Analysis Date: 2015-02-03 16:49:10
MD5: 627740cb2c6f0dcce0bad4be8f5a3f32
SHA1: 18cf03d598ee8553a3cf755d9764299b261e0d55

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 705b1ff8862b9b6efb7b3990ccf78fe7 sha1: 7e0a1be31c93d91bdcb24588043c1712176c877d size: 8704
Section .data  md5: 8139fb360e6c24825b312aa944b0789a sha1: 649884ac6f5bb0743c5a11d57852e63eeb5dc4e2 size: 2048
Section .rsrc  md5: 3bdf38e4f70cc5fe6b34ddeab1ff1f74 sha1: 2569e403bb12ef4e22cad04c5953ab794ddf8ab7 size: 46592
Timestamp: 2004-06-24 00:58:46
PEhash: 139d6448ecefa27eba488d4c0cc0de86f9907978
IMPhash: b066f1c40fa2eccaac9da0fc497c5cf2
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.527030
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.527030
AV Authentium: W32/Trojan.HJWD-4904
AV Avira (antivir): TR/Crypt.ZPACK.Gen4
AV BullGuard: Gen:Variant.Kazy.527030
AV CA (E-Trust Ino): Win32/Tnega.XAXR!suspicious
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.527030
AV Eset (nod32): Win32/Kryptik.CUHD
AV Fortinet: W32/Kryptik.CVBD!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.527030
AV Grisoft (avg): Downloader.Agent
AV Ikarus: Trojan-Spy.DrSky
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV Mcafee: Downloader-FAMV!627740CB2C6F
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis
AV MicroWorld (escan): Gen:Variant.Kazy.527030
AV Rising: no_virus
AV Sophos: Troj/Agent-AIRO
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_CRYPCTB.SME
AV VirusBlokAda (vba32): Trojan.FakeAV.01657

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\18cf03d598ee8553a3cf755d9764299b261e0d55.gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_74203.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: "rundll32.exe" C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\Administrator\Local Settings\Temp\18cf03d598ee8553a3cf755d9764299b261e0d55.gif
Creates Mutex: 25662880
Winsock DNS: windowsupdate.microsoft.com

Process
↳ "rundll32.exe" C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen C:\Documents and Settings\Administrator\Local Settings\Temp\18cf03d598ee8553a3cf755d9764299b261e0d55.gif

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellImageView\Bounds ➝ NULL

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.192.91
DNS: www.update.microsoft.com.nsatc.net
Type: A
157.56.77.148
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.192.91:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000020 (00032)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000030 (00048)   626c653b 204d5349 4520372e 303b2057   ble; MSIE 7.0; W
0x00000040 (00064)   696e646f 7773204e 5420362e 30290d0a   indows NT 6.0)..
0x00000050 (00080)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000060 (00096)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000070 (00112)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000080 (00128)   6c6f7365 0d0a0d0a                     lose....
Strings

ADVAPI32.dll
CADeleteCA
CAEnumNextCA
certcli.dll
CharToOemA
ClearEventLogA
CloseHandle
ControlService
CPDecrypt
CPDeriveKey
CPEncrypt
CPGenKey
CreateDirectoryA
CreateProcessAsUserA
CreateWindowExA
`.data
DeviceIoControl
DialogBoxParamA
DispatchMessageA
DrawIcon
GetCaretPos
GetEnvironmentVariableA
GetLongPathNameA
GetProcAddress
GetProcessHeap
GetProcessTimes
GetStringTypeA
GetWindowTextA
HeapValidate
IsCharLowerW
IsDialogMessageA
IsTextUnicode
IsValidSecurityDescriptor
IsValidSid
IsZoomed
kernel32.DLL
KERNEL32.dll
LoadCursorA
LoadLibraryA
lstrcmpiA
lstrcpynW
OpenServiceA
PathCombineA
PathCommonPrefixA
PathCompactPathA
PeekMessageA
PostMessageA
pufertuk.pdb
ReadFile
RegCreateKeyA
RegDeleteKeyA
RegDeleteValueA
RegEnumValueA
RegOpenKeyExA
RegSaveKeyA
rsaenh.dll
SetEnvironmentVariableW
SetFilePointer
SHLWAPI.dll
!This program cannot be run in DOS mode.
UpdateResourceA
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlCreateFromPathA
UrlEscapeA
UrlGetLocationA
UrlHashA
UrlIsNoHistoryW
UrlUnescapeA
user32.dll
VirtualAllocEx
WaitForSingleObject
WriteConsoleA
wsprintfA