Analysis Date: 2015-01-27 00:24:08
MD5: 4a0b01362faa60b34feb1b8b9dd2faf8
SHA1: 958e07def155210014fae4589c2cfdb21be393d3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 029b97a326eb5a6c9bad6e9a5dd4ed53 sha1: b23ed6de94f876423f2da5a37c011fa48053cd38 size: 84480
Section .rdata  md5: d7c94a82af61ef5ba617ce75e8c553ee sha1: 1cfbe0d5295b71bc0b323f4492da7de89a28ee22 size: 13312
Section .data   md5: afb910b44ba5953bd380b1bca0c2c956 sha1: 11a6b2bc55396781342061746b4c23b49e98d893 size: 2560
Section .rsrc   md5: 5765c6cd1ac0697e4632aad015490bd7 sha1: 21d3d9ccba581b5950857be861adfd2cfe8877bb size: 50688
Section .aspack md5: 1c035f581704ccfd7cc11a2ced95375d sha1: 946ad4af275d0bd20693ba8047573e7e2e4dc1df size: 11264
Section .adata  md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text   md5: 1aac34dd94cd885abf18b5ab6b427865 sha1: 4ad6d95120fd67b63951642dc2931c41342275b0 size: 5120
Timestamp: 2010-06-02 03:03:21
Version:
LegalCopyright: CNTV 版权所有 (C) 2010
InternalName: OnlineInstall
FileVersion: 1, 0, 1, 0
ProductName: CNTV CBox 加速器 安装程序
ProductVersion: 1, 0, 1, 0
FileDescription: CNTV CBox 加速器 安装程序
OriginalFilename: OnlineInstall.EXE
PEhash: 929763fb59c373044e7b90dddb41e3d3a7209728
IMPhash: 465def9ac45ad47ec67c62dbf9435764
AV 360 Safe: Virus.Win32.TuFik.C
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Tufik:Win32:Tufik
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: Trojan.DownLoader.4268
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Virus.Win32.Tufik
AV K7: Trojan-Downloader ( 00132cab1 )
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Virus:Win32/Tufik.D
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK-1
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Process:
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.mdmp
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwrmind.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.hdmp
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: C:\Program Files\NetMeeting\cb32.exe
Creates File: C:\Program Files\Internet Explorer\iedw.exe
Creates File: C:\Program Files\Outlook Express\wabmig.exe
Creates File: C:\Program Files\Outlook Express\wab.exe
Creates File: C:\Program Files\NetMeeting\wb32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Outlook Express\msimn.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\Messenger\msmsgs.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\isignup.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwtutor.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\inetwiz.exe
Creates File: C:\Program Files\NetMeeting\conf.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\Program Files\Outlook Express\setup50.exe
Creates File: C:\Program Files\Movie Maker\moviemk.exe
Creates File: C:\Program Files\Outlook Express\oemig50.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\icwconn2.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\DWTRIG20.EXE
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Creates Mutex: open
Creates Mutex: CBOX-71DC23D4-1DFC-46A6-B855-A7134A08BEAB
Winsock DNS: 8.5.1.46
Winsock URL: http://cbox.cntv.cn/update/livesetup.xml
Winsock URL: http://8.5.1.46/csrsa.exe

Network Details:

DNS: 85773.com  Type: A  ➝ 8.5.1.46
DNS: opthw.xdwscache.speedcdns.com  Type: A  ➝ 8.37.234.4
DNS: opthw.xdwscache.speedcdns.com  Type: A  ➝ 8.37.234.3
DNS: cbox.cntv.cn  Type: A
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://cbox.cntv.cn/update/livesetup.xml
User-Agent: CBox Speedupper 1.0.1.0
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80
Flows TCP: 192.168.1.1:1033 ➝ 8.37.234.4:80

Raw Pcap

Strings