Bibliothèque
Ma bibliothèque

+ Ajouter à la bibliothèque

Contacter-nous !
Support 24/24 | Rules regarding submitting

Nous téléphoner

0 825 300 230

Forum

Vos requêtes

  • Toutes : -
  • Non clôturées : -
  • Dernière : le -

Nous téléphoner

0 825 300 230

Profil

Win32.HLLM.Beagle

(TR/Rootkit.Gen, TROJ_BAGLE.MV, Rootkit.Bagle.D, Generic.dx, Trojan:WinNT/Bagle.gen, I-Worm/Bagle, I-Worm/Bagle.LS, Trojan-Downloader.Win32.Bagle, Generic.dh, Trojan-Downloader.Win32.Bagle.avs, IRC/BackDoor.SdBot3.XTX, W32/Bagle.bs.gen, TROJ_BAGLE.APF, Worm:Win32/Bagle.gen!encrypted, WORM_Bagle.GEN-1, WORM_BAGLE.APB, Trojan-Downloader.Win32.Bagle.eo, W32/Bagle, TROJ_BAGLE.BVC, Worm.Win32.Bagle.KD, Trojan-Proxy.Win32.Mitglieder.dz, Downloader.Generic2.YX, TROJ_BAGLE.AM, Downloader.Generic6.AKKW)

Added to the Dr.Web virus database: 2006-06-20

Virus description added:

Virus Type: Mass mailing worm

Affected OS: Win95/98/Me/NT/2000/XP

Size: can be 69 842 byte, 85 508 byte

Packed by: PECRYPT

Technical Information

  • Spreads via e-mail. Attachment represents ZIP-archive, which is password protected for complicating its detection by antivirus programs. In order that careless user could extract archive contents, password is indicated in grafical file [random name].gif.
  • During its own startup registers itself in autorun section in registry.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "drv_st_key" = "%UserProfile%\Application Data\hidn\hidn1.exe"
  • Bans loading in SafeMode: deletes registry branch
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
  • During its first run shows "Error" picture.
  • Attachment name is chosen out of the following list:

    Elizabeth
    Elizabethe
    Anne
    Ann
    Anna
    Anne
    Annes
    Mary
    Marie
    Marye
    Margaret
    Margaret
    Margarett
    Margerie
    Margerye
    Margret
    Margrett
    Sara
    Dorothy
    Dorithie
    Dorothee
    Jane
    Katherine
    Katherine
    Katheryne
    Susanna
    Susanna
    Suzanna
    Francis
    Frances
    Fraunces
    Joane
    Judith
    Judeth
    Judith
    Judithe
    Alice
    Ales
    Alice
    Alyce
    Ellen
    Ellen
    Ellyn
    Grace
    Isabell
    Isabel
    Isabell
    Martha
    Susan
    Winifred
    Wynefreed
    Wynefrede
    Wynnefreede
    Avis
    Avis
    Avice
    Bennet
    Bennet
    Bennett
    Christian
    Christian
    Christean
    Constance
    Cybil
    Sybell
    Sybyll
    Ester
    Rebecka
    Rose
    Sidney
    Sindony
    Syndony
    John
    John
    Johen
    Thomas
    William
    Richard
    Richarde
    Richard
    Rycharde
    Robert
    Roberte
    Robert
    George
    Edward
    Edwarde
    Edward
    Nicholas
    Nicholas
    Nycholas
    Nicholaus
    James
    Jeames
    James
    Henry
    Henrie
    Henry
    Henrye
    Edmund
    Edmonde
    Edmond
    Edmund
    Harry
    Harrye
    Harry
    Anthony
    Anthonye
    Anthonie
    Roger
    Peter
    Nathaniel
    Nathaniell
    Nathaniel
    Nathanyell
    Stephen
    Jeffrey
    Jeffrye
    Geoffraie
    Francis
    Andrew
    Androw
    Androwe
    Valentyne
    Samuell
    Ralph
    Michael
    Michael
    Mychaell
    Leonard
    Leonard
    Leonarde
    Josias
    Humphrey
    Humphrey
    Humphrie
    Hughe
    Gabriell
    Emanual
    Emanuell
    Emanuel
    Daniel
    Daniel
    Danyell
  • Message body contains text:

    To the beloved
    I love you

  • Searches for addresses for its further spreading in the files with such extensions:
    .wab
    .txt
    .msg
    .htm
    .shtm
    .stm
    .xml
    .dbx
    .mbx
    .mdx
    .eml
    .nch
    .mmf
    .ods
    .cfg
    .asp
    .php
    .pl
    .wsh
    .adb
    .tbb
    .sht
    .xls
    .oft
    .uin
    .cgi
    .mht
    .dhtm
    .jsp
  • Contains rootkit-component (file m_hook.sys; size - 15 360 bytes) for hiding its processes, files and also registry branches. Creates folder hidn with attribute "Hidden" in C:\Documents and Settings\%USERPROFILE%\Application Data\, where locates its direct executable file and rootkit-component.
  • Worm doesn’t spread its own copies in case if address contains the following substrings:

    rating@
    f-secur
    news
    update
    anyone@
    bugs@
    contract@
    feste
    gold-certs@
    help@
    info@
    nobody@
    noone@
    kasp
    admin
    icrosoft
    support
    ntivi
    unix
    bsd
    linux
    listserv
    certific
    sopho
    @foo
    @iana
    free-av
    @messagelab
    winzip
    google
    winrar
    samples
    abuse
    panda
    cafee
    spam
    pgp
    @avp.
    noreply
    local
    root@
    postmaster@
  • Worm contains destructive functions: deletes processes, which belong to different computer security systems, and also stops services.

  • Processes which can be completed and, if possible, deleted from the disk:

    a2guard.exe
    aavshield.exe
    AckWin32.exe
    ADVCHK.EXE
    AhnSD.exe
    airdefense.exe
    ALERTSVC.EXE
    ALMon.exe
    ALOGSERV.EXE
    ALsvc.exe
    amon.exe
    Anti-Trojan.exe
    AntiVirScheduler
    AntiVirService
    ANTS.EXE
    APVXDWIN.EXE
    Armor2net.exe
    ashAvast.exe
    ashDisp.exe
    ashEnhcd.exe
    ashMaiSv.exe
    ashPopWz.exe
    ashServ.exe
    ashSimpl.exe
    ashSkPck.exe
    ashWebSv.exe
    aswUpdSv.exe
    ATCON.EXE
    ATUPDATER.EXE
    ATWATCH.EXE
    AUPDATE.EXE
    AUTODOWN.EXE
    AUTOTRACE.EXE
    AUTOUPDATE.EXE
    avciman.exe
    Avconsol.exe
    AVENGINE.EXE
    avgamsvr.exe
    avgcc.exe
    AVGCC32.EXE
    AVGCTRL.EXE
    avgemc.exe
    avgfwsrv.exe
    AVGNT.EXE
    avgntdd
    avgntmgr
    AVGSERV.EXE
    AVGUARD.EXE
    avgupsvc.exe
    avinitnt.exe
    AvkServ.exe
    AVKService.exe
    AVKWCtl.exe
    AVP.EXE
    AVP32.EXE
    avpcc.exe
    avpm.exe
    AVPUPD.EXE
    AVSCHED32.EXE
    avsynmgr.exe
    AVWUPD32.EXE
    AVWUPSRV.EXE
    AVXMONITOR9X.EXE
    AVXMONITORNT.EXE
    AVXQUAR.EXE
    BackWeb-4476822.exe
    bdmcon.exe
    bdnews.exe
    bdoesrv.exe
    bdss.exe
    bdsubmit.exe
    bdswitch.exe
    blackd.exe
    blackice.exe
    cafix.exe
    ccApp.exe
    ccEvtMgr.exe
    ccProxy.exe
    ccSetMgr.exe
    CFIAUDIT.EXE
    ClamTray.exe
    ClamWin.exe
    Claw95.exe
    Claw95cf.exe
    cleaner.exe
    cleaner3.exe
    CliSvc.exe
    CMGrdian.exe
    cpd.exe
    DefWatch.exe
    DOORS.EXE
    DrVirus.exe
    drwadins.exe
    drweb32w.exe
    drwebscd.exe
    DRWEBUPW.EXE
    ESCANH95.EXE
    ESCANHNT.EXE
    ewidoctrl.exe
    EzAntivirusRegistrationCheck.exe
    F-AGNT95.EXE
    F-PROT95.EXE
    F-Sched.exe
    F-StopW.EXE
    FAMEH32.EXE
    FAST.EXE
    FCH32.EXE
    FireSvc.exe
    FireTray.exe
    FIREWALL.EXE
    fpavupdm.exe
    freshclam.exe
    FRW.EXE
    fsav32.exe
    fsavgui.exe
    fsbwsys.exe
    fsdfwd.exe
    FSGK32.EXE
    fsgk32st.exe
    fsguiexe.exe
    FSM32.EXE
    FSMA32.EXE
    FSMB32.EXE
    fspex.exe
    fssm32.exe
    gcasDtServ.exe
    gcasServ.exe
    GIANTAntiSpywareMain.exe
    GIANTAntiSpywareUpdater.exe
    GUARD.EXE
    GUARDGUI.EXE
    GuardNT.exe
    HRegMon.exe
    Hrres.exe
    HSockPE.exe
    HUpdate.EXE
    iamapp.exe
    iamserv.exe
    ICLOAD95.EXE
    ICLOADNT.EXE
    ICMON.EXE
    ICSSUPPNT.EXE
    ICSUPP95.EXE
    ICSUPPNT.EXE
    IFACE.EXE
    INETUPD.EXE
    InocIT.exe
    InoRpc.exe
    InoRT.exe
    InoTask.exe
    InoUpTNG.exe
    IOMON98.EXE
    isafe.exe
    ISATRAY.EXE
    ISRV95.EXE
    ISSVC.exe
    JEDI.EXE
    KAV.exe
    kavmm.exe
    KAVPF.exe
    KavPFW.exe
    KAVStart.exe
    KAVSvc.exe
    KAVSvcUI.EXE
    KMailMon.EXE
    KPfwSvc.EXE
    KWatch.EXE
    livesrv.exe
    LOCKDOWN2000.EXE
    LogWatNT.exe
    lpfw.exe
    LUALL.EXE
    LUCOMSERVER.EXE
    Luupdate.exe
    MCAGENT.EXE
    mcmnhdlr.exe
    mcregwiz.exe
    Mcshield.exe
    MCUPDATE.EXE
    mcvsshld.exe
    MINILOG.EXE
    MONITOR.EXE
    MonSysNT.exe
    MOOLIVE.EXE
    MpEng.exe
    mpssvc.exe
    MSMPSVC.exe
    myAgtSvc.exe
    myagttry.exe
    navapsvc.exe
    NAVAPW32.EXE
    NavLu32.exe
    NAVW32.EXE
    NDD32.EXE
    NeoWatchLog.exe
    NeoWatchTray.exe
    NISSERV
    NISUM.EXE
    NMAIN.EXE
    nod32.exe
    nod32krn.exe
    nod32kui.exe
    NORMIST.EXE
    notstart.exe
    npavtray.exe
    NPFMNTOR.EXE
    npfmsg.exe
    NPROTECT.EXE
    NSCHED32.EXE
    NSMdtr.exe
    NssServ.exe
    NssTray.exe
    ntrtscan.exe
    NTXconfig.exe
    NUPGRADE.EXE
    NVC95.EXE
    Nvcod.exe
    Nvcte.exe
    Nvcut.exe
    NWService.exe
    OfcPfwSvc.exe
    OUTPOST.EXE
    PAV.EXE
    PavFires.exe
    PavFnSvr.exe
    Pavkre.exe
    PavProt.exe
    pavProxy.exe
    pavprsrv.exe
    pavsrv51.exe
    PAVSS.EXE
    pccguide.exe
    PCCIOMON.EXE
    pccntmon.exe
    PCCPFW.exe
    PcCtlCom.exe
    PCTAV.exe
    PERSFW.EXE
    pertsk.exe
    PERVAC.EXE
    PNMSRV.EXE
    POP3TRAP.EXE
    POPROXY.EXE
    prevsrv.exe
    PsImSvc.exe
    QHM32.EXE
    QHONLINE.EXE
    QHONSVC.EXE
    QHPF.EXE
    qhwscsvc.exe
    RavMon.exe
    RavTimer.exe
    Realmon.exe
    REALMON95.EXE
    Rescue.exe
    rfwmain.exe
    Rtvscan.exe
    RTVSCN95.EXE
    RuLaunch.exe
    SAVAdminService.exe
    SAVMain.exe
    savprogress.exe
    SAVScan.exe
    SCAN32.EXE
    ScanningProcess.exe
    sched.exe
    sdhelp.exe
    SERVIC~1.EXE
    SHSTAT.EXE
    SiteCli.exe
    smc.exe
    SNDSrvc.exe
    SPBBCSvc.exe
    SPHINX.EXE
    spiderml.exe
    spidernt.exe
    Spiderui.exe
    SpybotSD.exe
    SPYXX.EXE
    SS3EDIT.EXE
    stopsignav.exe
    swAgent.exe
    swdoctor.exe
    SWNETSUP.EXE
    symlcsvc.exe
    SymProxySvc.exe
    SymSPort.exe
    SymWSC.exe
    SYNMGR.EXE
    TAUMON.EXE
    TBMon.exe
    TC.EXE
    tca.exe
    TCM.EXE
    TDS-3.EXE
    TeaTimer.exe
    TFAK.EXE
    THAV.EXE
    THSM.EXE
    Tmas.exe
    tmlisten.exe
    Tmntsrv.exe
    TmPfw.exe
    tmproxy.exe
    TNBUtil.exe
    TRJSCAN.EXE
    Up2Date.exe
    UPDATE.EXE
    UpdaterUI.exe
    upgrepl.exe
    Vba32ECM.exe
    Vba32ifs.exe
    vba32ldr.exe
    Vba32PP3.exe
    VBSNTW.exe
    vchk.exe
    vcrmon.exe
    VetTray.exe
    VirusKeeper.exe
    VPTRAY.EXE
    vrfwsvc.exe
    VRMONNT.EXE
    vrmonsvc.exe
    vrrw32.exe
    VSECOMR.EXE
    Vshwin32.exe
    vsmon.exe
    vsserv.exe
    VsStat.exe
    WATCHDOG.EXE
    WebProxy.exe
    Webscanx.exe
    WEBTRAP.EXE
    WGFE95.EXE
    Winaw32.exe
    winroute.exe
    winss.exe
    winssnotify.exe
    WRADMIN.EXE
    WRCTRL.EXE
    xcommsvr.exe
    zatutor.exe
    ZAUINST.EXE
    zlclient.exe
    zonealarm.exe
    _AVP32.EXE
    _AVPCC.EXE
    _AVPM.EXE
  • Services, which are disabled by the worm:

    wuauserv
    Aavmker4
    ABVPN2K
    ADBLOCK.DLL
    ADFirewall
    AFWMCL
    Ahnlab
    task
    Scheduler
    alerter
    AlertManger
    AntiVir
    Service
    AntiyFirewall
    ARP.DLL
    aswMon2
    aswRdr
    aswTdi
    aswUpdSv
    Ati
    HotKey
    Poller avast!
    Antivirus avast!
    Mail Scanner avast!
    Web Scanner
    AVEService
    AVExch32Service
    AvFlt
    Avg7Alrt
    Avg7Core
    Avg7RsW
    Avg7RsXP
    Avg7UpdSvc
    AvgCore
    AvgFsh
    AVGFwSrv
    AvgFwSvr
    AvgServ
    AvgTdi
    AVIRAMailService
    AVIRAService
    avpcc
    AVUPDService
    AVWUpSrv
    AvxIni
    awhost32
    backweb
    client - 4476822
    BackWeb Client - 7681197
    backweb client-4476822
    Bdfndisf
    bdftdif
    bdss
    BlackICE
    BsFileSpy
    BsFirewall
    BsMailProxy
    CAISafe
    ccEvtMgr
    ccPwdSvc
    ccSetMgr
    ccSetMgr.exe
    CONTENT.DLL
    DefWatch
    DNSCACHE.DLL
    drwebnet
    dvpapi
    dvpinit
    ewido
    security
    suite
    control
    ewido
    security
    suite
    driver
    ewido
    security
    suite
    guard
    F-Prot
    Antivirus
    Update
    Monitor
    F-Secure
    Gatekeeper
    Handler
    Starter
    firewall
    fsbwsys
    FSDFWD
    FSFW
    FSMA
    FTPFILT.DLL
    FwcAgent
    fwdrv
    Guard NT
    HSnSFW
    HSnSPro
    HTMLFILT.DLL
    HTTPFILT.DLL
    IMAPFILT.DLL
    noRPC
    InoRT
    InoTask
    Ip6Fw
    Ip6FwHlp
    KAVMonitorService
    KAVSvc
    KLBLMain
    KPfwSvc
    KWatch3
    KWatchSvc
    MAILFILT.DLL
    McAfee Firewall
    McAfeeFramework
    McShield
    McTaskManager
    mcupdmgr.exe
    MCVSRte
    Microsoft NetWork FireWall Services
    MonSvcNT
    MpfService
    navapsvc
    Ndisuio
    NDIS_RD
    Network Associates Log Service
    nipsvc
    NISSERV
    NISUM
    NNTPFILT.DLL
    NOD32ControlCenter
    NOD32krn
    NOD32Service
    Norman
    NJeeves
    Norman
    Type-R
    Norman
    ZANDA
    Norton AntiVirus Server
    NPDriver
    NPFMntor
    NProtectService
    NSCTOP
    nvcoas
    NVCScheduler
    nwclntc
    nwclntd
    nwclnte
    nwclntf
    nwclntg
    nwclnth
    NWService
    OfcPfwSvc
    Outbreak
    Manager
    Outpost Firewall
    OutpostFirewall
    PASSRV
    PAVAGENTE
    PavAtScheduler
    PAVDRV
    PAVFIRES
    PAVFNSVR
    Pavkre
    PavProc
    PavProt
    PavPrSrv
    PavReport
    PAVSRV
    PCCPFW
    PCC_PFW
    PersFW
    Personal Firewall
    POP3FILT.DLL
    PREVSRV
    PROTECT.DLL
    PSIMSVC
    qhwscsvc
    wscsvc
    Quick Heal
    Online Protection
    ravmon8
    RfwService
    SAVFMSE
    SAVScan
    SBService
    schscnt
    SECRET.DLL
    SharedAccess
    SmcService
    SNDSrvc
    SPBBCSvc
    SpiderNT
    SweepNet
    SWEEPSRV.SYS
    Symantec AntiVirus
    Client Symantec
    Core LC
    The_Hacker_Antivirus
    Tmntsrv
    TmPfw
    tmproxy
    tmtdi
    tm_cfw T_H_S_M V3MonNT
    V3MonSvc
    Vba32ECM
    Vba32ifs
    Vba32Ldr
    Vba32PP3
    VBCompManService
    VexiraAntivirus
    VFILT
    VisNetic
    AntiVirus Plug-in
    vrfwsvc
    vsmon
    VSSERV
    WinAntivirus
    WinRoute
    wuauserv
    xcomm
    Empty
  • Worm blocks running regedt32.exe and regedit.exe utilities.
  • In order to check-out its modules updates, worm tries to conduct connection with web sites. The list of these web sites is stored in worm body.
  • hxxp://www.titanmotors.com/images/1/eml.php
    hxxp://veranmaisala.com/1/eml.php
    hxxp://wklight.nazwa.pl/1/eml.php
    hxxp://yongsan24.co.kr/1/eml.php
    hxxp://accesible.cl/1/eml.php
    hxxp://hotelesalba.com/1/eml.php
    hxxp://amdlady.com/1/eml.php
    hxxp://inca.dnetsolution.net/1/eml.php
    hxxp://www.auraura.com/1/eml.php
    hxxp://avataresgratis.com/1/eml.php
    hxxp://beyoglu.com.tr/1/eml.php
    hxxp://brandshock.com/1/eml.php
    hxxp://www.buydigital.co.kr/1/eml.php
    hxxp://camaramafra.sc.gov.br/1/eml.php
    hxxp://camposequipamentos.com.br/1/eml.php
    hxxp://cbradio.sos.pl/1/eml.php
    hxxp://c-d-c.com.au/1/eml.php
    hxxp://www.klanpl.com/1/eml.php
    hxxp://coparefrescos.stantonstreetgroup.com/1/eml.php
    hxxp://creainspire.com/1/eml.php
    hxxp://desenjoi.com.br/1/eml.php
    hxxp://www.inprofile.gr/1/eml.php
    hxxp://www.diem.cl/1/eml.php
    hxxp://www.discotecapuzzle.com/1/eml.php
    hxxp://ujscie.one.pl/777.gif
    hxxp://1point2.iae.nl/777.gif
    hxxp://appaloosa.no/777.gif
    hxxp://apromed.com/777.gif
    hxxp://arborfolia.com/777.gif
    hxxp://pawlacz.com/777.gif
    hxxp://areal-realt.ru/777.gif
    hxxp://bitel.ru/777.gif
    hxxp://yetii.no-ip.com/777.gif
    hxxp://art4u1.superhost.pl/777.gif
    hxxp://www.artbed.pl/777.gif
    hxxp://art-bizar.foxnet.pl/777.gif
    hxxp://www.jonogueira.com/777.gif
    hxxp://asdesign.cz/777.gif
    hxxp://ftp-dom.earthlink.net/777.gif
    hxxp://www.aureaorodeley.com/777.gif
    hxxp://www.autoekb.ru/777.gif
    hxxp://www.autovorota.ru/777.gif
    hxxp://avenue.ee/777.gif
    hxxp://www.avinpharma.ru/777.gif
    hxxp://ouarzazateservices.com/777.gif
    hxxp://stats-adf.altadis.com/777.gif
    hxxp://bartex-cit.com.pl/777.gif
    hxxp://bazarbekr.sk/777.gif
    hxxp://gnu.univ.gda.pl/777.gif
    hxxp://bid-usa.com/777.gif
    hxxp://biliskov.com/777.gif
    hxxp://biomedpel.cz/777.gif
    hxxp://blackbull.cz/777.gif
    hxxp://bohuminsko.cz/777.gif
    hxxp://bonsai-world.com.au/777.gif
    hxxp://bpsbillboards.com/777.gif
    hxxp://cadinformatics.com/777.gif
    hxxp://canecaecia.com/777.gif
    hxxp://www.castnetnultimedia.com/777.gif
    hxxp://compucel.com/777.gif
    hxxp://continentalcarbonindia.com/777.gif
    hxxp://ceramax.co.kr/777.gif
    hxxp://prime.gushi.org/777.gif
    hxxp://www.chapisteriadaniel.com/777.gif
    hxxp://charlesspaans.com/777.gif
    hxxp://chatsk.wz.cz/777.gif
    hxxp://www.chittychat.com/777.gif
    hxxp://checkalertusa.com/777.gif
    hxxp://cibernegocios.com.ar/777.gif
    hxxp://5050clothing.com/777.gif
    hxxp://cof666.shockonline.net/777.gif
    hxxp://comaxtechnologies.net/777.gif
    hxxp://concellodesandias.com/777.gif
    hxxp://www.cort.ru/777.gif
    hxxp://donchef.com/777.gif
    hxxp://www.crfj.com/777.gif
    hxxp://kremz.ru/777.gif
    hxxp://dev.jintek.com/777.gif
    hxxp://foxvcoin.com/777.gif
    hxxp://uwua132.org/777.gif
    hxxp://v-v-kopretiny.ic.cz/777.gif
    hxxp://erich-kaestner-schule-donaueschingen.de/777.gif
    hxxp://vanvakfi.com/777.gif
    hxxp://axelero.hu/777.gif
    hxxp://kisalfold.com/777.gif
    hxxp://vega-sps.com/777.gif
    hxxp://vidus.ru/777.gif
    hxxp://viralstrategies.com/777.gif
    hxxp://svatba.viskot.cz/777.gif
    hxxp://Vivamodelhobby.com/777.gif
    hxxp://vkinfotech.com/777.gif
    hxxp://vytukas.com/777.gif
    hxxp://waisenhaus-kenya.ch/777.gif
    hxxp://watsrisuphan.org/777.gif
    hxxp://www.ag.ohio-state.edu/777.gif
    hxxp://wbecanada.com/777.gif
    hxxp://calamarco.com/777.gif
    hxxp://vproinc.com/777.gif
    hxxp://grupdogus.de/777.gif
    hxxp://knickimbit.de/777.gif
    hxxp://dogoodesign.ch/777.gif
    hxxp://systemforex.de/777.gif
    hxxp://zebrachina.net/777.gif
    hxxp://www.walsch.de/777.gif
    hxxp://hotchillishop.de/777.gif
    hxxp://innovation.ojom.net/777.gif
    hxxp://massgroup.de/777.gif
    hxxp://web-comp.hu/777.gif
    hxxp://webfull.com/777.gif
    hxxp://welvo.com/777.gif
    hxxp://www.ag.ohio-state.edu/777.gif
    hxxp://poliklinika-vajnorska.sk/777.gif
    hxxp://wvpilots.org/777.gif
    hxxp://www.kersten.de/777.gif
    hxxp://www.kljbwadersloh.de/777.gif
    hxxp://www.voov.de/777.gif
    hxxp://www.wchat.cz/777.gif
    hxxp://www.wg-aufbau-bautzen.de/777.gif
    hxxp://www.wzhuate.com/777.gif
    hxxp://zsnabreznaknm.sk/777.gif
    hxxp://xotravel.ru/777.gif
    hxxp://ilikesimple.com/777.gif
    hxxp://yeniguntugla.com/777.gif