Analysis Date: 2013-10-26 02:48:51
MD5: 42c689b66f1fd42d4ed7067e7df1d733
SHA1: b1c30cfd4a923bbc5c83c40d9a201ebad317c5f9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 6ee10eb7599da5e38ec497f92a7166dc sha1: b3f678541c7e604f11e0ef648c4b662b1ed6c960 size: 1024
Section UPX2 md5: 906116ae9fe8b11b3e5289313acc03c5 sha1: ef8d46ca726c517ad687ef5b2adc5660642f8952 size: 17408
Timestamp: 2006-02-03 21:52:57
PEhash: 118565886a36f5c474953e537b1f76255f73e717
AV avg: Win32/Sality
AV msse: Worm:Win32/Bagle.IE@mm
AV clamav: Worm.Bagle-54
AV avira: WORM/Bagle.FJ

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsplObjects ➝ C:\WINDOWS\system32\windspl.exe
Creates File: C:\WINDOWS\system32\windspl.exe
Creates Process: C:\WINDOWS\system32\windspl.exe
Creates Mutex: AdmSkynetJklS003
Creates Mutex: 'D'r'o'p'p'e'd'S'k'y'N'e't'
Creates Mutex: ____--->>>>U<<<<--____
Creates Mutex: MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Creates Mutex: _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Creates Mutex: [SkyNet.cz]SystemsMutex
Creates Mutex: _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_

Process
↳ C:\WINDOWS\system32\windspl.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsplObjects ➝ C:\WINDOWS\system32\windspl.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\WinAmp 6 New!.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Windows Sourcecode update.doc.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\KAV 5.0
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Office 2003 Crack, Working!.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Kaspersky Antivirus 5.0
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Serials.txt.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Ahead Nero 7.exe
Creates File: C:\WINDOWS\system32\windspl.exeopenopen
Creates File: C:\WINDOWS\regisp32.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Opera 8 New!.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\WinAmp 5 Pro Keygen Crack Update.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno pics arhive, xxx.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\ACDSee 9.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Office XP working Crack, Keygen.exe
Creates File: C:\WINDOWS\system32\windspl.exeopen
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Microsoft Windows XP, WinXP Crack, working Keygen.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Matrix 3 Revolution English Subtitles.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\XXX hardcore images.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Windown Longhorn Beta Leak.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno, sex, oral, anal cool, awesome!!.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Adobe Photoshop 9 full.exe
Creates File: C:\Documents and Settings\Administrator\NetHood\shared on Samba 3.6.9-151.el6 (192.168.1.1)\Porno Screensaver.scr
Creates Process: C:\WINDOWS\regisp32.exe
Creates Mutex: 'D'r'o'p'p'e'd'S'k'y'N'e't'
Creates Mutex: ____--->>>>U<<<<--____
Creates Mutex: MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
Creates Mutex: _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
Creates Mutex: [SkyNet.cz]SystemsMutex
Creates Mutex: AdmSkynetJklS003
Creates Mutex: smtp_bagla_1000
Creates Mutex: _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
Winsock URL: http://ijj.t35.com/

Process
↳ C:\WINDOWS\regisp32.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\regisp32.exe ➝ C:\WINDOWS\regisp32.exe:*:Enabled:ipsec
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winvkdfu.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winomuw.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winjqgu.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\winuxonlv.tmp
Creates Mutex: smtp_bagla_1000
Winsock URL: http://myphotokool.t235.com/
Winsock URL: http://dook.zoo.by/
Winsock URL: http://209.16.85.230/.%20/pr
Winsock URL: http://ijj.t235.com/
Winsock URL: http://debut.zoo.com/
Winsock URL: http://noshit.fateback.com/

Network Details:

DNS: lbr-hosted.inspcloud.com (Type: A) ➝ 54.229.43.36
DNS: myphotokool.t235.com (Type: A) ➝ 82.98.86.174
DNS: noshit.fateback.com (Type: A) ➝ 198.23.52.92
DNS: ijj.t235.com (Type: A) ➝ 82.98.86.174
DNS: ijj.t35.com (Type: A)
DNS: dook.zoo.by (Type: A)
DNS: debut.zoo.com (Type: A)
HTTP GET: http://debut.zoo.com/
User-Agent: DEBUT.TMP
HTTP GET: http://myphotokool.t235.com/
User-Agent: DEBUT.TMP
HTTP GET: http://noshit.fateback.com/
User-Agent: DEBUT.TMP
HTTP GET: http://ijj.t235.com/
User-Agent: DEBUT.TMP
HTTP GET: http://209.16.85.230/.%20/pr
User-Agent: DEBUT.TMP
Flows TCP: 192.168.1.1:1033 ➝ 54.229.43.36:80
Flows TCP: 192.168.1.1:1034 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1035 ➝ 198.23.52.92:80
Flows TCP: 192.168.1.1:1036 ➝ 82.98.86.174:80
Flows TCP: 192.168.1.1:1037 ➝ 209.16.85.230:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 20646562   T.TMP..Host: deb
0x00000030 (00048)   75742e7a 6f6f2e63 6f6d0d0a 0d0a       ut.zoo.com....

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 206d7970   T.TMP..Host: myp
0x00000030 (00048)   686f746f 6b6f6f6c 2e743233 352e636f   hotokool.t235.co
0x00000040 (00064)   6d0d0a0d 0a742d4c 656e6774 683a2039   m....t-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a205361 742c2032 36204f63 74203230   : Sat, 26 Oct 20
0x00000080 (00128)   31332030 313a3337 3a343820 474d540d   13 01:37:48 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 206e6f73   T.TMP..Host: nos
0x00000030 (00048)   6869742e 66617465 6261636b 2e636f6d   hit.fateback.com
0x00000040 (00064)   0d0a0d0a 6e742d4c 656e6774 683a2039   ....nt-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a205361 742c2032 36204f63 74203230   : Sat, 26 Oct 20
0x00000080 (00128)   31332030 313a3337 3a343920 474d540d   13 01:37:49 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 44454255   User-Agent: DEBU
0x00000020 (00032)   542e544d 500d0a48 6f73743a 20696a6a   T.TMP..Host: ijj
0x00000030 (00048)   2e743233 352e636f 6d0d0a0d 0a0d0a43   .t235.com......C
0x00000040 (00064)   6f6e7465 6e742d4c 656e6774 683a2039   ontent-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a205361 742c2032 36204f63 74203230   : Sat, 26 Oct 20
0x00000080 (00128)   31332030 313a3337 3a343920 474d540d   13 01:37:49 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)                                         

0x00000000 (00000)   47455420 2f2e2532 302f7072 20485454   GET /.%20/pr HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a2044 45425554 2e544d50 0d0a486f   t: DEBUT.TMP..Ho
0x00000030 (00048)   73743a20 3230392e 31362e38 352e3233   st: 209.16.85.23
0x00000040 (00064)   300d0a0d 0a742d4c 656e6774 683a2039   0....t-Length: 9
0x00000050 (00080)   330d0a43 6f6e7465 6e742d54 7970653a   3..Content-Type:
0x00000060 (00096)   20746578 742f6874 6d6c0d0a 44617465    text/html..Date
0x00000070 (00112)   3a205361 742c2032 36204f63 74203230   : Sat, 26 Oct 20
0x00000080 (00128)   31332030 313a3337 3a343920 474d540d   13 01:37:49 GMT.
0x00000090 (00144)   0a0d0a3c 68746d6c 3e0a2020 3c686561   ...<html>.  <hea
0x000000a0 (00160)   643e0a20 2020203c 7469746c 653e0a09   d>.    <title>..
0x000000b0 (00176)   34303420 4e6f7420 466f756e 640a2020   404 Not Found.  
0x000000c0 (00192)   20203c2f 7469746c 653e0a20 203c2f68     </title>.  </h
0x000000d0 (00208)   6561643e 0a20203c 626f6479 3e0a2020   ead>.  <body>.  
0x000000e0 (00224)   3c2f626f 64793e0a 3c2f6874 6d6c3e0a   </body>.</html>.
0x000000f0 (00240)                                         
Strings
,0D2222@HLP0222|xtp22
`1{,G~tY
2003 C
209.16.8
 ,=220
~-2p!n
3've goNhem alreaA
3WnAiB
5|Ht[b ]
797b8^p3
7bia6p
7c-Typem
<9v$<A
9viewRZ
+AD$}Q`
ADVAPI;@
advapi32.dll
($aMool
<.a<_t
$aT	! 
AuthQ$29.04
ay"H88
\!'^bbTN
CoInitialize
CPT TO
DCDSR;
DeleteDC
([d\r8sG
'D'r'o'p
Dy(Jm)
e'd'S'k'y'N
e'empP
EgqfOG
-elot	@
:*:Enabl :ip
e]R0k	
!>Er^r!Jw
Faxc{h{%]
FedAc5
 $(FFFF,048fFFF<@D
f'fZf;U
ficult worlV
+ft\W@
<>g7'\h
gdi32.dll
	GermFy.
GetI<En}K`omd
GetProcAddress
gifjolgw]
Gw$MsI
g'zffb(==7a<
HeCs:-)
HELO %l"
Hfo@AobP
h&Pii",oG
http://ijj
hutdown
hY Bnlk
$Id: NRV 0.54 Copyright (C) 1996-1999 Markus F.X.J. Oberhumer $
$Id: UPX 0.61 Copyright (C) 1996-1999 Laszlo Molnar & Markus Oberhumer $
ill be mine!!
image/bmpk[
In a d
InternetOpenA
ion\Ru
ipgpCGpj
?KERNEL32d
kernel32.dll
KERNEL32.DLL
&k:#Ibane
k-y-N-e-t][
\l+0.u
laIP4&
$License: NRV for UPX is distributed under special license $
LoadLibraryA
MAIL FROM:<
 MIME-N
mYa+FiI
n09oQ^t_a
nameless =
Nm#<+GU
oazuf q[$|
~og1lD
_-oOaI|-
oomnixcsd
o surviv
ph$%z*ttc%{!|wxypw
Pl0> U
P^U(wB
QL+S#c
RegCloseKey
R)y|?38\k
shell32.dll
ShellExecuteA
sh%KAV'
shlwapi.dll
SOFTWARE\dispering
So, you
Startup
StrDupA
SYSTEM
.t35.com/7$
t|eKOo-_mO
!This program cannot be run in DOS mode.
TickCf
tole32.dll
UmLi&/
\upldfo
URLDownloadToFileA
urlmon.dll
ur|ntV
~us.dl*G
user32.dll
=-{v7v
vValueEEq
W8S<Poi>
waTP/'y
wininet.dll
wsock32.dll
wsprintfA
xm<(bx
Y2&5-P
_^{YAV
YQba~64"B