Analysis Date: 2014-12-21 19:27:01
MD5: 16a88e42a645631f1c6189a28d947d3c
SHA1: 48a587f2b14cf4e462850385d8fb601f7ff2628b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nsp0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .nsp1: md5: 147c72f71f7a42bbb07ec24d518c8e1f sha1: c6891f6e11c07158d7099236f384237e916a35c4 size: 93009
Section .nsp2: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2006-07-04 11:34:50
Packer: NSPack 3.x -> Liu Xing Ping
PEhash: 85792b13beb5ebb7352428d02536b280c2e8a701
IMPhash: 28a18f58924d2f4dd2bffbbc85a12952
AV 360 Safe: Generic.Sdbot.4CD7EE79
AV Ad-Aware: Generic.Sdbot.4CD7EE79
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Generic.Sdbot.4CD7EE79
AV Authentium: W32/Downloader.AT.gen!Eldorado
AV Avira (antivir): TR/Downloader.Gen
AV BullGuard: Generic.Sdbot.4CD7EE79
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Win32.Backdoor.Rbot.1470B0D03
AV ClamAV: Trojan.SdBot-3329
AV Dr. Web: BackDoor.Wowish
AV Emsisoft: Generic.Sdbot.4CD7EE79
AV Eset (nod32): Win32/Rbot
AV Fortinet: W32/SdBot.IT!tr.bdr
AV Frisk (f-prot): W32/Downloader.AT.gen!Eldorado
AV F-Secure: Generic.Sdbot.4CD7EE79
AV Grisoft (avg): Win32/DH{ATaBEyADZwgJCg+BEiR8Ig}
AV Ikarus: Backdoor.Rbot
AV K7: Trojan ( 003bc76d1 )
AV Kaspersky: Backdoor.Win32.Rbot.gen
AV MalwareBytes: Malware.Packer.Gen
AV Mcafee: W32/Sdbot.worm.gen.g
AV Microsoft Security Essentials: Backdoor:Win32/Rbot
AV MicroWorld (escan): Generic.Sdbot.4CD7EE79
AV Rising: Backdoor.Win32.IRCbot.az
AV Sophos: W32/Rbot-BCE
AV Symantec: W32.Spybot.Worm
AV Trend Micro: WORM_RBOT.FJ
AV VirusBlokAda (vba32): OScope.Backdoor.Sdbot.Cgen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: c:\a.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\WINDOWS\system32\msnbeta.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\msnbeta.exe 0 "C:\malware.exe"
Creates Process: c:\a.bat
Creates Mutex: xyeaxhxp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ c:\a.bat

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg
Creates Process: REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg

Process
↳ c:\a.bat

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg
Deletes File: c:\a.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg
Creates Process: REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg

Process
↳ C:\WINDOWS\system32\msnbeta.exe 0 "C:\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSNS PLUS XP2 ➝ msnbeta.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\OLE\MSNS PLUS XP2 ➝ msnbeta.exe
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\MSNS PLUS XP2 ➝ msnbeta.exe
Creates File: c:\a.bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\malware.exe
Creates Process: c:\a.bat
Creates Mutex: xyeaxhxp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\TransportBindName ➝ \\x00

Process
↳ REGEDIT /S C:\Documents and Settings\Administrator\Local Settings\Temp\1.reg

Network Details:

DNS: ram.peruvianpower.com
Type: A
184.168.221.69
Flows TCP: 192.168.1.1:1031 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1032 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1033 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1034 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1037 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1038 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.69:6667
Flows TCP: 192.168.1.1:1040 ➝ 184.168.221.69:6667

Raw Pcap
0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 32363136 3939360d 0a555345   XXXX2616996..USE
0x00000020 (00032)   52207a78 70756d70 78747420 30203020   R zxpumpxtt 0 0 
0x00000030 (00048)   3a434f4d 50555445 522d5858 58585858   :COMPUTER-XXXXXX
0x00000040 (00064)   32363136 3939360d 0a                  2616996..

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 38373332 3838340d 0a555345   XXXX8732884..USE
0x00000020 (00032)   52207067 7a62616a 6d203020 30203a43   R pgzbajm 0 0 :C
0x00000030 (00048)   4f4d5055 5445522d 58585858 58583837   OMPUTER-XXXXXX87
0x00000040 (00064)   33323838 340d0a0d 0a                  32884....

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 32373430 3532300d 0a555345   XXXX2740520..USE
0x00000020 (00032)   52206a61 776c7363 64662030 2030203a   R jawlscdf 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585832   COMPUTER-XXXXXX2
0x00000040 (00064)   37343035 32300d0a 0a                  740520...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 37333538 3433350d 0a555345   XXXX7358435..USE
0x00000020 (00032)   5220626d 6c6c7a70 64782030 2030203a   R bmllzpdx 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585837   COMPUTER-XXXXXX7
0x00000040 (00064)   33353834 33350d0a 0a                  358435...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 32333635 3238310d 0a555345   XXXX2365281..USE
0x00000020 (00032)   52207364 75746e72 73662030 2030203a   R sdutnrsf 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585832   COMPUTER-XXXXXX2
0x00000040 (00064)   33363532 38310d0a 0a                  365281...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 39323138 3438300d 0a555345   XXXX9218480..USE
0x00000020 (00032)   5220696d 7761626c 68772030 2030203a   R imwablhw 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585839   COMPUTER-XXXXXX9
0x00000040 (00064)   32313834 38300d0a 0a                  218480...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 34343036 3133360d 0a555345   XXXX4406136..USE
0x00000020 (00032)   52207176 67717066 776d2030 2030203a   R qvgqpfwm 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585834   COMPUTER-XXXXXX4
0x00000040 (00064)   34303631 33360d0a 0a                  406136...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 30383331 3538390d 0a555345   XXXX0831589..USE
0x00000020 (00032)   52206363 63677477 76692030 2030203a   R cccgtwvi 0 0 :
0x00000030 (00048)   434f4d50 55544552 2d585858 58585830   COMPUTER-XXXXXX0
0x00000040 (00064)   38333135 38390d0a 0a                  831589...

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 34383338 3332350d 0a555345   XXXX4838325..USE
0x00000020 (00032)   5220677a 656a6d68 78203020 30203a43   R gzejmhx 0 0 :C
0x00000030 (00048)   4f4d5055 5445522d 58585858 58583438   OMPUTER-XXXXXX48
0x00000040 (00064)   33383332 350d0a0a 0a                  38325....

0x00000000 (00000)   4e49434b 20434f4d 50555445 522d5858   NICK COMPUTER-XX
0x00000010 (00016)   58585858 30323534 3233300d 0a555345   XXXX0254230..USE
0x00000020 (00032)   52207769 6f716162 6d203020 30203a43   R wioqabm 0 0 :C
0x00000030 (00048)   4f4d5055 5445522d 58585858 58583032   OMPUTER-XXXXXX02
0x00000040 (00064)   35343233 300d0a0a 0a                  54230....


Strings
cb..
f
.
.
m
..
.i

*/02cJ
03>{f[
1*;HPcpn
2oDZ{on
/@(3=C
	3jiStM4
3x{-nm
3=Z*)7L
/4]9o10M
5B8}B7]
.5<X5W
'6,"4%X
6Tc2fC~
6TkMeh:%
*_&7b`
7Cr m	<Sx
7G#o	W*	Ww
)7J )n
7+KA%Zv3G?
8g{!Is
8^j<6mBE0
"8loFS
8n2"S)(
/{>{)9
@@9A	@J
[9%m;X
9]ZP`n
aE4p2,
-aJIV$
AR,G^x
B2nv?p"w
B6xxg}e
BI9:c|&
bV&TI)
@cfE[`
chc>]U
~cMYd6
c^W 0i
cxb5		4!gC
D'>:D]I
~dgJcX
<Di&^$
dWMl07
e3)~6?%
e4Twbt
E"()-g
"E$joB
eu0=Gjz
ExitProcess
f\|D$'
fLwQa{
_g'1	V
@gDAd8
GetProcAddress
G`f1_[
g>;KI61
GQcj?JZ"
gQZyDx
&g:<S\"
<H{|0A
h@&noe}
HyED-9
h@z57h
i](_H=
ILS4L9
i	^mW/
iq0b@KZ
ir5M\S5
|"iS9K
-	Is<J
ji$(QM
JN1\AZ
j-TKDO
<+k^"<
;kDX0?
KERNEL32.DLL
KhDh	d
]K.q}$
L4H[1`*z
LoadLibraryA
l/R'%)
\m.(ay
M/dY$%
'm"we0C [
n2Ze:t
n&AwA6
NHe)^v+
nS8iqf
"'NYO1
[*o1Qh
@O>K==
ONX*G`\
o=s#$N
OZFf-q!95
p64CIc
{P6Tc!I
pBt^`]
P~?~=g%
]P&I~l
[|p^iv
p j}p4YEb
[pL?z	%
Q)([dV'x
#QfrU^
Q/:g+i
qmS:0C
{QV?kDU 
qVW%{"
qXX	LE]P
.qZR5aD
?rdaiZ
r<hK^]}
]rJs=3>P
[Ros\e
$ROTFv |j[D
}rpX]!
RX~0/=
s9!Y@2"
SC&IpW
sF@@|bIA0
sH=]b+
s^'I0}
sNbUdD
sZI	jG6
T1y8@^J=<\Q
tc26+kR
!This program cannot be run in DOS mode.
Tz(^m;
U,.-.._
u9$9&~
!_u$b	
`%uqT~
Uy`}/}
v7r76T
`VA(2Yi
v/d	2S
ve,B](
'vHkeq
VirtualAlloc
VirtualFree
VirtualProtect
;v$usP
VyOf!D
W3c88Ve=
W~^A2Z
$wjrKx!
W_?lJ<p
WS2_32.DLL
'Wy/.gwsT
#|x2Vx
$xc:b4L8
X*dBNr
x&'GHR}
xh=sxm
%XY;k"vlR
%y"7?k
Yb>x%c`
YO&<m.x
z0as(B"I
ZnkD`H
ztcM``
Z?/\urA C