Analysis Date: 2015-01-10 19:53:36
MD5: 68599adac17c0c5c4333697357f5478d
SHA1: 9851efa289191292c3443652ef607127d9680584

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ab7c889912035c201c403e437dc7ff42 sha1: 4ef211019e4484981db29387538f353a56997bfc size: 77824
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: 0dbf73a7896b79a034e58cb7b475dd84 sha1: f4c50cab22b72582fe74705f0d2b69c85aa7405b size: 57344
Section .tdata md5: 01f8971cf8e8aadb4368eba002db1c93 sha1: bec6d4f05af5fe2e1bb11d0cb6ced7a47a5ffaf6 size: 241664
Section vctcbvo md5: c36bb11e85925238fcf36f7dbc3c71b8 sha1: 2b1bbc2f32cbec424f12142a4aaf1d3f9383f5f9 size: 110592
Section ivlziah md5: eb329763fc587a58221ad24fbd47cae3 sha1: f248ec4091f4e0fc9243e33e1c78df9b3127948c size: 14833
Timestamp: 1998-05-20 03:10:22
Version: ProductVersion: 1.00
InternalName: Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC]
FileVersion: 1.00
OriginalFilename: Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC].exe
ProductName: Project1
Packer: Microsoft Visual Basic v5.0
PEhash: 1c591f1de726b23aab4024d2f416f7936ecedd7c
IMPhash: cf50fe0440cedf0cda3eb290ddef45de
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Barys.266
AV Alwil (avast): VB-PXN [Trj]
AV Arcabit (arcavir): Gen:Variant.Barys.266
AV Authentium: W32/A-fdad15a0!Eldorado
AV Avira (antivir): TR/VB.alo
AV BullGuard: Gen:Variant.Barys.266
AV CA (E-Trust Ino): Win32/VBNA.A!generic
AV CAT (quickheal): Trojan.Agen.r6
AV ClamAV: Win.Trojan.Agent-768917
AV Dr. Web: Trojan.Siggen2.15838
AV Emsisoft: Gen:Variant.Barys.266
AV Eset (nod32): Win32/VB.PIC
AV Fortinet: W32/VB.AUIE!tr
AV Frisk (f-prot): W32/VBTrojan.17E!Maximus
AV F-Secure: Gen:Variant.Barys.266
AV Grisoft (avg): Dropper.Generic8.BGYA
AV Ikarus: Trojan.Win32.Scar
AV K7: Trojan ( 0040f9111 )
AV Kaspersky: Trojan.Win32.Agent.vrbr
AV MalwareBytes: Spyware.Password
AV Mcafee: Trojan-FDMO!68599ADAC17C
AV Microsoft Security Essentials: VirTool:Win32/Vbcrypt.AX
AV MicroWorld (escan): Gen:Variant.Barys.266
AV Rising: Trojan.VBCrypt!48D0
AV Sophos: Mal/VB-F
AV Symantec: Trojan.Dropper
AV Trend Micro: Mal_OtorunP
AV VirusBlokAda (vba32): Trojan.VB.gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: c:\Documents And Settings\All Users\Documents\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB7E3.tmp
Creates Process: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v FirewallXP /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\csrss.exe" /f
Creates Process: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v svchost /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\svchost.exe" /f

Process
↳ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v FirewallXP /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\csrss.exe" /f

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\FirewallXP ➝
c:\Documents And Settings\All Users\Documents\csrss.exe\\x00

Process
↳ reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v svchost /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\svchost.exe" /f

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝
c:\Documents And Settings\All Users\Documents\svchost.exe\\x00

Network Details:


Raw Pcap

Strings
i.nD.P
..P
.Dni.@
/
/
5

040904B0
1.00
A*\AE:\Virus\Dropper\Project1.vbp
c:\Documents And Settings\All Users\Documents\
c:\Documents And Settings\All Users\Documents\csrss.exe
c:\Documents And Settings\All Users\Documents\Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC].exe
c:\Documents And Settings\All Users\Documents\Readme.txt
c:\Documents And Settings\All Users\Documents\svchost.exe
c:\Documents And Settings\All Users\Documents\Win32.dll
csrss.exe
c:\users\public
c:\users\public\
c:\users\public\csrss.exe
c:\users\public\Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC].exe
c:\users\public\Readme.txt
c:\users\public\svchost.exe
c:\users\public\Win32.dll
FileVersion
@hAxA
Hjjj
Hjjjjj
InternalName
jjjjj
OriginalFilename
Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC]
Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC].exe
ProductName
ProductVersion
Project1
Readme.txt
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v Firewall7 /t REG_SZ /d c:\users\public\csrss.exe /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v FirewallXP /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\csrss.exe" /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v svchost7 /t REG_SZ /d c:\users\public\svchost.exe /f
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ /v svchost /t REG_SZ /d "c:\Documents And Settings\All Users\Documents\svchost.exe" /f
StringFileInfo
svchost.exe
taskkill /f /im Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC].exe
Translation
VarFileInfo
VS_VERSION_INFO
Win32.dll
#%'''<[[^^\\]
0*^64DW
;&06aly
:0%G:f:
?0P;3 
$1;GVvys
*1=R\QQc
2@CVVg`m
'2FCaccm
`2XJ\wZj
+388<<a^^^^]^
#%&3DS
3F[Yam
$45Bst
4[jdJ2
4lb'.d
)	4mfj
5 6v l
%@74i%
#%88<Ca[]]]]]
"#%89addammmr
+<8D{ 
"%%8D<aabm^^m
$-8<Gdnmmmj
$-8GGhnsrr}
$-8GIdnnjrr
#-8<Iaammmmm
9|$$_^]
 99MJJBy
$-9Gdhnszz
$-9GGggs}s
+-9Ghgys
  9KJJJ\
9#KMJJ\
!/9?NGGaaq^^^m
#%''<_a[^^^\^
#%''<<aa^^^^^
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
_allmul
##''<_am^m^^m
AQ"2aq
Bl/"V\
#%''CCZ[^\\\]
C+FUY&
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CopyFileA
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
ct_7b="documentElement",ct_8b="substr",ct_9b="right",ct_$b="event",ct_O=this,ct_ac=function(a,b,c){a=a[ct_u](".");c=c||ct_O;!(a[0]in c)&&c.execScript&&c.execScript("var "+a[0]);for(var d;a[ct_s]&&(d=a[ct_Qa]());)if(!a[ct_s]&&b!==ct_f)c[d]=b;else c=c[d]?c[d]:c[d]={}},ct_bc=function(a,b){for(var c=a[ct_u]("."),d=b||ct_O,e;e=c[ct_Qa]();)if(d[e])d=d[e];else return ct_c;return d},ct_cc=function(){},ct_dc=function(a){a.getInstance=function(){return a.Ji||(a.Ji=new a)}},ct_ec=function(a){var b=typeof a;
ct__c[ct_].ai=function(a,b){var c=a[ct_s];b[ct_r]("[");for(var d="",e=0;e<c;e++){b[ct_r](d);this.Vc(a[e],b);d=","}b[ct_r]("]")};ct__c[ct_].ci=function(a,b){b[ct_r]("{");var c="";for(var d in a)if(a[ct_jb](d)){var e=a[d];if(typeof e!="function"){b[ct_r](c);this.df(d,b);b[ct_r](":");this.Vc(e,b);c=","}}b[ct_r]("}")};var ct_3c=function(a,b,c){for(var d in a)b[ct_D](c,a[d],d,a)},ct_4c=function(a,b,c){var d={};for(var e in a)if(b[ct_D](c,a[e],e,a))d[e]=a[e];return d},ct_5c=function(a){var b=[],c=0;for(var d in a)b[c++]=a[d];return b},ct_6c=function(a){var b=[],c=0;for(var d in a)b[c++]=d;return b},ct_7c=function(a){for(var b in a)return ct_d;return ct_b},ct_8c=function(a,b){var c;if(c=b in a)delete a[b];return c},ct_9c=function(a,b,c){if(b in a)return a[b];return c},ct_$c=["constructor","hasOwnProperty","isPrototypeOf",
ct__c[ct_].serialize=function(a){var b=[];this.Vc(a,b);return b[ct_N]("")};ct__c[ct_].Vc=function(a,b){switch(typeof a){case "string":this.df(a,b);break;case "number":this.bi(a,b);break;case "boolean":b[ct_r](a);break;case "undefined":b[ct_r]("null");break;case "object":if(a==ct_c){b[ct_r]("null");break}if(ct_fc(a)){this.ai(a,b);break}this.ci(a,b);break;case "function":break;default:ct_a(ct_e("Unknown type: "+typeof a))}};
ct_Ec=function(a,b){for(var c=0,d=String(a)[ct_t](/^[\s\xa0]+|[\s\xa0]+$/g,"")[ct_u]("."),e=String(b)[ct_t](/^[\s\xa0]+|[\s\xa0]+$/g,"")[ct_u]("."),f=ct_k.max(d[ct_s],e[ct_s]),g=0;c==0&&g<f;g++){var h=d[g]||"",i=e[g]||"",j=ct_ia("(\\d*)(\\D*)","g"),k=ct_ia("(\\d*)(\\D*)","g");do{var m=j[ct_Ta](h)||["","",""],l=k[ct_Ta](i)||["","",""];if(m[0][ct_s]==0&&l[0][ct_s]==0)break;c=m[1][ct_s]==0?0:ct_da(m[1],10);var n=l[1][ct_s]==0?0:ct_da(l[1],10);c=ct_Dc(c,n)||ct_Dc(m[2][ct_s]==0,l[2][ct_s]==0)||ct_Dc(m[2],
ct_Mb="currentStyle",ct_Nb="href",ct_H="elements",ct_I="substring",ct_Ob="handleEvent",ct_J="type",ct_Pb="apply",ct_Qb="parentWindow",ct_Rb="childNodes",ct_Sb="tagName",ct_Tb="attachEvent",ct_Ub="defaultView",ct_Vb="setRelayUrl",ct_K="name",ct_L="parentNode",ct_Wb="fileName",ct_Xb="display",ct_Yb="nextSibling",ct_Zb="offsetTop",ct_M="height",ct__b="splice",ct_0b="getTime",ct_1b="offsetHeight",ct_N="join",ct_2b="unshift",ct_3b="getElementsByTagName",ct_4b="toLowerCase",ct_5b="clientX",ct_6b="clientY",
ct_Vc(arguments,1))},ct_Vc=function(a,b,c){ct_Hc(a||ct_P(a));ct_Jc(a[ct_s]);return arguments[ct_s]<=2?ct_Kc[ct_Za][ct_D](a,b):ct_Kc[ct_Za][ct_D](a,b,c)};var ct_Xc=function(a){return a};var ct_Yc=function(a){if(/^\s*$/[ct_Pa](a))return ct_d;var b=/\\["\\\/bfnrtu]/g,c=/"[^"\\\n\r\u2028\u2029\x00-\x08\x10-\x1f\x80-\x9f]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g,d=/(?:^|:|,)(?:[\s\u2028\u2029]*\[)+/g,e=/^[\],:{}\s\u2028\u2029]*$/;return e[ct_Pa](a[ct_t](b,"@")[ct_t](c,"]")[ct_t](d,""))},ct_Zc=function(a){a=String(a);if(ct_Yc(a))try{return eval("("+a+")")}catch(b){}ct_a(ct_e("Invalid JSON string: "+a))},ct_0c=function(a){return(new ct__c).serialize(a)},ct__c=function(){};
,ct_vc=/&/g,ct_wc=/</g,ct_xc=/>/g,ct_yc=/\"/g,ct_zc=/[&<>\"]/,ct_Bc=function(a,b){for(var c=b[ct_s],d=0;d<c;d++){var e=c==1?b:b[ct_$a](d);if(a[ct_$a](0)==e&&a[ct_$a](a[ct_s]-1)==e)return a[ct_I](1,a[ct_s]-1)}return a},ct_Cc=function(){return ct_k[ct_4a](ct_k[ct_zb]()*2147483648)[ct_Ka](36)+(ct_k[ct_4a](ct_k[ct_zb]()*2147483648)^ct_nc())[ct_Ka](36)},
D$0PQS
/}D:Io
DllFunctionCall
D$(PSj
?{e:5l
.el_cal_sheet_day{background:#FFF;border:1px solid #AE0A84;background-image:url(//static1.orkut.com/img/castro/se_calendargradient.gif)}
.el_cal_sheet_weekday{color:#FFF;background:#AE0A84}
.el_day{background-color:#D6CEC1}
.el_day_separator{background-color:#000}
.el_future .el_cal_sheet_day{border-color:#069}
.el_future .el_cal_sheet_weekday{background-color:#069}
.el_past .el_cal_sheet_day{color:#999;border-color:#86A1C4}
.el_past .el_cal_sheet_weekday{background-color:#86A1C4}
.el_sel_el_day{background-color:#C6BEB1}
.ev_dr_qu #guestListContainer .ev_invitees{background:inherit}
.eventHour{color:#FFF}
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
.ev_row{background-color:#C9C1B4}
.ev_rowBorder,.ev_uaBorder{border:1px solid #DDD}
.ev_row_today{background-color:#A7A096}
_>fSZN
GetDriveTypeA
.g-o-pp-avbl{border-color:#C9C9C9}
.g-o-pp-item .g-o-pp-item-in{background:#EEE}
.g-o-pp-item,.g-o-pp-item-over{background:#EEE;border-color:#EEE}
.g-o-pp-item-over .g-o-pp-item-in,.g-o-pp-item-sel .g-o-pp-item-in,.g-o-pp-item-sel-over .g-o-pp-item-in{background:#FFF4DD}
.g-o-pp-item-sel,.g-o-pp-item-sel-over{background:#CCC;border-color:#EEE3CC}
.g-o-pp-lctrl-dis,.g-o-pp-rctrl-dis{color:#EEE}
.g-o-pp-lctrl,.g-o-pp-lctrl-dis,.g-o-pp-rctrl,.g-o-pp-rctrl-dis{background:#FFF}
.g-o-pp-lctrl,.g-o-pp-rctrl{color:#C2B8A9}
.g-o-pp-lctrl-over,.g-o-pp-rctrl-over{background:#BBB;color:#FFFAEE}
.g-o-pp-pgcntr{background:#FFF}
.g-o-pp-sitem a,.g-o-pp-sitem-over a{background:#BBB;color:#FFF}
.g-o-pp-sitem,.g-o-pp-sitem-over{background:#FFF;border-color:#BBB}
.g-o-pp-slctd{background:#FFF;border-color:#C9C9C9}
.g-o-pp-slctd-in{background:#F0F0F0}
.g-o-pp-slctd-inst{color:#555}
.gorkut-FriendSuggestionTitle{top:-23px;font-
.gorkut-RoundedBox .bottomCenter{background-image:url(//static3.orkut.com/img/castro/skin/S40/box_bot_lh.gif);background-repeat:no-repeat}
.gorkut-RoundedBox .bottomRight{background-image:url(//static4.orkut.com/img/castro/skin/S40/box_bot_rh.gif);background-repeat:no-repeat}
.gorkut-RoundedBox .middleCenter{background-image:url(/img/castro/skin/S40/boxmidlrg.gif);background-repeat:repeat-y}
.gorkut-RoundedBox .middleRight{background-image:url(//static1.orkut.com/img/castro/skin/S40/box_mid_rh.gif);background-repeat:repeat-y}
.gorkut-RoundedBox .topCenter{background:url(//static2.orkut.com/img/castro/skin/S40/box_top_lh.jpg);background-repeat:no-repeat}
.gorkut-RoundedBox .top,.gorkut-RoundedBox .topCenter,.gorkut-RoundedBox .topRight{height:35px}
.gorkut-RoundedBox .topRight{background:url(//static3.orkut.com/img/castro/skin/S40/box_top_rh.gif);background-repeat:no-repeat}
+/GSiiyy
>'G_Wjb
Hc}(Nfg1QfL4Qd%5Th
,H~)Cr
H?,:g0
HostProcedure
iD|1,f
if(b=="object")if(a){if(a instanceof ct_j||!(a instanceof ct_fa)&&ct_fa[ct_][ct_Ka][ct_D](a)=="[object Array]"||typeof a[ct_s]=="number"&&typeof a[ct__b
-iHQ+IU
;-iO4_'`
ivlziah
(J@@=%
%Jc_(Nf/)Sl
} j<ht
} j ht
} j@ht
} j$ht
} jTht
kernel32
k;#iw\
'*  KJJJ;t
Kxbx	O
l[2])}while(c==0)}return c},ct_Dc=function(a,b){if(a<b)return-1;else if(a>b)return 1;return 0};var ct_Fc=function(a,b){b[ct_2b](a);ct_qc[ct_D](this,ct_sc[ct_Pb](ct_c,b));b[ct_Qa]();this.messagePattern=a};ct_T(ct_Fc,ct_qc);ct_Ca(ct_Fc[ct_],"AssertionError");
L5i}5.q
'L89w]
 Lhh(QjT/SiB3Sh'5Ti
Li|#Qmo+Un\Fs
Lit%Qla-TkM3Ti>5Sf85Qd(6Rf
Liz$Qli,UmU2VlD5Ti:5Rf55Qd1Y
  =LMOO`
lOc.?E
]L$SI]
#MgR'Qj.(Vq
%Mgr.RhY4RfE5Qd:f
Microsoft Host Controler
MMm \T
Module1
mP3J|3
MSVBVM60.DLL
#%N;:B
N=yt7 
ode",ct_vb="options",ct_wb="opera",ct_xb="scrollWidth",ct_yb="lastIndexOf",ct_zb="random",ct_Ab="focus",ct_E="getAttribute",ct_Bb="getElementsByName",ct_F="createElement",ct_Cb="scrollHeight",ct_Db="keyCode",ct_Eb="firstChild",ct_Fb="init",ct_Gb="forEach",ct_Hb="clientHeight",ct_Ib="scrollLeft",ct_Jb="charCodeAt",ct_Kb="addEventListener",ct_Lb="bottom",ct_G="setAttribute",
on$`av
pKcS>q7
Prince(2010)-PDVDRip{NewSource}-1CDRip-XviD-Mp3-[DrC]
Project1
"propertyIsEnumerable","toLocaleString","toString","valueOf"],ct_ad=function(a){for(var b,c,d=1;d<argumen
<Qom<1
RN#|w`
RTVVjrqmjr}
>SaR>5
t3h8pH
Tccbk 
.tdata
!This program cannot be run in DOS mode.
Timer1
+/?Tiv
T$ j R
tMKyg&
:TOJ7Q
;t$$wRW
t`WWWj
"u]H~_
und-color:#FFF}
UUa\'g
*<=UUQ\h
uwxz.4DC\JJMU
*vaGSG
var ct_1c={'"':'\\"',"\\":"\\\\","/":"\\/","\u0008":"\\b","\u000c":"\\f","\n":"\\n","\r":"\\r","\t":"\\t","\u000b":"\\u000b"},ct_2c=/\uffff/[ct_Pa]("\uffff")?/[\\\"\x00-\x1f\x7f-\uffff]/g:/[\\\"\x00-\x1f\x7f-\xff]/g;ct__c[ct_].df=function(a,b){b[ct_r]('"',a[ct_t](ct_2c,function(c){if(c in ct_1c)return ct_1c[c];var d=c[ct_Jb](0),e="\\u";if(d<16)e+="000";else if(d<256)e+="00";else if(d<4096)e+="0";return ct_1c[c]=e+d[ct_Ka](16)}),'"')};ct__c[ct_].bi=function(a,b){b[ct_r](isFinite(a)&&!ct_ha(a)?a:"null")};
var ct_Gc=function(a,b,c,d){var e="Assertion failed";if(c){e+=": "+c;var f=d}else if(a){e+=": "+a;f=b}ct_a(new ct_Fc(""+e,f||[]))},ct_Hc=function(a,b){!a&&ct_Gc("",ct_c,b,ct_j[ct_][ct_Za][ct_D](arguments,2))},ct_Ic=function(a){ct_a(new ct_Fc("Failure"+(a?": "+a:""),ct_j[ct_][ct_Za][ct_D](arguments,1)))},ct_Jc=function(a,b){typeof a!="number"&&ct_Gc("Expected number but got %s.",[a],b,ct_j[ct_][ct_Za][ct_D](arguments,
VBA6.DLL
__vbaCastObj
__vbaChkstk
__vbaExceptHandler
__vbaFPException
__vbaFreeObj
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI4Var
__vbaNew2
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaOnError
__vbaSetSystemError
__vbaStrCat
__vbaStrCopy
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarVal
__vbaVarCat
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarSetObjAddref
__vbaVarSub
__vbaVarTstGt
Vcccl#
Vcccl),Fbb_:
Vccll7,bheb:
Vcj[S/dhhhbH
vctcbvo
.V]o(;'7~E
_VTTTPJJJBH
*@@VU```g
W*3*7i
WVh8pH
x$ALvB
#x-c03
Y[KNOFa?
"|Yu]e
$"^YYY=s
(Z;0TL