Analysis Date2015-01-31 06:32:56
MD53ff95c0669d7dd9313858c194e229ef5
SHA1a589b8b5b71156148eaaaf46729c84bdb10d22b3

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section.rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section.data md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section.rsrc md5: 7f6261a2ac19e41dda4916f2fa0f751d sha1: 98f54bf1a1c015da4c2a31c857b2a8db0ea2e415 size: 180224
Timestamp2009-06-06 21:41:54
PackerNullsoft PiMP Stub -> SFX
PEhashd23f2a230a7d5465988937924212b6a5b5bf805b
IMPhash099c0646ea7282d232219f8807883be0
AV360 Safeno_virus
AVAd-Awareno_virus
AVAlwil (avast)no_virus
AVArcabit (arcavir)no_virus
AVAuthentiumno_virus
AVAvira (antivir)TR/Dldr.Chindo.269204.1
AVBullGuardno_virus
AVCA (E-Trust Ino)no_virus
AVCAT (quickheal)no_virus
AVClamAVno_virus
AVDr. Webno_virus
AVEmsisoftno_virus
AVEset (nod32)NSIS/TrojanDownloader.Chindo.E
AVFortinetW32/Chindo.B!tr.dldr
AVFrisk (f-prot)no_virus
AVF-Secureno_virus
AVGrisoft (avg)no_virus
AVIkarusno_virus
AVK7Error Scanning File
AVKasperskyHEUR:Downloader.NSIS.Feasu.heur
AVMalwareBytesno_virus
AVMcafeeno_virus
AVMicrosoft Security Essentialsno_virus
AVMicroWorld (escan)no_virus
AVRisingno_virus
AVSophosno_virus
AVSymantecno_virus
AVTrend Microno_virus
AVVirusBlokAda (vba32)no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\2.ico
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\System.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Program Files\Meinvkankan\Uninstall.exe
Creates FilePIPE\wkssvc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\nsProcess.dll
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\Inetc.dll
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FilePIPE\srvsvc
Creates FileC:\Documents and Settings\Administrator\Start Menu\Programs\Meinvkankan\uninst.lnk
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\3.ico
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nst2.tmp
Creates FileC:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\i.rar
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\NSISdl.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\System.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\2.ico
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\3.ico
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\Inetc.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\i.rar
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy1.tmp
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsy3.tmp\NSISdl.dll
Creates Process
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates MutexMeinvkankan
Winsock DNSpconline.org.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FilePIPE\lsarpc
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates MutexWininetConnectionMutex
Creates Mutex_SHuassist.mtx
Creates MutexShell.CMruPidlList

Process
↳ Pid 0

Network Details:

DNSint.dpool.sina.com.cn
Type: A
180.149.136.250
DNSpconline.org.cn
Type: A
222.186.60.69
DNSpconline.org.cn
Type: A
222.186.60.70
DNSpconline.org.cn
Type: A
222.186.60.2
DNSpconline.org.cn
Type: A
222.186.60.68
HTTP GEThttp://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: NSISDL/1.2 (Mozilla)
HTTP GEThttp://pconline.org.cn/2.ico
User-Agent: NSIS_Inetc (Mozilla)
Flows TCP192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP192.168.1.1:1032 ➝ 222.186.60.69:80

Raw Pcap
0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e300d 0a486f73 743a2069 6e742e64   1.0..Host: int.d
0x00000030 (00048)   706f6f6c 2e73696e 612e636f 6d2e636e   pool.sina.com.cn
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000050 (00080)   4953444c 2f312e32 20284d6f 7a696c6c   ISDL/1.2 (Mozill
0x00000060 (00096)   61290d0a 41636365 70743a20 2a2f2a0d   a)..Accept: */*.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f322e69 636f2048 5454502f   GET /2.ico HTTP/
0x00000010 (00016)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000020 (00032)   204e5349 535f496e 65746320 284d6f7a    NSIS_Inetc (Moz
0x00000030 (00048)   696c6c61 290d0a48 6f73743a 2070636f   illa)..Host: pco
0x00000040 (00064)   6e6c696e 652e6f72 672e636e 0d0a436f   nline.org.cn..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000060 (00096)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .


Strings
 " "
E
.
q
... Mj
..
.

MS Shell Dlg
Please wait while Setup is loading...
*?|<>/":
#%*|$%(
03:,16;<16;[16=w16=
05<%26<]3:C
06:I06=
06<L08@p39B
0]91_Q0U
0if\Kd_U
(+0J(+1
0v L\D
16;317>c17>
]1`e6c
1eRM:%!
~%1Et8S~
1=Iq+5>
,``	1m
	1m=	1m
	1m#	1m
1v) P8
1]Yae6e
23=Moc
}?24k:
25<L28@
$*2d#',G
}304c-O$
30T^3i
347wE!
3+A`1c`
3\\]c)
3,.\f4
3$FJQCM
3 H|iW
3IPaft
$3mM3I
3:uF,B
41mtH 
4:@~48?P38?&
49F4EX
4AKq(/8
4*fU9*kXk
',4V-1;
574JOk
5EMR,4>
5()HTpjn
5\nb83
6%?2{|
68RB5)g
.6?A$&,
6HaVBL\
^7^49y
/7;616<v06?
7?7O;A
7=Ei/4;
7?G&29A]17?
7@J/29A^17>
7tnD}Q
*7Vv@I!
8/ctY`9GZ,E~x
8.hHV7
8/;$|&N
8NCRCu
8!V~*/
#9HR>~
9#jaUg
9Zk-jc
$A>,#}
-A4dtM.[|5
aaP9,u
	@<ab)q
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
A"e|W"
;&a'FQ
A~?GUy\
ajN].7
:AK?=EO]>GQw8?H
AL:@"$N!
aO2S^\L
`aPF}i
AppendMenuA
a&@$:v
*:B1Xda
bD5=Q5
BeginPaint
B}erP U42
 ]B-g'
Bk|s2Fx
bt."rD
(bZ	p:
>C|$6$
CallWindowProcA
=	CgtA
CharNextA
CharPrevA
CheckDlgButton
CiEK%\t
_c}J/O9
CloseClipboard
CloseHandle
cO|bcg
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
:Cqt!(
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
... %d%%
D$0+D$(P
 D7	.^
&d:ADH!RHn
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
.dF	1m
DialogBoxParamA
DispatchMessageA
Dls	b$
:DM>09A}+29
=DM8>FP[>EOp@IQ
DrawTextA
D$(SPS
DU($#EAr(
D>#vK*
D-z!@`O
E1F*1q
e;1M!R
^E^421{
E676PB
E	C~p;
e[iZ&aj
e K4=^
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
eo!Z9_
#!ePGMt|
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
=}@E\s.
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
ez?v_s@q
<*-%f4
F$5Va+d
,fAW{Y om
fcmbrJ{
FCV?t'
FgRg91
FillRect
`{*FIM
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
)f;-LQ`
>FP0?GQBCKUi>FQy;BK
FreeLibrary
/]F'zK?
{)GC|9`
G)cOnr=
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
gfpVp]
GK~RR5
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gnB]7L
GO?)9{
>GOo?FN3
;GQ<5>F|/5=
%$$h,*(
]h0-(4
h*4a7V&
{h6[LL
h'"@8	
{-h]ai
HedL!r
/he	EY
HhhNM~
hI ~ZF
hJt]GR
HO%Xg(
h=p7DZ3<
http://nsis.sf.net/NSIS_Error
*Hu#T@
i2R<s\
?i]"}4
I,@c*u
IDAT7)
|.I' l5
i~ma2T
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
i(}Mtpq
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
"!I$UQ
IW0,q4
j0C65C
_:j%79"
J7lE57
]jcYiR
JHQjzI'\
j@N))c
/JoWl'
JWcs[m~
=*kA@;
<~KDNET
KERNEL32
KERNEL32.dll
&kfGD6o
kH&gA(
K\i$BP\R7@J
kp!]XgT
?KUY*S
|k)Vq9
l02JvUt
"l0.j)
l6 &W&
.,Lb|c
L[hbFTaj?LX
LhF>SJ
&LNM073
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LON37=
LookupPrivilegeValueA
LQlnrya
!+~L	R
[l|RTfu
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
L&TUE=42
	lU22#
LXHk3K
_l*%?Z
MdeI[mz
M+%e2 
MessageBoxIndirectA
)M]GUUh
M]HlFF"
\Microsoft\Internet Explorer\Quick Launch
`mkZObx{
More information at:
MoveFileA
MoveFileExA
MQ1J#7m
MulDiv
MultiByteToWideChar
@"MY$=
-`+Mz?
?N\01<F
NA?OYt^
Nb3MW)
#	n\>ChSk
.ndata
=n?H.1
NSIS Error
~nsu.tmp
NullsoftInst7]
NulluM	E
:N>y//
nz>:Ky
O9@ _+
O9BDZ}
oJyjMJy
o/;kWs
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
O"S^>V
	OV+/z
P0P=s_
+[p	1m
p@1X 9
pDLPh@'F^J
PeekMessageA
PJqc(%
=^:<-PN^(p
PostQuitMessage
Pp`0"8k
PPPPPP
P\SUh:
pyce=B4
Pyk]G<
q#0J\Q6
,]Q	1m
q6EAi-i
QAiX \
"qF*Em
qu	)*fT|A
QX>ut~
qZ7#WP
{R=8c%
r90%bR|_
Rbb,RW
`.rdata
ReadFile
r\Efbe
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
R*^~{g
RGm2a'
RichEd20
RichEd32
RichEdit
RichEdit20A
RIle6Q
^rjQJ~s
+RK	Ys
`rO0i(
$Rp/<~
rQL\At
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SFu^lY
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
;S,Kq_>
!S{~L}
softuV
Software\Microsoft\Windows\CurrentVersion
^^;Sp7
SQSSSPW
s|RRPD"
Ssvim]
s+]VRB
sXk0(U
sx/@qp
SystemParametersInfoA
> _?=t
T[2X3&V
tBrbkI!
@#tEX)
Tf;HU(d`
!This program cannot be run in DOS mode.
+thMuX
]Tkk\:
#T[k/kq
tN7Xwy
_^[t	P
TrackPopupMenu
:tS;56
;TvL"<&M
"Tx5 p(
U1S`US
u467IZ
u49-,?B
U8Wc~i
U\~C}?
ud+EKOy
u]Gk+I+
unpacking data: %d%%
*u:(O'
U o6@]
$u&qcE.
UrL	>6
USER32.dll
%u.%u%s%s
u+x;{)
u(XWFkP
uzj+e|
V,#~,|
v95LpA
V:9,xS2
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#Vh;+@
)vn<f\[Jc
vq+#{H
V-*V6|>g^
%V)ydZG@j
w3</ex$
w7Ua)V#
WaitForSingleObject
WI!C| 	F
Wk:nm%N
wMc7F\
`woSk#B
Wp!~FP
WriteFile
WritePrivateProfileStringA
wsprintfA
wV;,9i
x\5c`DfP
x5*i2IW
\X^avv
XDg`iIV
x:gmC*?
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
%xq^j*r
xS9JkMNS
/:xt#\t
`X)uJe
XwW	cA
Y}!G7X@M
yI3Mhf	
yJa'((
y&kkSL
?~YM!(
YnNaI*
yOPnAj
Y:\W5j
%yW8Hg
YXu1%l
yYn^YK
^ZA	I7
 )ZE~<
ZKJ	TQ
zrjz)k
Z+VE!3