Analysis Date: 2015-01-28 10:33:10
MD5: 48e9934cd65245f52ba1280fcff159c8
SHA1: 706d13f06b9234b416903d3cf570a42437cf0c3d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bef2bfdc73e070b2482a2a13da462474 sha1: 81e84103009c8347fc7eab162b97e1994504fd74 size: 8192
Section .data: md5: 84b93fd51ae50f234dd84457ca2cad62 sha1: 0fccdcd99cbd43b2b4895491d7a05988be295d39 size: 109056
Section .rsrc: md5: 5e58f6bbc05db2e78660cbc2e4ecdf2d sha1: a96d6ec1606a35d5020c64190081f31bd033d2ed size: 10240
Timestamp: 2009-08-02 04:06:56
Version:
LegalCopyright: Copyright © 2010 3S PC Tools. y All rights reserved.
InternalName: vertuz
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: RZ fu
ProductVersion: 7.0.0.61
FileDescription: gSpyware Doctor Componentf
OriginalFilename: vertuz
Packer: Borland Delphi 4.0
PEhash: 709df89ef84db76c33beda08f32b0a0bbe922187
IMPhash: 7be1fb70033f410a27c58b3cc48d4a97
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): Downloader-GSX [Trj]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.NK.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: W32.Trojan.Agent-823
AV Dr. Web: Trojan.DownLoader2.40076
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.NK.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Generic22.PVT
AV Ikarus: Trojan.SuspectCRC
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.aq
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.12898994
AV Sophos: Mal/FakeAV-IZ
AV Symantec: no_virus
AV Trend Micro: TROJ_KRYPTO.SMIJ
AV VirusBlokAda (vba32): BScope.Trojan.MTA.0506

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\D1T2EUR7FZ ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\D1T2EUR7FZ\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: joomla.org (Type: A) ➝ 72.29.124.146
DNS: csdn.net (Type: A) ➝ 14.17.69.22
DNS: techcrunch.com (Type: A) ➝ 66.155.9.244
DNS: techcrunch.com (Type: A) ➝ 66.155.11.244
DNS: techcrunch.com (Type: A) ➝ 76.74.255.117
DNS: techcrunch.com (Type: A) ➝ 76.74.255.123
DNS: techcrunch.com (Type: A) ➝ 192.0.82.250
DNS: techcrunch.com (Type: A) ➝ 192.0.83.250
DNS: hopvariety.com (Type: A)
DNS: berndkoop.com (Type: A)
DNS: myreposite.com (Type: A)
DNS: mykdirect.com (Type: A)

Strings