADriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "CDriver" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DDriver" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "alpha" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "beta" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "gamma" = c:\z_Drivers\svchost.exe

Registry Reads:
  HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\application ""
  HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\topic ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec ""
  HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec ""
  HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec ""
  HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""

Process Management:
  Creates Process - Filename (C:\file.exe) CommandLine: () As User: () Creation Flags: ()
  Kill Process - Filename () CommandLine: () Target PID: (1784) As User: () Creation Flags: ()

Service Management:
  Open Service Manager - Name: "SCM"

System Info:
  Get System Directory
  Get Computer Name
  Get System Time

User Management:
  Impersonate User - Domain: () User: (Administrator)
  Get User Name

Window:
  Find Window - Class Name (MS_AutodialMonitor) Window Name ()
  Find Window - Class Name (MS_WebcheckMonitor) Window Name ()
  Enum Windows: Destroy Window - Class Name (Shell DocObject View) Window Name ()

Network Activity:
  DNS Lookup: Host Name IP Address 2005-search.com 85.255.117.212 cjtracer.com cjtracer.com new-2005-search.com 216.255.178.219
  Download URLs:
  hxxp://85.255.117.212/go/go.php (2005-search.com)
  Outgoing connection to remote server: 2005-search.com TCP port 80
  Outgoing connection to remote server: new-2005-search.com TCP port 80

Process info:
  Process ID 1784
  File Name: C:\go.exe
  File Size: 198144 bytes <--Packed with UPX
  MD5: 0394118e08995f5e87c703926c77f37b
  Start Reason: CreateProcess function call

COM:
  COM Create Instance: C:\WINDOWS\System32\shdocvw.dll, ProgID: (Shell.Explorer.2), Interface ID: ({00000112-0000-0000-C000-000000000046})
  COM Create Instance: C:\WINDOWS\system32\urlmon.dll, ProgID: (), Interface ID: ({79EAC9EE-BAF9-11CE-8C82-00AA004BA90B})
  COM Create Instance: C:\WINDOWS\System32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
  COM Create Instance: %SystemRoot%\System32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
  COM Create Instance: C:\WINDOWS\System32\mshtmled.dll, ProgID: (Trident.HTMLEditor.1), Interface ID: ({3050F7FA-98B5-11CF-BB82-00AA00BDCE0B})
  COM Create Instance: C:\WINDOWS\System32\jscript.dll, ProgID: (JScript), Interface ID: ({BB1A2AE1-A4F9-11CF-8F20-00805F2CD064})
  COM Create Instance: , ProgID: (), Interface ID: ({00000146-0000-0000-C000-000000000046})
  COM Create Instance: , ProgID: (), Interface ID: ({6C736DC1-AB0D-11D0-A2AD-00A0C90F27E8})
  COM Get Class Object: %SystemRoot%\System32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

File System Activities:
  Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
  Open File: C:\WINDOWS\System32\shdocvw.dll (OPEN_EXISTING)
  Find File: c:\z_Drivers\svchost.exe
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
  Open File: c:\autoexec.bat (OPEN_EXISTING)
  Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
  Find File: C:\WINDOWS\System32\Ras\*.pbk
  Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Get File Attributes: C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
  Get File Attributes: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer Flags: (SECURITY_ANONYMOUS)
  Create/Open File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT (OPEN_ALWAYS)

Read INI File:
  WIN.INI [windows] DragScrollInset =
  WIN.INI [windows] DragScrollDelay =
  WIN.INI [windows] DragDelay =
  WIN.INI [windows] DragScrollInterval =
  C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
  C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Mutexes:
  Creates Mutex: RasPbFile
  Creates Mutex: CTF.LBES.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
  Creates Mutex: CTF.Compart.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
  Creates Mutex: CTF.Asm.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
  Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
  Creates Mutex: CTF.TMD.MutexDefaultS-1-5-21-1614895754-1303643608-682003330-500
  Creates Mutex: _!SHMSFTHISTORY!_
  Creates Mutex: MSIMGSIZECacheMutex
  Opens Mutex: WininetStartupMutex
  Opens Mutex: _!SHMSFTHISTORY!_

Registry Changes:
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform "" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DriverLoad" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DriverCheck" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemDriverLoad" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SystemDriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "FDriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ADriver" =
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CDriver" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "DDriver" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "alpha" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "beta" = c:\z_Drivers\svchost.exe
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gamma" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DriverLoad" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DriverCheck" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "SystemDriverLoad" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost1" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost2" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost3" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "Winhost4" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "SystemDriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "FDriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "ADriver" =
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "CDriver" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "DDriver" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "alpha" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "beta" = c:\z_Drivers\svchost.exe
  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run "gamma" = c:\z_Drivers\svchost.exe

Registry Reads:
  HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\application ""
  HKEY_CLASSES_ROOT\htmlfile\shell\open\ddeexec\topic ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\application ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec\topic ""
  HKEY_CLASSES_ROOT\Folder\shell\open\ddeexec ""
  HKEY_CLASSES_ROOT\Folder\shell\explore\ddeexec ""
  HKEY_CLASSES_ROOT\Directory\shell\find\ddeexec ""
  HKEY_CLASSES_ROOT\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0 "win32"
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\InProcServer32 ""
  _HKEY(1940)_ "NumShape"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
  HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
  HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""
  HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 "COM+Enabled"

Registry Enums:
  HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP

Process Management:
  Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1424)

Service Management:
  Open Service Manager - Name: "SCM"

System Info:
  Get System Directory
  Get Computer Name
  Get System Time

User Management:
  Impersonate User - Domain: () User: (Administrator)
  Impersonate User - Domain: () User: (Administrator)
  Get User Name

Window:
  Find Window - Class Name (MS_AutodialMonitor) Window Name ()
  Find Window - Class Name (MS_WebcheckMonitor) Window Name ()
  Enum Windows: Destroy Window - Class Name (Shell DocObject View) Window Name ()

Network Activities:
  DNS Lookup: Host Name IP Address 2005-search.com 85.255.117.212 cjtracer.com cjtracer.com new-2005-search.com 216.255.178.219 cjtracer.com cjtracer.com cjtracer.com cjtracer.com picsteen.org 216.255.185.174 cjtracer.com cjtracer.com cjtracer.com teenslagune.com 67.19.104.108 cjtracer.com cjtracer.com cjtracer.com cjtracer.com
  Download URLs:
  hxxp://85.255.117.212/go/go.php (2005-search.com)
  hxxp://216.255.178.219/27_11/picsteen.org.html (new-2005-search.com)
  hxxp://216.255.185.174/ (picsteen.org)
  hxxp://216.255.185.174/z.php?id1=279 (picsteen.org)
  hxxp://67.19.104.108/ (teenslagune.com)
  hxxp://67.19.104.108/images/table_02.gif (teenslagune.com)
  hxxp://67.19.104.108/images/an.jpg (teenslagune.com)
  hxxp://67.19.104.108/pillstitle.gif (teenslagune.com)
  hxxp://67.19.104.108/images/index_03.jpg (teenslagune.com)
  hxxp://67.19.104.108/images/table_03.gif (teenslagune.com)
  hxxp://67.19.104.108/images/bottom_02.gif (teenslagune.com)
  hxxp://67.19.104.108/images/bottom_03.gif (teenslagune.com)
  hxxp://67.19.104.108/images/bg.jpg (teenslagune.com)
  hxxp://67.19.104.108/images/teens.gif (teenslagune.com)
  hxxp://67.19.104.108/images/bg1.jpg (teenslagune.com)
  hxxp://67.19.104.108/images/bottom_01.gif (teenslagune.com)
  hxxp://67.19.104.108/barbg.gif (teenslagune.com)
  hxxp://67.19.104.108/images/index_01.jpg (teenslagune.com)
  hxxp://67.19.104.108/images/table_01.gif (teenslagune.com)
  hxxp://67.19.104.108/alt="Click" (teenslagune.com)
  hxxp://67.19.104.108/cgi-bin/tm3/l?c=.alt=\"Click\" (teenslagune.com)
  Outgoing connection to remote server: 2005-search.com TCP port 80
  Outgoing connection to remote server: new-2005-search.com TCP port 80
  Outgoing connection to remote server: picsteen.org TCP port 80
  Outgoing connection to remote server: picsteen.org TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80
  Outgoing connection to remote server: teenslagune.com TCP port 80