Analysis Date: 2014-12-03 05:27:24
MD5: 2427acf8b1552d6dccab0109545882a2
SHA1: 03ca21a39bb4f38af1b7af110ed7810d6c232b81

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code   md5: e300b4c3d365769efc9d62917794c118  sha1: 7c1251242e36bf3c02da7665c83bf3f1781c61f7  size: 2048
Section .text   md5: 294d3b0fd2353fdeb72659b76a31361c  sha1: 97c5c800a6d8499688dc75a3c8063a8ecd24541a  size: 6656
Section .rdata  md5: d3404c0e0f01ffd525aba85527c0eb06  sha1: b5ee3f3837508b454e14356cf7a16ac8bb8939ed  size: 512
Section .data   md5: c4b71dd7f5b54fa22bf7e30e7c8e71c1  sha1: 3350899edc81b9794317e8be37f664faae3199ce  size: 2048
Section .rsrc   md5: 6236b80cdab0d5d98a0b858891cb2daf  sha1: 6f873b68d8b9167e3264e781181f3d852dd79ce2  size: 1024
Timestamp: 2011-04-03 12:07:51
PEhash: 5c781c5f52b6075f73beb1efb7929c0cc60cf381
IMPhash: a8f69eb2cf9f30ea96961c86b4347282
AV 360 Safe: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Ad-Aware: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Alwil (avast): Small-NTV [Wrm]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Sivis.A
AV Avira (antivir): W32/Sivis.A
AV BullGuard: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV CA (E-Trust Ino): Win32/Agent.BFH
AV CAT (quickheal): W32.Sivis.A5
AV ClamAV: WIN.Trojan.Sivis
AV Dr. Web: Trojan.Siggen3.2175
AV Emsisoft: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Eset (nod32): Win32/Agent.NBA virus
AV Fortinet: W32/Agent.NBA!worm
AV Frisk (f-prot): W32/Sivis.A
AV F-Secure: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Grisoft (avg): Win32/Agent.CP
AV Ikarus: Gen.Win32.FileInfector
AV K7: Riskware ( 0015e4f11 )
AV Kaspersky: Virus.Win32.Agent.es
AV MalwareBytes: no_virus
AV Mcafee: W32/Sivis.gen.a
AV Microsoft Security Essentials: Virus:Win32/Sivis.A
AV MicroWorld (escan): Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Norman: Gen:Win32.FileInfector.euZ@aKw3MUhi
AV Rising: Win32.Visisig.a
AV Sophos: W32/Sivis-A
AV Symantec: Trojan.Gen
AV Trend Micro: PE_SIVIS.A-O
AV VirusBlokAda (vba32): Trojan.Agent

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Updater\updater.log
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
Creates File: c:\Documents and Settings\Administrator\Favorites\Links\Windows Marketplace.url
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\AdobeCMapFnt07.lst
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\UserCache.bin
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\IMJP8_1\imjp81u.dic
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
Creates File: c:\Documents and Settings\Administrator\Favorites\MSN.com.url
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\Themes\Custom.theme
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\AdbeRdrUpd933_all_incr.msp
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak
Creates File: c:\Documents and Settings\Administrator\Favorites\Radio Station Guide.url
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udlog.txt
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\SharedDataEvents
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\AdobeSysFnt07.lst
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\AdbeRdrUpd932_all_incr.msp
Creates File: c:\Documents and Settings\Administrator\Favorites\Links\Windows Media.url
Creates File: c:\boot.ini
Creates File: c:\AUTOEXEC.BAT
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\7.0\Cache\AcroFnt07.lst
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JSADM.exv
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\JavaScripts\glob.settings.js
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\ACECache4.lst
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.js
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Color\ACECache10.lst
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\AdobeSysFnt09.lst
Creates File: c:\CONFIG.SYS
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
Creates File: c:\Documents and Settings\Administrator\Favorites\Links\Windows.url
Creates File: c:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: c:\Documents and Settings\Administrator\Favorites\Links\Free Hotmail.url
Creates File: c:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\AdbeRdrUpd934_all_incr.msp
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\AdobeCMapFnt09.lst
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\UserCache.bin
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0\JavaScripts\glob.settings.js
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Updater\udstore.js
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Creates File: c:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Desktop.htt
Creates File: c:\Documents and Settings\Administrator\Favorites\Links\Customize Links.url
Creates File: c:\Documents and Settings\Administrator\Application Data\desktop.ini
Creates File: c:\Documents and Settings\Administrator\Favorites\Desktop.ini
Creates File: c:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\7.0\Collab\RSS

Network Details:


Raw Pcap

Strings
