Analysis Date: 2014-07-24 03:43:44
MD5: 3ed127365719d8a3d47cc162501e8478
SHA1: 6b2fbd8da1ce56d021048e4a22ed8a11fe2802ef

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0f11b43d845a854cc3ac46a377404809 sha1: 7cfa06d5f84b2d807e998a6b512aa6fdab7f69d7 size: 13312
Section .rdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data  md5: b085628af45f6390327bdcd133979141 sha1: 0ece9de6c08df392a24630387b869f22982ba8c8 size: 113664
Section .rsrc  md5: 662ef4cb51dcc31f0f0d77af3f8def1c sha1: 636d87f45cf9302c5e27fe612e5552ef715ec75c size: 5120
Timestamp: 2010-01-07 19:47:31
Version:
  LegalCopyright: Copyright © 2010 hF PC Tools. 2A All rights reserved. n2
  InternalName: BTvertu7x
  FileVersion: 7.0.0.61
  CompanyName: PC Tools
  LegalTrademarks:
  Comments:
  ProductName: WR
  ProductVersion: 7.0.0.61
  FileDescription: Spyware Doctor Component
  OriginalFilename: BTvertu7x
PEhash: 1ba6b0bba4ae52d65d76266c5e7b200e1e12f331
IMPhash: 1e05d78d77855bac3c09da95077f2890
AV 360 Safe: Trojan.Generic.5938365
AV Ad-Aware: Trojan.Generic.5938365
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Agent-229833
AV Dr. Web: Trojan.DownLoader2.39229
AV Emsisoft: Trojan.Generic.5938365
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan.Generic.5938365
AV Grisoft (avg): Generic22.NUC
AV Ikarus: Trojan-Downloader.Win32.Renos
AV K7: Trojan-Downloader ( 001359961 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Trojan.Generic.5938365
AV Norman: winpe/FakeAlert.DODM
AV Rising: Trojan.Win32.Generic.12860FF9
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_JORIK.SMRL
AV VirusBlokAda (vba32): BScope.Trojan.Diple

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: kiqconsultants.com
Winsock DNS: clubhamm.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: wsj.com (Type: A) ➝ 205.203.132.1
DNS: wsj.com (Type: A) ➝ 205.203.132.65
DNS: wsj.com (Type: A) ➝ 205.203.140.1
DNS: wsj.com (Type: A) ➝ 205.203.140.65
DNS: fastclick.com (Type: A) ➝ 64.156.167.84
DNS: nifty.com (Type: A) ➝ 210.131.4.217
DNS: kiqconsultants.com (Type: A)
DNS: clubhamm.com (Type: A)
DNS: firstjs.com (Type: A)
DNS: topkoel.com (Type: A)

Strings
.
4
M
040904E4
 2010 hF PC Tools. 2A All rights reserved. n2
7.0.0.61
BBABORT
BTvertu7x
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
FzEi
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
Spyware Doctor Component
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
zewH
014B8[<
=0B85B|
;0itqV
0-K3*GpqW
%@0__P
#0q%.K
1`B7K+
*;1`qdF
\%1w`j("
-22H1q
	26im,
>~/2]F
2{v;F 
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
36QoF@
3Vesion
5l|t,g
5StR+W
64$@p0h
6@~/@HY
%6 k}k
6pUX4I
'"6Vgo
70!Y@g
(7|5XRMj
76{54wk:\#
(7`a,Jh_0
7FxMCq3k_8bPl_@4
(7Ha0JL_8
&7,hr,
..7Kda
7\_lQX
^7(U,X4W
7{wvs6Tj
7Z WPS
8mnC@{
8qNRY;
8RUNIQSTR
`"8#+/W
8XUqK5*9
8:Z!a8
9er]S`CU
9faNgq
9FXr%h
$9j,Z6&
 9Q$s0
\9>vt*
9#Ztj-
(a[0z"
a6ZHwZ
a[8{7MAw+
aAs;O]2
_abZq_JuxNH3X
AFEYsf%
AHpr s
a["j+O4
[A$pVS
aRmLsW
Arr_7 o0
a~vP&A{
#@=aZGC
=AZ[WY
BEiIPiD&
>&"b:F@
bGfsBn3jt
bghZm@12
bhT\Cxs
!bL9)Hi
bn|^1x
#b@P@5
BTvertu7x
bxJ@e`K
B Zp=?A
Bz$Z?j
c3L<T)>
C<5lp_
Cb["O*
C&F'C5
CharNextA
CharTo
cR7cdd
|cZIO2
"[d1?9p
[D2GX{
d4kLkD
@.data
DC9@tl
dPHxqw
DQA-EcXZ
dqlBt[|
DrawMenuBar
DrLBTB
!Dy]::w
Ec#G9S
e>~HqB
EKNECkY
EndPaint
EnumChildWindows
EnumThreadWindows
Ev58md
ExitProcess
f67[4Y
	f'{9~
fabulEIL
^facYMq6
fpuRH@20
Fsud5t
fx62lE
Gaw{{`
GDQ ,1
GetMenu
GetMenuItemCount
GetWindowTextLengthA
gJ@[ {
gJ@h r
{*gJ@:W
Gp4LSOVaP
gPRQhu
`Gr"7hq
Gr!kq~w
GXqR}GR
,GYR5;4>
~H6.ll
H7\aPJ
>hhrCXj
hJJO}I@
hVdoWyF
hVq7.+
hYzfjA
&*HZgX
i68aOUtt
~i8R# 
?iDcVW
:IdhWAj'
Ifwxfa
iHByZi
]img[a
iOR@/ 3:
IsCharUpperA
IsDlgButtonChecked
j0h Sk
\J]A`q
jLx]+'
JqZ7bZr
JuBI8D
`kBuqZ
KERNEL32.DLL
kgg4[Q
KillTimer
KN9;vu
ko@d2;I
krqjIL7d
K"RQKS
LBn1Jga
lfGzQ(
.lfwsS@HLW
LirL"L^
_LjiUW6YmCLS7m
LoadLibraryA
lstrcpyA
lstrcpynA
mE[E5h
:MiFG\
M)pM1pM:
Ms25KGxY6Ch@8
MV~PKI
=:N8EK
N9&G1	
N{et-S
nRxqSF5
;@NW2P
%	NZ:W
os_"OVLEAUT0-
Ou`a:`Flrn
P$5T^>W
pCw	^w6lb
;pDvtF
PjC][p
 [>PO[	
%pw;2X
}@pX\jQ
q@-	3	*
q$B,[4
]	qblP
qIkY!b
qI!)/O!
Q`j4[=
qohFI9u6cw
}QTo3>
 Q$W(Z,a
qxBFNa=
Qyh2%T
,r4B<B
@|(RBc
RBv%CY
`.rdata
R]fo^^
R:$i/>
({RM3|
 {RM(x
:rOM	x
RS0kq9
RW3t`"
rYeCuLK
s6gJ@:o
sA\Proc=dj
SR5k3w
SU[z]310}dGp{
-[t0@^Q
T1352T
?_T3hy
~#t6fj
t*`9XF
TbDO[l
_tCxEF
].tex"F
t&GMk9
Th_ad!I
This program must be run under Win32
TK!ai"
t(RP\$
t:v_"`
ty`*%U
U[7^!gjpA
U#\'G7sc
UGJ7mQJc0cq
uHVXtS
U`.rdat
user32.dll
V%02xU[?#
v,4B^PSa
V9^(u!
_v9x9c@20
v*a[3j<OD
v)eV@p
VirtualAllocEx
v_,K<=
v,o?z)
VqoOrSCTXvgvUV@8
v S!]1rX
W2y{lz
W3KHFGE
w5VSj _
w\!djlOt
wFP0u4
WideCharToMultiByte
W_KjtO
Wl-dawK
wLSI{DF
Wpr,GhIqD
W@Qm6t
WriteFile
WRQPSja
@WS!(y
%WwE%"E;
xbPGKbM
_xcu2w
	xK,56
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
xnUrvodX
XRa@T.
|x'U\Z
*x&Y-7
Y6zW[t
Y7Bte9
Y8}XT$A[
Y+kXZa
Y@MVjBG)
yqE8W(&O
:yz;#B<s
z7mshlwapi
z8FB9s
z``A8"
:zaSBh
Z$A,w8
zjo>g9
zr7A!jo
Zrl=Fm
_zS_1GG7lRuLH@4
ZsW.2!\#+
ZT	cZj
ZWJ<rm
Z~ WzX