Trojan-Downloader.JS.Agent.sg


This Trojan downloads other files via the Internet and launches them for execution on the victim machine. It is an HTML page containing VBScript and JavaScript. It is 677 bytes in size.

Payload

Once the Trojan is launched, it exploits a vulnerability in the ActiveX component with the class identifier (CLSID) shown below:

{A7F05EE4-0426-454F-8013-C41E3596E9E9}

The vulnerability (CVE-2007-4105) is in the "DloadDS()" method of the "BaiduBar.dll" library. The Trojan attempts to load a file via this vulnerability. The file is located on the remote server shown below:

http://www1.*****joy.com/S368/cabS3682.exe

The file will be saved to the current user's Windows temporary directory and launched for execution.

At the time of writing, the link was not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete all files from %Temporary Internet Files%.
  3. Disable the vulnerable ActiveX object (see How to stop an ActiveX control from running in Internet Explorer).
  4. Empty the temporary directory (%Temp%).

 

Trojan-Downloader.Win32.Braidupdate.c



Aliases
Trojan-Downloader.Win32.Braidupdate.c (Kaspersky Lab) is also known as: TrojanDownloader.Win32.Braidupdate.c (Kaspersky Lab), Trojan.Braid (Doctor Web), TROJ_BRAIDUPDT.C (Trend Micro), TR/Dldr.Braidupda.C (H+BEDV), Win32:Trojano-363 (ALWIL), Downloader.Braidupdate.C (Grisoft), Worm.WinUpToDate (ClamAV), Trj/Downloader.PO (Panda), Win32/TrojanDownloader.Braidupdate.C (Eset)

This Trojan downloads another program via the Internet and launches it on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. It is 79360 bytes in size. It is written in C++.

Installation

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RunWindowsUpdate" = "<path to executable Trojan file> "

Payload

Once launched, the Trojan creates the following system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
"Gid" = "026133246127060045718030656336"

It then sends the following request:

http://www.uptodate.browse*****.com/perl/uptodate.pl?action=any&gid=026133246127060045718030656336&clientversion=1.0.7_ST&county=&cls=&isof=00

A parameter in the request shown above (clientversion) transmits the version of the Trojan that is currently running. If no newer version of the Trojan is available, the server replies "<OK>". If a more recent version is available, the server sends a link to the file containing the new version. The Trojan downloads the updated version of itself and saves it to the temporary directory under the following name:

%Temp%\_ps_inst.exe

The file is then launched for execution.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  2. Delete the following system registry keys:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\RunWindowsUpdate]
    "Gid" = "026133246127060045718030656336"
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RunWindowsUpdate" = "<path to executable Trojan file> "
  3. Empty the temporary directory (%Temp%).

Trojan-Downloader.Win32.Agent.nmi


This Trojan downloads another program via the Internet and launches it on the victim machine without the user's knowledge or consent. It is a Windows PE EXE file. Samples range in size from 18 KB to 47 KB.

Payload

The Trojan contacts the following web site:

http://xanjan.cn/*****update.txt

This link points to a list of files to download.

The list is saved to the location shown below:

%Application Data%\update.dat

The links in the file are encrypted.

The Trojan then downloads files from the links and saves them as shown below:

%Application Data%\<rnd>.exe

<rnd> stands for a random string of digits and lower-case Latin letters, for example m2zpp.exe or 43m66m.exe.

Once the files have been downloaded, they are launched for execution, and then delete themselves. If the downloaded files are dll files, they will register themselves in the system and be launched for execution next time the system is started.

Once it has delivered its payload, the original Trojan deletes its body.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine) if it has not deleted itself.

Trojan-PSW.Win32.OnLineGames.lfi


This malicious program is a Trojan. It is a Windows PE EXE file. It is 123873 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\amvo.exe

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"amva" = "%System%\amvo.exe"

The Trojan also extracts the file shown below from its body:

%System%\amvo0.dll

This file is 44608 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.WOW.ahe.

The Trojan also extracts the file shown below from its body:

%Temp%\<random symbols>.dll

This file is 31713 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.mdl.

Payload

The Trojan loads the .dll file into all processes launched on the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
wow.exe

It sniffs traffic sent to the following addresses:

216.107.***.53
216.107.***.51
216.107.***.52

It does this in an attempt to harvest account data for the following games:

Maple Story
World of Warcraft

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

<X>:\n1deiect.com

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the following file:
    %System%\amvo.exe
  2. Reboot the computer.
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "amva" = "%System%\amvo.exe"
  5. Restore the original values of the following system registry keys (the Trojan sets them as shown):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    "ShowSuperHidden" = "0"
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "0x91"
  6. Delete the following file:
    %System%\amvo0.dll
  7. Empty the temporary directory (%Temp%).
  8. Delete the files shown below from all removable disks:
    <X>:\n1deiect.com
    <X>:\autorun.inf

    <X> stands for the letter of the removable disk.

 

Trojan-PSW.Win32.OnLineGames.sxa


This malicious program is a Trojan. It is a Windows PE EXE file. It is 118103 bytes in size.

Installation

The Trojan copies its executable file to the Windows system directory:

%System%\kavo.exe

In order to ensure that the Trojan is launched automatically each time the system is restarted, the Trojan registers its executable file in the system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kava" = "%System%\kavo.exe"

The Trojan also extracts the file shown below from its body:

%System%\kavo0.dll

This file is 114176 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.szc.

The Trojan also extracts the file shown below from its body:

%Temp%\<random symbols>.dll

This file is 29815 bytes in size. It will be detected by Kaspersky Anti-Virus as Trojan-GameThief.Win32.OnLineGames.stcw.

Payload

The Trojan loads the .dll file to all processes launched in the system.

The Trojan intercepts mouse and keyboard events if any of the processes below have been launched:

maplestory.exe
dekaron.exe
gc.exe
RagFree.exe
Ragexe.exe
ybclient.exe
wsm.exe
sro_client.exe
so3d.exe
ge.exe
elementclient.exe

It sniffs traffic sent to the following addresses:

61.220.60.***
61.220.62.***
61.220.56.***
61.220.62.***
203.69.46.***
220.130.113.***

It does this in an attempt to harvest account data for the following games:

ZhengTu
Wanmi Shijie or Perfect World
Dekaron Siwan Mojie
HuangYi Online
Rexue Jianghu
ROHAN
Seal Online
Maple Story
R2 (Reign of Revolution)
Talesweaver

and some other games. The Trojan also analyses the configuration files of the games above and attempts to harvest information about gamers' accounts on the web server.

Harvested data is sent to the remote malicious user's site.

The Trojan also modifies the following system registry key parameter values:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden" = "2"
"ShowSuperHidden" = "0"
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun" = "0x91"

The Trojan also attempts to terminate the following processes:

KAV
RAV
AVP
KAVSVC

The Trojan also has worm functionality, making it able to propagate via removable storage media. The Trojan copies its executable file to the root of each drive as follows:

<X>:\n6j.com

<X> indicates the relevant disk.

In addition to its executable file, the Trojan also places the file shown below in the root directory of every disk:

<X>:\autorun.inf

This file will launch the Trojan executable file each time the user opens the infected disk using Explorer.
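
As an added example, not part of the Kaspersky descriptions above, the following Python script parses a Windows registry export in .reg format and flags the values listed for OnLineGames.lfi and .sxa (the Folder Options and AutoRun policy changes, plus a Run entry launching the %System% copy), and decodes a NoDriveTypeAutoRun mask to show on which drive types AutoRun remains enabled. The .reg text is constructed; the bit meanings follow the GetDriveType() classes the mask is defined over.

```python
"""Flag the registry changes the page lists for Trojan-PSW.Win32.OnLineGames
.lfi/.sxa in a .reg export.  Added example; the export below is constructed."""
import re

# Constructed sample of a `reg export` from a host carrying the listed values
# (regedit escapes backslashes inside string data as "\\").
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kava"="C:\\WINDOWS\\system32\\kavo.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key_path: {value_name: value}}; keys and names are lower-cased
    (the registry is case-insensitive), DWORDs become int, strings unescaped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].lower().partition("\\")
            current = HIVES.get(hive, hive) + "\\" + rest
            reg[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # header, blank line or a data form not modelled here
        name, data = _unescape(m.group(1)).lower(), m.group(2)
        if data.startswith("dword:"):
            reg[current][name] = int(data[6:], 16)
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            reg[current][name] = _unescape(data[1:-1])
    return reg

# (key, value name, value the Trojan writes, effect on the host)
TROJAN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL",
     "CheckedValue", 0, "Folder Options 'Show hidden files' no longer takes effect (normally 1)"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 2, "Explorer set to hide hidden files"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", 0, "Explorer set to hide protected operating system files"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 0x91, "AutoRun left enabled on removable drives"),
]
DROPPER_NAMES = {"amvo.exe", "kavo.exe"}  # the %System% copies named on the page

# NoDriveTypeAutoRun is a bitmask over GetDriveType() classes: a SET bit
# disables AutoRun for that class, a CLEAR bit leaves it enabled.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x02: "no root directory", 0x04: "removable",
                   0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
                   0x40: "RAM disk", 0x80: "unknown (reserved)"}

def decode_autorun_mask(mask):
    """Drive types on which AutoRun stays enabled under this mask (0xFF: none)."""
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)

def check_indicators(reg):
    """Return (key, name, observed, note) for each value that matches what the
    Trojan writes, plus any Run entry launching one of its %System% copies."""
    findings = []
    for key, name, bad, note in TROJAN_VALUES:
        if reg.get(key.lower(), {}).get(name.lower()) == bad:
            findings.append((key, name, bad, note))
    for key, values in reg.items():
        if key.endswith(r"\currentversion\run"):
            for name, data in values.items():
                if isinstance(data, str) and data.lower().rsplit("\\", 1)[-1] in DROPPER_NAMES:
                    findings.append((key, name, data, "Run entry launches the Trojan's %System% copy"))
    return findings

if __name__ == "__main__":
    for key, name, observed, note in check_indicators(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name} = {observed!r}: {note}")
    print("AutoRun still enabled on:", decode_autorun_mask(0x91))
```

Setting NoDriveTypeAutoRun to 0xFF disables AutoRun for every drive type, which is the hardening counterpart to the 0x91 the Trojan writes.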

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Delete the following file:
    %System%\kavo.exe
  2. Reboot the computer.
  3. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  4. Delete the following system registry key parameter:
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "kava" = "%System%\kavo.exe"
  5. Restore the original values of the following system registry keys (the Trojan sets them as shown):
    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
    "CheckedValue" = "0"
    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    "Hidden" = "2"
    "ShowSuperHidden" = "0"
    [HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveTypeAutoRun" = "0x91"
  6. Delete the following file:
    %System%\kavo0.dll
  7. Empty the temporary directory (%Temp%).
  8. Delete the files shown below from all removable disks:
    <X>:\n6j.com
    <X>:\autorun.inf

    <X> stands for the letter of the removable disk.

 

Trojan-Downloader.JS.Small.fi


This Trojan downloads other files via the Internet and launches them for execution on the victim machine. The program is an HTML page containing JavaScript. It is 1432 bytes in size.

Payload

The Trojan downloads a file from the URL shown below by exploiting a vulnerability (CVE-2006-1359) in the processing of "createTextRange" in Microsoft Internet Explorer:

http://195.62.***.21/a.exe

The Trojan saves this file to its working directory as shown below:

%WorkDir%\a.exe

The downloaded file will then be launched for execution.

At the time of writing, the link was not active.

Removal instructions

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Use Task Manager to terminate the process shown below:
    a.exe
  2. Delete the original Trojan file (the location will depend on how the program originally penetrated the victim machine).
  3. Delete the following file:
    %WorkDir%\a.exe
  4. Delete all files from %Temporary Internet Files%.
  5. Install the latest patches for Microsoft Internet Explorer.
  6. Update your antivirus databases and perform a full scan of the computer.

Bofra.A / MyDoom variant



Exploits SHDOCVW.DLL flaw

Note: Some vendors are referring to the Bofra worm as a variant of MyDoom, though even then there is disagreement as to which variant they claim it is. For example, Symantec (who also calls the widely known Bagle worm the Beagle worm) initially dubbed the Bofra worm MyDoom.AH and later changed the name to MyDoom.AI. Bofra.A is a mass-mailing email worm that arrives without an attachment and infects when the user clicks on an enticing link contained in the Bofra worm's message. The email link claims to point to an adult video or webcam photos.

Specifically, Bofra.A exploits a vulnerability in certain versions of SHDOCVW.DLL, a Windows operating system file that renders the IFRAME, FRAME, and EMBED HTML tags.

The vulnerable versions of SHDOCVW.DLL are found on Windows XP (SP1 and below) and Windows 2000 systems. Windows XP SP2 is not affected.

The vulnerability was first discovered on October 23, 2004 with first public release of exploit code on November 1, 2004. Bofra.A was discovered on November 8, 2004.

The From address in the email is spoofed and portions of the header may also be forged. The Subject line of the email will be one of the following:

    funny photos :)
    hello
    hey!
    (blank)
    (random characters)

The Message Body varies and may be either of the following:

The links point to a webpage on the infected host (via TCP port 1639) that exploits the SHDOCVW.DLL vulnerability and results in a buffer overflow condition in Internet Explorer. This allows shell code to execute, causing the local machine to download and execute the malicious file, thus becoming another infected host (and making the download site a perpetually moving target).

The Bofra worm searches the newly infected system for email addresses, sending the email to those found, thus repeating the process.

A second variant of the worm masquerades as a PayPal notice, claiming that PayPal has charged $175 to your account and providing a link to find 'details'. Of course, clicking the link infects the recipient's computer.

Storm Worm


Also known as: Trojan-Downloader.Win32.Small.dam, Trojan.Downloader-647, Trojan.DL.Tibs.Gen!Pac13, Email-Worm.Win32.Zhelatin.a (Kaspersky), Downloader-BAI (McAfee), Troj/Dorf-Fam (Sophos), Trojan.Peacomm (Symantec), TROJ_SMALL.EDW (Trend Micro), Win32/Nuwar.N@MM (Microsoft).

Type: Email worm, Trojan, Downloader
Discovered: January 19, 2007
Method of Propagation: The Storm worm spreads via email, using a variety of subject lines and message text that may masquerade as news articles or other current events. For example, the subject line of a Storm email may be one of the following:

A killer at 11, he's free at 21 and kill again!
U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
British Muslims Genocide
Naked teens attack home director.
230 dead as storm batters Europe.
Radical Muslim drinking enemies's blood.
Chinese missile shot down Russian satellite
Saddam Hussein alive!
Venezuelan leader: "Let's the War beginning".
Fidel Castro dead.

The attachment carried by the Storm worm may be named one of the following:

FullVideo.exe
Full Story.exe
Video.exe
Read More.exe
FullClip.exe
GreetingPostcard.exe
MoreHere.exe
FlashPostcard.exe
GreetingCard.exe
ClickHere.exe
ReadMore.exe
FlashPostcard.exe
FullNews.exe

Symptoms of Infection:

Note: There are dozens of variants of the Storm worm. The following technical details may not apply to each of them. To determine whether a Storm worm infection is present, scan your systems with up-to-date antivirus software.

System Impact:
The Storm email worm may drop the file 'wincom32.exe' into the Windows system directory (typically C:\Windows\System under Windows 95/98/ME, C:\Winnt\System32 under Windows NT/2000, and C:\Windows\System32 under Windows XP).

The Storm worm loads the dropped wincom32.exe as a device driver by creating the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32

This device driver injects a module into the services.exe process, sets up a peer-to-peer file-sharing network among infected systems, and listens for commands on UDP ports 4000, 7871 and 11271.

The Storm worm then downloads files from various remote IP addresses and executes those files on the local system.

Removal Notes:
The Storm worm is rootkit enabled and may hide files and processes associated with it and other malware it downloads. To remove the worm and other installed malware, scan the system using up-to-date antivirus software.

Troj/Pushdo-Gen


Troj/Pushdo-Gen is a family of Trojans for the Windows platform.

When members of Troj/Pushdo-Gen are installed they drop and run a further file in memory, usually detected as Troj/Pushu-Gen or Mal/Basine-C. This may then drop further files, including some of the following:

<Windows>\system32\drivers\ip6fw.sys
<Windows>\system32\drivers\netdtect.sys
<System>\drivers\runtime.sys
<System>\drivers\secdrv.sys

These files are used to provide stealthing for the Trojan.

The dropped file in memory will also often attempt to inject further code into Internet Explorer.

W32/Netsky-P Worm


W32/Netsky-P is a mass-mailing worm which spreads by emailing itself to addresses harvested from files on the local drives.

The worm copies itself to the Windows folder as FVProtect.exe and adds the following registry entry to run itself whenever the user logs on to the computer:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Norton Antivirus AV = <Windows>\FVProtect.exe

The worm will also copy itself to various peer-to-peer shared folders as the following files:

1001 Sex and more.rtf.exe
3D Studio Max 6 3dsmax.exe
ACDSee 10.exe
Adobe Photoshop 10 crack.exe
Adobe Photoshop 10 full.exe
Adobe Premiere 10.exe
Ahead Nero 8.exe
Altkins Diet.doc.exe
American Idol.doc.exe
Arnold Schwarzenegger.jpg.exe
Best Matrix Screensaver new.scr
Britney sex xxx.jpg.exe
Britney Spears and Eminem porn.jpg.exe
Britney Spears blowjob.jpg.exe
Britney Spears cumshot.jpg.exe
Britney Spears fuck.jpg.exe
Britney Spears full album.mp3.exe
Britney Spears porn.jpg.exe
Britney Spears Sexy archive.doc.exe
Britney Spears Song text archive.doc.exe
Britney Spears.jpg.exe
Britney Spears.mp3.exe
Clone DVD 6.exe
Cloning.doc.exe
Cracks & Warez Archiv.exe
Dark Angels new.pif
Dictionary English 2004 - France.doc.exe
DivX 8.0 final.exe
Doom 3 release 2.exe
E-Book Archive2.rtf.exe
Eminem blowjob.jpg.exe
Eminem full album.mp3.exe
Eminem Poster.jpg.exe
Eminem sex xxx.jpg.exe
Eminem Sexy archive.doc.exe
Eminem Song text archive.doc.exe
Eminem Spears porn.jpg.exe
Eminem.mp3.exe
Full album all.mp3.pif
Gimp 1.8 Full with Key.exe
Harry Potter 1-6 book.txt.exe
Harry Potter 5.mpg.exe
Harry Potter all e.book.doc.exe
Harry Potter e book.doc.exe
Harry Potter game.exe
Harry Potter.doc.exe
How to hack new.doc.exe
Internet Explorer 9 setup.exe
Kazaa Lite 4.0 new.exe
Kazaa new.exe
Keygen 4 all new.exe
Learn Programming 2004.doc.exe
Lightwave 9 Update.exe
Magix Video Deluxe 5 beta.exe
Matrix.mpg.exe
Microsoft Office 2003 Crack best.exe
Microsoft WinXP Crack full.exe
MS Service Pack 6.exe
netsky source code.scr
Norton Antivirus 2005 beta.exe
Opera 11.exe
Partitionsmagic 10 beta.exe
Porno Screensaver britney.scr
RFC compilation.doc.exe
Ringtones.doc.exe
Ringtones.mp3.exe
Saddam Hussein.jpg.exe
Screensaver2.scr
Serials edition.txt.exe
Smashing the stack full.rtf.exe
Star Office 9.exe
Teen Porn 15.jpg.pif
The Sims 4 beta.exe
Ulead Keygen 2004.exe
Visual Studio Net Crack all.exe
Win Longhorn re.exe
WinAmp 13 full.exe
Windows 2000 Sourcecode.doc.exe
Windows 2003 crack.exe
Windows XP crack.exe
WinXP eBook newest.doc.exe
XXX hardcore pics.jpg.exe

W32/Netsky-P harvests email addresses from files with the following extensions:
PL, HTM, HTML, EML, TXT, PHP, ASP, VBS, RTF, UIN, SHTM, CGI, DHTM, ADB, TBB, DBX, SHT, OFT, MSG, JSP, WSH, XML.

The worm has a trigger date of 24 March 2004, at which time it will attempt to mass mail.

Emails have the following characteristics (not all variations are listed):

Subject lines: constructed from the following groups of strings -

Re: Re:
Re: Encrypted Mail
Re: Extended Mail
Re: Status
Re: Notify
Re: SMTP Server
Re: Mail Server
Re: Delivery Server
Re: Bad Request
Re: Failure
Re: Thank you for delivery
Re: Test
Re: Administration
Re: Message Error
Re: Error
Re: Extended Mail System
Re: Secure SMTP Message
Re: Protected Mail Request
Re: Protected Mail System
Re: Protected Mail Delivery
Re: Secure delivery
Re: Delivery Protection
Re: Mail Authentification

Message texts: chosen from -

Please confirm my request.
ESMTP [Secure Mail System #334]: Secure message is attached.
Partial message is available.
Waiting for a Response. Please read the attachment.
First part of the secure mail is available.
For more details see the attachment.
For further details see the attachment.
Your requested mail has been attached.
Protected Mail System Test.
Secure Mail System Beta Test.
Forwarded message is available.
Delivered message is attached.
Encrypted message is available.
Please read the attachment to get the message.
Follow the instructions to read the message.
Please authenticate the secure message.
Protected message is attached.
Waiting for authentification.
Protected message is available.
Bad Gateway: The message has been attached.
SMTP: Please confirm the attached message.
You got a new message.
Now a new message is available.
New message is available.
You have received an extended message. Please read the instructions.

Attachment description: chosen from -

Your details.
Your document.
I have received your document. The corrected document is attached.
I have attached your document.
Your document is attached to this mail.
Authentication required.
Requested file.
See the file.
Please read the important document.
Please confirm the document.
Your file is attached.
Please read the document.
Your document is attached.
Please read the attached file!
Please see the attached file for details.

followed by -

<attached filename>:

+++ Attachment: No Virus found
+++ MessageLabs AntiVirus - www.messagelabs.com
+++ Attachment: No Virus found
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Attachment: No Virus found
+++ MC-Afee AntiVirus - www.mcafee.com
+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ Attachment: No Virus found
+++ Panda AntiVirus - www.pandasoftware.com
++++ Attachment: No Virus found
++++ Norman AntiVirus - www.norman.com
++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com
++++ Attachment: No Virus found
++++ Norton AntiVirus - www.symantec.de

Attached file:

<filename>_ <recipient_name>.<extension>

<filename> chosen from:

document_all
message
excel document
word document
screensaver
application
website
product
letter
information
details
document

<extension> chosen from:

EXE
SCR
PIF
ZIP

W32/Netsky-P attempts to delete registry entries which may be set by variants of the W32/Mydoom and W32/Bagle worms.

W32/Netsky-P also creates a number of TMP files in the Windows folder: base64.tmp, zip1.tmp, zip2.tmp, zip3.tmp, zipped.tmp.
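
As an added example, not part of the Sophos description above, the following Python routine checks one message against three of the traits listed for W32/Netsky-P: the subject strings, the forged "+++ Attachment: No Virus found" footer in the body, and the <filename>_<recipient_name>.<extension> attachment name. Both sample messages are constructed, and the two-trait threshold is an assumption chosen so that a shared subject line alone does not flag legitimate mail.

```python
"""Triage one e-mail against the W32/Netsky-P characteristics listed above:
subject strings, the forged scanner footer and the attachment naming scheme.
Added example; both messages below are constructed, not captured samples."""
import email
import re

# Subject strings from the description (the worm may combine them; an exact
# match against the list is the simplest useful check).
NETSKY_SUBJECTS = {s.lower() for s in (
    "Re: Re:", "Re: Encrypted Mail", "Re: Extended Mail", "Re: Status",
    "Re: Notify", "Re: SMTP Server", "Re: Mail Server", "Re: Delivery Server",
    "Re: Bad Request", "Re: Failure", "Re: Thank you for delivery", "Re: Test",
    "Re: Administration", "Re: Message Error", "Re: Error",
    "Re: Extended Mail System", "Re: Secure SMTP Message",
    "Re: Protected Mail Request", "Re: Protected Mail System",
    "Re: Protected Mail Delivery", "Re: Secure delivery",
    "Re: Delivery Protection", "Re: Mail Authentification")}
# Attached file: <filename>_<recipient_name>.<extension>, with the listed parts.
ATTACHMENT_RE = re.compile(
    r"^(document_all|message|excel document|word document|screensaver|application"
    r"|website|product|letter|information|details|document)_ ?[\w.-]+"
    r"\.(exe|scr|pif|zip)$", re.IGNORECASE)
# The fake "scanned clean" lines the worm appends to the body text.
FAKE_SCAN_RE = re.compile(r"^\+{3,4} Attachment: No Virus found\s*$", re.MULTILINE)

def triage(raw_message):
    """Return (suspicious, reasons) for one RFC 822 message; two or more
    independent Netsky-P traits are required before flagging it (assumption)."""
    msg = email.message_from_string(raw_message)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject.lower() in NETSKY_SUBJECTS:
        reasons.append(f"subject matches a Netsky-P string: {subject!r}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if ATTACHMENT_RE.match(filename):
                reasons.append(f"attachment named <filename>_<recipient>.<ext>: {filename!r}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", errors="replace")
            hits = len(FAKE_SCAN_RE.findall(body))
            if hits:
                reasons.append(f"{hits} forged '+++ Attachment: No Virus found' line(s) in body")
    return len(reasons) >= 2, reasons

# Constructed message assembled from the strings the description lists.
NETSKY_SAMPLE = """\
From: postmaster@example.net
To: alice@example.org
Subject: Re: Protected Mail Delivery
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Protected message is attached.

Please read the document.

document_alice.zip:

+++ Attachment: No Virus found
+++ Kaspersky AntiVirus - www.kaspersky.com

--b1
Content-Type: application/octet-stream; name="document_alice.zip"
Content-Disposition: attachment; filename="document_alice.zip"
Content-Transfer-Encoding: 7bit

(constructed attachment placeholder, not an archive)
--b1--
"""

# Constructed legitimate reply: one shared subject string alone is not enough.
CLEAN_SAMPLE = """\
From: bob@example.org
To: alice@example.org
Subject: Re: Status
Content-Type: text/plain; charset="us-ascii"

Hi Alice, the status report is in the shared folder.
"""

if __name__ == "__main__":
    for sample in (NETSKY_SAMPLE, CLEAN_SAMPLE):
        print(triage(sample))
```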
