Analysis Date: 2014-11-24 04:47:54
MD5: 61e14b46030d7c6472343dac9e8f70bb
SHA1: ba37b34e5762db73238ce233cca700a704b84ad8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 54d172686bdc28353729e6223c63331c sha1: dec1a19d89d90815bc2e6f396d208231f213bd0f size: 96768
Section .rdata: md5: e900cd1b56aad2a9a3eea97ca04ae7c5 sha1: 407207dfa56ba12c4c131a7329614c29e178bc9b size: 3072
Section .data: md5: db4e6f853ac1ddb945362eef05eefe69 sha1: dffaa5ca17a2d56e546a4e95950b1a682f791beb size: 15872
Section .idata: md5: 86b9927eb6d1bc31059940afabf107c0 sha1: 9e1237350d90224269400aaf61df6a943c1bf6a9 size: 4096
Section .reloc: md5: bdbd47f50acb588f18109210cc948292 sha1: 9dbf8af7a7c87dc4bac4a65a198928ba8802f473 size: 5632
Timestamp: 2004-03-19 08:58:54
Packer: Microsoft Visual C++ v6.0
PEhash: 6d0358752cea4c5db6b7264458868869bbcfb95f
IMPhash: f487cddb16dcd5d06a605126a922346f
AV 360 Safe: Generic.Sdbot.831CCFAD
AV Ad-Aware: Generic.Sdbot.831CCFAD
AV Alwil (avast): SdBot-BQB [Trj]
AV Arcabit (arcavir): Heur.RoundKick
AV Authentium: W32/Sdbot.XEHK-1472
AV Avira (antivir): Worm/SdBot.57334.A
AV BullGuard: Generic.Sdbot.831CCFAD
AV CA (E-Trust Ino): Win32/Lioten!generic
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Win32.IRC.Bot.based
AV Emsisoft: Generic.Sdbot.831CCFAD
AV Eset (nod32): Win32/IRCBot.FA
AV Fortinet: W32/Sdbot!tr.bdr
AV Frisk (f-prot): W32/Sdbot.KB
AV F-Secure: Generic.Sdbot.831CCFAD
AV Grisoft (avg): IRC/BackDoor.SdBot.21.BE
AV Ikarus: Backdoor.Win32.IRCBot
AV K7: Backdoor ( 04c4e9191 )
AV Kaspersky: Backdoor.Win32.IRCBot.gen
AV MalwareBytes: no_virus
AV Mcafee: W32/Sdbot.worm.gen
AV Microsoft Security Essentials: Backdoor:Win32/Sdbot
AV MicroWorld (escan): Generic.Sdbot.831CCFAD
AV Rising: Backdoor.Win32.SdBot.dud
AV Sophos: W32/Sdbot-Gen
AV Symantec: W32.Randex.gen
AV Trend Micro: BKDR_IRCBOT.GEN
AV VirusBlokAda (vba32): BScope.Backdoor.Win32.SdBot

Runtime Details:

Process: C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process: C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝ msgfixed.exe\\x00\\x00
Creates Mutex: jop

Network Details:

DNS: r0x.myvnc.com (Type: A)
DNS: irc.freshirc.com (Type: A)

Strings