Darkstar one iphlpapi dll

The first reports on the spread of this worm at around 12AM PST.

The worm carries a rather malicious payload – under certain conditions it deletes all files on the C drive and shuts down the system.

After the worm (contained in the infected e-mail attachment) is executed, it drops the following files:

Smtp.ocx – the COM component, necessary to mediate communication via SMTP,

It also creates a number of copies of itself, which are used to spread via Kazaa.

To provide activation, the worm registers its main component (explore.exe) into the Run key as follows:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\Explore"

And searches the files with the following extensions to find new addresses of the infected e-mails:

The e-mail Subject field is selected from an unusually large set of optional subjects (see below).

Examples of the e-mails are listed below:
(Note: the first line represents the e-mail subject)

"Try this great program allowing u to translate 100 languages."
"just write a passage in english and chose a language to get the traslation"
"one of my friends used it with his arabian gf and it worked successfully )"
"so, Now we can say ' Love Speaks it All ' :)"
"I SAW THEM N I WONDERED HOW U COULD DO SO ?"
"THANX BUT I DON'T ACCEPT SEX MATERIALS FROM STRANGERS."
"i tried many times to send u this email but ur account was out of storage as i think"
"any way, make sure that i didn't and i won't forget u :)"
"Cya Forgotten :P"
"you seem to be mad me coz i didn't send u anything for along time,"
"i didn't forget u, but i was busy, i've got all of ur emails"
"thanx :) and i hope u accept this one as an apology."
"if not, enjoy ur Eyes by Seeing it ) this one is deferent!"
"Hummm, It looks like something men can't live without"
"it really fits us, check it out carefully :)"
"Coz we Burn Our selves by watching ********** like the one i attached :P"
"Coz all we can do is to watch, nothing for us to touch :("
"having alil thing is better than nothing :P"
"coz i couldn't get the other part of it ,"
"i wish u like this email and plzz don't forget me :)"
"u don't know how much ur emails mean to me."
"it really deserves a few minutes of your time."
"i've got this surprise from a friend :)"
"i thing the subject is enough to describe the attached file !"
"check it out and replay your opinion"
"Cya"
"I've got your email, but you forgot to upload the attachments."
"Don't be selfish, i sent you all the files i have, send me anything :("
"If u are booooored."
"i found it in my Recycled, i know u love this kind of thing )"
"attachment :) bye"

Even e-mails masquerading as important notifications sent from an AV vendor:

Has recieved an infected message from you. We believe that you are infected with Win32/ Virus. Please download the attached tool (ToolAv01w32) which will help you to clean your PC.

The worm appears to seek (randomly) between the 20th and 25th of each month files with the following extensions: "*.jpg" "*.doc" "*.pps" "*.ram" "*.zip" (with certain probability).

Disguised by the names of these files, it copies itself into the “system” directory (using the .pif extension) and uses these files to spread via the Kazaa peer-to-peer network:

The value of the registry key "HKEY_CURRENT_USER\DeathTime" is initialized to value "1" (initially to "0", incremented to "1"). The value of this key is incremented by one after each execution (restart, in general), until it reaches the value of 30.

This value triggers the malicious payload - deletion of all the files (*.*) on the C: drive (including all the subdirectories).

The message-boxes with the following texts are displayed during the deletion process:

"These things Can't be Found as long as Bush & Jews Are aLive :)"

Finally, the malicious code shuts down the system using the following command:

"RunDll32.exe Shell32.dll,SHExitWindowsEx 0x01"

The faked “From:” address is acquired from the following registry keys:

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellFolders\Cache"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Default Mail Account"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\SMTP Email Address"
"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Default Mail Account"
"HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts\SMTP Email Address"

worm appears to attack the following website (and triggers the indicated actions):

"HKEY_CURRENT_USER\Software\Yahoo\Pager\Yahoo! User ID"
"System\CurrentControlSet\Services\VxD\MSTCP"
"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
"DHCPDomain"
"No DNS entries found, MX Query cannot contine."