Analysis Date: 2013-09-08 01:26:55
MD5: 4a35448a603b386a0464f0e150aa9a43
SHA1: 2fe9e2c8c27709caded8bf9afcde07280f421863

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: f77e3a8249a2433084dca8a7a03c4a02 sha1: 329cdfc8e6d3beae02fa64644bc79d45b979b876 size: 53760
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: a8ed2cf42868604495d05c05d6be6c80 sha1: f40a2cefa5a1c7e94b9f9509e9db71e208095b7b size: 2560
Timestamp: 2010-07-13 08:43:14
Version:
  ProductVersion: 3.65
  InternalName: TTvtPMcC
  FileVersion: 3.65
  OriginalFilename: TTvtPMcC.exe
  ProductName: e
Packer: Microsoft Visual Basic v5.0 - v6.0
PEhash: f1ea28f3e5a0d46089d584ff27d5de10c4b8104b
AV avg: Injector.UB
AV msse: Worm:Win32/Vobfus.S
AV avira: TR/Dldr.VB.dxh
AV clamav: Trojan.VB-19611

Runtime Details:

Process
↳ C:\malware.exe

Creates File: \Device\Afd\AsyncSelectHlp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qioupo.exe
Creates Process: C:\Documents and Settings\Administrator\qioupo.exe
Creates Mutex: A

Process
↳ C:\Documents and Settings\Administrator\qioupo.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\qioupo ➝ C:\Documents and Settings\Administrator\qioupo.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden ➝ NULL
Creates File: C:\New Folder.lnk
Creates File: PIPE\DAV RPC SERVICE
Creates File: C:\autorun.inf
Creates File: C:\Passwords.lnk
Creates File: C:\qioupo.exe
Creates File: C:\Video.lnk
Creates File: C:\Music.lnk
Creates File: C:\temp.lnk
Creates File: C:\Pictures.lnk
Creates File: PIPE\wkssvc
Creates File: C:\..lnk
Creates File: C:\...lnk
Creates File: C:\qioupo.scr
Creates File: C:\Documents.lnk
Creates File: UNC\192.168.1.1\PIPE\srvsvc

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Network Details:

DNS: ns1.thepicturehut.net
  Type: A
  192.155.89.148
Flows: TCP 192.168.1.1:1031 ➝ 192.155.89.148:8000
