Analysis Date: 2015-02-04 01:53:16
MD5: a233478346fb01b7191b51d0cd8a0cf2
SHA1: 3cd50292cce2857fb991e30687d6fe11d3e6e9a8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9199ec953803ee1ad54f6e3ed89e60fd sha1: 545b57dbe2ef252ee772b5b90b20a44cc9dfe1ee size: 188416
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: c07aaf426475b22895dc538fe9e24142 sha1: 1a54fdbe2e8b0bfb042acf67e9f1e857fd06e04e size: 147456
Timestamp: 2010-07-07 13:21:22
Version: ProductVersion: 7.07.0007
InternalName: NoPorn
FileVersion: 7.07.0007
OriginalFilename: NoPorn.exe
ProductName: NoPorn
Packer: Microsoft Visual Basic v5.0
PEhash: 815bc895c28226b25c5085a3a338a9e87b03724f
IMPhash: 0affd390cdf3687adbaaafa19030cee1
AV 360 Safe: no_virus
AV Ad-Aware: Backdoor.Agent.1
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Backdoor.Agent.1
AV Authentium: W32/VBTrojan.17E!Maximus
AV Avira (antivir): TR/Dropper.Gen2
AV BullGuard: Backdoor.Agent.1
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Backdoor.Agent.1
AV Eset (nod32): Win32/AutoRun.VB.OS worm
AV Fortinet: W32/VB.AIXR!tr.dldr
AV Frisk (f-prot): W32/VBTrojan.17E!Maximus
AV F-Secure: Backdoor.Agent.1
AV Grisoft (avg): Win32/DH{gQouNjk}
AV Ikarus: Worm.Win32.VB.li
AV K7: P2PWorm ( 00057d1f1 )
AV Kaspersky: Trojan-Downloader.Win32.Andromeda.aixr
AV MalwareBytes: no_virus
AV Mcafee: New Malware.iu
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Backdoor.Agent.1
AV Rising: no_virus
AV Sophos: Mal/VB-F
AV Symantec: no_virus
AV Trend Micro: Possible_Otorun8
AV VirusBlokAda (vba32): TrojanDownloader.Andromeda

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\DefaultValue ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickLaunch ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB8A1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe
Creates Process: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Creates Process: cmd.exe /c start wmplayer.exe

Process
↳ wmplayer.exe

Creates Process: wmplayer.exe
Creates Process: wmplayer.exe
Creates Process: wmplayer.exe

Process
↳ cmd.exe /c start wmplayer.exe

Creates Process: wmplayer.exe
Creates Process: wmplayer.exe
Creates Process: wmplayer.exe

Process
↳ REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\DefaultValue ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickLaunch ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF1C5.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe
Creates Process: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
Creates Process: cmd.exe /c start wmplayer.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6725.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF58D7.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝
1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\DefaultValue ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner ➝
JAUHI_PORNOGRAFI\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr ➝
1
Registry: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\system\DisableCMD ➝
1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickLaunch ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title ➝
::KOREKSI::DIRI::KITA::TINGKATKAN::IMAN::\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF52E3.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\NoPorn.exe
Creates Process: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF6ADD.tmp

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\mplayerc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DF788A.tmp

Process
↳ wmplayer.exe

Creates Process: setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe
Creates Process: setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe
Creates Mutex: Microsoft_WMP_70_CheckForOtherInstanceMutex

Process
↳ wmplayer.exe

Creates Process: setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe
Creates Process: setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe

Process
↳ REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process
↳ REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f

Process
↳ setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Multimedia\ActiveMovie\Filter Cache\0 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device\FriendlyName ➝
Default DirectSound Device\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device\FriendlyName ➝
Default MidiOut Device\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\MediaPlayer\MP2.SaveDir ➝
C:\Program Files\Windows Media Player\\x00
Creates File: PIPE\wkssvc
Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500
Creates Mutex: WMSetup-UI

Process
↳ setup_wm.exe /RunOnce:C:\Program Files\Windows Media Player\wmplayer.exe

Creates Mutex: WMSetup-UI

Network Details:



Strings
...

040904B0
*.3gp
7.07.0007
alarm
ansav
Anti
antivir
Apakah anda setuju :
ariel
auslogics
autorun
[Autorun]
\Autorun.inf
avast
avira
B*\AF:\SENIN\VIRUS\Project1.vbp
basic
Bg.exe
BITDEVINDER
clam
clamwin
cmd.exe /c start wmplayer.exe
command
command prompt
config
control
Control
control panel
c:\windows\system
c:\windows\system32
DisableCMD
drives
drivetype
eset
.exe
Files
FileVersion
find
Find
folder options
GetExtensionName
getfolder
GetSpecialFolder
hijack
HKCU\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SuperHidden
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\DefaultValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt\UncheckedValue
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MediaPlayer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QuickLaunch
HKLM\
instal
InternalName
japan
JAUHI_PORNOGRAFI
karan
kars
kill
::KOREKSI::DIRI::KITA::TINGKATKAN::IMAN::
look
loov
luna
Mari Kita Tingkatkan Iman Dan Takwa Kita...!!!!
microsoft
microsoft visual
MPEG
MPLAYERC
\mplayerc.exe
nod32
NoPorn
\NoPorn.exe
NoPorn.exe
notepad
option
OriginalFilename
path
patrol
PCMAV
Policies\Explorer\NoClose
Policies\Explorer\NoControlPanel
Policies\Explorer\NoFind
Policies\Explorer\NoFolderOptions
Policies\Explorer\NoRun
Policies\Explorer\NoStartMenuMorePrograms
Policies\Explorer\NoViewContextMenu
Policies\Explorer\NoViewOnDrive
Policies\System\DisableMsConfig
Policies\System\DisableRegistryTools
Policies\System\DisableTaskMgr
process
ProductName
ProductVersion
project
properties
Prote
REAL
REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
REG_DWORD
\RegisteredOrganization
\RegisteredOwner
registry
RegWrite
remov
Repair
Rest
restore
safe
scan
scripting.filesystemobject
Searc
search
setup
shell\explore\Command=
shell\explore=Explore
shell\open\Command=
shell\open\Default=1
shell\open=MediaPlayer
shutdown -r -f -t 00
SMADA
Software\Microsoft\Internet Explorer\Main\
Software\Microsoft\Windows\CurrentVersion\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\
Software\Policies\Microsoft\Windows\system\
start
Stop
StringFileInfo
Subfolders
system
system restore
task
task manager
TINGKATKAN_IMAN
tool
Translation
Tune
untitled
VarFileInfo
virgin
VS_VERSION_INFO
watson
\Window Title
Wscript.Shell
WScript.Shell
$$$$#!
#%!+.*
1112:42:27 PM
111BBB5
'111I000L000M000M000M///M///M///M...M...M...M---M---M---M,,,M+++M***M(((L'''L'''H
11%855$!
\2_}}X(uus1/s
-,;43$
*** 555
555~888
555y888
   _666
:73bx+R&S}! Nu
+++#888
9[}}})Vum.Ku
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
>B;DI>B
BlljjjI@}d
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
`.data
DdejIDBB@Fll
DeleteFileA
;DIjsuu}}}}}vwd
DJeklllj
DllFunctionCall
e`68^uTPUglllll
---e888
EnableWindow
EnumWindows
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
@FIeellsu}}
FuuusssssjID>
#GDBDEEGGGG$
GetParent
GetWindowTextA
HHH<***
IFFIFFGGFFFFDD
IIFIIIIesssslliHCA@@BD
IIIIIIIdljjjjdFDd
IslslldD
IsWindowVisible
}#jhhXPB
}#j|hXPB
}jjjlsu}}}}
} jPhXPB
jPsEjPs
}#jXhXPB
kernel32
lljleI@
lll*777
lllljd@llld
lllslllljjjjeIFD
lslllljjjjjedID
Module1
Module2
MSVBVM60.DLL
NoPorn
nRs*aQs?|Ps
NsbrRs
Ns$FPsx
Ns];Os\TPs
oject1.
Os0jPs
OstLPs"
PostMessageA
Project1
PsDROsk
}Ps"UPs
Ps>UPs
Qs1hRs
QstjPs
RsH!Os
\SENINProject1
sp_Z4uO$&%gsM0k
sssssssssssssrd@=
!This program cannot be run in DOS mode.
TmrInfeksi
TmrPayload
user32
uuuuusuttsjDB
uuuuuujF@
VBA6.DLL
__vbaAryUnlock
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaFileClose
__vbaFileOpen
__vbaForEachVar
__vbaFPException
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGet3
__vbaHresultCheckObj
__vbaI4Var
__vbaLateIdCallLd
__vbaLateMemCall
__vbaLenBstr
__vbaLenVar
__vbaNew2
__vbaNextEachVar
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaPut3
__vbaSetSystemError
__vbaStrCat
__vbaStrCopy
__vbaStrLike
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarMove
__vbaStrVarVal
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpNe
__vbaVarDup
__vbaVargVar
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarOr
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarZero
wwwxww
W,-x}v#Yl
$$$x777
y]5}u)QnssL"r
YYY9ccc