Analysis Date: 2014-11-14 15:59:37
MD5: a1a76bf45f30075064bb448fccfd838c
SHA1: 3ddd28ecc0d189e0f4f656ff9ee743457aa8c924

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: fadd4cbd55cf57f72ce6d0b4bce376a1 sha1: fd530579aa9c7afde1c7197236d841a71d4e6cf9 size: 13824
Section .rdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data md5: 7babe4ca429d716775ab07a04b71b311 sha1: a64ef8fe62d35d5a64bfef3eb7f571165af78455 size: 103424
Section .rsrc md5: 42014756a41692f6537aabe5c789b2ed sha1: e5a6af0e3d1d85cbaa8cd41759f8ede8d9f17c61 size: 5120
Timestamp: 2009-04-25 22:00:50
Version:
LegalCopyright: Copyright © 2010 PC Tools. 5 All rights reserved. M
InternalName: IHvertuN
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: p
ProductVersion: 7.0.0.61
FileDescription: tSpyware Doctor Component
OriginalFilename: IHvertuN
Packer: Borland Delphi 4.0
PEhash: b5ae8743e48c10018b673b31b860fed642fcc965
IMPhash: df01e256001052027e1fc59e157f674c
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): Renosator [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Win.Trojan.Agent-252403
AV Dr. Web: Trojan.DownLoader2.39136
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.AEUK
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Generic_s.AXU
AV Ikarus: Trojan.Win32.Diple
AV K7: Trojan ( 0049995d1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Norman: Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.128AE210
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\NtWqIVLZEWZU\Olo5 ➝
30408961
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{E03B8BB0-8A43-475d-B3D8-8503D5E21BDF}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: nk.pl
Type: A
195.93.178.6
DNS: nk.pl
Type: A
195.93.178.5
DNS: icio.us
Type: A
50.18.171.56
DNS: 126.com
Type: A
123.125.50.22
DNS: 126.com
Type: A
220.181.12.218
DNS: moresonline.com
Type: A
66.228.61.232
DNS: superseh.com
Type: A
HTTP POST: http://moresonline.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1033 ➝ 66.228.61.232:80

Raw Pcap
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000020 (00032)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000030 (00048)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000040 (00064)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x00000050 (00080)   6f73743a 206d6f72 65736f6e 6c696e65   ost: moresonline
0x00000060 (00096)   2e636f6d 0d0a5573 65722d41 67656e74   .com..User-Agent
0x00000070 (00112)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000080 (00128)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000090 (00144)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000a0 (00160)   352e3029 0d0a436f 6e74656e 742d4c65   5.0)..Content-Le
0x000000b0 (00176)   6e677468 3a203231 370d0a43 6f6e6e65   ngth: 217..Conne
0x000000c0 (00192)   6374696f 6e3a2063 6c6f7365 0d0a4361   ction: close..Ca
0x000000d0 (00208)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000e0 (00224)   63616368 650d0a0d 0a646174 613d5159   cache....data=QY
0x000000f0 (00240)   70556a59 706f6f30 4d35414c 6f746c71   pUjYpoo0M5ALotlq
0x00000100 (00256)   53466846 694f4652 4c395731 33676f2b   SFhFiOFRL9W13go+
0x00000110 (00272)   742f7478 306c6769 53694e75 64433273   t/tx0lgiSiNudC2s
0x00000120 (00288)   7872797a 71676943 4e616845 6a397758   xryzqgiCNahEj9wX
0x00000130 (00304)   62507556 44774934 74373631 59445563   bPuVDwI4t761YDUc
0x00000140 (00320)   70386442 5145344c 47656d75 4b6f3059   p8dBQE4LGemuKo0Y
0x00000150 (00336)   53353063 2b737543 49514363 35646461   S50c+suCIQCc5dda
0x00000160 (00352)   76383937 686d616a 70674f36 32345558   v897hmajpgO624UX
0x00000170 (00368)   4572617a 4b486f63 35326976 6c7a4c74   ErazKHoc52ivlzLt
0x00000180 (00384)   73736656 57794739 30587844 32615676   ssfVWyG90XxD2aVv
0x00000190 (00400)   48316a30 3230576f 44463250 6649466d   H1j020WoDF2PfIFm
0x000001a0 (00416)   714a4374 504a7146 356a6579 39424b45   qJCtPJqF5jey9BKE
0x000001b0 (00432)   77594974 39304a7a 5a5a6645 6c704e6f   wYIt90JzZZfElpNo
0x000001c0 (00448)   4752                                  GR


Strings
.
.3
.
...
.
..
.
e
cx
040904E4
 2010  PC Tools. 5 All rights reserved. M
3MDD0
7.0.0.61
9vb6oPP
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
IHvertuN
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MmL9i
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
ReGUFK
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
tSpyware Doctor Component
VarFileInfo
VS_VERSION_INFO
Z1hv
;\0Ae`
0,VYqvt
(0W3j>
* $0yyEz
0zDLP l
1adzpL| 
1Lq`RY
%1\U{U
2'DL'c@
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3aA|0j
3Ul15wQEP
,[&3Vc6
;4(A<X
4IUNIQuSTR
<4(tv4S,
~4!yLqB
52bqdO5
@56ToApr 1
5aqk[N
5\Lzu4
63BWH9
6I7D!*h
6L279f
6<!scG8
!7\V8N(
-'809|W
8}4 j5
8]8u3z
89@-/&
:;8bz2`
@8iAH`
8%j9xH
8|QDGxX
`8Qi='
8.RT4*
;8XAA`
\8x}z7
8ZDq<e
91!Sbk
/9#5^/
9Yw4t?5
a0zLL\ p
`a>,7Lm
aaKnwX
ai9x%)BVbz
a$J4,H\
A=(KH4
a[SL9d\
AtPL-%
AYQP4SRJ7
 B1`$J
BERIPRD
BId9I#
,B.[ITgOS
.$*bYC
^C~4z8E
;CASRE
CharUpperA
CP60>'*
;cpDtb
CreateMenu
CUDdu%
CURJioe
`CuRLD
Cw)HRCr
CyJLk5
(cYjPX8
CZy+	!g
@.data
$DIydGaz
|d,/#JpJ,'y|z
Dmj,W'/@
dN _|}
dNum9B
d,uau;
E**|{#
E`43S$
edqeI_Nb
Eg:f`xz
\Ev	w9
EW7VX[
ewJH6l9
ExitProcess
e'%|x;X
'F[+\2g
f,4=n=
F"5xfj
faul~SIL
._FFfo
fhS}Du
Fx,x(f@
G9`5''
G98765.{
ga;}mG
gdwrOYj
GetActiveWindow
GetCommandLineW
GetCurrentThreadId
GetDesktopWindow
GetMenu
GetProcessHeap
GetWindowDC
GetWindowTextLengthA
GLuXcfw
_gr9KbqF9
gsZlbM
gxL8kT47
GxU9E2I
_h6/82
H7j6Ne8
h8BsxjCS
hKz3}8
`hlL?A
Hn:-\ii
}@hq^+
\*HRu>KHR8"
h+XHwI
H	z4hT8RvzcH
hZ\qpd`
I;A!79
ibcpyj
IHvertuN
|*Ij?P
Iq,RT8
IRs_52
IrVx1r
IsCharUpperA
IsDlgButtonChecked
IsMenu
izS;[`c=!
 J(,04
(J8,P`
Ja,,@\
\Jd,px
_Jeuqu
 j$l(d,	
;Jt]@@
JzVLn ~
:K8qT?zl
(KBc/$
KERNEL32.DLL
KFz>83L
kg3Nhh
KKXhvKy
k=OMR`
KqI3!S
)K@t8pNw
KVOsPTb
%kx{#&
~L!{^=
l}9Wz>
LBIqae
:}ldHn
L@EyGlS
LFO}mH
*lHRC_
 ,LJ$I
Lj(Ml] 
LJX,dx
LoadLibraryA
LocalAlloc
lr5CNl
@L$S3@F
Lym7i@24
lZjY?R
Lz\Lp 
]+*m?al
m\F^}9M(
@mi4bmng 
;MKDwbY;
mPSfc9Z
MpV>KJ
^M;Q|^
Mt1tr:
_N4Rwlw@8
n9C,u+
Naj_^[
Ne6^cp
NJF,<2
-nMr_jy
N~o4`T
n-zTl!|
_=(ObBxL
#ODlG5DYz;
O>I()y
/OoG9X
_oP4AIf0j
_opte3lucnVAclS@16
o.rdat@b
OSZ;C2
oxp%OLbEAUT2
OYJ-OEZ
o][Yq.
p 0$c0
p7[I;@
_P7uOK
PCi <_3
PJh,pt
pKbHm=;
;PKQ:(
p mOBrT
|puI]A8
py3Ob'
]Pz4K j
PZ\qXd`
Q1qqnP
Q2G9zFn@12
$Q,$`8
]%!qD%
QFu%	z	
Q	HRCg
QI~;jJ
Q!Iq")
Q.LIn*
@Qm6t(
q|QPgw
Q>Qu!\-
q:(ScBO5v
Qsou%s
<qv GaG
QvssGt
R33Swx
`.rdata
\(RE!nP
ResetEvent
;`,r@Vw
S`/2?xI
sAlzvXSdkb
S;EJCax
SetEndOfFile
SetErrorMode
shlwapi
 SI 'X
s"~~(j
sovRivDyeOu4c
spx+$y
-#S]?S<
s|xQImL
_Szs`]
t15w+`
;((T3#P
.T%.A.`
`t`,.D
tg=x`m|
This program must be run under Win32
tH:$'^Mh
\])Ti|
TIDSBPn,\
@TLeJN}
tPZHzuJ
TRw#"U
T,\uTp$
tY	GC,~
tzlwcw
Uc*=mJ
U=Q=WqQy
USbYF9
USER32.DLL
Ut	6G1|
'<V0x~
}vB?Ky^	x`
v[InAxG
VirtualAlloc
vLAP6Tt8
}V	QuW`V
^VS M#
}"Vxe"
VZhHDY
w1JoJOM
[w2*|!
W`3V[B
#W-Alf*
WJE@~wuSu
,wlHRCC
w=Lnd&
WqiaBz
WRQPgSjf
X1l#@K
x2)J$,
xArm:=A
.XCV'`
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
XtOy-^BS!xG
xx`\I1|`
_y0(i8
#yB.9bD-
#\'YG7H
y J4,DT
`@`yj6O
y 	j:J?#
Ys~WE$
(z0L8 @
$z0L8 @
(Z4q,d8
Z4WX~u
z"8vlkR<
zcL	"oH
<zDLL T
zDLT h
>zFLP Z
z$L4 D
zlf)`SHLWH
z,L` h
$z<LH X
@zLLT d
!ZMHgT
z_(pPS)
Z`$Q,z
@zTLp 
zV~-}U\