Analysis Date: 2015-02-02 01:15:46
MD5: 30f5f477129ed517181397637deef032
SHA1: 009d3efd6c184d11c7fbf8868b5040f161dac523

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 02b7a086ebe9c5230ee2086623528063 sha1: 9f970fa8172d550b592d99e9552f349bad8d666a size: 126976
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: 82d495291f760b8014974f300e138714 sha1: 9b0bf0731904185c289198fe2b1549f05e00b78c size: 45056
Timestamp: 2011-05-14 00:41:18
Version:
InternalName: U盘防火墙
FileVersion: 1.00.0003
CompanyName: 微软中国
ProductName: 工程1
ProductVersion: 1.00.0003
OriginalFilename: U盘防火墙.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 1006501b482455bdb54397bc1ca460cb07fe16b8
IMPhash: ca9393b41b719ab2a173cce7ccf554c9
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12609251
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.12609251
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.180224.62
AV BullGuard: Trojan.Generic.12609251
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.12609251
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Generic.12609251
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Rogue
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: Possible_Otorun8
AV VirusBlokAda (vba32): no_virus
(Only 9 of the 29 engines listed flag the sample, and most of those are generic verdicts; sparse detection at analysis time is not evidence that the file is benign, so weigh the runtime and string indicators below rather than the engine count.)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB87A.tmp

Network Details:


Raw Pcap

Strings
(Note: the \AutoRun.inf, open=/OPEN=, "USBKiller" and Startup-folder path strings below are removable-media autorun indicators, consistent with the Trend Micro Possible_Otorun8 verdict above; the __vba* imports and MSVBVM60.DLL confirm the Visual Basic 6 packer identification.)
B
..
..
080404B0
1.00.0003
22906
735246446
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\U
AtEndOfStream
\AutoRun.inf
AUTORUN.INF
\AutoRun.inf\prn\
\AutoRun.inf\prn\123..\
(C) 2011 
C:\Documents and Settings\
CompanyName
 Ctrl+X
Ctrl+X
 Ctrl+Z
Ctrl+Z
C:\Users\
.exe
}.exe
\...exe
FileVersion
InternalName
.lnk
open=
OPEN=
OriginalFilename
Path
ProductName
ProductVersion
ReadLine
Recycled
.scr
StringFileInfo
Translation
 USBKiller (
username
VarFileInfo
VS_VERSION_INFO
                            
                                                                                                    
 !"#$%&'()*+,
!"#$%&'()*+,-.
$%&'()*+
,-./012345
/0123456789:;<=>?@ABCD
0y&Gin|
2007:12:26 14:15:40
222222
^3%x8)
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
4?.~jy
}4~;m]
4=/PmJM
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
6[q,>^
'7GWgw
92http://ns.adobe.com/xap/1.0/
)9IYiy
[\]^_`aabcdefghijklm
:;<=>?@ABCDEFDGHIJKLMNOPQRS
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
Adobe_CM
Adobe Photoshop CS2 Windows
_allmul
altTagTEXT
autoGenerated
AUTORUN.INF
bgColorTypeenum
bottomOutsetlong
boundsObjc
Btomlong
cellTextIsHTMLbool
cellTextTEXT
Check1
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
Command1
Command10
Command11
Command12
Command13
Command2
Command3
Command4
Command5
Command7
Command8
Command9
 Ctrl+X
Ctrl+Z
         <dc:format>image/jpeg</dc:format>
default
dEU6te
DllFunctionCall
Drive1
D:\VB98\VB6.OLB
EFGHIJKLMNOPQRSTUVWXYZ
<Ejm)7oC
Es$FGs
ESliceBGColorType
ESliceHorzAlign
ESliceOrigin
ESliceType
ESliceVertAlign
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
         <exif:ColorSpace>-1</exif:ColorSpace>
         <exif:NativeDigest>36864,40960,40961,37121,37122,40962,40963,37510,40964,36867,36868,33434,33437,34850,34852,34855,34856,37377,37378,37379,37380,37381,37382,37383,37384,37385,37386,37396,41483,41484,41486,41487,41488,41492,41493,41495,41728,41729,41730,41985,41986,41987,41988,41989,41990,41991,41992,41993,41994,41995,41996,42016,0,2,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,20,22,23,24,25,26,27,28,30;A4EA05D487E0D3182C75FF794DCFB447</exif:NativeDigest>
         <exif:PixelXDimension>84</exif:PixelXDimension>
         <exif:PixelYDimension>84</exif:PixelYDimension>
Frame1
Frame2
Frame3
Fs0jGs
Fsl`Is
GetAsyncKeyState
gGsfLGsDRFsk
.Gjjc-7?
groupIDlong
hc G~r
hGsbrIs
hKm0RU
$Hm"g$
	horzAlignenum
HrCg@b	g(
Hs1hIsf
HssnGs
HstjGs
" id="W5M0MpCehiHzreSzNTczkc9d"?>
`Is*aHs
IstLGs"
j2j~>C
JAbY9Br>
}#jDh$
jGsEjGsZ]Fs
}#j(h$
}#j(h4
}#jLh$
JnPG.@
jPA{a,
}#jPh$
}#jTh$
*:JZjz
Label1
Label2
Leftlong
leftOutsetlong
LMNOPH	
?mmh|s
.mo-%h
MsgeTEXT
MSVBVM60.DLL
M^t^tP
}]M`^Zk
MzzzM]}
N0^^Mz^vwxn
nullTEXT
originenum
Photoshop 3.0
         <photoshop:ColorMode>3</photoshop:ColorMode>
         <photoshop:History/>
po+	KI
<QnBJQ
qqrrrrrsrrrrrqqdd
Rbc:NXb
      </rdf:Description>
      <rdf:Description rdf:about=""
   </rdf:RDF>
   <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
Rghtlong
rightOutsetlong
Ro{pp`YPcPPdNgNNNNNNNNNNNNffggPPhjjM^uZ}H
RORMy9
rstuvwxyz{|}~
SGISVVVVVVVVVVVVVVVVVVRA
#sk}{}
=sK	B.
sliceIDlong
slicesVlLs
t2!?+0
!This program cannot be run in DOS mode.
         <tiff:NativeDigest>256,257,258,259,262,274,277,284,530,531,282,283,296,301,318,319,529,532,306,270,271,272,305,315,33432;0807E458364692E9857FC171E54C047F</tiff:NativeDigest>
         <tiff:Orientation>1</tiff:Orientation>
         <tiff:ResolutionUnit>2</tiff:ResolutionUnit>
         <tiff:XResolution>960000/10000</tiff:XResolution>
         <tiff:YResolution>960000/10000</tiff:YResolution>
Timer1
Timer2
Top long
	topOutsetlong
TUVWXYZ[\]^_`abcdefghijklmnopq
Typeenum
urlTEXT
 USBKiller (
user32
uvwxyz{
VB5!6&vb6chs.dll
VBA6.DLL
__vbaAryDestruct
__vbaAryLock
__vbaAryUnlock
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaForEachCollAd
__vbaForEachCollObj
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2Var
__vbaI4Var
__vbaLateMemCallLd
__vbaLenBstr
__vbaNew2
__vbaNextEachCollAd
__vbaNextEachCollObj
__vbaObjSet
__vbaObjSetAddref
__vbaOnError
__vbaRedim
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrI2
__vbaStrMove
__vbaStrVarMove
__vbaStrVarVal
__vbaVarCat
__vbaVarCmpEq
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarOr
__vbaVarTstEq
__vbaVarTstNe
	vertAlignenum
v&uxN>
         <xap:CreateDate>2007-12-26T14:14:21+08:00</xap:CreateDate>
         <xap:CreatorTool>Adobe Photoshop CS2 Windows</xap:CreatorTool>
         <xap:MetadataDate>2007-12-26T14:15:40+08:00</xap:MetadataDate>
         <xapMM:DocumentID>adobe:docid:photoshop:90209bfc-6912-11dc-b7ab-b9284a62ce8a</xapMM:DocumentID>
         <xapMM:InstanceID>uuid:20D9EDDF79B3DC11A63EF930342B77B8</xapMM:InstanceID>
         <xap:ModifyDate>2007-12-26T14:15:40+08:00</xap:ModifyDate>
(X-HG~
            xmlns:dc="http://purl.org/dc/elements/1.1/">
            xmlns:exif="http://ns.adobe.com/exif/1.0/">
            xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
            xmlns:tiff="http://ns.adobe.com/tiff/1.0/">
            xmlns:xap="http://ns.adobe.com/xap/1.0/">
            xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/">
<?xpacket begin="
<?xpacket end="w"?>
</x:xmpmeta>
<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1.1-111">