Analysis Date: 2014-12-19 07:16:26
MD5: 430ab501e02ebf13b4244b0b5b517f67
SHA1: aa3468bb847183badab7efd66cb14ecd786ec743

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 69606dc29fb53a2b8ccca6bf8e6882a7 sha1: cf114eb9da0efaca293e0b90fdb1d93e32077d11 size: 42496
Section UPX2: md5: 0f63bc69994f3ff76dea05e93e0f70b2 sha1: d5f36dfb94f18ce1ba4d834cbe14d90b37734d97 size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: f336aad9ace36aedcc7e1d17f4a7fc4882bddfb5
IMPhash: c7ecd1a0a4200634e300116dcad86d0d
AV 360 Safe: Generic.Sdbot.3AFE32A4
AV Ad-Aware: Generic.Sdbot.3AFE32A4
AV Alwil (avast): SdBot-BQB [Trj]
AV Arcabit (arcavir): Generic.Sdbot.3AFE32A4
AV Authentium: W32/Bloop.A.gen!Eldorado
AV Avira (antivir): Worm/SdBot.57334.A
AV BullGuard: Generic.Sdbot.3AFE32A4
AV CA (E-Trust Ino): Win32/Lioten!generic
AV CAT (quickheal): Backdoor.IRC.r3
AV ClamAV: no_virus
AV Dr. Web: Win32.IRC.Bot.based
AV Emsisoft: Generic.Sdbot.3AFE32A4
AV Eset (nod32): Win32/IRCBot.FA
AV Fortinet: W32/Sdbot!tr.bdr
AV Frisk (f-prot): W32/Bloop.A.gen!Eldorado
AV F-Secure: Generic.Sdbot.3AFE32A4
AV Grisoft (avg): IRC/BackDoor.SdBot.21.BE
AV Ikarus: Backdoor.Win32.IRCBot
AV K7: Trojan-Downloader ( 0040f8ad1 )
AV Kaspersky: Backdoor.Win32.IRCBot.gen
AV MalwareBytes: no_virus
AV Mcafee: W32/Sdbot.worm.gen
AV Microsoft Security Essentials: Backdoor:Win32/Sdbot
AV MicroWorld (escan): Generic.Sdbot.3AFE32A4
AV Rising: no_virus
AV Sophos: W32/Sdbot-Gen
AV Symantec: W32.Randex.gen
AV Trend Micro: BKDR_IRCBOT.GEN
AV VirusBlokAda (vba32): BScope.Backdoor.Win32.SdBot

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: jop

Network Details:

DNS: irc.freshirc.com
Type: A
141.8.225.62
DNS: r0x.myvnc.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1042 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1044 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1045 ➝ 141.8.225.62:6667

Raw Pcap

Strings