Analysis Date: 2015-01-11 23:22:46
MD5: 567ebd08bea14b1a1abab10b5f5ba732
SHA1: 7d3f36f86f21d06fdf2a9bd9505e6e855c9adec3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: b9378fba87e9fd7c19d5dc2794444b73 sha1: 767b26420233ac5202b1c743ffefc7ca86fa3adb size: 71680
Section .rdata md5: ff0edab7c3c459bf992dcf6daf91b646 sha1: 426f23e165b3cfe5fa57c159e5d652e271908b2b size: 3072
Section .data md5: 60c40231cb5f3b841cf03d730e53d13d sha1: 12c5e58135fe58b8d1eff1f98e3102a8f9649673 size: 35328
Section .rsrc md5: 43891545995413e9df35190e1616a667 sha1: 573d9530a0db4dd79ef8b1663faa6c81e0d25e71 size: 1024
Timestamp: 2005-11-01 14:07:17
Version PrivateBuild: 1090
FileDescription: Windows Host Process
PEhash: 0bf3d92012b2e44d3b8d0ce279367db83bcba862
IMPhash: 066e37a5183aff5da6fe3336c34f437f
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.Conjar.2
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Heur.Conjar.2
AV Authentium: W32/Goolbot.B.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen3
AV BullGuard: Gen:Heur.Conjar.2
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Agent-216151
AV Dr. Web: Trojan.DownLoader1.36203
AV Emsisoft: Gen:Heur.Conjar.2
AV Eset (nod32): Win32/Cycbot.AA
AV Fortinet: W32/Codepack.SJT!tr
AV Frisk (f-prot): W32/Goolbot.B.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.2
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Trojan.Agent.Gen
AV Mcafee: BackDoor-EXI.gen.d
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.2
AV Rising: no_virus
AV Sophos: Troj/FakeDpr-A
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.google.com
Winsock DNS: xinmin.cn
Winsock DNS: 127.0.0.1
Winsock DNS: findeffectivecasino.com
Winsock DNS: bigtelevideochanel.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Network Details:

DNS: www.google.com, Type: A ➝ 173.194.46.84
DNS: www.google.com, Type: A ➝ 173.194.46.80
DNS: www.google.com, Type: A ➝ 173.194.46.81
DNS: www.google.com, Type: A ➝ 173.194.46.82
DNS: www.google.com, Type: A ➝ 173.194.46.83
DNS: xinmin.cn, Type: A ➝ 222.73.115.218
DNS: findeffectivecasino.com, Type: A
DNS: protectyourpc-11.com, Type: A
DNS: bigtelevideochanel.com, Type: A
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://xinmin.cn/2010/10/10/20101010095345843723.jpg?tq=gP4aKydvdB6SukT8TOM0Fl9%2FIvlxuENEeDonTF%2BYnPJ1SMgQu6SB9jVAsPgzZ4VEU%2Bj3icr6Ibh%2BGF2Ghd0%2BlNpNrgHtYxL7mkdKnT39GLKVR5dH0f4SHLAPMKjKxZ3QdcdJoTsIrJLh7Of7wonlrGjuX18vuXgs%2FQtcvCQE%2F8uLMuDJcgIhXkbRUKaHWSP2XnTqEKsYIM56NAQZAwlsVPugMvE4y0NXqJYbtRItQg1WGsPVl%2BEuttkEGNEqJkg3CdEY0BsreiqJ9aIjS0uQloHlKNgHjKQ9mNeJhAf575f58yCrP4r5HndqhVh0JOnSfBwW64q%2FtNdOKbHWl0DTbSw8SPObBYrd0fAlJQWm%2FHtxwAdLbO%2BDnQGDlhxkWQmHtQXhVwpW2NVK
User-Agent: gbot/2.3
HTTP GET: http://www.google.com/
User-Agent:
Flows TCP: 192.168.1.1:1032 ➝ 173.194.46.84:80
Flows TCP: 192.168.1.1:1033 ➝ 222.73.115.218:80
Flows TCP: 192.168.1.1:1034 ➝ 173.194.46.84:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   47455420 2f323031 302f3130 2f31302f   GET /2010/10/10/
0x00000010 (00016)   32303130 31303130 30393533 34353834   2010101009534584
0x00000020 (00032)   33373233 2e6a7067 3f74713d 67503461   3723.jpg?tq=gP4a
0x00000030 (00048)   4b796476 64423653 756b5438 544f4d30   KydvdB6SukT8TOM0
0x00000040 (00064)   466c3925 32464976 6c787545 4e456544   Fl9%2FIvlxuENEeD
0x00000050 (00080)   6f6e5446 25324259 6e504a31 534d6751   onTF%2BYnPJ1SMgQ
0x00000060 (00096)   75365342 396a5641 7350677a 5a345645   u6SB9jVAsPgzZ4VE
0x00000070 (00112)   55253242 6a336963 72364962 68253242   U%2Bj3icr6Ibh%2B
0x00000080 (00128)   47463247 68643025 32426c4e 704e7267   GF2Ghd0%2BlNpNrg
0x00000090 (00144)   48745978 4c376d6b 644b6e54 3339474c   HtYxL7mkdKnT39GL
0x000000a0 (00160)   4b565235 64483066 3453484c 41504d4b   KVR5dH0f4SHLAPMK
0x000000b0 (00176)   6a4b785a 33516463 644a6f54 7349724a   jKxZ3QdcdJoTsIrJ
0x000000c0 (00192)   4c68374f 6637776f 6e6c7247 6a755831   Lh7Of7wonlrGjuX1
0x000000d0 (00208)   38767558 67732532 46517463 76435145   8vuXgs%2FQtcvCQE
0x000000e0 (00224)   25324638 754c4d75 444a6367 4968586b   %2F8uLMuDJcgIhXk
0x000000f0 (00240)   6252554b 61485753 5032586e 5471454b   bRUKaHWSP2XnTqEK
0x00000100 (00256)   7359494d 35364e41 515a4177 6c735650   sYIM56NAQZAwlsVP
0x00000110 (00272)   75674d76 45347930 4e58714a 59627452   ugMvE4y0NXqJYbtR
0x00000120 (00288)   49745167 31574773 50566c25 32424575   ItQg1WGsPVl%2BEu
0x00000130 (00304)   74746b45 474e4571 4a6b6733 43644559   ttkEGNEqJkg3CdEY
0x00000140 (00320)   30427372 6569714a 3961496a 53307551   0BsreiqJ9aIjS0uQ
0x00000150 (00336)   6c6f486c 4b4e6748 6a4b5139 6d4e654a   loHlKNgHjKQ9mNeJ
0x00000160 (00352)   68416635 37356635 38794372 50347235   hAf575f58yCrP4r5
0x00000170 (00368)   486e6471 68566830 4a4f6e53 66427757   HndqhVh0JOnSfBwW
0x00000180 (00384)   36347125 3246744e 644f4b62 48576c30   64q%2FtNdOKbHWl0
0x00000190 (00400)   44546253 77385350 4f624259 72643066   DTbSw8SPObBYrd0f
0x000001a0 (00416)   416c4a51 576d2532 46487478 7741644c   AlJQWm%2FHtxwAdL
0x000001b0 (00432)   624f2532 42446e51 47446c68 786b5751   bO%2BDnQGDlhxkWQ
0x000001c0 (00448)   6d487451 58685677 7057324e 564b2048   mHtQXhVwpW2NVK H
0x000001d0 (00464)   5454502f 312e300d 0a436f6e 6e656374   TTP/1.0..Connect
0x000001e0 (00480)   696f6e3a 20636c6f 73650d0a 486f7374   ion: close..Host
0x000001f0 (00496)   3a207869 6e6d696e 2e636e0d 0a416363   : xinmin.cn..Acc
0x00000200 (00512)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x00000210 (00528)   67656e74 3a206762 6f742f32 2e330d0a   gent: gbot/2.3..
0x00000220 (00544)   0d0a                                  ..

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 2e636e2e 2e416363    */*.....cn..Acc
0x00000050 (00080)   60                                    `


Strings
.
7

040904b0
1090
FileDescription
&Main
MS Sans Serif
PrivateBuild
S&top
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows Host Process
,:	]>/
0kLy{x8
20I0"jQ'
~5D8'V~
{-7n4f
{7P*7}A0
^@=7r_
'7udck
>:8N	S
(8 T]z
9Z ;~j
AcEArA
af)R.2
aHc@Z&
 b``>3
b8'B4`H2Jq
?bBSTN&w
BeginPaint
bX;;+-
CancelWaitableTimer
CertCloseStore
CertEnumSystemStoreLocation
CertFindCertificateInStore
CertFreeCertificateContext
CertGetNameStringW
CoCreateInstance
CoInitialize
CoUninitialize
CreateFontIndirectW
CreateSolidBrush
CreateStdAccessibleObject
CRYPT32.dll
CryptDecodeObject
CryptMsgClose
CryptMsgGetParam
CryptQueryObject
cSouU1
cYc,k+
D1"wx%p
@.data
-d=Bj@
DefWindowProcW
DeleteCriticalSection
DeleteObject
DestroyWindow
EndPaint
-ETd*X
Ewn'Iw
ExitProcess
ezJj[1!
Fd;+}K
FlushFileBuffers
FO>ey~
FreeEnvironmentStringsA
FreeEnvironmentStringsW
/frTr"5
f&<Yqb
*G28(Q
GDI32.dll
GetACP
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentThreadId
GetDeviceCaps
GetDlgItem
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileAttributesW
GetFileType
GetModuleFileNameA
GetModuleHandleA
GetObjectW
GetOEMCP
GetParent
GetProcessHeap
GetProcessVersion
GetStartupInfoA
GetStdHandle
GetTickCount
GetVersionExA
GetWindowDC
GetWindowLongW
(h7F X
h8^YOiY
hcR7#.m
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
hfOHn`l
)hhLocah
hhrote
hhualPhU<@
hLoadh
hPh K@
[HSCbc\n
IHs:0@w
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
)",(IX
",I/Z\
j0jiD"
'j8STS:
JUfJsJ
K6HMUPM 
KERNEL32.dll
@l=IBK
+lk1{+7O
lN=46{N
LoadBitmapW
LoadIconW
LoadLibraryW
LoadStringW
<L/V>6
Mb( p?
@mCG`S
MessageBoxW
:|Mx	D
>=n.^;
NA6b-G
#N.\Aq`
n/^"[f
NNe?8R
.nsnktHyv
nUu/bJK
O	\bMN
ole32.dll
OLEACC.dll
PostMessageW
pVtKJ[
qK_`R:
:]q?o.+
)>qOLW
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
ReleaseDC
r(hZe@
_rSjbt
RtlUnwind
SendMessageW
SetBkColor
SetBkMode
SetDlgItemTextW
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
SetWindowLongW
SetWindowPos
SHBrowseForFolderW
SHELL32.dll
ShellExecuteW
SHGetPathFromIDListW
SHGetSpecialFolderPathW
T4TXB(
TerminateProcess
!This program cannot be run in DOS mode.
ThlFre
[ThLibrh
ThSleehS
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
To?9{u{
ucB7N"
u$h2y@
UnhandledExceptionFilter
USER32.dll
UVC6q$
VirtualFree
:VjXk5-
<v:]uR
V}uy)G
WideCharToMultiByte
Wl3{qC
X}4/tB
X-7gm7_@
xF/FQn"
xMt8W7
#xYM^Ts`
y''>(c
YNWI>MB
yoLy(`
Yu4|(G
;Yw+$5$
zAGGd9[Y