Analysis Date: 2014-12-15 00:40:50
MD5: 72556e1dad5529cec4f6bc028e036006
SHA1: 3bf39503cca009d77e85d2bf6cf0de30f972e1a1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 74282394a99acb38d3946aff7e9ed19f sha1: 701bd0c0e016504122a3b86d94952968ab0e6837 size: 16384
Section .rdata: md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .data: md5: 622a956fae2331a82d2efb1286891c1c sha1: 647629448efd38f5620918e09951581ffddc343b size: 53248
Section .rsrc: md5: 28530191b5c3241e87bd9236b13edf2b sha1: ca738861288a77234828a17a5ec2161ae6aafa7d size: 5120
Timestamp: 2009-08-21 03:45:55
Version:
LegalCopyright: Copyright © 2010 r PC Tools. All rights reserved.
InternalName: WXvertuM
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: G rx
ProductVersion: 7.0.0.61
FileDescription: uQSpyware Doctor Component2c
OriginalFilename: WXvertuM
PEhash: 098a382be91a482df65504970fa741b82f200627
IMPhash: 4042c694c27a7ec24e0bf572ee805477
AV (360 Safe): Gen:Variant.Kazy.20201
AV (Ad-Aware): Gen:Variant.Kazy.20201
AV (Alwil (avast)): Renos-AHM [Trj]
AV (Arcabit (arcavir)): Gen:Variant.Kazy.20201
AV (Authentium): W32/FakeAlert.KN.gen!Eldorado
AV (Avira (antivir)): TR/Fakealert.OP.1
AV (BullGuard): Gen:Variant.Kazy.20201
AV (CA (E-Trust Ino)): Win32/Renos.D!generic
AV (CAT (quickheal)): Trojan.Renos.LN
AV (ClamAV): Trojan.Agent-229830
AV (Dr. Web): Trojan.DownLoader2.38821
AV (Emsisoft): Gen:Variant.Kazy.20201
AV (Eset (nod32)): Win32/TrojanDownloader.FakeAlert.BBT
AV (Fortinet): W32/Diple.IZ!tr
AV (Frisk (f-prot)): W32/FakeAlert.KN.gen!Eldorado
AV (F-Secure): Gen:Variant.Kazy.20201
AV (Grisoft (avg)): Generic_s.ADX
AV (Ikarus): Trojan.Win32.Jorik
AV (K7): Trojan ( 00246c8d1 )
AV (Kaspersky): Trojan.Win32.Generic
AV (MalwareBytes): Trojan.Downloader
AV (Mcafee): Downloader-CEW.ap
AV (Microsoft Security Essentials): TrojanDownloader:Win32/Renos.MJ
AV (MicroWorld (escan)): Gen:Variant.Kazy.20201
AV (Rising): Trojan.Win32.Generic.12860F01
AV (Sophos): Mal/FakeAV-IZ
AV (Symantec): Trojan.FakeAV!gen52
AV (Trend Micro): TROJ_FAKEAV.SM93
AV (VirusBlokAda (vba32)): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe

Network Details:

DNS: google.at (Type: A) ➝ 173.194.125.56
DNS: google.at (Type: A) ➝ 173.194.125.63
DNS: google.at (Type: A) ➝ 173.194.125.55
DNS: narod.ru (Type: A) ➝ 193.109.246.86
DNS: roolia.in (Type: A)
DNS: webdatum.in (Type: A)

Strings