Analysis Date: 2014-03-11 17:43:49
MD5: a0b8319ec56835be5d24027f47cb85e5
SHA1: 3fddb7afe19738088e974ad20ff4959ea9013fb9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c123f46bd0ea0c1ac67ff0c5ae53d62c sha1: 08d68a791c19dd08737dcb557120ecaf6943648e size: 233472
Section .rdata: md5: a54f46f74ec7d88c1907d4f45396073e sha1: 1450416e3c33c080cd21e0a4f4de9039d02bc50e size: 12288
Section .data: md5: 80aa6b709519425ce760aef9d7ed2eb6 sha1: 8300b2b574f4a2aea0197714907d29578aaa7f1d size: 20480
Section .idata: md5: d5bf3d49c1531ba9e7076809483f33d8 sha1: 5668a282e056eb4809c1bdeedb684d602afc9d88 size: 8192
Section .rsrc: md5: ab6c710366327dd7f353083573ae1322 sha1: fa027b513ed3a0273a08fcd27437cc792b9aade1 size: 32768
Section .reloc: md5: 4ffc754dbf27a7ac6c9b0fcac9826e8f sha1: e08215301ee9e650ae342fda9d6a49efce1c0127 size: 132864
Timestamp: 1998-06-19 01:24:16
Pdb path: @
Packer: Microsoft Visual C++ 5.0
PEhash: 98e8a794a6339ff9c3a9f9dd0e28c87a794528c5
IMPhash: d0706c5e131edbff1fdcd80995ce2b8e
AV (avg): Downloader.Agent2.BSMJ
AV (mcafee): W32/Worm-FPG!A0B8319EC568
AV (avira): TR/Patched.Gen
AV (clamav): Win.Trojan.Neshgaig

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmss.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Start Menu\cmss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini_d
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\seruvice.lnk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.162.200
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.172.254
DNS: smtp.live.com
Type: A


Strings
*
0
0
_
..
00-+ 
-E-0
-0
-
-
.
] 
-e-
\
.
.
.
0
0
  
...........?-  
0
 
0
0 
0
u
!
!
..
.A
Z
x
.=
.
m
.

Cjjj
Cjjjj
         (((((                  H
jjjj
jjjjjj
(null)
:.:@:\:{:
{{{{{{{{
{{{{{{{{{{
{{{{{{{{{{{{{
{{{{{{{{{{{{{{{{{{{
#'#'#'#'#'",
########################
									
										
													
																								
{{{{{{{{{{{{0
{{{{{{{{{{{{{0
0(0.0?0\0
0"0'0,0F0L0[0e0n0w0
0#0/0@0K0T0`0h0t0{0
0	0!0y0
0(0D0X0t0
0:0E0L0W0_0h0x0
0 0j0p0t0x0|0
0"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
0 1L1b1n1
0*1Q1*2
>0>4>8><>@>
061B1i1
:':0:8:L:e:j:w:
/0oAxg
$0x0&1/1>1J1Y1l1
'101}1
1)1:1K1\1m1
1*131<1M1S1\1d1x1
1'131?1T1b1y1
1.161A1H1W1c1{1
1@1E1w1
1?1M1k1y1
1*1M1m1
1%2H2k2
183F3i3w3
<"<(<,<1<><H<s<
1J1o1{1
1L1n1u1
1O1W1]1k1u1z1
1#QNAN
1#SNAN
1WOxF/
''''''''''''''''@2^
\2013\Uproject(
2$2*20262<2B2H2N2T2Z2`2f2
2 2&2,22282>2D2J2P2V2\2b2h2n2t2z2
2?2b2p2
2-2E2V2k2v2
2;2I2w2
2*2X2s2!3&3
2+333?3E3S3b3n3
2.373E3M3S3\3d3l3r3{3
2f3s3z3
2J2e2w2}2
=2>r>v?
30A0o0}0
3 323<3c3
33333333333330
3333333333333333333
3 3%3O3
3%3F3O3
3&3H3v3
3'434|4
3*494a4k4
3?4g4*5#6
3"4L4X4
3B3I3w3~3
3	,e=|
;-;3;E;
404<4x4
4$4)4J5f5
4.474A4K4T4b4
4$4I4\4~4
4,525j5z5
4$70:@<H?L?P?
; ;4;A;S;`;
%4d%2d%2d%2d%2d%2d%5s
; ;%;4;E;T;c;n;z;
4G5N5]5
~/4gv'
!4JJJJ1Y^
;4;K;Y;b;h;s;y;
?4?=?m?
4RBq+d<
4seCE|
4V5|556;6C6Q6W6j6
>">*>4>y>
505@5L5g5w5
51565<5
5%5.5C5
556>6V6[6
5+5.7<7m7{7
5#6]6n6w6
5	6B6N6S6
5?6L6d6
$'''''''''''''''-5D
5G5M5[5e5
;5;S;`;t;
637B7l7{7
6 6$6(6,6064686
6%676>6X6d6
$6(686@6D6L6P6\6`6p6x6|6
6+696Q6f6
6F6Q6g6
6I7b7n7
! )6PseC|(
6PY^^^^^
=,=6=s=
<6<T<Q=[=a=l=x=}=
6tW z>V
_^&-!7
707B7Y7e7
717?7e7s7
748G8Z8
#<74sv
758T8e8
7!7'70767;7H7r7w7
7"7)707%8.878M8V8
7 7'7,70747Q7{7
7 7$7(7,70747
7 7-7?7L7
7'7.7U7s7z7
7%7Z7`7
787B7P7W7{7
7=8K8X8u8
:7;c;x;
7e8l8y8i9s9
7'gJ=6
<7<]<g<q<
?}-------------+_7P^
7P:^:f:
|7Prrw
|}?7`r
:7V3W6A
7`{-vz
818=8d8p8|8
838@8R8_8
85898?8C8I8M8S8W8]8a8g8k8
8 8,828;8C8N8X8^8g8p8
8 8$8(8,8
8 8$8W8[8_8c8g8k8o8s8w8{8
8%9-959=9V9j9
?8?E?^?k?}?
=,?8?F?b?n?|?
=8=F=N=X=i=s=}=
8L8W8j8~8
8Q8X8f8m8
@,"8[w
8&w0?;
9,:0:8:<:
929@9g9t9
949>9J9k9}9
9$5U{t^[j
.9#6tn
9!949<9J9U9a9f9s9
9#9)9:9A9j9q9y9
9 9*9/9f9k9
9(9/9U9^9
9*9A9K9\9~9
9,9B9M9Y9^9m9~9
9A9N9]9k9
9B<]<!>'>5>>>J>
9 :<:f:
9I:^:p:
:9:i:s:
=9=O=k=q=
9Q"AyB
= =9=S=
.AAAAAAAAAAAAAAABB`:6/^^^^
{AAAAAcr7SJseC|
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
abnormal program termination
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
a_cmp.c
ADVAPI32.dll
a_env.c
AhhE|jm
Ajv~>"
AllIndex.ini
AllIndex.ini_d
Allocation too large or negative: %u bytes.
?-?A?n?
AO^1s4|
Assertion failed: 
Assertion failed!
Assertion Failed
Assertion failed: %s, file %s, line %d
av5U]j
;A<V<b<~<
axZDjue`
Bad memory block found at 0x%08X.
bAfxv<
$BBBBBBBBf`:oQ8^^^
begin::
B^e@N[
>B?I?P?a?r?
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
b*O:m),
B%T`"4
=Btx1X=
.''''''''''''''''''''''''c0^
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
C:\Documents and Settings\Administrator\
chsize.c
ch != _T('\0')
Client
client block at 0x%08X, subtype %x, %u bytes long.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
Client hook free failure.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
CloseHandle
cmss.exe
c$NNf"p
c%Nq[r{
CoCreateInstance
CoInitialize
CompareStringA
CompareStringW
<%<C<O<p<y<
CopyFileA
CoUninitialize
}}c$OX
CreateDirectoryA
CreateFileA
CreateProcessA
crt block at 0x%08X, subtype %x, %u bytes long.
_CrtCheckMemory()
_CrtDbgReport: String too long or IO Error
_CrtIsValidHeapPointer(pUserData)
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
cS_dF8
czOf|E
 : 		%d
 : 			%d
: 		%d
'-----------------------d*^
D6g}g 
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
DAMAGED
DAMAGE: on top of Free block at 0x%08X.
@.data
 Data: <%s> %s
dbgdel.cpp
dbgheap.c
dbgrpt.c
dbsjz|
DebugBreak
Debug %s!
DeleteFileA
Detected memory leaks!
]D..jM
DOMAIN error
dpY\33
Dumping objects ->
/E3w_j
),eCE|
=!=E=c>n>z>
ed18w=
E$Jt@GDG
:?:E:k:r:w:}:
=E>N>S>[>a>g>o>u>{>
E#Qq)L
Error: memory allocation: bad memory block type.
ExitProcess
Expression: 
=EyF_ 
F5p8c2
F@6IdM
f^_A8u:
failure, see the Visual C++ documentation on asserts
failure, see the Visual C++ documentation on asserts.
fclose.c
fffffffffv_74J^^^^
ffffv_Z43^^^^^
Fformat != NULL
fgetc.c
fgets.c
f		i^^
_filbuf.c
File: 
_file.c
#File Error#(%d) : 
filename != NULL
file != NULL
*file != _T('\0')
FileTimeToSystemTime
FindFirstFileA
FindNextFileA
*~#F)L
flag == 0 || flag == 1
- floating point not loaded
<F<l<q<
_flsbuf.c
FlushFileBuffers
$FOBX;
fopen.c
For information on how your program can cause an assertion
fprintf.c
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_freebuf.c
FreeEnvironmentStringsA
FreeEnvironmentStringsW
fRO+-;H9Az@Wy
fscanf.c
fseek.c
ftell.c
fz}7+xl
:":-:@:g:
G3^IdZb=.
GetACP
GetActiveWindow
_getbuf.c
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentThreadId
GetDiskFreeSpace
GetDiskFreeSpaceA
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileType
GetInputState
GetLastActivePopup
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetVolumeInformationA
%G\JJzF
__GLOBAL_HEAP_SELECTED
(GQ_e'G>
gVj$^:#
*gv.V(
`h````
HeapAlloc
_heapchk fails with _HEAPBADBEGIN.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADPTR.
_heapchk fails with unknown return value!
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
hi	}Yv
%hJJJJFH
h jUA'v
%hs allocated at file %hs(%d).
%hs(%d) : 
%hs located at 0x%08X is %u bytes long.
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
http://www.viprambler.com/newsinfo/uld/nettraveler.asp
HX*1>5Y
i'2 >t
i386\chkesp.c
: 		%I64d
IC#	pS
.idata
Ignore
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
Index.ini
input.c
InterlockedDecrement
InterlockedIncrement
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
Invalid allocation size: %u bytes.
ioinit.c
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
?IsProcessorFeaturePresent
i;vF&@
J<38^^^^^
/J{5~zE
)J{	9sJ
J{Aff_7beC|
JalTJ3^^^^
JanFebMarAprMayJunJulAugSepOctNovDec
Ji{xxxx_Oy|
JJ(Hccccc`
JJJJJ\,hE
JJJJJJ
JJJJJJJ
JJJJJJJJ
JJJJJJJJJ
JJJJJJJJJJ^
JJseCz|(
JmaEyO
>J?U?p?w?|?
<K<1=H=U=z=
k----------@=:64JD
kAAAAAAAAAAAActZSJ^^^^
=%>K>e>l>p>t>x>|>
-|kE#N
KERNEL32
KERNEL32.dll
>}K'gA/5s
KjQ7m 
kNc8heH
kT7o]\r
$kxs1+
	kz^8b
>!?<?L?
Largest number used: %ld bytes.
LCMapStringA
LCMapStringW
{%ld} 
%ld bytes in %ld %hs Blocks.
ldjV:O
LE}MqKs
length<=MAX_WND_SIZE
L}<G1`
Line: 
@_LN5a
L$NQZ9
LoadLibraryA
localind
L=RECYCLER_w
=@>L>S>~>
lstrcatA
lstrcmpA
lstrcpyA
lstrlenA
lTE	7h
MB_CUR_MAX == 1 || MB_CUR_MAX == 2
mbtowc.c
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
MessageBoxA
M	g=5U
Microsoft Visual C++ Debug Library
Microsoft Visual C++ Runtime Library
mode != NULL
*mode != _T('\0')
Module: 
MoveFileA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
MpZ2}u
M@Q|U	2
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
M~(!&v
mW1(J	
m{Z<^=
?mZm%Z
Normal
normal block at 0x%08X, %u bytes long.
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
|%n	pE
\n(sl*^
(null)
=N>W>k>z>~>
n\X|ZC
<!<N<Y<_<
%Ny`9r2+
oAud[{
=(=O=b=
o|}BBBBBBBBBBBBBBBBBBBBB+]7O^
Object dump complete.
offset<MAX_WND_SIZE
_{ohqn
o/KR^^^
ole32.dll
\%OO4Z[
_open.c
osfinfo.c
?o]"t=
output.c
OutputDebugStringA
{{{{{{{{{{{{{{{{{{{p
				P^
{{{{{{{{{{{{{p0
p3x3|6
p@({'6
;;;P;b;l;
?%?P?e?
_pFirstBlock == pHead
_pFirstBlock == pOldBlock
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
_pLastBlock == pHead
_pLastBlock == pOldBlock
PLwB.Q
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
PostThreadMessageA
ppxxxx
Pragma: no-cache
(Press Retry to debug the application)
(Press Retry to debug the application - JIT must be enabled)
printf.c
&pR+K~u
Program: 
Program Files
<program name unknown>
Program: %s%s%s%s%s%s%s%s%s%s%s
Proxy-Connection: Keep-Alive
PRSVWh
- pure virtual function call
@PVc44qf
q}3'vY
:Q;_;l;
~+Q	M	
QpBrQC
qRjw_+
-------+=r,
ra]VM[
R~B7CYx
.rdata
ReadFile
RECYCLER
RECYCLER_d
RECYCLER_u
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
@.reloc
R~'*hg
RtlUnwind
R|TpOC
runtime error 
Runtime Error!
=*=/=R=W=z=
 r	z&)
{{{{{{{{{{{{{{{{{{s
{{{{{{{{{{{{{{{{{{{s
S.{AaX
%s?action=datasize
%s?action=getdata
%s?action=updated&hostid=%s
%s(%d) : %s
Second Chance Assertion Failed: File %s, Line %d
seruvice
\seruvice.lnk
SetConsoleCtrlHandler
SetEndOfFile
setenv.c
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetHandleCount
SetStdHandle
SetUnhandledExceptionFilter
setvbuf.c
_sftbuf.c
SHELL32.dll
ShellExecuteA
%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=
SING error
size >= 0
smtp.live.com
smtp.yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sprintf.c
Start Menu
Startup
stdargv.c
stdenvp.c
stream.c
stream != NULL
string != NULL
str != NULL
strupr.c
Success:
%s:UNINSTALL
SunMonTueWedThuFriSat
%s:UPLOAD
SYSTEMIF
System Volume Information
szUserMessage != NULL
t>8K*v
TerminateProcess
=tGjyh
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. 
!This program cannot be run in DOS mode.
TLOSS error
Total allocations: %ld bytes.
T('R _
TranIndex.ini
(_@(tt(
t.;t$$t(
tvy2Gc
tzset.c
tZSJNW^^^
U0a0t0
[U8Fu6
UFflr1{]/Z
:U:h:t:
ulBytesCoded==ulDataLength
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
ungetc.c
UnhandledExceptionFilter
../updata.exe
\Uproject\UprojectWin32\Lz77.cpp
)\UprojectWin32\LZ7.cpp
<&<U<r<_=
user32.dll
USER32.dll
u>#[T"]8:
-@ux8J
:U:Y:]:
VC20XC00U
Vc)QE8
vebOpA
VirtualAlloc
VirtualFree
vsprintf.c
}V(YU<
<V<_<z<
V@-z"ci
{{{{{{{{{{{{w
{{{{{{{{{{{{{{{{{{{w
Warning
wDN=!@
WideCharToMultiByte
WINDOWS
WININET.dll
WriteFile
WS2_32.dll
wsprintfA
wtombenv.c
wwwwwwwwwwww
wwwwwwwwwwwwwwwwww{s
{{{{{{x
{{{{{{{{{{{{x
{{{{{{{{{{{{{{{{{{{x
~XPB'4
!XW:z)1
xxxx@gmail.com
 'XYU@fm
&XzJ0H
yVmR[8_
=Z1gN{
Z:1q	-u
?z5FO-C
z?9*+D
zgL$Xf
ZNQmyF
ZvNYqr{