Analysis Date: 2014-07-05 08:48:52
MD5: b963211c4e22739917076da49f5ee74f
SHA1: 6c328bcd6c806877abd82e345055eb1f906e9e27

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3c12d8ec81a17648394f48b961fd9bce  sha1: d5330143546725fcd74bac884926a2088c6b6415  size: 462848
Section .rdata  md5: b1bbc63d7a8a451bc490756becaa3c12  sha1: ad932f3ea8565ff4b36a0ac92c9ad33a4e4a6bf5  size: 86016
Section .data   md5: 2d54261748bba08885ea831f42505648  sha1: fd8e05c87a2db010c40b1bbb91496b3e76ba878a  size: 65536
Section .rsrc   md5: 6f579866b4354cedc436347ce09b844d  sha1: 5203bf0fa25386ce1026a520cc00c2539f348bad  size: 122880
Timestamp: 2010-12-09 17:12:25
Version:
  LegalCopyright: 作者版权所有 请尊重并使用正版 (Copyright held by the author; please respect it and use the genuine version)
  FileVersion: 1.0.0.0
  Comments: 本程序使用易语言编写(http://www.eyuyan.com) (This program was written in Easy Language, 易语言: http://www.eyuyan.com)
  ProductName: 易语言程序 (Easy Language program)
  ProductVersion: 1.0.0.0
  FileDescription: 易语言程序 (Easy Language program)
Packer: Microsoft Visual C++ v6.0 (a compiler/linker signature, not evidence of packing; Easy Language binaries are linked with the VC6 toolchain, so this match is expected for the version strings above)
PEhash: c990c036814f307ac53a30cf7d310fc9766bb597
IMPhash: 4cd29350c067f3b43e2a082ba7b2d31a
AV results: 13 of 29 engines detect. The detection names are generic and inconsistent (Trojan.Generic, Rogue, FakeAlert, Hupigon, OnLineGames, DelfInject), so they give no reliable family attribution.
AV 360 Safe: Trojan.Generic.KDV.184412
AV Ad-Aware: Trojan.Generic.KDV.184412
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Agent.EW.gen!Eldorado
AV Avira (antivir): TR/Rogue.kdv.184412
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.KDV.184412
AV Eset (nod32): no_virus
AV Fortinet: W32/Hupigon.QRMH!tr.bdr
AV Frisk (f-prot): W32/Agent.EW.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Trojan:W32/DelfInject.R
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Backdoor ( 04c546031 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Generic FakeAlert.iv
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Generic.KDV.184412
AV Norman: winpe/OnLineGames.LWBP
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014070520140706\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\internet[1].gif
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\zzzzj[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014070520140706!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zcbwz11.web-43.com
Winsock DNS: shedao.uueasy.com
Winsock DNS: www.qzxy8.com
Winsock DNS: www.zzzzj.com
Winsock DNS: luxifazhu.uueasy.com
Winsock DNS: www.941au.com.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList
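
Most of the "Creates File" and "Creates Mutex" entries above for both processes are WinINet and Internet Explorer housekeeping: the index.dat cache, history and cookie files, the `_!SHMSFTHISTORY!_` and `WininetConnectionMutex` mutexes, and the `c:!...!` mutexes (the cache directory path with backslashes turned into `!`), which any process that calls the WinINet API produces; `\Device\Afd\*` and `PIPE\lsarpc` are likewise Winsock and LSA internals. The actionable indicators are the resolved names, the requested URLs and the two cached copies (`zzzzj[1].htm`, `internet[1].gif`). The following Python is an added triage example, not part of the sandbox report: it parses the report's fused `<label><value>` lines, separates that housekeeping from sample-specific indicators, and tallies both. The category names are my own, the input is a constructed excerpt of the lines above, and the `ConstructedMutexForDemo` line is not in the report; it is there only so the non-noise mutex branch is exercised.

```python
import re

# Constructed sample: an excerpt of the "Runtime Details" lines above for
# C:\malware.exe, kept in the report's fused "<label><value>" layout. The
# "ConstructedMutexForDemo" line is NOT in the report; it is added so the
# non-noise branch is exercised.
SAMPLE_REPORT = r"""Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\internet[1].gif
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\zzzzj[1].htm
Deletes FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Creates Mutex_!SHMSFTHISTORY!_
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates MutexConstructedMutexForDemo
Winsock DNSzcbwz11.web-43.com
Winsock DNSshedao.uueasy.com
Winsock DNSwww.zzzzj.com
"""

LABELS = ("Creates File", "Deletes File", "Creates Mutex", "Winsock DNS")

# WinINet/IE housekeeping: cache, history and cookie index files plus the
# mutexes WinINet holds while touching them (the cache-directory mutex is the
# directory path with '\' replaced by '!'). Any process that uses the WinINet
# API produces these, so they say nothing about the sample itself.
_WININET_INDEX = re.compile(
    r"\\(Temporary Internet Files\\Content\.IE5|History\\History\.IE5|Cookies)\\.*index\.dat$",
    re.IGNORECASE)
# A non-index file under a Content.IE5 subfolder is a cached copy of fetched content.
_WININET_CACHE_FILE = re.compile(r"\\Content\.IE5\\[0-9A-Z]{8}\\([^\\]+)$", re.IGNORECASE)
_WININET_MUTEXES = {"_!SHMSFTHISTORY!_", "WininetConnectionMutex"}
_PATH_MUTEX = re.compile(r"^[a-z]:!.*!$")
# Winsock kernel endpoints and the LSA RPC pipe: generic to any networking process.
_OS_OBJECTS = ("\\Device\\Afd\\", "PIPE\\lsarpc")


def classify(line: str):
    """Return (label, value, category) for one report line, or None if it is
    not one of the labels handled here."""
    for label in LABELS:
        if line.startswith(label):
            value = line[len(label):]
            break
    else:
        return None
    if label in ("Creates File", "Deletes File"):
        if _WININET_INDEX.search(value):
            return label, value, "wininet_housekeeping"
        if value.startswith(_OS_OBJECTS):
            return label, value, "winsock_internal"
        m = _WININET_CACHE_FILE.search(value)
        if m:
            return label, m.group(1), "cached_download"
        return label, value, "file_ioc"
    if label == "Creates Mutex":
        if value in _WININET_MUTEXES or _PATH_MUTEX.match(value):
            return label, value, "wininet_housekeeping"
        return label, value, "mutex_ioc"
    return label, value, "domain_ioc"  # Winsock DNS


def triage(text: str) -> dict:
    """Split report lines into deduplicated indicators and per-category noise counts."""
    buckets = {"domain_ioc": "domains", "mutex_ioc": "mutexes",
               "file_ioc": "files", "cached_download": "downloads"}
    result = {"iocs": {name: [] for name in buckets.values()}, "noise": {}}
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        _, value, cat = hit
        if cat in buckets:
            if value not in result["iocs"][buckets[cat]]:
                result["iocs"][buckets[cat]].append(value)
        else:
            result["noise"][cat] = result["noise"].get(cat, 0) + 1
    return result


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    for name, items in r["iocs"].items():
        print(f"{name}: {items}")
    print("noise:", r["noise"])
```

Run against the full report, the same filter leaves only the six DNS names, the four HTTP requests and the two cached files as sample-specific behaviour; everything else in the two process blocks is what an IE6-era WinINet client does on its first request.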

Network Details:

DNS www.zzzzj.com  Type: A  ➝ 175.41.20.20
DNS a.uueasy.com  Type: A  ➝ 42.120.63.199
DNS www.941au.com.cn  Type: A  (no address recorded)
DNS www.qzxy8.com  Type: A  (no address recorded)
DNS zcbwz11.web-43.com  Type: A  (no address recorded)
DNS shedao.uueasy.com  Type: A  (no address recorded)
DNS luxifazhu.uueasy.com  Type: A  (no address recorded)
HTTP GET http://www.zzzzj.com/
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://shedao.uueasy.com/index-htm-m-bbs.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://luxifazhu.uueasy.com/index-htm-m-bbs.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET http://www.zzzzj.com/internet.gif
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP 192.168.1.1:1032 ➝ 175.41.20.20:80
Flows TCP 192.168.1.1:1034 ➝ 42.120.63.199:80
Flows TCP 192.168.1.1:1035 ➝ 42.120.63.199:80
Flows TCP 192.168.1.1:1036 ➝ 175.41.20.20:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782d68 746d2d6d   GET /index-htm-m
0x00000010 (00016)   2d626273 2e68746d 6c204854 54502f31   -bbs.html HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 4c616e67 75616765   .Accept-Language
0x00000040 (00064)   3a20656e 2d75730d 0a416363 6570742d   : en-us..Accept-
0x00000050 (00080)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000060 (00096)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000090 (00144)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000a0 (00160)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000b0 (00176)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000c0 (00192)   0d0a486f 73743a20 73686564 616f2e75   ..Host: shedao.u
0x000000d0 (00208)   75656173 792e636f 6d0d0a43 6f6e6e65   ueasy.com..Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....

0x00000000 (00000)   47455420 2f696e64 65782d68 746d2d6d   GET /index-htm-m
0x00000010 (00016)   2d626273 2e68746d 6c204854 54502f31   -bbs.html HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 4c616e67 75616765   .Accept-Language
0x00000040 (00064)   3a20656e 2d75730d 0a416363 6570742d   : en-us..Accept-
0x00000050 (00080)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000060 (00096)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000090 (00144)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000a0 (00160)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000b0 (00176)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000c0 (00192)   0d0a486f 73743a20 6c757869 66617a68   ..Host: luxifazh
0x000000d0 (00208)   752e7575 65617379 2e636f6d 0d0a436f   u.uueasy.com..Co
0x000000e0 (00224)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000f0 (00240)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 7777772e 7a7a7a7a 6a2e636f   st: www.zzzzj.co
0x000000c0 (00192)   6d0d0a43 6f6e6e65 6374696f 6e3a204b   m..Connection: K
0x000000d0 (00208)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f696e74 65726e65 742e6769   GET /internet.gi
0x00000010 (00016)   66204854 54502f31 2e310d0a 41636365   f HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a526566 65726572   pt: */*..Referer
0x00000030 (00048)   3a206874 74703a2f 2f777777 2e7a7a7a   : http://www.zzz
0x00000040 (00064)   7a6a2e63 6f6d2f0d 0a416363 6570742d   zj.com/..Accept-
0x00000050 (00080)   4c616e67 75616765 3a20656e 2d75730d   Language: en-us.
0x00000060 (00096)   0a416363 6570742d 456e636f 64696e67   .Accept-Encoding
0x00000070 (00112)   3a20677a 69702c20 6465666c 6174650d   : gzip, deflate.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f342e30 2028636f 6d706174   illa/4.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452036 2e303b20   ible; MSIE 6.0; 
0x000000b0 (00176)   57696e64 6f777320 4e542035 2e313b20   Windows NT 5.1; 
0x000000c0 (00192)   5356313b 202e4e45 5420434c 5220322e   SV1; .NET CLR 2.
0x000000d0 (00208)   302e3530 37323729 0d0a486f 73743a20   0.50727)..Host: 
0x000000e0 (00224)   7777772e 7a7a7a7a 6a2e636f 6d0d0a43   www.zzzzj.com..C
0x000000f0 (00240)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x00000100 (00256)   416c6976 650d0a0d 0a                  Alive....
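
The hex dumps above are the only place the report preserves the complete request bytes, including the exact header order and line endings that a network signature would key on. The following Python is an added example, not part of the report: it rebuilds the bytes from this dump layout (hex offset, decimal offset, up to four 8-digit hex groups, then an ASCII rendering), verifies that each line's offset follows on from the previous one, and parses the resulting HTTP request so the Host, path and User-Agent can be compared with the "HTTP GET" lines in the Network Details. The input is the first dump (shedao.uueasy.com), copied as a constructed sample; the column-layout assumptions are mine.

```python
import re

# Constructed sample: the first request from the "Raw Pcap" section above,
# copied in the sandbox's dump layout (hex offset, decimal offset, up to four
# 8-digit hex groups, then an ASCII rendering with non-printables as dots).
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782d68 746d2d6d   GET /index-htm-m
0x00000010 (00016)   2d626273 2e68746d 6c204854 54502f31   -bbs.html HTTP/1
0x00000020 (00032)   2e310d0a 41636365 70743a20 2a2f2a0d   .1..Accept: */*.
0x00000030 (00048)   0a416363 6570742d 4c616e67 75616765   .Accept-Language
0x00000040 (00064)   3a20656e 2d75730d 0a416363 6570742d   : en-us..Accept-
0x00000050 (00080)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x00000060 (00096)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x00000070 (00112)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x00000080 (00128)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000090 (00144)   49452036 2e303b20 57696e64 6f777320   IE 6.0; Windows 
0x000000a0 (00160)   4e542035 2e313b20 5356313b 202e4e45   NT 5.1; SV1; .NE
0x000000b0 (00176)   5420434c 5220322e 302e3530 37323729   T CLR 2.0.50727)
0x000000c0 (00192)   0d0a486f 73743a20 73686564 616f2e75   ..Host: shedao.u
0x000000d0 (00208)   75656173 792e636f 6d0d0a43 6f6e6e65   ueasy.com..Conne
0x000000e0 (00224)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000f0 (00240)   650d0a0d 0a                           e....
"""

_LINE_RE = re.compile(r"^0x([0-9a-fA-F]+)\s+\((\d+)\)\s+(.*)$")
_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_hexdump(text: str) -> bytes:
    """Rebuild raw bytes from a sandbox-style hex dump.

    Only the hex groups are decoded; the ASCII column is ignored because it
    hides non-printable bytes behind dots. Each line's decimal offset must
    equal the number of bytes recovered so far, so a dropped or reordered
    line raises instead of silently corrupting the stream.
    """
    out = bytearray()
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # blank or non-dump text between packets
        offset = int(m.group(2))
        if offset != len(out):
            raise ValueError(f"line at offset {offset} does not follow {len(out)} bytes")
        groups = []
        for tok in m.group(3).split():
            # Stop at the ASCII column: after four groups, at the first
            # non-hex token, or after a short group, which can only be the last.
            if len(groups) == 4 or len(tok) % 2 or not _HEX_RE.match(tok):
                break
            groups.append(tok)
            if len(tok) < 8:
                break
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by CRLF CRLF")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def request_url(req: dict) -> str:
    """Reassemble the URL the report lists under 'HTTP GET' from Host + path."""
    return f"http://{req['headers']['host']}{req['path']}"


if __name__ == "__main__":
    req = parse_http_request(parse_hexdump(SAMPLE_DUMP))
    print(req["method"], request_url(req), req["version"])
    print("User-Agent:", req["headers"]["user-agent"])
```

The offset check matters more than it looks: sandbox pages truncate and reflow dumps, and a silently missing 16-byte line would otherwise shift every later header by one row while still decoding to plausible text.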


Strings