Analysis Date: 2015-10-18 06:23:27
MD5: 86b25686c39fcb5b106a5811468afc4a
SHA1: 5bf61d4eba2ef50677768372abaf6120374e2ac8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 62151f4a36034214713455f7e4a0bb47 sha1: 55b14cfd1e4cae0205c8ac2d54260b316d081d20 size: 28672
Section .rdata: md5: b879e0ee3afc8dfef239f039686046b3 sha1: 5c6af7641ca98b4b617c4b310fb2bcfe7da4f06c size: 8192
Section .data: md5: 7d6399ea800b499ed94618eb780fd840 sha1: b7992b99d56dbfbe4fb1b825ce92b3a4e41c810f size: 16384
Section .rsrc: md5: ef84bc7d5b98b6d175fc8e4c22a7743e sha1: 9735dee50007b7393aea0549e108d6937453a5fb size: 45056
Timestamp: 2008-08-27 04:49:02
Version:
LegalCopyright: Copyright ? 2010
InternalName: Server
FileVersion: 1, 0, 0, 1
CompanyName: Microsoft
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Microsoft Server
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: Server
OriginalFilename: Server.exe
Packer: Installer VISE Custom
PEhash: 74a5b0d458f94f915dc6cdc85939f30b5a966a6c
IMPhash: fb3518abe2e2019f3af4d9acb91dda91
AV CA (E-Trust Ino): Win32/Nitol.AF
AV F-Secure: Generic.ServStart.E95B9F46
AV Dr. Web: Trojan.DownLoader5.3601
AV ClamAV: WIN.Dropper.Inject-6
AV Arcabit (arcavir): Generic.ServStart.E95B9F46:Gen:Variant.Graftor.17698
AV BullGuard: Generic.ServStart.E95B9F46
AV Padvish: no_virus
AV VirusBlokAda (vba32): SScope.Trojan.Unigo
AV CAT (quickheal): Trojan.ServStart.A4
AV Trend Micro: WORM_NITOL.SMB
AV Kaspersky: Trojan.Win32.Generic:Trojan.Win32.Invader
AV Zillya!: Trojan.ServStart.Win32.556
AV Emsisoft: Generic.ServStart.E95B9F46
AV Ikarus: Trojan.Win32.MicroFake
AV Frisk (f-prot): no_virus
AV Authentium: W32/Trojan.KQYT-0990
AV MalwareBytes: no_virus
AV MicroWorld (escan): Generic.ServStart.E95B9F46
AV Microsoft Security Essentials: DDoS:Win32/Nitol.A
AV K7: Trojan ( 0040f5c11 )
AV BitDefender: Generic.ServStart.E95B9F46
AV Fortinet: W32/ServStart.AA!tr
AV Symantec: no_virus
AV Grisoft (avg): Generic34.ACWI
AV Eset (nod32): Win32/ServStart.AD
AV Alwil (avast): Nitol-A [Trj]:ServStart-C [Trj]
AV Ad-Aware: Generic.ServStart.E95B9F46
AV Twister: Virus.EC90@2FF50FF15@124.mg
AV Avira (antivir): TR/ATRAPS.Gen
AV Mcafee: GenericR-ERE!86B25686C39F
AV Rising: Backdoor.Overie!486D

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauservyab\Description ➝
\\xc6\\xf4\\xd3\\xc3\\xcf\\xc2\\xd4\\xd8\\xba\\xcd\\xb0\\xb2\\xd7\\xb0 Windows \\xb8\\xfc\\xd0\\xc2\\xa1\\xa3\\xc8\\xe7\\xb9\\xfb\\xb4\\xcb\\xb7\\xfe\\xce\\xf1\\xb1\\xbb\\xbd\\xfb\\xd3\\xc3\\xa3\\xac\\xd5\\xe2\\xcc\\xa8\\xbc\\xc6\\xcb\\xe3\\xbb\\xfa\\xbd\\xab\\xce\\xde\\xb7\\xa8\\xca\\xb9\\xd3\\xc3\\xa1\\xb0\\xd7\\xd4\\xb6\\xaf\\xb8\\xfc\\xd0\\xc2\\xa1\\xb1\\xb9\\xa6\\xc4\\xdc\\xba\\xcd Windows Update \\xcd\\xf8\\xd5\\xbe\\xa1\\xa3 nbq
Creates File: C:\WINDOWS\system32\boxlou.exe
Creates Process: calc.exe
Creates Service: \\xd7\\xd4\\xb6\\xaf\\xb8\\xfc\\xd0\\xc2vvm - C:\WINDOWS\system32\boxlou.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\boxlou.exe

Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\d35c221f74db5d48b3aa3ad663400c85\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: hra33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: hra33.dll
Creates Mutex: wuauservyab

Process
↳ calc.exe

Network Details:

DNS: dnspod-free.mydnspod.net
Type: A
119.28.48.228
DNS: www.wg.gd
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1032 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1033 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1034 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1035 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1036 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1037 ➝ 119.28.48.228:8888
Flows TCP: 192.168.1.1:1038 ➝ 119.28.48.228:8888

Raw Pcap
0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..

0x00000000 (00000)   8888                                  ..


Strings