Analysis Date: 2014-01-29 11:31:11
MD5: ca377d0cd91e4f91ebdc8a894efe5f9f
SHA1: 04d02f29ae0cabcae5d1cc8197e5d6d1121b5cb5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4b569e892375c4d3b0dd8aac2b6e1ecd sha1: e845c25be79a542e06c73699a1f9b68dd6ed37ef size: 49152
Section .rdata: md5: c837ea596716fd33ed0854210c6ce88d sha1: 95f180ace5330f0af3f27ff39cbb1002101486a7 size: 8192
Section .data: md5: d1f52eaa7aceac03466ce24df17970c4 sha1: 7824a87d48e34583067a15e9d252d91e5d34652d size: 20480
Section .rsrc: md5: 4ae71336e44bf9bf79d2752e234818a5 sha1: e129f27c5103bc5cc44bcdf0a15e160d445066ff size: 16
Timestamp: 2002-04-13 01:49:44
Packer: VIRUS - I-Worm.KLEZ
PEhash: bf5d4e4fe2dc802903e881a86190f470acba9f36
AV clamav: W32.Elkern.C
AV avira: W32/Elkern.C
AV mcafee: W32/Klez.h@MM
AV msse: Worm:Win32/Klez.H@mm
AV avg: I-Worm/Klez.K

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\Winkrae.exe
Creates Service: Winkrae - C:\WINDOWS\system32\Winkrae.exe
Starts Service: Winkrae

Process
↳ C:\WINDOWS\system32\Winkrae.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\WINDOWS\TEMP\Cmh8.exe
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\Program Files\Xe1.exe
Creates File: C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\TEMP\Zt2.exe
Creates File: C:\WINDOWS\TEMP\Aah5.exe
Creates File: C:\WINDOWS\TEMP\Fnf6.exe
Creates File: PIPE\wkssvc
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\TEMP\Ug4.exe
Creates File: C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\Messenger\msmsgs.exe
Creates File: C:\WINDOWS\TEMP\Dbr7.exe
Creates File: C:\Program Files\Messenger\msmsgs.zfz
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: PIPE\SfcApi
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\TEMP\Czf3.exe
Creates File: C:\Documents and Settings\LocalService\Cookies\index.dat
Deletes File: C:\WINDOWS\TEMP\Cmh8.exe
Deletes File: C:\WINDOWS\TEMP\Aah5.tmp
Deletes File: C:\WINDOWS\TEMP\Czf3.tmp
Deletes File: C:\WINDOWS\TEMP\Dbr7.tmp
Deletes File: C:\WINDOWS\TEMP\Fnf6.tmp
Deletes File: C:\WINDOWS\TEMP\Zt2.exe
Deletes File: C:\WINDOWS\TEMP\Cmh8.tmp
Deletes File: C:\WINDOWS\TEMP\Zt2.tmp
Deletes File: C:\WINDOWS\TEMP\Aah5.exe
Deletes File: C:\WINDOWS\TEMP\Dbr7.exe
Deletes File: C:\WINDOWS\TEMP\Fnf6.exe
Deletes File: C:\Program Files\Xe1.tmp
Deletes File: C:\WINDOWS\TEMP\Ug4.tmp
Deletes File: C:\WINDOWS\TEMP\Ug4.exe
Creates Process: C:\Program Files\Xe1.exe
Creates Mutex: WininetConnectionMutex

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WER4db6.dir00\appcompat.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WER4db6.dir00\Xe1.exe.hdmp

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\Program Files\Xe1.exe

Creates File: PIPE\lsarpc
Creates File: pipe\PCHFaultRepExecPipe

Network Details:



Strings
.
.
.
=.
=..t.0. 00-+ ...e.... ...\

..
..
.

API_ADOBE_PUBLIC_KEY
         (((((                  H
(null)
T405_ADOBE_PUBLIC_KEY
.,()%$@!`~ 
<04(, $
<\0,94p\9d
-1-1pd
,4h9%4
4hlp,t
,4<lt,9
,4<lt,9h
]8s`%`)
,9(,`,
90l$9 
\90,<lh
9<4ht9<t9<9 <
<`,9<9
9(, ,<h9h
,9<hh<4
$9 ,<hlp,
(9h,th
,9|l,th
\9|l,th
9`,p\9
9t,,9\
<9-t9-t9$<
<9-t9-t9d,0t
<9-t9-t9h
<9-t9-t9x<h4
,9tp4Mu
(,9txp,<(
abnormal program termination
AdjustTokenPrivileges
ADVAPI32.dll
AllocateAndInitializeSid
CloseHandle
CloseServiceHandle
CopyFileA
CreateFileA
CreateFileMappingA
CreateProcessA
CreateServiceA
CreateThread
CreateToolhelp32Snapshot
,d90<0\9
,d9\,<p
d9<p,9\
@.data
DDDDDDDDDDD
DDDDDDDDDDDDDDDG
DDDDDDDDDDDDDDG
DDDDDDDDDDDDDG
DDDDDDDDDDG
DDDDDDDDDG
DDDDDDDDG
DDDDDDDG
DDDDDDDxw
DDDDDDG
DDDDDG
DDDDDptwtDDDDptDwDDDHptDHxwxwptDDtOwtptDD
DDp|DDHDDDp|
DDxDDG
DeleteFileA
DOMAIN error
Dpwwwwwwwp
DSUVWh
`d+u]q
EqualSid
ExitProcess
ExpandEnvironmentStringsA
\explorer
FindClose
FindFirstFileA
FindNextFileA
- floating point not loaded
FlushFileBuffers
`+.f/qT
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeSid
GetACP
GetActiveWindow
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileSize
GetFileTime
GetFileType
GetLastActivePopup
GetLastError
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTokenInformation
GetVersion
GetVersionExA
`h````
h,4h,(
%h90,9t,
h90l$9 p,,	0,4<lt,9
%h9(,h,4h9
h9qyyq	
 hd<p,
 hd<p,94<
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HELO %s
HHtpHHtl
h,p,th
,ht4<x,
,h%t90,9 p
h%t9`,p\9(<
ht9`,p\9t
hth,d<p
.idata
IsDBCSLeadByte
j/j(}}Sl+me
KERNEL32
KERNEL32.dll
LCMapStringA
LCMapStringW
LoadLibraryA
LocalAlloc
LocalFree
LookupPrivilegeValueA
l%p,9h
lp9x<ttd
lpp\9d
lt90\94
MAIL FROM: <
MapViewOfFile
MessageBoxA
Microsoft Visual C++ Runtime Library
Module32First
MPR.dll
MultiByteToWideChar
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
(null)
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenServiceA
OtDDDDDDDDDDDDDDG
oY\aD/
,`,p94
p,,9d,,
,<$,p9h
,<(,p9Y
<ph9th,<
plt9h,4
p,|l,th
ppxxxx
Process32First
Process32Next
Program: 
<program name unknown>
PSSSSSSSj
((p,tt
- pure virtual function call
PVVVVVV
PWWhf`@
$Q90<t,ai
Q9I-tA
QQSVWj
`QTj@h
`QTQPSW
QTQQPQQ
>Rar!t
RCPT TO:<
`.rdata
ReadFile
ReadProcessMemory
RegCloseKey
RegConnectRegistryA
RegCreateKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterServiceCtrlHandlerA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
.reloc
RtlUnwind
runtime error 
Runtime Error!
%s%08d
SetEndOfFile
SetFileAttributesA
SetFilePointer
SetFileTime
SetHandleCount
SetServiceStatus
SetStdHandle
SING error
Sj WSj
SS@SSPVSS
SSSSSVSj
StartServiceA
StartServiceCtrlDispatcherA
SVW|*j 
SVWj_^3
SystemTimeToFileTime
t<`<$,
t5Wj j
,<t,9`
t9<9-t9(<
,<t,9h
,<t,9hp\9<$<
,<t,9I<9
-t9I-tA
t9 p,,9
tDDDDD
tDDDDDD
tDDDDDDD
tDDDDDDDD
tDDDDDDDDDDDDDDDDDDDDG
tDDDDDDDDDDDDDDDG
tDDDDDDDDDDDDG
tDDDDDDDDDG
tDDDDDDDDOw
tDDDDDDDG
tDDDDDDDOtDDO
tDDDDDDH
tDDDDDDO
tDDDDDDx
tDDDDDG
tDDDDDw
tDDDDHtOtDDDDG
tDDDDODD
tDDDDxO
tDDGxDDDDDDD
tDHHtDDDDDDDDG
tem32\dllcac
TerminateProcess
<]t_G<-uA
!This program cannot be run in DOS mode.
This program must be run under Win32
TLOSS error
t#SSUP
<tt%9t,X\9x
t.;t$$t(
t$$VSS
txp,<(9h
<tx,pt
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UnmapViewOfFile
user32.dll
=userXu
:	uUSER32.d
VC20XC00U
VirtualAlloc
VirtualFree
vMPR.dll
W;5 LI
WaitForSingleObject
WideCharToMultiByte
WNetCloseEnum
WNetEnumResourceA
WNetOpenEnumA
WriteFile
WS2_32.dll
wsfc.dll
]w<w$%
"WWShL
wwwwwwwpt
wwwwwwwwwwwwww
wwwwwwwwwwwwwwwwwwwwww
x(<h,t
x|pthl`dX\Py}quimaeY]
\x,Q9h,Xh
\x,Q9-tU
,Xx,4h
Y;58LI
Yt%hm	A
_^][YY
YYPSWhT
YYPWhT
YY~`SW
YYv%WS
+|$ +z
Z<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv)cpu/e