Analysis Date: 2013-11-21 22:18:05
MD5: dc421da61654c429b9eada1ae1f654a2
SHA1: b20b44586f6bdc40a929ef32a87e2df2148d32b5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Language: 080404B0
Section .text md5: 149e3b8cd40ac7c4a10ea277c7aeb211 sha1: 7ae2e7479e2880e8287aa12accbf098b6c85c7cc size: 27648
Section .data md5: 8968c4e30fdc2cd1e3ac0ba01f35cef4 sha1: 91cfd24158b79d4e9de10bc1fab36f65ac3004c2 size: 512
Section .rsrc md5: a7afc254ac97492c63f32a009b48746d sha1: 4a9ae2087ffbb656416452a525d309471d8f068e size: 4096
Section .aspack md5: 483189e81949e6c8ae85fdb4ff6f37ec sha1: 75a1257dbddf1e6ed60fef8893ee1756dab84b46 size: 4608
Section .adata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2006-02-17 07:55:24
Version: InternalName: WinGame
FileVersion: 1.00.0008
CompanyName: zoom technology
ProductName: WinGame
ProductVersion: 1.00.0008
OriginalFilename: WinGame.exe
Packer: ASPack v2.1
PEhash: 4ac8385d509362fb60867b13ea381d814407510d
AV avg: BackDoor.Generic3.TRE.dropper
AV clamav: Win.Trojan.Agent-166019
AV avira: TR/Dropper.Gen
AV mcafee: BackDoor.k
AV msse: Virus:Win32/Wamgin.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CLASSES_ROOT\txtfile\shell\open\command\ ➝
C:\WINDOWS\SYSTEM32\DBST32NT.LOG NOTEPAD.EXE %1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\SMSS.EXE
Creates File: C:\dntboot.bin
Creates File: C:\b20b44586f6bdc40a929ef32a87e2df2148d32b5.dll
Creates File: C:\WINDOWS\SMSS.EXE
Creates Process: C:\b20b44586f6bdc40a929ef32a87e2df2148d32b5.dll
Creates Process: C:\WINDOWS\SMSS.EXE

Process
↳ cmd.exe /C net view 192.168.1.1 >c:\192.168.1.1.txt

Creates File: c:\192.168.1.1.txt
Creates Process: net view 192.168.1.1

Process
↳ cmd.exe /C net view 192.168.1.2 >c:\192.168.1.2.txt

Creates File: c:\192.168.1.2.txt
Creates Process: net view 192.168.1.2

Process
↳ C:\WINDOWS\SMSS.EXE

Registry: HKEY_CLASSES_ROOT\txtfile\shell\open\command\ ➝
C:\WINDOWS\SYSTEM32\DBST32NT.LOG NOTEPAD.EXE %1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝
explorer.exe C:\WINDOWS\SMSS.EXE
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\SYSTEM32\DBST32NT.LOG
Creates File: C:\dntboot.bin
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: cmd.exe /C net view 192.168.1.1 >c:\192.168.1.1.txt
Creates Process: cmd.exe /C net view 192.168.1.2 >c:\192.168.1.2.txt
Winsock DNS: www.freewebs.com
Winsock URL: http://www.freewebs.com/kelly6666/lo.txt
Winsock URL: http://www.freewebs.com/kelly6666/sm.txt

Process
↳ C:\b20b44586f6bdc40a929ef32a87e2df2148d32b5.dll

Process
↳ net view 192.168.1.1

Creates File: PIPE\wkssvc
Creates File: UNC\192.168.1.1\PIPE\srvsvc

Process
↳ net view 192.168.1.2

Creates File: UNC\192.168.1.2\PIPE\srvsvc

Network Details:

DNS: www.freewebs.com
Type: A
75.98.17.24
HTTP GET: http://www.freewebs.com/kelly6666/sm.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.freewebs.com/kelly6666/lo.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 75.98.17.24:80
Flows TCP: 192.168.1.1:1033 ➝ 75.98.17.24:80

Raw Pcap
0x00000000 (00000)   47455420 2f6b656c 6c793636 36362f73   GET /kelly6666/s
0x00000010 (00016)   6d2e7478 74204854 54502f31 2e310d0a   m.txt HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000030 (00048)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000040 (00064)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000050 (00080)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000060 (00096)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000070 (00112)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000080 (00128)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000090 (00144)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000a0 (00160)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000b0 (00176)   66726565 77656273 2e636f6d 0d0a436f   freewebs.com..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....

0x00000000 (00000)   47455420 2f6b656c 6c793636 36362f6c   GET /kelly6666/l
0x00000010 (00016)   6f2e7478 74204854 54502f31 2e310d0a   o.txt HTTP/1.1..
0x00000020 (00032)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000030 (00048)   6570742d 456e636f 64696e67 3a20677a   ept-Encoding: gz
0x00000040 (00064)   69702c20 6465666c 6174650d 0a557365   ip, deflate..Use
0x00000050 (00080)   722d4167 656e743a 204d6f7a 696c6c61   r-Agent: Mozilla
0x00000060 (00096)   2f342e30 2028636f 6d706174 69626c65   /4.0 (compatible
0x00000070 (00112)   3b204d53 49452036 2e303b20 57696e64   ; MSIE 6.0; Wind
0x00000080 (00128)   6f777320 4e542035 2e313b20 5356313b   ows NT 5.1; SV1;
0x00000090 (00144)   202e4e45 5420434c 5220322e 302e3530    .NET CLR 2.0.50
0x000000a0 (00160)   37323729 0d0a486f 73743a20 7777772e   727)..Host: www.
0x000000b0 (00176)   66726565 77656273 2e636f6d 0d0a436f   freewebs.com..Co
0x000000c0 (00192)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x000000d0 (00208)   6c697665 0d0a0d0a                     live....
Strings
080404B0
1.00.0008
CompanyName
FileVersion
InternalName
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
WinGame
WinGame.exe
zoom technology
 (08@P`p
0runtime error 
0SUVW3
&~2.QQ
&3<RY8M1
3uQ=R{
4,4 h~
4+Vy	b&
5oGRU%@UWY+yg{^)Z
)5z810fw
6Wv6V/
7RX4q6
88888888
88888888888888
9NM"'N
9O8w/xQ
A8NwrDVl
abnormal program termination
.adata
.aspack
av{%:y
Bd	Zd3
Cmx+^mv1
c:\outlook\s\deliver\outlook.pdb
{+c}qf
D$ _^]
D43]4~zh
d4Opj$E!f
-D9+vZ
`.data
DllGetLCID
+DNTY$
DOMAIN error
duB`j`}
%EME}x
ExitProcess
- floating point not loaded
FMessageLoop@12
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetVersion
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HSUVWh
I47	rA
_}*'IX/&|
JHN~C+z
kernel32.dll
KERNEL32.dll
-l9sE-Sni-1n
LOADER ERROR
LoadLibraryA
=LTz\X
MessageBoxA
Microsoft Visual C++ Runtime Library
msvbvm60.dll
*M(ZlX
No&&1s
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
'NRK59H{
N_RO8%y
N(Ue\t
OUTLLIB.dll
OUTLLIB.DllGetLCID
Outlook.EXE
](P'L@-
Program: 
<program name unknown>
P/RoLR
- pure virtual function call
pwwwwwwwwwwwwwww
qcdFb`SEQ
q#T1(v%
r!c`v|9
RenExitInstance@0
RenInitInstance@12
Richya
RtlUnwind
Runtime Error!
SetHandleCount
SING error
TerminateProcess
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
TLOSS error
t.;t$$t(
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
!u(P!r*G
u^# px!
user32.dll
uUmpyL
__vbaVarSub
VC20XC00U
VirtualAlloc
VirtualFree
w!a(5q
WideCharToMultiByte
WriteFile
wsprintfA
wwwpww
wwwww"
wwwwww
wwwwwwwwwwww
wwwwwwwwwwwwp
wwwwwwwwwwwwww
X"\31.
[x-op6
x(pwww
YHe3+V
)Y_Hk"
\yy)`t
Z</|kJ
%ZLCv[2
{"'z_Z