Analysis Date: 2013-09-20 19:11:57
MD5: 7071067ca9063d4291f92fc03a5e26c5
SHA1: 976e439bd109a1148ec97d0635881c3cf4187047

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: c0c26ddc76ebe5c818747d6462a24756 sha1: 1d3ee0561a251fb48e7137dc41c0e30913abd30e size: 1024
Section .rdata — md5: a2feaf3ba629027ed0b7b0663a4836e0 sha1: 3b0ef5c293336d1f6446110672af463e64f55392 size: 512
Section .data — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section)
Section .rsrc — md5: 47888a2413f8372889cb91be1aed0fc8 sha1: db45d1dc43d9c7be324384066d5cf5a157acf885 size: 37888
Timestamp: 2008-02-26 22:43:13
Version info — LegalCopyright: Copyright (C) 2000
InternalName: MPIRing
FileVersion: 1, 0, 0, 1
CompanyName:
LegalTrademarks:
ProductName: MPIRing Application
ProductVersion: 1, 0, 0, 1
FileDescription: MPIRing MFC Application
OriginalFilename: MPIRing.EXE
PEhash: 000f6813aaa7625586dd40440e95f4b29ad33c98
AV (avg): Crypt2.BFJA
AV (msse): Trojan:Win32/Remhead
AV (avira): TR/Dropper.Gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\wyqzypcuxomf ➝ C:\Documents and Settings\Administrator\wyqzypcuxomf.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\wyqzypcuxomf.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: wyqzypcuxomf

Network Details:

DNS: karoo.co.uk
Type: A
87.102.50.138
DNS: tartarus.uwa.edu.au
Type: A
130.95.128.3
DNS: tampabay.com
Type: A
23.23.118.102
DNS: apollo.lv
Type: A
78.28.227.182
DNS: vaxxine.com
Type: A
209.159.189.4
DNS: www.optonline.net
Type: A
66.54.17.31
DNS: zoomtown.com
Type: A
64.8.70.102
DNS: uakron.edu
Type: A
130.101.217.69
DNS: netscape.net
Type: A
205.188.100.58
DNS: netscape.net
Type: A
205.188.101.58
DNS: netscape.net
Type: A
207.200.74.38
DNS: netscape.net
Type: A
64.12.79.57
DNS: netscape.net
Type: A
64.12.89.186
DNS: juno.com
Type: A
64.136.45.46
DNS: juno.com
Type: A
64.136.53.46
DNS: bmw.com
Type: A
160.46.244.131
DNS: voicestream.com
Type: A
206.29.177.10
DNS: www.optonline.com
Type: A
DNS: collegeclub.com
Type: A
DNS: vci.net
Type: A
DNS: deloitte.com
Type: A
DNS: idealcollectables.com
Type: A
Flows TCP: 192.168.1.1:1036 ➝ 64.8.70.102:25
Flows TCP: 192.168.1.1:1037 ➝ 66.54.17.31:25
Flows TCP: 192.168.1.1:1038 ➝ 209.159.189.4:25
Flows TCP: 192.168.1.1:1039 ➝ 23.23.118.102:25
Flows TCP: 192.168.1.1:1040 ➝ 87.102.50.138:25
Flows TCP: 192.168.1.1:1041 ➝ 130.95.128.3:25
Flows TCP: 192.168.1.1:1042 ➝ 78.28.227.182:25
Flows TCP: 192.168.1.1:1043 ➝ 130.101.217.69:25
(All eight flows go to TCP port 25, SMTP, on addresses returned by the A-record lookups listed above.)

Raw Pcap
0x00000000 (00000)   5c2f334c 64212b50 fee06b54 5a39e857   \/3Ld!+P..kTZ9.W
0x00000010 (00016)   c6cc086d 81789a71 95d86675 3692d878   ...m.x.q..fu6..x
0x00000020 (00032)   8f539a7c ebab1680 bf05a983 a0c55487   .S.|..........T.
0x00000030 (00048)   741fe78a cde0cc8e 29392592 fd92b795   t.......)9%.....
0x00000040 (00064)   d1ec4999 b2acf59c 860688a0 67c633a4   ..I.........g.3.
0x00000050 (00080)   b32180a8 fb7b58ab f03904af 9cd5d0b2   .!...{X..9......
0x00000060 (00096)   98ed28b6 79add4b9 4d0767bd 2161f9c0   ..(.y...M.g.!a..
0x00000070 (00112)   6dbca1c4 d67a37c8 425d84cc 939475cf   m....z7.B]....u.
0x00000080 (00128)   5fee07d3 33489ad6 140846da 606312de   _...3H....F.`c..
0x00000090 (00144)   bcbb6ae1 0d8c2ee5 79d5a8e8 599554ec   ..j.....y...Y.T.
0x000000a0 (00160)   26efe6ef fa4879f3 46a445f7 af62b7fa   &....Hy.F.E..b..
0x000000b0 (00176)   63fe83fe 64920779 93808605 5a65fd08   c...d..y....Ze..
0x000000c0 (00192)   d323930c a77d2510 e3e7cf13 94976317   .#...}%.......c.
0x000000d0 (00208)   dc8b6b1f 4d3b119a a6fcc026 3a553d2a   ..k.M;.....&:U=*
0x000000e0 (00224)   d6aecf2d b76e9131 67c10137 5f22a038   ...-.n.1g..7_".8
0x000000f0 (00240)   d4de3f3e 14256fbc a89701c0 58         ..?>.%o.....X

0x00000000 (00000)   c999989c c42577a0 1de738a4 793fb5a7   .....%w...8.y?..
0x00000010 (00016)   12f078ab 2e59f3ae 4f1fd9b2 e37231b6   ..x..Y..O....r1.
0x00000020 (00032)   2fced9b9 988c6fbd 6ce601c1 4da6adc4   /.....o.l...M...
0x00000030 (00048)   21                                    !

0x00000000 (00000)   cccc9548 c758744c 13b41c50 6f0c9953   ...H.XtL...Po..S
0x00000010 (00016)   3b6a4357 de31445b 5fb8ef5e 1a3e9462   ;jCW.1D[_..^.>.b
0x00000020 (00032)   66993c66 e923056a bd7d976d 91d72971   f.<f.#.j.}.m..)q
0x00000030 (00048)   6531bc74 79910879 0de5e07b e13e737f   e1.ty..y...{.>s.
0x00000040 (00064)   b5980583 89f29786 13e18d8b 4205d28f   ............B...
0x00000050 (00080)   71237ba5 eb4584a9 4a0430ad ea3562b1   q#{..E..J.0..5b.
0x00000060 (00096)   33b6d3b4 3634aabc 245a6fc0 f8b301c4   3...64..$Zo.....
0x00000070 (00112)   5175c3c7 adcd3fcb e613a6cf 6ae77dd2   Qu....?.....j.}.
0x00000080 (00128)   364110d6 1701bcd9 eb5a4edd bfb4e0e0   6A.......ZN.....
0x00000090 (00144)   a0748ce4 34d236e8 5028b1eb 30e85cef   .t..4.6.P(..0.\.
0x000000a0 (00160)   fd41eff2 d19b81f6 1df7cdfa f6b7f9fd   .A..............
0x000000b0 (00176)   4a0bf602 2e7ff67b c72ca808 4b84380c   J......{.,..K.8.
0x000000c0 (00192)   b7dcb40f c1dec33a c2d2523f 238fe642   .......:..R?#..B
0x000000d0 (00208)   ee932e51 741c95f7 cddd4484 6136c187   ...Qt.....D.a6..
0x000000e0 (00224)   2af66c8b de4f158f 8ea23594 86032496   *.l..O....5...$.
0x000000f0 (00240)   ee595a9b 2ea0d919 c2126c1d cfd49ea4   .YZ.......l.....
0x00000100 (00256)   f325bda9 ab7f4fad 39c20d2e cf9ae7b3   .%....O.9.......
0x00000110 (00272)   70c4c4b7 918058bb a1d58ec0 6b4d9b40   p.....X.....kM.@
0x00000120 (00288)   fd7010c6 15e345cb 685a524b 9701e0d0   .p....E.hZRK....
0x00000130 (00304)   6b5b72d4 3fb504d8 020b3bdd 3b81475d   k[r.?.....;.;.G]
0x00000140 (00320)   7ac6d3e2 8e1c4ee6 6276e0e9 36d072ed   z.....N.bv..6.r.
0x00000150 (00336)   0c2a05f1 5902cf72 bf4343f8 7e0127fd   .*..Y..r.CC.~.'.
0x00000160 (00352)   1026b2                                .&.

0x00000000 (00000)   c38c99dd de1878e1 92720ae5 86cfb2e8   ......x..r......
0x00000010 (00016)   3a262fec 0e80c1ef 22e08df3 b633e6f6   :&/....."....3..
0x00000020 (00032)   8a8d78fa 46ea20fe c22f9306 aa55580a   ..x.F. ../...UX.
0x00000030 (00048)   2e2fa50e ca0ab711 26630f15 fabca118   ./......&c......
0x00000040 (00064)   1b7d4d1c 4b9f1021 2c5fbc24 3451b428   .}M.K..!,_.$4Q.(
0x00000050 (00080)   08ab462c 31372530 1e8be343 934dfa48   ..F,17%0...C.M.H
0x00000060 (00096)   7cd36b4c 5d931750 51f0bf53 05473c57   |.kL]..PQ..S.G<W
0x00000070 (00112)   daa0ce5a adfa605e 29d4ad62 5dae8565   ...Z..`^)..b]..e
0x00000080 (00128)   29081869 fd61aa6c d1bb3c70 1d170974   )..i.a.l..<p...t
0x00000090 (00144)   796f6177 ca68477b 36899f7e 09e33182   yoaw.hG{6..~..1.
0x000000a0 (00160)   d63cc485 aa967689 f6f1228d 524a7b90   .<....v...".RJ{.
0x000000b0 (00176)   26de4794 fa13b20e 26464a9b 02b3da9e   &.G.....&FJ.....
0x000000c0 (00192)   760b57a2 4a65e9a5 76ad93a9 2a190ead   v.W.Je..v...*...
0x000000d0 (00208)   2661b8b0 9acc442b 8e29dbb7 7a8057bb   &a....D+.)..z.W.
0x000000e0 (00224)   e6dbe9be ea3392c2 a7ec03c7 9f4dbac9   .....3.......M..
0x000000f0 (00240)   48a2a7ce 24b11f4f 95ea6154 059211dd   H...$..O..aT....
0x00000100 (00256)   66bf17e3 ee7940e8 feb8c46a 168e9cf1   f....y@....j....
0x00000110 (00272)   716eacf5 f23f40f9 0ffbc7fd d9729c7e   qn...?@......r.~
0x00000120 (00288)   1743320d a1e7793d 01c567be 2306dc43   .C2...y=..g.#..C
0x00000130 (00304)   f75f6e47 cbb9                         ._nG..

0x00000000 (00000)   1d3b035e 18c7e161 7188a365 cde01f69   .;.^...aq..e...i
0x00000010 (00016)   692cca6c b5d07e70 89f41074 1d486977   i,.l..~p...t.Hiw
0x00000020 (00032)   69a3117b c5fb8d7e 99552082 7a15cc85   i..{...~.U .z...
0x00000030 (00048)   4e6f5e89 9aca2a8d f6228390 ca7c1594   No^...*.."...|..
0x00000040 (00064)   9ed6a797 72303a9b 468acc9e 274a78a2   ....r0:.F...'Jx.
0x00000050 (00080)   73a5c4a6 97ff9ca9 a3572fad afedfbb0   s........W/.....
0x00000060 (00096)   4b0b54b4 1f65e6b7 f3be78bb c7180bbf   K.T..e....x.....
0x00000070 (00112)   1374b3c2 6fcc2fc6 b3a87cca 1f8054cd   .t..o./...|...T.
0x00000080 (00128)   ebd9e6d0 cc9992d4 a0f324d8 ec4ef1db   ..........$..N..
0x00000090 (00144)   48a749df acf2f3e2 f85a6ee6 cbb4       H.I......Zn...

0x00000000 (00000)   183e612b 93ca3f2f f489eb32 78e79336   .>a+..?/...2x..6
0x00000010 (00016)   9c3d103a d0d4dc3d 77915541 184bc744   .=.:...=w.UA.K.D
0x00000020 (00032)   eca45948 3802024c 9c587e4f 68b21053   ..YH8..L.X~Oh..S
0x00000030 (00048)   3c0ca356 506cef5a e4bfc75d b8195a61   <..VPl.Z...]..Za
0x00000040 (00064)   8d73ec64 60cd7e68 3427116c 0881a36f   .s.d`.~h4'.l...o
0x00000050 (00080)   61420974 fd9ae176 91f4737a bd8b407e   aB.t...v..sz..@~
0x00000060 (00096)   39a89881 0d022b85 915fd388 b5b54f8c   9.....+.._....O.
0x00000070 (00112)   890fe28f 5d697493 4947c197 0d1d999a   ....]it.IG......
0x00000080 (00128)   d9762b9e ba36d7a1 8e9069a5 62eafba8   .v+..6....i.b...
0x00000090 (00144)   36448eac 0a9e20b0 e6f7b2b3 b95145b7   6D.... ......QE.
0x000000a0 (00160)   86abd7ba da056abe f4c44ec3 2754adc6   ......j...N.'T..
0x000000b0 (00176)   459a02dd b8706a57 54b202e4 c40f93e7   E....pjWT.......
0x000000c0 (00192)   34680feb 08c2a1ee a4194cf2 e875c6f5   4h........L..u..
0x000000d0 (00208)   476757f9 4bc3e373 cf207a              GgW.K..s. z

0x00000000 (00000)   88aa8266 8336616a 64f60c6e 38509f71   ...f.6ajd..n8P.q
0x00000010 (00016)   0caa3175 53dce478 e7fd767c 88b7e87f   ..1uS..x..v|....
0x00000020 (00032)   5c117b83 306b0d87 04c59f8a d81e328e   \.{.0k........2.
0x00000030 (00048)   9f12ab91 c0d81096 542ce998 28867b9c   ........T,..(.{.
0x00000040 (00064)   fcdf0da0 d039a0a3 a49332a7 78edc4aa   .....9....2.x...
0x00000050 (00080)   c44811af 26a1e9b1 f4fa7bb5 409348b9   .H..&.....{.@.H.
0x00000060 (00096)   9caea0bc 700833c0 4462c5c3 18bc57c7   ....p.3.Db....W.
0x00000070 (00112)   ec15eaca cdd595ce d9b4e2d2 8aefd3d5   ................
0x00000080 (00128)   be7931da 9f39dddd 857a10f7 9f53a910   .y1..9...z...S..
0x00000090 (00144)   9adf8714 7b9f3318 645fdf1b 37b9711f   ....{.3.d_..7.q.
0x000000a0 (00160)   11791d23 edd2af26 312efc2a 2af0272e   .y.#...&1..**.'.
0x000000b0 (00176)   5e42fc32 42b624ac 2360d0af f9b9503c   ^B.2B.$.#`....P<
0x000000c0 (00192)   cb13e33f 55051345 a6f24f49 b4d2ec60   ...?U..E..OI...`
0x000000d0 (00208)   a78fae65 f84e54e0 cda8d46c d8026770   ...e.NT....l..gp
0x000000e0 (00224)   83c21274 551cbb77 056fb37c 0a36e37e   ...tU..w.o.|.6.~
0x000000f0 (00240)   728cf183 b2d29802 46452b06 23045e8d   r.......FE+.#.^.
0x00000100 (00256)   77585492 2fb2e695 6f903416 d1d0a89b   wXT./...o.4.....
0x00000110 (00272)   35916c9f 79eae6a2 893ff5a7 601d4328   5.l.y....?..`.C(
0x00000120 (00288)   9202e5b0 de0c58b6 31848c36 602b1abc   ......X.1..6`+..
0x00000130 (00304)   3485acbf 154558c3 d89a66c8 11119b48   4....EX...f....H
0x00000140 (00320)   2db940ce 7112bbd1 456c4dd5 19c6dfd8   -.@.q...ElM.....
0x00000150 (00336)   fc858bdc 3cf83b5e a239b0e3 e7fa95e7   ....<.;^.9......
0x00000160 (00352)   5753eeea 2bad80ee e7444df2 70c7bef5   WS..+....DM.p...
0x00000170 (00368)   a45e8bf9 30ff9dfd f93dc9              .^..0....=.

0x00000000 (00000)   47b6d5d5 4fa8cdd9 306879dd 04c20be1   G...O...0hy.....
0x00000010 (00016)   e581b7e4 c64163e8 e70749ec 7b5ba1ef   .....Ac...I.{[..
0x00000020 (00032)   5c1b4df3 85e00ef7 1e9ba4fa f2f436fe   \.M...........6.
0x00000030 (00048)   d3b4e201 2c76c805 95343a09 698ecc0c   ....,v...4:.i...
0x00000040 (00064)   4e4e7810 2b0e2414 0ccecf17 e027621b   NNx.+.$......'b.
0x00000050 (00080)   39e9c71f 1ca8b922 76014c26 0f02322a   9......"v.L&..2*
0x00000060 (00096)   3881a32d 19414f31 ed9ae134 ce5a8d38   8..-.AO1...4.Z.8
0x00000070 (00112)   af1a393c 90dae43f dcbb3144 4df42247   ..9<...?..1DM."G
0x00000080 (00128)   26b4ce4a 07747a4e e8332652 348ff255   &..J.tzN.3&R4..U
0x00000090 (00144)   9d4d6459 7e19285d 67cdbb60 3a274e64   .MdY~.(]g..`:'Nd
0x000000a0 (00160)   14e7f967 f5a6a56b 4e688b6f aac0e372   ...g...kNh.o...r
0x000000b0 (00176)   658dfc76 938899f1 6c3e4b7e c7e89d93   e..v....l>K~....
0x000000c0 (00192)   9b71e597 7c31919b 48973b9f 5ce5b5a2   .q..|1..H.;.\...
0x000000d0 (00208)   05b179a6 d9fe0521 32c0b5ad c61832b1   ..y....!2.....2.
0x000000e0 (00224)   6272c4b4 36cc6cb8 f384cebd ebe594bf   br..6.l.........
0x000000f0 (00240)   533cf3c4 a0e86343 345bf646 74bf0fce   S<....cC4[.Ft...
0x00000100 (00256)   656e6fd3 1dc801d7 5040e656 bfe673dc   eno.....P@.V..s.
0x00000110 (00272)   864c1ee0 5a9a98e3 6aeff6e8 41cdf468   .L..Z...j...A..h
0x00000120 (00288)   d3f069ee eb62c7f3 4b40c573 6d8139f9   ..i..b..K@.sm.9.
0x00000130 (00304)   41dbcbfc 15355e                       A....5^


Strings
0g}x.M
3/@luIq
]@3)Q;
3YcJ[(
5Hk=\\
5Mrlz&%
}68f]?j
7,ZfSW
89_WT6
+9\O_%
B^]8>,
CF:|<R
d9`u+l
#define _AFX_NO_OLE_RESOURCES
#define _AFX_NO_PROPERTY_RESOURCES
#define _AFX_NO_SPLITTER_RESOURCES
#define _AFX_NO_TRACKER_RESOURCES
dpr$"<
DrjC@'
>:\={_e
E6jt3d
`e$HY:T=]~
#endif
#endif //_WIN32
e(q&DD
et0DIm
fW\ng'.
gdi32.dll
GetModuleHandleA
GetObjectW
GetProcAddress
g+hSXs
"h6H'%3
"hoI9W
hR4w-+
HxG :)
#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU)
#ifdef _WIN32
\`\ikK
#include "afxres.h"
#include "afxres.rc"         // Standard components
#include "res\MPIRing.rc2"  // non-Microsoft Visual C++ edited resources
juq-AQ|
kernel32.dll
kI[h,]qT-
LANGUAGE 9, 1
L&DKbx
[lMlp6
LoadImageA
LXwEct
MessageBoxW
n^I0U_
[+o3|+
&O[3\?
o<5>:7L
O;D$[q].|,stj
,,or8O
pCY	 t
pG:L)"
#pragma code_page(1252)
.rdata
resource.h
+S:9hhq
*@SR} 
!This program cannot be run in DOS mode.
,uLGLfr
[Ur<LNmP
user32.dll
VZj/iW
;wS	0cw^
xe7A>[
xg-RTJ
`/z9tZ
zN6GzVXg
Zw67YO