Analysis Date: 2014-12-21 14:03:32
MD5: 88e03957cdc0b341a41f8b03cddd63f8
SHA1: a2986dc12b9b2d1b9dcadd39b90ed61963899133

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section md5: 7ad6a89ec4c355c22af8bbb55b62456d sha1: b2a30f25a7fd0fb8ecd561362dacc639829dcb47 size: 53248
Section md5: 9d93cd2fe414c3f5412651aa77876dd2 sha1: fafdedf6fa8846d482ac0eea83861bee485c40e3 size: 8192
Section md5: 02aab43e8490bb3c39c4acc6da2d6f8a sha1: d7d229329aecd1b99f53903c37c239deaf3e96ce size: 45056
Section .rsrc md5: 4c7cdf1e14a093ecf8168434fb0072c0 sha1: a9a3f0b57471cca74350e0eeead11b116de36a46 size: 4096
Section .data md5: bb92970670a2f36fbbb31dd309c18b8b sha1: d39309b5645a2d13252ae582199866b2460d2e9e size: 49152
Section .data md5: 972848dd987802ce21bc9030f73345af sha1: ce00afd0977e2998eaa62eb23f2d4df97eb79987 size: 8192
Timestamp: 2003-02-13 12:53:01
Packer: Microsoft Visual C++ v6.0
PEhash: 026850840f588d55a8e9dcd3ad69d7e95a4678e6
IMPhash: d1c51845c07b489cb23a02c7de3b8df1
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.12364608
AV Alwil (avast): PeepViewer-D [Trj]
AV Arcabit (arcavir): Trojan.Generic.12364608
AV Authentium: W32/Backdoor.OVVU-8008
AV Avira (antivir): TR/Spy.Gen
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Peepviewer-5
AV Dr. Web: BackDoor.PeepView.201
AV Emsisoft: Trojan.Generic.12364608
AV Eset (nod32): Win32/PeepViewer.201
AV Fortinet: W32/Peepviewer.L!tr.bdr
AV Frisk (f-prot): W32/Backdoor2.GGRA
AV F-Secure: Trojan.Generic.12364608
AV Grisoft (avg): BackDoor.Peepviewer.L
AV Ikarus: Backdoor.Win32.PeepViewer
AV K7: Trojan ( 00001eef1 )
AV Kaspersky: Backdoor.Win32.PeepViewer.201.a
AV MalwareBytes: no_virus
AV Mcafee: Spy-Peep
AV Microsoft Security Essentials: Backdoor:Win32/Peepviewer.2_01
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: Mal/Behav-001
AV Symantec: Backdoor.Peeper
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ c:\windows\system32\explorer.exe
Creates File: c:\windows\system32\explorer.exe
Creates Process: c:\windows\system32\explorer.exe NoRunOrg

Process
↳ c:\windows\system32\explorer.exe NoRunOrg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ c:\windows\system32\explorer.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\AsyncSelectHlp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock URL: http://bestliuqiang.myetang.com

Network Details:

DNS: bestliuqiang.myetang.com (Type: A) ➝ 208.73.211.250
DNS: bestliuqiang.myetang.com (Type: A) ➝ 208.73.210.211
DNS: bestliuqiang.myetang.com (Type: A) ➝ 208.73.211.167
DNS: bestliuqiang.myetang.com (Type: A) ➝ 208.73.211.244
HTTP GET: http://bestliuqiang.myetang.com/ (User-Agent: Microsoft Internet Explorer)
HTTP GET: http://bestliuqiang.myetang.com/ (User-Agent: Microsoft Internet Explorer)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.250:80
Flows TCP: 192.168.1.1:1043 ➝ 208.73.211.250:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d696372   User-Agent: Micr
0x00000020 (00032)   6f736f66 7420496e 7465726e 65742045   osoft Internet E
0x00000030 (00048)   78706c6f 7265720d 0a486f73 743a2062   xplorer..Host: b
0x00000040 (00064)   6573746c 69757169 616e672e 6d796574   estliuqiang.myet
0x00000050 (00080)   616e672e 636f6d0d 0a436f6e 6e656374   ang.com..Connect
0x00000060 (00096)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x00000070 (00112)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000080 (00128)   6e6f2d63 61636865 0d0a0d0a            no-cache....

Strings