Analysis Date: 2015-04-01 03:14:18
MD5: 4a233a3dce59bfb8393de37714c70943
SHA1: 9b22c33ff6c9650f5cbffc97524a6e01868f8534

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 3692472e6ebadbca59855d4c66fed118 sha1: 731b4400f63f6d67f4dca9de165a4abc633bde2a size: 22528
Section .rdata md5: 2036037722b3d740c2c24fea4fbf237f sha1: 19e474f2f2f663ab4dccac124522fa62ab97476d size: 5120
Section .data md5: 5c97db224e6c141073c4c49ea59843ec sha1: 1aeaba146bd366867608aa8f4406bc6b608cf2c5 size: 118272
Section .rsrc md5: 465fa3aea5bd31656bdaa31f62bcf347 sha1: 78088d0e83ee8f0ee35b73fbb06b55e12bd68aaa size: 4612
Section axkppgs md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2003-03-24 02:22:13
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: CLIPSRV.EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Windows NT DDE Server
Packer: Microsoft Visual C++ 7.0
PEhash: e7f746772497ba8d8f97d7c4e7db920652b62081
IMPhash: 77f93fcb6b22682020d7ec5697185655
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Zusy.Elzob.24779
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Arcabit (arcavir): Gen:Variant.Zusy.Elzob.24779
AV Authentium: W32/Carberp.C.gen!Eldorado
AV Avira (antivir): TR/Dropper.Gen
AV BullGuard: Gen:Variant.Zusy.Elzob.24779
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Zbot.Y4
AV ClamAV: Worm.Palevo-28227
AV Dr. Web: Trojan.MulDrop1.64009
AV Emsisoft: Gen:Variant.Zusy.Elzob.24779
AV Eset (nod32): Win32/Kryptik.LBN
AV Fortinet: W32/SpyEyes.LBN!tr.spy
AV Frisk (f-prot): W32/Carberp.C.gen!Eldorado
AV F-Secure: Gen:Variant.Zusy.Elzob.24779
AV Grisoft (avg): Generic21.NJI
AV Ikarus: Worm.Win32.AutoRun
AV K7: Trojan ( 003c36381 )
AV Kaspersky 2015: Trojan.Win32.Generic
AV MalwareBytes: Trojan.VBKrypt
AV Mcafee: PWS-Spyeye.x
AV Microsoft Security Essentials: Trojan:Win32/Ramnit.A
AV MicroWorld (escan): Gen:Variant.Zusy.Elzob.24779
AV Rising: no_virus
AV Sophos: Troj/Ramnit-CL
AV Symantec: Infostealer
AV Trend Micro: TSPY_AZ.71F993FF
AV VirusBlokAda (vba32): MalwareScope.Trojan-PSW.Pinch.9

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699D61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69CC21D45}

Network Details:

DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: google.com
Type: A
216.58.219.110
DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
DNS: qwevrbyitntbyjdtyhvsdtrhr.com
Type: A
198.74.50.135
DNS: qwevrbyitntbyjdtyhvsdtrhr.com
Type: A
198.74.50.135
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.110:80
Flows TCP: 192.168.1.1:1031 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1037 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1038 ➝ 198.74.50.135:443

Strings