Analysis Date: 2014-03-24 03:49:49
MD5: 1d3a04488358d4991229c9c894d370f2
SHA1: 163e4af37cc3daed8abf7c3664af5e2e1b99a98a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e6bcdd9536ee2adc5972728b5d944070 sha1: bf954d4788cc5a9309865b219b07c8e200720703 size: 204800
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 48e4f983963bd92432de6745c18b9178 sha1: f33214a13ef6e03254202304f9fe5d5d9f5f71af size: 4096
Timestamp: 2010-09-28 08:37:08
Version:
  ProductVersion: 6.78
  InternalName: YYQQU
  FileVersion: 6.78
  OriginalFilename: YYQQU.exe
  ProductName: YYQQU
Packer: Microsoft Visual Basic v5.0
PEhash: e36534bd20555b57ff222cf57eba0cef7e9169e3
IMPhash: 8b8bc1e89a90706d874f1ccaf82a9d6b
AV avg: SHeur3.BCUP
AV clamav: Trojan.VB-22488
AV mcafee: Downloader-CJX.gen.g
AV msse: Worm:Win32/Vobfus.gen!D

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\duuil.exe
Creates Process: C:\Documents and Settings\Administrator\duuil.exe
Creates Mutex: A
Creates Mutex: ch

Process
↳ C:\Documents and Settings\Administrator\duuil.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\duuil ➝ C:\Documents and Settings\Administrator\duuil.exe /O
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Network Details:

DNS: ns1.codeconline.biz (Type: A)
DNS: ns1.player1523.com (Type: A)

Strings
