Analysis Date: 2013-10-16 07:19:47
MD5: 1e6316c1b890e20cdf5d72eb1c3e3555
SHA1: 034df70ddc22a5c499298f636b7beef29f7811ce

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section .rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section .data md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: edc9507a5834301b3723881947c859dc sha1: e1a6f9d2f3a34d71049c75f6a96c15bbc81ae77d size: 16384
Timestamp: 2009-12-05 22:50:46
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 336a352e59d00358300f30da274c8fc7805d3935
AV avira: ADWARE/AdRotator.A.181
AV clamav: Trojan.Dropper.Agent-209
AV msse: Adware:Win32/AdRotator
AV avg: Win32/Heri

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝
revenuestreaming browser enhancer\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\AppDataLow\Software\{94C1BCC8-4F4A-D0BE-97F3-B67B231B005E}\aff_id ➝
revenuestreaming_4
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\xqlyeqdxyq\DisplayName ➝
Advanced Performance Platform Revenuestreaming.\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\Documents and Settings\Administrator\Local Settings\Temp\nsp4.tmp.dll"
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\System.dll
Creates File: C:\WINDOWS\system32\xqlyeqdxyq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsr2.tmp
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsp4.tmp.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsl1.tmp
Creates Process: "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: revenuestreaming.net

Process
↳ "C:\WINDOWS\system32\regsvr32.exe" /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"

Registry: HKEY_CLASSES_ROOT\CLSID\{30E7B485-2705-7529-3AA6-C604A4D8153C}\ ➝
revenuestreaming browser enhancer\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fwovtriaczyfxhx ➝
C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\tslgjhnnbbbqrsru.dll"
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{30E7B485-2705-7529-3AA6-C604A4D8153C}\NoExplorer ➝
1
Creates File: PIPE\lsarpc
Creates Mutex: Global\bannerrotator_startup

Network Details:

DNS: revenuestreaming.net
Type: A
64.74.223.44
HTTP GET: http://revenuestreaming.net/bc/nsi_install.php?inst_result=success&aff_id=revenuestreaming_4&id=7d2c1ab9d1cfe00d7254c93d819c053475c383b2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 64.74.223.44:80

Raw Pcap
0x00000000 (00000)   47455420 2f62632f 6e73695f 696e7374   GET /bc/nsi_inst
0x00000010 (00016)   616c6c2e 7068703f 696e7374 5f726573   all.php?inst_res
0x00000020 (00032)   756c743d 73756363 65737326 6166665f   ult=success&aff_
0x00000030 (00048)   69643d72 6576656e 75657374 7265616d   id=revenuestream
0x00000040 (00064)   696e675f 34266964 3d376432 63316162   ing_4&id=7d2c1ab
0x00000050 (00080)   39643163 66653030 64373235 34633933   9d1cfe00d7254c93
0x00000060 (00096)   64383139 63303533 34373563 33383362   d819c053475c383b
0x00000070 (00112)   32204854 54502f31 2e310d0a 41636365   2 HTTP/1.1..Acce
0x00000080 (00128)   70743a20 2a2f2a0d 0a416363 6570742d   pt: */*..Accept-
0x00000090 (00144)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x000000a0 (00160)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x000000b0 (00176)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x000000c0 (00192)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x000000d0 (00208)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000e0 (00224)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000f0 (00240)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x00000100 (00256)   0d0a486f 73743a20 72657665 6e756573   ..Host: revenues
0x00000110 (00272)   74726561 6d696e67 2e6e6574 0d0a436f   treaming.net..Co
0x00000120 (00288)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000130 (00304)   6c697665 0d0a0d0a                     live....


Strings
msctls_progress32
MS Shell Dlg
SysListView32
:'="::
*?|<>/":
075kmn
}0| :9
0ar#DUmQ
!0DLxt
,0.JV=
0nE8wsn
.0Ra-n
_0)t{b
0$TZa{xk|
*0x	N8~
11HFucv
~1elPK
1fPPH*.
1gk^}(
1nLTr~
1O9>gp
_;1q.s
?1qZ"a
1`wM/a
[25DY0
2C;gXp
2fj&a08B)
!2H'DN
.2hUvd
2lf#NJRx
2oY'Rv
2RE-jQ&
\2>/Y6
3EtaGI2
3+|HAL
3?K2;#
3K9A*\
3mO7FP
3-p;u>
|3&]yq;
!/45km
 46o3J
*4ll-	o
4NOQ{1
4r6#f/
4u9(6w
@/'@	5
5Op\b)
5rL9,2
.5smG'
5To98O
5uw#7%	
:5; V\
+=6.!"~
6@7q6F
-=68u	h
= 6A9I
&6hVR?rX
6|rLiv
;6X	t}
.;6zR|
7[0odBI
_;@7AM
7#B	[k
_7kC _"
7lyxmP
7/Uc(gf
87D@'q-N
8g0<0v
8NCRCu
8T8n7)
8#Ywc%
9e$2ln
9|L-U`
9	!N$\
9?qNnm7
aa5+W;S
A&' 'C
aCK(H.6~/
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
Ae&M-7*
/ a!h\
>{aH$<
:ahG2E
Ai#Y.?
~aP_4Bw
AppendMenuA
AR<p*#
AvS44F
?a/w#n
?B,}",
b3u=z-
b7T;=v
B9/8GyI
BeginPaint
%Be RI?
~}`bh|
b~%Hiz^x
B&Oa^>[
]bp>@'
bRN"-sHm[
bufBv\
bV~rMY
b vw#du
B&>x=<7
bXAZ+b
c4`^+v
#!C6^C
$c9Y< P
CallWindowProcA
C	b8C7B
CDE*&&'
Cd>K|6,L6LZ
CharNextA
CharPrevA
CheckDlgButton
c,}jpOj
:Cl*op:u
CloseClipboard
CloseHandle
CM#'_f
cnP1I$;
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
Cq/ae\
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
csb0@|
.C%*SY
+C>ua.
C^uHB(
C|uw;YP
C{Y|Fp{\
... %d%%
D$0+D$(P
D<2-5c
@.data
DBgpM8
DdEBA@@@@=
*} DD<(K/f
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
Df=p	b
DialogBoxParamA
dib<t(
DispatchMessageA
-|DKEP
]do^LI1
DrawTextA
d+=sBtm0
D$(SPS
eBe nU
eBPw2r
EE'[1D
eeInfT
$`<]eF
eI[>{A%
EmptyClipboard
EnableMenuItem
EnableWindow
ENB>[^
EndDialog
EndPaint
eRDMni
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
Esv0=SZ/
E|sxdXbb[\
.,EvLt
exI~^2
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
FAM#N{
FDtVuoc>
fffffox
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
>fok)4
fQt=O 
FreeLibrary
FR~Pu2
'	.fs:
*F-t-]|
F!V_KX
^%FwIU
FX%mF)
"FYD.4
g%0HxUn
GDI32.dll
{ge5e$
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
#}[%gf
gH4Wp|'
\=>Gl	`
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
\	}gLub
\gtDpu
'gTmohE
#@gubh!
H8,t(m6
HF7xXF
&HhZ[F
hnEL`sds
'?	'~h+NJ
hpppiffT
ht)<.!
-h#TPh
http://nsis.sf.net/NSIS_Error
HwDKDF
:	H`x$x
HXxwC\E^1
'@'H-y
hyK)DnK
H;y*W&
I0*pErv5d
@_I2>by
iEqpi	=O
i%kk7Y
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
iUo,]b
IV%geZ
iv:w{Vj
;j\6ob
j# dFP
J!E1Rt
]J '-gh
JG%TVD
<@J;`m(M
 joRk>
j\RM4@
!jVM[y
((+:K1
K/34vqT(
k"5y}H
K:8`t.
Ka(e:e
^k'aS%
KERNEL32
KERNEL32.dll
]Ke;Zb
Kh}c$<
k:MCbd
k^m]<<Q
.#kRb!y
{k-S!U
*k	wD9s
	K,zps
L?0|ns
$l7&UZ
l8R%){y
lfn\TZ=
#Lg/fO
($l|iu'C5Z
Ljs9Uc
L,kl>,
LN6oS\n=~=
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
,@-L(P
lp(	5B]7d
l!RY(.
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
LyA;E;
lZ/d#	
McYWP>
MessageBoxIndirectA
MHc`6b
\Microsoft\Internet Explorer\Quick Launch
}M:jSn
M	LO!I2
|M'lqO:
#mO{O>
More information at:
MoveFileA
MoveFileExA
mrEpQ\
/mrtH	
MulDiv
MultiByteToWideChar
M\WL@s,m
(*MXob
M*^y^N
Mz)1z z
 'n7L}
.ndata
=ND\uU
nJU|hX
N[kKOi
!Nl"i.
&+,Nlo
nlzQP E
=n`>oK'6
Nq<\#W
NSIS Error
~nsu.tmp
NullsoftInst
NulluM	E
NX\kqphZUQ3,
nxZ@O'Sw
^nzrOR\N
O"/0-Oi
Og'stV
o?iK5@C3
ole32.dll
OleInitialize
OleUninitialize
O_mcs]0
oNy:2|p
OpenClipboard
OpenProcessToken
o@tSYW
$O?Vclo
*OW8 y
P;?@@?
P;?@@@@?
P0$,Gd8R
P?D`N0
PeekMessageA
pHBa&j
>P.I8Zb
pl4D!#pq
@pLSP@%
P~n(1t^
PNH,1.;]
P.OF?u
PostQuitMessage
p/pk,FO
PPPPPP
$<p>prJ
pQU;}~P
punqq974.
puqqqqq<770
'PVUc-
$}Q=/'
q	B2kL
q!>cm7
~`)[qG
QI"U$"z
[qk["R@
Q<KUn{
R.>7/I
.rdata
%R!DPN
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
[)rfc8
Rf"y>h
|(rGWiQh
RichEd20
RichEd32
RichEdit
RichEdit20A
rlbA?4)
rL`S;qa
R_+S:o
R/V^25Wb
rXA6&L_
RYjgfW2+*
{{{s<.
S0B%f6L
*<S1hb8
}S2mQ|
s9oXu_Vi^M[
%<SBej"
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
s^I_bS
*S;k=,a1
SkWH/a
s*}l@_
SMJD>+
s:Nr?<C
s.o_=F
softuV
Software\Microsoft\Windows\CurrentVersion
spH)HA/
SQSSSPW
SSi7[H
{ssuBBs@@@<4
?s>#=X
S!%<xd\E]
SystemParametersInfoA
&sz04#
> _?=t
t;b	E,
TD7c|,
T\E`\e
{]Te@s
!This program cannot be run in DOS mode.
_|t&l_
T/O /hT
_^[t	P
|TP9iy
TrackPopupMenu
tRH_K&5N
~<t('Y
%t.}Yt
TzQ04#
U1_C-R
U1k21/a
*U2mX`
u49-,?B
U5v^2X
.u7H!)
/u:|A}}
u=at '
@:U$i_
Ui6shq'
!{uj#D?
uMNB:J
unpacking data: %d%%
uPptth
USER32.dll
.Uu6IC_
%u.%u%s%s
uvW=l1&
|:u<YH
uZ1IdKG$r
v6*L`}
v95LpA
V9)\t6O
vA@&@.
(vcTY#
VDA*=.
v|_DDR#
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#Vh;+@
v'mQl_
v oCcEC
VRS[0I
(?vs5Y
_VTTPPI
V_VPTPIG
vY,;r[
vYRm EH
<=W6Hl
*w6!IA,
WaitForSingleObject
wBQvHm
W<CMv7P
wl`-X:
";;W[p
w]_QIf
(wRD7s*
WriteFile
WritePrivateProfileStringA
)W]Rlx
wsprintfA
wwwwww
wwwwwwp
wwwwwwwx
wwwwwx
w xmrp
wxwwwwww
Xb*H>`k
@Xjmy'
]=xmFz
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
\x`+%Mw
xr#>;kn[$
}X&R_u|
xr@z3%
/xT'iS
XTu$Z5
xut5&(I
Y64^e8
y@d	sk-
YfGHI	qO
Y:f)v[
yL,!Fl
)-.Yln
y+>>?O)
yq|1f!i
yqZ1.(
$y: Uh
ywv*+"
z@2os(
z9VwS!
ZaZaZXKJ
z~['?c
:*)zdi
Ze7!j?Z4
Zh8;([
^#ZN 5xA
|=Z">o
*zQ?_+
-zqX!v
zsLRg*
--zWio@W
z(x*J"
Z_ZT_PI
zzz||||
z}z}z{v