Analysis Date: 2015-05-19 14:18:27
MD5: 2fad0bcf431a5aa1a612ff4b1ec8d62a
SHA1: 5c17120158f38bc46314e9f5b68d615ad6472c15

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c123f46bd0ea0c1ac67ff0c5ae53d62c sha1: 08d68a791c19dd08737dcb557120ecaf6943648e size: 233472
Section .rdata md5: a54f46f74ec7d88c1907d4f45396073e sha1: 1450416e3c33c080cd21e0a4f4de9039d02bc50e size: 12288
Section .data md5: 80aa6b709519425ce760aef9d7ed2eb6 sha1: 8300b2b574f4a2aea0197714907d29578aaa7f1d size: 20480
Section .idata md5: d5bf3d49c1531ba9e7076809483f33d8 sha1: 5668a282e056eb4809c1bdeedb684d602afc9d88 size: 8192
Section .rsrc md5: 5091f618c8dcfdfb255be06168950faf sha1: 8ef3641cc46957c3c288295344e668e51a0b28f2 size: 32768
Section .reloc md5: 78ce811c205a793e1219938bece76567 sha1: 62c5067894bb98bdd8064632f4fed14cac87ade0 size: 53248
Section imxvjnf md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text md5: 7281996888b4de8d37c8be12de49b40a sha1: 744bb34cc0df2f6c09d81e348d35ee0a2fb9295a size: 159744
Timestamp: 2002-02-23 05:59:45
Pdb path@
PEhash: 9d595eed9b2c41190fe5920efed5a1c48749854d
IMPhash: d0706c5e131edbff1fdcd80995ce2b8e

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cmss.exe
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Start Menu\cmss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini_d
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\seruvice.lnk
Creates File: C:\5c17120158f38bc46314e9f5b68d615ad6472c15mgr.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\RECYCLER_w\AllIndex.ini
Creates Process: C:\5c17120158f38bc46314e9f5b68d615ad6472c15mgr.exe

Process
↳ C:\5c17120158f38bc46314e9f5b68d615ad6472c15mgr.exe

Network Details:

DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.176.126
DNS: smtp.glbdns2.microsoft.com
Type: A
65.55.163.152
DNS: smtp.live.com
Type: A

Raw Pcap

Strings
*
0
0
_
..
00-+ 
-E-0
-0
-
-
.
] 
-e-
\
.
.
.
0
0
  
...........?-  
0
 
0
0 
0
u
!
!
.\
{----}
.P.0..)..
4
[[.

Cjjj
Cjjjj
         (((((                  H
jjjj
jjjjjj
(null)
 _	-\\
:.:@:\:{:
{{{{{{{{
{{{{{{{{{{
{{{{{{{{{{{{{
{{{{{{{{{{{{{{{{{{{
#'#'#'#'#'",
########################
									
										
													
																								
{{{{{{{{{{{{0
{{{{{{{{{{{{{0
0(0.0?0\0
0"0'0,0F0L0[0e0n0w0
0#0/0@0K0T0`0h0t0{0
0	0!0y0
0(0D0X0t0
0:0E0L0W0_0h0x0
0 0j0p0t0x0|0
0"1(1.141:1@1F1L1R1X1^1d1j1p1v1|1
0 1L1b1n1
0*1Q1*2
>0>4>8><>@>
061B1i1
\06xTM
:':0:8:L:e:j:w:
0>&i_$@
![0p	1f
(0R$I3
$0x0&1/1>1J1Y1l1
'101}1
1)1:1K1\1m1
1*131<1M1S1\1d1x1
1'131?1T1b1y1
1.161A1H1W1c1{1
1@1E1w1
1?1M1k1y1
1*1M1m1
1%2H2k2
/14HN9
183F3i3w3
1`8	Ki
=1B0Sft=
<"<(<,<1<><H<s<
1J1o1{1
1L1n1u1
1O1W1]1k1u1z1
1#QNAN
1#SNAN
''''''''''''''''@2^
\2013\Uproject(
2$2*20262<2B2H2N2T2Z2`2f2
2 2&2,22282>2D2J2P2V2\2b2h2n2t2z2
2?2b2p2
2-2E2V2k2v2
2;2I2w2
2*2X2s2!3&3
2+333?3E3S3b3n3
2.373E3M3S3\3d3l3r3{3
2f3s3z3
2f*M#g
2J2e2w2}2
=2>r>v?
30A0o0}0
3 323<3c3
33333333333330
3333333333333333333
3 3%3O3
3%3F3O3
3&3H3v3
3'434|4
3*494a4k4
3?4g4*5#6
3"4L4X4
3B3I3w3~3
\,3C4to+
;-;3;E;
3.Kh0T
	/3`rE5
404<4x4
4$4)4J5f5
4.474A4K4T4b4
4$4I4\4~4
4,525j5z5
4$70:@<H?L?P?
; ;4;A;S;`;
%4d%2d%2d%2d%2d%2d%5s
; ;%;4;E;T;c;n;z;
4G5N5]5
!4JJJJ1Y^
;4;K;Y;b;h;s;y;
?4?=?m?
.4o&"R5p:6S:
4seCE|
4V5|556;6C6Q6W6j6
>">*>4>y>
505@5L5g5w5
51565<5
5%5.5C5
556>6V6[6
5+5.7<7m7{7
5#6]6n6w6
5	6B6N6S6
5?6L6d6
58+A`M
$'''''''''''''''-5D
5G5M5[5e5
;5;S;`;t;
637B7l7{7
65hK\=	#
6 6$6(6,6064686
6%676>6X6d6
$6(686@6D6L6P6\6`6p6x6|6
6+696Q6f6
6F6Q6g6
6I7b7n7
! )6PseC|(
6PY^^^^^
6<rcH+
=,=6=s=
<6<T<Q=[=a=l=x=}=
707B7Y7e7
717?7e7s7
748G8Z8
758T8e8
7!7'70767;7H7r7w7
7"7)707%8.878M8V8
7 7'7,70747Q7{7
7 7$7(7,70747
7 7-7?7L7
7'7.7U7s7z7
7%7Z7`7
787B7P7W7{7
7=8K8X8u8
:7;c;x;
7e8l8y8i9s9
<7<]<g<q<
7h+mgr.exe
?}-------------+_7P^
7P:^:f:
818=8d8p8|8
838@8R8_8
85898?8C8I8M8S8W8]8a8g8k8
8 8,828;8C8N8X8^8g8p8
8 8$8(8,8
8 8$8W8[8_8c8g8k8o8s8w8{8
8%9-959=9V9j9
?8?E?^?k?}?
=,?8?F?b?n?|?
=8=F=N=X=i=s=}=
8L8W8j8~8
[|=8':o
8Q8X8f8m8
/8Z<-o
\9 @|,,~
%)'9<[
9,:0:8:<:
929@9g9t9
949>9J9k9}9
9!949<9J9U9a9f9s9
9#9)9:9A9j9q9y9
9 9*9/9f9k9
9(9/9U9^9
9*9A9K9\9~9
9,9B9M9Y9^9m9~9
9A9N9]9k9
9B<]<!>'>5>>>J>
9 :<:f:
9HYcq:
9I:^:p:
:9:i:s:
9.K!al
9M<!TU
=9=O=k=q=
= =9=S=
.AAAAAAAAAAAAAAABB`:6/^^^^
{AAAAAcr7SJseC|
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-/
abnormal program termination
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
a_cmp.c
ADVAPI32.dll
a_env.c
Ak_:ou
AllIndex.ini
AllIndex.ini_d
Allocation too large or negative: %u bytes.
?-?A?n?
Assertion failed: 
Assertion failed!
Assertion Failed
Assertion failed: %s, file %s, line %d
Av}9N5
;A<V<b<~<
b3XXW.@
B8J%oy
.b9j&}
Bad memory block found at 0x%08X.
$BBBBBBBBf`:oQ8^^^
begin::
$B@h.Y
>B?I?P?a?r?
B(K%oq
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
B)m<hx
BnJ%oD
BxN%oyh>[
;b-yy3]
.''''''''''''''''''''''''c0^
}c0Gf|
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
C:\Documents and Settings\Administrator\
\cEt`BV~
cHh`Wm
chsize.c
ch != _T('\0')
ch!U]]Di-
Client
client block at 0x%08X, subtype %x, %u bytes long.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
Client hook free failure.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
CloseHandle
cmss.exe
"Cn!Aa
CoCreateInstance
CoInitialize
CompareStringA
CompareStringW
<%<C<O<p<y<
CopyFileA
CoUninitialize
CreateDirectoryA
CreateFileA
CreateProcessA
crt block at 0x%08X, subtype %x, %u bytes long.
_CrtCheckMemory()
_CrtDbgReport: String too long or IO Error
_CrtIsValidHeapPointer(pUserData)
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
 : 		%d
 : 			%d
: 		%d
'-----------------------d*^
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
DAMAGED
DAMAGE: on top of Free block at 0x%08X.
@.data
 Data: <%s> %s
dbgdel.cpp
dbgheap.c
dbgrpt.c
dbmOu}ZGebnK
DebugBreak
Debug %s!
DeleteFileA
Detected memory leaks!
&#Di6PY
DOMAIN error
Dumping objects ->
DxL^I[
\e+6CT
e.Ac[+
),eCE|
=!=E=c>n>z>
'ec*y$z
Eh6K!P
ehP|/*D|
:?:E:k:r:w:}:
=E>N>S>[>a>g>o>u>{>
Error: memory allocation: bad memory block type.
EX/eZY
ExitProcess
Expression: 
,F3{d8
f6e'pp
failure, see the Visual C++ documentation on asserts
failure, see the Visual C++ documentation on asserts.
fclose.c
fffffffffv_74J^^^^
ffffv_Z43^^^^^
Fformat != NULL
fgetc.c
fgets.c
f		i^^
_filbuf.c
File: 
_file.c
#File Error#(%d) : 
filename != NULL
file != NULL
*file != _T('\0')
FileTimeToSystemTime
FindFirstFileA
FindNextFileA
flag == 0 || flag == 1
- floating point not loaded
<F<l<q<
_flsbuf.c
FlushFileBuffers
fopen.c
For information on how your program can cause an assertion
fprintf.c
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_freebuf.c
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
fS*3j}
fscanf.c
fseek.c
ftell.c
:":-:@:g:
GA7S~mK
GetACP
GetActiveWindow
_getbuf.c
GetCommandLineA
GetComputerNameA
GetCPInfo
GetCurrentProcess
GetCurrentThreadId
GetDiskFreeSpace
GetDiskFreeSpaceA
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileAttributesA
GetFileSize
GetFileType
GetInputState
GetLastActivePopup
GetLastError
GetLocalTime
GetLogicalDriveStringsA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetTempFileNameA
GetTempPathA
GetTickCount
GetTimeZoneInformation
GetVersion
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
g>^'gX
%G\JJzF
__GLOBAL_HEAP_SELECTED
%GOP<[
;G_YVo6
`h````
+h7}?}
*h7N,y
HeapAlloc
_heapchk fails with _HEAPBADBEGIN.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADPTR.
_heapchk fails with unknown return value!
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HeapValidate
%hJJJJFH
H,LFLd
hLI'}|%
Hmgfys
H'ox@H[
%hs allocated at file %hs(%d).
%hs(%d) : 
%hs located at 0x%08X is %u bytes long.
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
http://www.viprambler.com/newsinfo/uld/nettraveler.asp
^HyU4E; !:
HY_^Z[
i386\chkesp.c
: 		%I64d
iCdKzJc
iCkq4s
.idata
Ignore
Ii'Be?
imxvjnf
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
Index.ini
input.c
InterlockedDecrement
InterlockedIncrement
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
Invalid allocation size: %u bytes.
ioinit.c
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
?IsProcessorFeaturePresent
IW_;+\
IxNXwY
iz ex 
J<38^^^^^
j$5]G=hpzX^
:j9tr 
J{Aff_7beC|
JalTJ3^^^^
JanFebMarAprMayJunJulAugSepOctNovDec
j/,+eu\
Ji{xxxx_Oy|
JJ(Hccccc`
JJJJJ\,hE
JJJJJJ
JJJJJJJ
JJJJJJJJ
JJJJJJJJJ
JJJJJJJJJJ^
JJseCz|(
j.k$7x
J%oxGf
J%oxrq
J~rDTm
{jtV2j
>J?U?p?w?|?
.`JYK2
JZgoC&
<K<1=H=U=z=
k----------@=:64JD
kAAAAAAAAAAAActZSJ^^^^
kA	:M9
K<A/]v
;k<av/w
=%>K>e>l>p>t>x>|>
KERNEL32
kernel32.dll
KERNEL32.dll
:Kqok+%s
>!?<?L?
Largest number used: %ld bytes.
LCMapStringA
LCMapStringW
{%ld} 
%ld bytes in %ld %hs Blocks.
length<=MAX_WND_SIZE
%l.h<ZB\+i
Line: 
LNx-\,
LoadLibraryA
localind
L=RECYCLER_w
=@>L>S>~>
lstrcatA
lstrcmpA
lstrcpyA
lstrlenA
lwF3D(+T5GE
LYg\l;
M/$^86
MB_CUR_MAX == 1 || MB_CUR_MAX == 2
mbtowc.c
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
MessageBoxA
M{<HMo
:~mhYAyb
Microsoft Visual C++ Debug Library
Microsoft Visual C++ Runtime Library
mJk~j2
mode != NULL
*mode != _T('\0')
Module: 
MoveFileA
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
&^\n^4K
nAsc"0`
(NB2tN
""nJnoee
-;nOBu
Normal
normal block at 0x%08X, %u bytes long.
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
N$sd^4
(null)
Nw{dTY
=N>W>k>z>~>
<!<N<Y<_<
o!5PFi
/{:o,8}g
=(=O=b=
o|}BBBBBBBBBBBBBBBBBBBBB+]7O^
Object dump complete.
o-,bZ&
O	Cx[;<
offset<MAX_WND_SIZE
o/KR^^^
ole32.dll
_open.c
OpenMutexA
osfinfo.c
output.c
OutputDebugStringA
OVn<yj
%ox(<[
%oy}<[
%oyf<[
*&oy,k^
%oym<[
%oyr<[
_o/&&z
%ozh<[
{{{{{{{{{{{{{{{{{{{p
				P^
{{{{{{{{{{{{{p0
p3x3|6
P7G}nJ
;;;P;b;l;
)P%Bz^{
Pc@!CF
?%?P?e?
_pFirstBlock == pHead
_pFirstBlock == pOldBlock
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
pi ^(A
_pLastBlock == pHead
_pLastBlock == pOldBlock
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
PostThreadMessageA
p'PKI6
ppxxxx
*PQ(G#
Pragma: no-cache
(Press Retry to debug the application)
(Press Retry to debug the application - JIT must be enabled)
printf.c
Program: 
Program Files
<program name unknown>
Program: %s%s%s%s%s%s%s%s%s%s%s
Proxy-Connection: Keep-Alive
PRSVWh
p`(s'4H
- pure virtual function call
Q^2UAT
QD"?j=
:Q;_;l;
%qP^<[
-------+=r,
;r28cy
Rb~BH2
.rdata
ReadFile
RECYCLER
RECYCLER_d
RECYCLER_u
RegCloseKey
RegOpenKeyExA
RegQueryValueExA
rE"\"I
@.reloc
rhBC)l^
?RN)*%
RtlUnwind
runtime error 
Runtime Error!
=*=/=R=W=z=
{{{{{{{{{{{{{{{{{{s
{{{{{{{{{{{{{{{{{{{s
%s?action=datasize
%s?action=getdata
%s?action=updated&hostid=%s
%s(%d) : %s
Second Chance Assertion Failed: File %s, Line %d
seruvice
\seruvice.lnk
SetConsoleCtrlHandler
SetEndOfFile
setenv.c
SetEnvironmentVariableA
SetFileAttributesA
SetFilePointer
SetHandleCount
SetStdHandle
SetUnhandledExceptionFilter
setvbuf.c
_sftbuf.c
SHELL32.dll
ShellExecuteA
s.hm+-
%s?hostid=%s&hostname=%s&hostip=%s&filename=%s&filestart=%u&filetext=
SING error
size >= 0
!sJ:e.
smtp.live.com
smtp.yahoo.com
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
S!oyP<[
sprintf.c
SRQWVj
Start Menu
Startup
stdargv.c
stdenvp.c
stream.c
stream != NULL
string != NULL
str != NULL
strupr.c
Success:
su[iySM
%s:UNINSTALL
SunMonTueWedThuFriSat
%s:UPLOAD
S]v3._d
-s$vpp
SYSTEMIF
System Volume Information
szUserMessage != NULL
_t5#+h7
TerminateProcess
(tfnxZ
=tGjyh
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. 
!This program cannot be run in DOS mode.
)tiP1 
;t@k/c
TLOSS error
TNjN[d
Total allocations: %ld bytes.
To<V8r|
TranIndex.ini
T[TqN=
t.;t$$t(
t{W'#?Gv
.[_&tX
tzset.c
tZSJNW^^^
U0a0t0
UGQ('L89^~
:U:h:t:
ukIA6K
ulBytesCoded==ulDataLength
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
ungetc.c
UnhandledExceptionFilter
uob2f:"
u_Op5P6<
../updata.exe
\Uproject\UprojectWin32\Lz77.cpp
)\UprojectWin32\LZ7.cpp
U[q^L!;3
<&<U<r<_=
user32.dll
USER32.dll
;u#[Xu
:U:Y:]:
v45V9g
VBM)j5
VC20XC00U
vF:^&Y
Vh_@dE
VirtualAlloc
VirtualFree
v+NO++
vO,n~Q
vr_)=MU
vsprintf.c
VWQRSj
<V<_<z<
{{{{{{{{{{{{w
{{{{{{{{{{{{{{{{{{{w
{w;0r'
`w.$5k
Warning
WC}r_B
WideCharToMultiByte
WINDOWS
WININET.dll
!wiq3"/+,
w!`/pm
`Wr"a'
WriteFile
WS2_32.dll
wsprintfA
wtombenv.c
WV@V U
wwwwwwwwwwww
wwwwwwwwwwwwwwwwww{s
{{{{{{x
{{{{{{{{{{{{x
{{{{{{{{{{{{{{{{{{{x
x5ylQ0
,X]FtX
<XH'm{
xV} s:
+{x@wB
>xwBx*/n
xxxx@gmail.com
Yex$P\;z
`-y|I(
^Y*Nb?
Y)p1j4
z~]>|-
_[+Z80
,zS3`6e
<zs'?w
ZTyYGo&
ZZa,P1OJ