Analysis Date: 2014-06-15 07:56:42
MD5: b3638c85621cbe90917f7d6797022df2
SHA1: b7b5cb1ef3494a934f7cd4149b83e0ff7ac754dc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bd8f877fe9f79f74518cf325fd0ded29 sha1: e9b02c73da3863765f2b063dae486c2597248cb5 size: 60928
Section .rdata md5: 83b82f4b1b7366407c31b5b69a126f74 sha1: 63016a065286883fa844ebf7af59d4b7e6aa0e68 size: 2048
Section .data md5: be473b699659afc7a27502cb8ffa69ee sha1: c416ccbdb13194d690cd6324828e0e373164c62d size: 51200
Section .rsrc md5: dc794dd506d5ac02a94d1e48afa874fa sha1: 3390436e3c70c4bb9939f131e0dabfa1f11e8643 size: 1024
Timestamp: 2005-10-12 05:22:16
Version:
LegalCopyright: Copyright (C) 2010
ProductVersion: 1, 0, 0, 2
PrivateBuild: 1078
FileVersion: 1, 0, 0, 2
FileDescription: MS Shell
PEhash: cac62b4f7754d4439b43c646ce3a06cbd8c54223
IMPhash: 69abbdd68aaec80075d35c04836d773d
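The per-section hashes are the practical pivot in this block of static data: two samples whose file-level MD5 differs can still share an identical .text or .rsrc section, and the section size/hash pairs let you cluster them. Worth recording alongside them is the inconsistency between the 2005 compile timestamp and the "Copyright (C) 2010" version string, which suggests the header timestamp is not trustworthy. The script below is an added example, not code from the sandbox that produced this report: it recomputes the section md5/sha1/size triples by walking the PE section table with the standard library only. Because the analysed sample is not included here, it builds a small constructed stand-in PE32 (two sections, no optional header) to run against; the parser honours SizeOfOptionalHeader, so it works unchanged on real binaries. Import-hash (IMPhash) computation is not covered.

```python
"""Reproduce the per-section md5/sha1/size values listed under Static
Details by walking the PE section table.

Added example, not the sandbox's own code. Standard library only; the
stand-in PE built by build_sample_pe() is constructed for illustration.
"""
import hashlib
import struct

COFF_HDR = struct.Struct("<HHIIIHH")          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes
FILE_ALIGN = 0x200


def pe_section_hashes(data: bytes) -> list:
    """One dict per section: name, SizeOfRawData ('size', as the report prints it),
    md5, sha1 and a 'truncated' flag set when the file ends before the section's
    raw data does (a damaged or deliberately cut sample)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = COFF_HDR.unpack_from(data, pe_off + 4)
    table = pe_off + 4 + COFF_HDR.size + opt_size             # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = SECTION_HDR.unpack_from(
            data, table + i * SECTION_HDR.size)
        raw = data[raw_ptr:raw_ptr + raw_size]                # slicing clamps at EOF instead of raising
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "truncated": len(raw) != raw_size,
        })
    return sections


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE32 for testing: DOS header, COFF header with
    SizeOfOptionalHeader=0, a section table and file-aligned raw data.
    `sections` is a list of (name, raw_bytes, virtual_address)."""
    pe_off = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = COFF_HDR.pack(0x014C, len(sections), 0, 0, 0, 0, 0x0102)   # i386, EXECUTABLE|32BIT
    table, body, raw_ptr = b"", b"", FILE_ALIGN
    for name, raw, vaddr in sections:
        # Characteristics value is a placeholder; the parser above does not inspect it.
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(raw), vaddr, len(raw), raw_ptr,
                                  0, 0, 0, 0, 0x60000020)
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGN)
        body += padded
        raw_ptr += len(padded)
    headers = dos + b"PE\0\0" + coff + table
    assert len(headers) <= FILE_ALIGN
    return headers + b"\0" * (FILE_ALIGN - len(headers)) + body


SAMPLE_SECTIONS = [  # constructed stand-in content, not the report's sample
    (b".text", b"abc", 0x1000),
    (b".data", b"The quick brown fox jumps over the lazy dog", 0x2000),
]

if __name__ == "__main__":
    for s in pe_section_hashes(build_sample_pe(SAMPLE_SECTIONS)):
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it on a real file with `pe_section_hashes(open(path, "rb").read())`; the `truncated` flag is the check to look at first when a section hash fails to match a known cluster.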
AV 360 Safe: Gen:Heur.Conjar.9
AV Ad-Aware: Gen:Heur.Conjar.9
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Packed.Krap.Hy
AV Authentium: W32/Goolbot.A.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: WIN.Trojan.Agent-1521
AV Dr. Web: Trojan.DownLoader1.34133
AV Emsisoft: Gen:Heur.Conjar.9
AV Eset (nod32): Win32/Kryptik.HVW
AV Fortinet: W32/FakeAV.BZD!tr
AV Frisk (f-prot): W32/Goolbot.A.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Heur.Conjar.9
AV Grisoft (avg): Cryptic.BFI
AV Ikarus: Trojan.Win32.FakeAV
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Backdoor.Gbot
AV Mcafee: BackDoor-EXI.gen.d
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.9
AV Norman: winpe/Suspicious_Gen2.FCKNG
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYBOT.SMA
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: www.google.com
Winsock DNS: 127.0.0.1
Winsock DNS: freeonlinedatingtips.net
Winsock DNS: checkserverstatux.com
Winsock DNS: whysohardx.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
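
Three of the behaviours recorded above translate directly into host detections: the Winlogon\Shell value gains a second, comma-separated entry (Winlogon starts every entry at logon, so the appended shell.exe runs each session), copies named svchost.exe and dwm.exe are started from Application Data and Temp rather than System32, and ProxyEnable is switched on next to a Winsock lookup of 127.0.0.1, which is consistent with browser traffic being routed through a local proxy. The block below is an added example, not the sandbox's own logic. Its events are constructed from the report's registry and process entries in a simplified Sysmon-like shape (plus one benign control that is not from the report); the field names, rule names and the table of expected directories are this example's assumptions.

```python
"""Host-side detection checks for the behaviours listed under Runtime Details.

Added example, not the sandbox's logic. EVENTS is constructed from the
report in a simplified Sysmon-like shape; field names, rule names and
EXPECTED_DIRS are assumptions made for illustration.
"""
import ntpath

# Where the system binaries this sample impersonates normally live (assumed list).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "dwm.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

EVENTS = [  # constructed from the report's Runtime Details
    {"type": "registry_set",
     "path": r"HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable",
     "value": "1"},
    {"type": "registry_set",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell",
     "value": r"explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe"},
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe"},
    {"type": "process_create", "parent": r"C:\malware.exe",
     "image": r"C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe"},
    {"type": "process_create", "parent": r"C:\WINDOWS\system32\services.exe",   # benign control, not from the report
     "image": r"C:\WINDOWS\system32\svchost.exe"},
]


def winlogon_shell_extras(value: str) -> list:
    """Entries in Winlogon\\Shell other than the bare default 'explorer.exe'.

    Winlogon launches every comma-separated entry at logon, so anything
    appended is logon persistence. The comparison is on the whole entry,
    not the basename, so a copy named explorer.exe in another directory is
    still reported.
    """
    entries = [e.strip() for e in value.split(",")]
    return [e for e in entries if e and e.lower() != "explorer.exe"]


def masquerading_system_binary(image: str) -> bool:
    """True when a file named like a core Windows binary runs from anywhere
    other than its expected directory (here: Application Data and Temp)."""
    expected = EXPECTED_DIRS.get(ntpath.basename(image).lower())
    return expected is not None and ntpath.dirname(image).lower() not in expected


def evaluate(events) -> list:
    """Run the checks over a list of events; one hit dict per finding."""
    hits = []
    for ev in events:
        if ev["type"] == "registry_set":
            path = ev["path"].lower()
            if path.endswith(r"\winlogon\shell"):
                extras = winlogon_shell_extras(ev["value"])
                if extras:
                    hits.append({"rule": "winlogon_shell_extra_entry", "detail": extras})
            elif path.endswith(r"\internet settings\proxyenable") and ev["value"].strip() == "1":
                # Weak on its own (users enable proxies legitimately); useful as
                # corroboration when paired with the 127.0.0.1 lookup the report shows.
                hits.append({"rule": "proxy_enabled", "detail": ev["path"]})
        elif ev["type"] == "process_create" and masquerading_system_binary(ev["image"]):
            hits.append({"rule": "system_binary_outside_system_dir", "detail": ev["image"]})
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit["rule"], "->", hit["detail"])
```

The masquerade check deliberately keys on the directory rather than on a "user-writable path" heuristic: the legitimate homes of these names are a short, fixed list, so anything else is the anomaly, and the benign control from System32 passes.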

Network Details:

DNS freeonlinedatingtips.net
Type: A
204.197.252.70
DNS www.google.com
Type: A
74.125.227.240
DNS www.google.com
Type: A
74.125.227.241
DNS www.google.com
Type: A
74.125.227.242
DNS www.google.com
Type: A
74.125.227.243
DNS www.google.com
Type: A
74.125.227.244
DNS protectyourpc-11.com
Type: A
69.43.161.170
DNS whysohardx.com
Type: A
DNS checkserverstatux.com
Type: A
HTTP GET http://www.google.com/
User-Agent: (none)
HTTP GET http://freeonlinedatingtips.net/images/dating1.jpg?tq=gHZutDyMv5rJfyG1J8K%2B1MWCJbP4lltXIA%3D%3D
User-Agent: gbot/2.3
HTTP GET http://www.google.com/
User-Agent: (none)
HTTP POST http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=main&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err084&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err095_2_7&n=0&extra=0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP 192.168.1.1:1033 ➝ 74.125.227.240:80
Flows TCP 192.168.1.1:1032 ➝ 204.197.252.70:80
Flows TCP 192.168.1.1:1034 ➝ 74.125.227.240:80
Flows TCP 192.168.1.1:1035 ➝ 69.43.161.170:80
Flows TCP 192.168.1.1:1036 ➝ 69.43.161.170:80
Flows TCP 192.168.1.1:1037 ➝ 69.43.161.170:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a                      */*....

0x00000000 (00000)   47455420 2f696d61 6765732f 64617469   GET /images/dati
0x00000010 (00016)   6e67312e 6a70673f 74713d67 485a7574   ng1.jpg?tq=gHZut
0x00000020 (00032)   44794d76 35724a66 7947314a 384b2532   DyMv5rJfyG1J8K%2
0x00000030 (00048)   42314d57 434a6250 346c6c74 58494125   B1MWCJbP4lltXIA%
0x00000040 (00064)   33442533 44204854 54502f31 2e300d0a   3D%3D HTTP/1.0..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20667265 656f6e6c   e..Host: freeonl
0x00000070 (00112)   696e6564 6174696e 67746970 732e6e65   inedatingtips.ne
0x00000080 (00128)   740d0a41 63636570 743a202a 2f2a0d0a   t..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 67626f74   User-Agent: gbot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 4b25320a             */*....K%2.

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d6d 61696e26 6e3d3026   status=main&n=0&
0x00000070 (00112)   65787472 613d3020 48545450 2f312e31   extra=0 HTTP/1.1
0x00000080 (00128)   0d0a486f 73743a20 70726f74 65637479   ..Host: protecty
0x00000090 (00144)   6f757270 632d3131 2e636f6d 0d0a5573   ourpc-11.com..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x000000c0 (00192)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x000000d0 (00208)   646f7773 204e5420 352e3129 0d0a436f   dows NT 5.1)..Co
0x000000e0 (00224)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000100 (00256)   73650d0a 0d0a312e 302e2e0a            se....1.0...

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723038 34266e3d   status=err084&n=
0x00000070 (00112)   30266578 7472613d 30204854 54502f31   0&extra=0 HTTP/1
0x00000080 (00128)   2e310d0a 486f7374 3a207072 6f746563   .1..Host: protec
0x00000090 (00144)   74796f75 7270632d 31312e63 6f6d0d0a   tyourpc-11.com..
0x000000a0 (00160)   55736572 2d416765 6e743a20 4d6f7a69   User-Agent: Mozi
0x000000b0 (00176)   6c6c612f 342e3020 28636f6d 70617469   lla/4.0 (compati
0x000000c0 (00192)   626c653b 204d5349 4520362e 303b2057   ble; MSIE 6.0; W
0x000000d0 (00208)   696e646f 7773204e 5420352e 31290d0a   indows NT 5.1)..
0x000000e0 (00224)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000f0 (00240)   300d0a43 6f6e6e65 6374696f 6e3a2063   0..Connection: c
0x00000100 (00256)   6c6f7365 0d0a0d0a 302e2e0a            lose....0...

0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d65 72723039 355f325f   status=err095_2_
0x00000070 (00112)   37266e3d 30266578 7472613d 30204854   7&n=0&extra=0 HT
0x00000080 (00128)   54502f31 2e310d0a 486f7374 3a207072   TP/1.1..Host: pr
0x00000090 (00144)   6f746563 74796f75 7270632d 31312e63   otectyourpc-11.c
0x000000a0 (00160)   6f6d0d0a 55736572 2d416765 6e743a20   om..User-Agent: 
0x000000b0 (00176)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x000000c0 (00192)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x000000d0 (00208)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x000000e0 (00224)   31290d0a 436f6e74 656e742d 4c656e67   1)..Content-Leng
0x000000f0 (00240)   74683a20 300d0a43 6f6e6e65 6374696f   th: 0..Connectio
0x00000100 (00256)   6e3a2063 6c6f7365 0d0a0d0a 73207365   n: close....s se
0x00000110 (00272)   72766572 20636f75 6c64206e 6f742075   rver could not u
0x00000120 (00288)   6e646572 7374616e 642e3c2f 703e0a20   nderstand.</p>. 
0x00000130 (00304)   2020203c 703e4e6f 20737563 68206669      <p>No such fi
0x00000140 (00320)   6c65206f 72206469 72656374 6f72792e   le or directory.
0x00000150 (00336)   3c2f703e 0a20203c 6872202f 3e0a2020   </p>.  <hr />.  
0x00000160 (00352)   3c616464 72657373 3e4d6963 726f736f   <address>Microso
0x00000170 (00368)   66742d49 49532f37 2e303c2f 61646472   ft-IIS/7.0</addr
0x00000180 (00384)   6573733e 0a20203c 2f626f64 793e0a3c   ess>.  </body>.<
0x00000190 (00400)   2f68746d 6c3e0a                       /html>.
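
The beacon structure is clearest in the raw dumps: the plain GETs to www.google.com send no User-Agent at all (a connectivity check), the GET to freeonlinedatingtips.net carries a base64-shaped tq parameter under the User-Agent gbot/2.3, and the three POSTs to protectyourpc-11.com report an OS version string, a 20-hex-digit id that is constant across all three, and a status value (main, err084, err095_2_7) with Content-Length: 0. Note also that several dumps carry bytes after the blank line that ends the headers (the trailing "1.0..", "K%2", and on the last POST a fragment of the server's HTML error page naming Microsoft-IIS/7.0); a parser that treats everything after the headers as body would misreport them. The script below is an added example, not tooling from the sandbox that produced this report: it rebuilds the requests from two of the dumps above (copied verbatim), extracts those fields, separates the declared body from such residue, and labels the indicators with names of its own.

```python
"""Rebuild HTTP requests from the report's Raw Pcap hex dump and extract the
fields worth pivoting on (Host, User-Agent, query parameters).

Added example, not the sandbox's tooling. GBOT_GET and CYCLE_REPORT_POST are
copied from the report's Raw Pcap section; indicator names are this example's.
"""
import re
from urllib.parse import parse_qs, urlsplit

GBOT_GET = """\
0x00000000 (00000)   47455420 2f696d61 6765732f 64617469   GET /images/dati
0x00000010 (00016)   6e67312e 6a70673f 74713d67 485a7574   ng1.jpg?tq=gHZut
0x00000020 (00032)   44794d76 35724a66 7947314a 384b2532   DyMv5rJfyG1J8K%2
0x00000030 (00048)   42314d57 434a6250 346c6c74 58494125   B1MWCJbP4lltXIA%
0x00000040 (00064)   33442533 44204854 54502f31 2e300d0a   3D%3D HTTP/1.0..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20667265 656f6e6c   e..Host: freeonl
0x00000070 (00112)   696e6564 6174696e 67746970 732e6e65   inedatingtips.ne
0x00000080 (00128)   740d0a41 63636570 743a202a 2f2a0d0a   t..Accept: */*..
0x00000090 (00144)   55736572 2d416765 6e743a20 67626f74   User-Agent: gbot
0x000000a0 (00160)   2f322e33 0d0a0d0a                     /2.3....
"""

CYCLE_REPORT_POST = """\
0x00000000 (00000)   504f5354 202f6367 692d6269 6e2f6379   POST /cgi-bin/cy
0x00000010 (00016)   636c655f 7265706f 72742e63 67693f74   cle_report.cgi?t
0x00000020 (00032)   7970653d 675f7634 32267379 7374656d   ype=g_v42&system
0x00000030 (00048)   3d362e30 2e323930 307c352e 312e3236   =6.0.2900|5.1.26
0x00000040 (00064)   30307c31 30333326 69643d43 30353939   00|1033&id=C0599
0x00000050 (00080)   30304146 46303434 46464337 35444526   00AFF044FFC75DE&
0x00000060 (00096)   73746174 75733d6d 61696e26 6e3d3026   status=main&n=0&
0x00000070 (00112)   65787472 613d3020 48545450 2f312e31   extra=0 HTTP/1.1
0x00000080 (00128)   0d0a486f 73743a20 70726f74 65637479   ..Host: protecty
0x00000090 (00144)   6f757270 632d3131 2e636f6d 0d0a5573   ourpc-11.com..Us
0x000000a0 (00160)   65722d41 67656e74 3a204d6f 7a696c6c   er-Agent: Mozill
0x000000b0 (00176)   612f342e 30202863 6f6d7061 7469626c   a/4.0 (compatibl
0x000000c0 (00192)   653b204d 53494520 362e303b 2057696e   e; MSIE 6.0; Win
0x000000d0 (00208)   646f7773 204e5420 352e3129 0d0a436f   dows NT 5.1)..Co
0x000000e0 (00224)   6e74656e 742d4c65 6e677468 3a20300d   ntent-Length: 0.
0x000000f0 (00240)   0a436f6e 6e656374 696f6e3a 20636c6f   .Connection: clo
0x00000100 (00256)   73650d0a 0d0a312e 302e2e0a            se....1.0...
"""

# Up to four 8-digit hex words follow the "(offset)" column, separated by single
# spaces; the ASCII column is set off by several spaces, so the run of words
# stops there even when the ASCII text happens to look like hex.
_DUMP_LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+((?:[0-9a-fA-F]{2,8} ?){1,4})")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild one packet's payload from its dump lines; non-matching lines are skipped."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw request into its parts. Bytes past the declared Content-Length
    come back as 'residue' rather than being mistaken for a body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    parts = urlsplit(target)
    return {
        "method": method, "version": version, "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "host": headers.get("host", ""),
        "user_agent": headers.get("user-agent", ""),   # "" when the header is absent
        "body": rest[:length],
        "residue": rest[length:],
    }


def indicators(req: dict) -> list:
    """Indicator labels for one request (names are this example's own)."""
    hits = []
    if req["user_agent"].lower().startswith("gbot/"):
        hits.append("gbot-user-agent")
    if req["path"].endswith("/cycle_report.cgi") and {"type", "system", "id", "status"}.issubset(req["query"]):
        hits.append("cycle_report-beacon")
    if req["residue"]:
        hits.append("bytes-beyond-content-length")
    return hits


def analyze_report_dumps() -> list:
    results = []
    for dump in (GBOT_GET, CYCLE_REPORT_POST):
        req = parse_http_request(hexdump_to_bytes(dump))
        results.append({"request": req, "indicators": indicators(req)})
    return results


if __name__ == "__main__":
    for r in analyze_report_dumps():
        q = r["request"]
        print(q["method"], q["host"], q["path"], q["user_agent"] or "(no UA)", q["query"], r["indicators"])
```

The same functions run over the other dumps in this section; the remaining two POSTs differ only in the status value, and the google GETs parse with an empty user_agent and no residue apart from the stray "K%2" bytes on the second one.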


Strings
.
.}
040904b0
1, 0, 0, 2
1078
Copyright (C) 2010
FileDescription
FileVersion
LegalCopyright
&Main
MS Sans Serif
MS Shell
PrivateBuild
ProductVersion
S&top
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0UfucJ
0{y6BM
0ZQ^Ev
>;1)I#
3att{8
4673Ml
4N[iwJ
5!@~^4
5mhuK@
?7oVhUX
7@S9@D
[8i\ju
9d?EBn
9koO{$9
ac928T
AG_K/MJ0
#ATg1[
?;b!5/f
B<Ja?JNe
brzER 
bSX_ck
):Bv;B\
BWx%>vQ
bZKlgiU.
c,<^AW
CloseHandle
Cptww0
?cpw"WA>S
CreateDirectoryW
CreateFileW
CRYPT32.dll
CryptEncodeObject
CryptEncodeObjectEx
CryptEnumOIDInfo
d4Q.`h
@.data
Dcpb\>
DDRAW.dll
DecodePointer
DeleteFileW
dGBFbV
DirectDrawCreateClipper
>dr(C=
E9VkS8?,
e^{=-d
EnumUILanguagesW
ESA%=(
eu}yC'Z
ExitProcess
ExpandEnvironmentStringsW
.Fdf}4
;Fl"r=
F}n25d
F(P/""y
f!r%/_
FreeLibrary
G[+1Cp
G~AC8DI
G/@clx
,G`DJ&
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetProcAddress
GetProcessVersion
GetSystemTimeAsFileTime
GetTickCount
GetVersionExA
Go5MNXN
_gT[u|z
gvM[%V
"]h3YUlM0|
hIhlP@
hlAllh
hlFreh
hThbV@
hVh0J@
=hw#o2
hXhTW@
I6.rw?| 
IcY}^/K
Ij;^{h
I&n>k_
InterlockedCompareExchange
InterlockedExchange
#JRPXf
JtI 9D
J(UlZN
K[.-+0Y
k4h`Jx
K7IIrf
KERNEL32.dll
k	-^M] b
~&K!<V
L;[5^Q"-
le{P8=R
/L"lII
LoadLibraryExW
LoadLibraryW
LocalAlloc
LocalFree
lstrcmpW
lstrlenW
lU~D~VRI=
	=lYnG
M7)5OC
&	?m)e('
mGAhV?
}Mliqt9d!Hb>
mN,g-|U
MoveFileW
N6p3k4
N<h]P@
n~;Q1w
ntdll.dll
oDF87h
o-nW.g
OpenEventW
Opp])jF
os4;hU
osiyI$
O#YP";
ozih{(
P,-.)^
"@(P[5]
PathFileExistsW
PathFindFileNameW
Pb"{@s
P^b>sf
Pl]Pa\
?P]P~3C
PPJaP=
PPU50V\
pq\t.	{(
PV(=+I
-P~WJP
P-xrD/
P$~]_Y~
p{;yKI
"!Qm V
 ,q^!T
QueryPerformanceCounter
`.rdata
RtlUnwind
S ,1(-
SetConsoleMode
SetUnhandledExceptionFilter
SHELL32.dll
SHGetFolderPathAndSubDirW
SHLWAPI.dll
SHSetLocalizedName
SL5>ZwT
sTj.y"
StrCmpNW
StrStrW
t3zF}f
tDlkIT"
TerminateProcess
TFh+A@
!This program cannot be run in DOS mode.
ThSlee
ThualP
%ts<][
T,w6TQ%
UnhandledExceptionFilter
-U/@PPy
U+PVZp$
uq]%@x
U[(/x]"
_vg[{2Wd
{}V	H|
vu;7ms}I
vu$'h4
W3yl2B
w88xhu
WaitForSingleObject
\WC46fwW
/'=wJj
WriteFile
w(t^S<"
WZ;M,9h
=Y(}.>~^
Y_|k)Q[H
y*QR]#
-z3o2c
Z/)*n9
)_zOMk
+z->sJ