Analysis Date: 2015-05-01 22:24:52
MD5: a0ffb5708ec0cd3f3dfdda9deb40e172
SHA1: 03f7d8260f3511688c5d170b049cf58ea0ac2504

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c123f46bd0ea0c1ac67ff0c5ae53d62c sha1: 08d68a791c19dd08737dcb557120ecaf6943648e size: 233472
Section .rdata: md5: a54f46f74ec7d88c1907d4f45396073e sha1: 1450416e3c33c080cd21e0a4f4de9039d02bc50e size: 12288
Section .data: md5: 80aa6b709519425ce760aef9d7ed2eb6 sha1: 8300b2b574f4a2aea0197714907d29578aaa7f1d size: 20480
Section .idata: md5: d5bf3d49c1531ba9e7076809483f33d8 sha1: 5668a282e056eb4809c1bdeedb684d602afc9d88 size: 8192
Section .rsrc: md5: 5091f618c8dcfdfb255be06168950faf sha1: 8ef3641cc46957c3c288295344e668e51a0b28f2 size: 32768
Section .reloc: md5: be74b58978d2d98ddb7da81ec5749a15 sha1: c4c2baa907981b1639e7daaf8345c5edd4285948 size: 49152
Timestamp: 1983-12-24 02:01:31
Pdb path: @
Packer: Microsoft Visual C++ 5.0
PEhash: d898c64453cad180627507813fca795ced3748d1
IMPhash: d0706c5e131edbff1fdcd80995ce2b8e
AV Ad-Aware: Gen:Variant.Zusy.82831
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Zusy.82831
AV Authentium: W32/Trojan.NSCX-6861
AV Avira (antivir): TR/Patched.Ren.Gen
AV BitDefender: Gen:Variant.Zusy.82831
AV BullGuard: Gen:Variant.Zusy.82831
AV CA (E-Trust Ino): Win32/FakeFLDR_i
AV CAT (quickheal): TrojanDownloader.Agent.GZ6
AV ClamAV: Win.Trojan.Neshgaig
AV Dr. Web: Trojan.PWS.Gamania.41439
AV Emsisoft: Gen:Variant.Zusy.82831
AV Eset (nod32): Win32/Agent.PWF
AV Fortinet: W32/Agent.GZLE!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.82831
AV Grisoft (avg): Downloader.Agent2.BSMJ
AV Ikarus: Trojan.Win32.Beaugrit
AV K7: Trojan ( 000cbae21 )
AV Kaspersky: Trojan-Downloader.Win32.Agent.gzle
AV MalwareBytes: Worm.Agent.RC
AV Mcafee: W32/Worm-FPG!A0FFB5708EC0
AV Microsoft Security Essentials: Trojan:Win32/Beaugrit.gen!AAA
AV MicroWorld (escan): Gen:Variant.Zusy.82831
AV Padvish: no_virus
AV Rising: Worm.Win32.VBInjectEx.a
AV Sophos: no_virus
AV Symantec: Trojan.Travnet
AV Trend Micro: TSPY_BE.7BF2119A
AV Twister: Trojan.AC6316F0F3F58227
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmss.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Start Menu\cmss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini_d
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\seruvice.lnk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.163.152
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.live.com
Type: A

Strings