Analysis Date: 2014-04-13 04:38:38
MD5: e4dbfa2b792bcead2e2a4e72ba6f66d7
SHA1: bebe89d0d0ca122bf2522ff641a2533f9f963306

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 61931c4cfcd27442b0230704501a87ac sha1: 7eae45fa35739376dc964e71d251a828a22d7214 size: 155648
Section .rdata md5: e7c0203b564fa5c4c0cd1025324ff133 sha1: 0bdd3efe689051f0f94181155a0dd307712b7284 size: 32768
Section .data md5: f3b90a5d533254f4d71214bef675bf78 sha1: 63b6df0afd3cec9a5184452a8fad93a59795c642 size: 8192
Section .rsrc md5: 816f8c418a57703030886810f73a07f0 sha1: a288d52458a7543281ddc3f969ff3b088c742cde size: 12288
Timestamp: 2011-01-17 08:19:28
Version: LegalCopyright: Copyright (C) 2007
InternalName:
FileVersion: 1, 0, 0, 1
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName:
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription:
OriginalFilename:
Packer: Microsoft Visual C++ v6.0
PEhash: 5c64597d97882654698e4f273f9a7a56f59a1698
IMPhash: c08393b0e811c4caf9091aebfb2326d5
AV avg: BackDoor.Generic13.ACXT
AV msse: TrojanDownloader:Win32/Daumy.A
AV avira: BDS/Rungary.psa
AV mcafee: Daum.gen.a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ ➝
C:\malware.exe
Registry: HKEY_CURRENT_USER\Software\b3abaa75c\lld ➝
4-13\\x00
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ ➝
C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 27A1EC74A82B9D5569EC854712B1A1B70792C73640A1042832F447553BDBA1C6F8A90BAB5B62323BA411E693
Winsock URL: http://404.dummywebsitedatabase.com/info.php?cpid=nv
Winsock URL: http://icon.adncommerce.com/info.php?cpid=nv
Winsock URL: http://404.dummywebsitedatabase.com/cnt2.php?cpid=nv
Winsock URL: http://kr.yahoo.com

Network Details:

DNS: any-rc.a01.yahoodns.net
Type: A
98.139.102.145
DNS: kr.yahoo.com
Type: A
DNS: 404.dummywebsitedatabase.com
Type: A
DNS: icon.adncommerce.com
Type: A
HTTP GET: http://kr.yahoo.com/
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 98.139.102.145:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   486f7374 3a206b72 2e796168 6f6f2e63   Host: kr.yahoo.c
0x00000020 (00032)   6f6d0d0a 0d0a                         om....


Strings
.
.....
........ ......
!"#$%%')(%$#"!
*+*
.....
.
.
.
..
...
...............
.
.
.. .!"#"$%"&'(')'*+,+++/0100300500700900;00=00?00ACDFGHIJKJLHGFMOPQA0/+*'&"!..
...
........
.
.
.
.
.
......
.
.....
....
.........................
 .
..
.
......
.........
+%
 
+%
"
\
.
..
.
..
..
......
..
...... !"#$%&'()*+#2310/.-,.45689;:4
<=<
.
`

041204b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2007
FileDescription
FileVersion
InternalName
jjjj
jjjjj
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
span
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0123456789ABCDEF
??0?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAE@PAU_iobuf@@@Z
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N1@Z
??0?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@H@Z
??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV01@@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABV0@@Z
??0Init@ios_base@std@@QAE@XZ
??0ios_base@std@@IAE@XZ
??0_Lockit@std@@QAE@XZ
??0logic_error@std@@QAE@ABV01@@Z
??0out_of_range@std@@QAE@ABV01@@Z
??0runtime_error@std@@QAE@ABV01@@Z
??0_Winit@std@@QAE@XZ
??1?$basic_filebuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ
??1?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@UAE@XZ
??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
??1exception@@UAE@XZ
??1Init@ios_base@std@@QAE@XZ
??1ios_base@std@@UAE@XZ
??1locale@std@@QAE@XZ
??1_Lockit@std@@QAE@XZ
??1ostrstream@std@@UAE@XZ
??1out_of_range@std@@UAE@XZ
??1runtime_error@std@@UAE@XZ
??1strstreambuf@std@@UAE@XZ
??1type_info@@UAE@XZ
??1_Winit@std@@QAE@XZ
26212111
262122.2}
66262212
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@ABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@D@Z
??6std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@0@AAV10@PBD@Z
??_7?$basic_ifstream@DU?$char_traits@D@std@@@std@@6B@
??_7?$basic_ios@DU?$char_traits@D@std@@@std@@6B@
??_7?$basic_ofstream@DU?$char_traits@D@std@@@std@@6B@
??_7?$basic_ostream@DU?$char_traits@D@std@@@std@@6B@
??_7?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@6B@
??_7?$basic_streambuf@DU?$char_traits@D@std@@@std@@6B@
??_7?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@6B@
??_7out_of_range@std@@6B@
??_7runtime_error@std@@6B@
??_8?$basic_ifstream@DU?$char_traits@D@std@@@std@@7B@
??_8?$basic_ofstream@DU?$char_traits@D@std@@@std@@7B@
??_8?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@7B@
??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: ko
_acmdln
_adjust_fdiv
ADVAPI32.dll
<A|E<F
%AFFILDATA
&&amp;
&amp;i=
'&apos;
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
autorun
.?AV_com_error@@
.?AVexception@@
.?AVlogic_error@std@@
.?AVout_of_range@std@@
.?AVruntime_error@std@@
.?AVtype_info@@
<base href="%s" />
beforeconnect
BeforeNavigate2
bhodel
Browser Helper Objects
?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
 cannot be Correctly Decrypted!
c=__blank
c=__blank&d=__blank
<![CDATA[
#CDATA
CDoubleBuffering::GetData(): Illegal iDataLen!
CDoubleBuffering: Illegal Construction Data!
CDoubleBuffering: m_iSize should be Even Number!
CDoubleBuffering: Referenced File not Opened or in Bad State!
chkinfo
CIEEvents
clickcycle
"clickurl"
ClickUrl
?close@?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
?close@?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
CloseHandle
CoCreateInstance
CoInitialize
#COMMENT
connect
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
_controlfp
cookie
CoUninitialize
CreateEventA
CreateFileA
CreateMutexA
CreateThread
CreateToolhelp32Snapshot
CThread_CheckUrl
__CxxFrameHandler
_CxxThrowException
D$4RPSh
D$4RPSQ
D$4RPWQ
D$4SPSSSSSSV
D$8j<P
@.data
??_D?$basic_ifstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??_D?$basic_ofstream@DU?$char_traits@D@std@@@std@@QAEXXZ
??_D?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXXZ
&d=__blank
D$dRPf
delete
DeleteCriticalSection
deleted
DeleteFileA
description
D$HSjf
D$hSUV
DispatchMessageA
D$,j<P
D$Ljgh
D$Lj h
D$Ljkh
D$Ljoh
D$Ljsh
__dllonexit
DocumentComplete
domain
DrawIcon
D$,RhX
D$`RPf
D$\RPf
D$@SPVW
D$(SUV
D$XSUVW
%ECODE
Element must be closed.
EnableWindow
?ends@std@@YAAAV?$basic_ostream@DU?$char_traits@D@std@@@1@AAV21@@Z
?_Eos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXI@Z
ERROR# Connect Failed[%d] :
except
_except_handler3
expires
explanation
extract
fclose
Fhttp://kr.yahoo.com
FileCrypt ERROR: Cannot open File 
FileCrypt ERROR: Encryption/Decryption Object not Initialized!
FileCrypt ERROR: File 
FileCrypt ERROR: Illegal Operation Mode!
FileCrypt ERROR: Illegal Padding Mode!
FileCrypt ERROR: in CSHA::AddData(), Data Length should be > 0!
FileCrypt ERROR: in CSHA::FinalDigest(), No data Added before call!
FileCrypt ERROR: Key Data Length should be > 0!
FileCrypt ERROR: No Key DataSpecified!
FileCrypt ERROR: The same File for Input and Output 
filename
FindClose
FindFirstFileA
FindWindowA
folder
?freeze@strstreambuf@std@@QAEX_N@Z
fulltype
fwrite
GetClassNameA
GetClientRect
GetComputerNameA
GetDesktopWindow
GetExitCodeProcess
GetFileSize
GetLastError
GetLocalTime
__getmainargs
GetMessageA
GetModuleFileNameA
GetModuleHandleA
$.getScript(
GetStartupInfoA
GetSystemDirectoryA
GetSystemMetrics
GetTickCount
GetVersionExA
GetWindow
GetWindowsDirectoryA
GetWindowTextA
Gj\j<W
?_Global@_Locimp@locale@std@@0PAV123@A
?_Grow@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAE_NI_N@Z
	H^2.Z
Ht@Ht*
http://
http://404.dummywebsitedatabase.com/cnt2.php?cpid=%AID
http://404.dummywebsitedatabase.com/cnt3.php?cpid=%AID
http://404.dummywebsitedatabase.com/sos/help.php
http://adcr.naver.com/adcr?
http://kr.search.yahoo.com/search?
http://ovc%d.minisearch.co.kr/ov_cache.php?q=%s&referurl=%s
http://rc25.overture.com/
http://%s
http://search.11st.co.kr/searchprdaction.tmall?
http://search.daum.net/search?w=tot&q=%s
http://search.naver.com/search.naver?sm=tab_hty&where=nexearch&query=%s
http://srch.minisearch.co.kr/SEARCH/click_log.php
"http://www
http://www.daum.net
http://www.microsoft.com
http://www.minisearch.co.kr
id="mainFrame"
id="topFrame"
Illegal Block Size!
Illegal Internal Rounds!
?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z
InitializeCriticalSection
?_Init@locale@std@@CAPAV_Locimp@12@XZ
?_Init@strstreambuf@std@@IAEXHPAD0H@Z
_initterm
InterlockedDecrement
InternetCloseHandle
InternetGetConnectedState
InternetOpenA
InternetOpenUrlA
InternetReadFile
InternetSetCookieA
invalid vector<T> subscript
ip=%s&ua=%s&xfip=
isalnum
IsIconic
_ismbcspace
isspace
IsWindow
it must be closed with </%s>
j	ht~B
/js/common.js
/js/jquery.min.js
KERNEL32.dll
Key Length should be at least 1
keyname
%KEYWORD
KillTimer
L$4PQSR
L$4PQWR
L$8_^[d
^l9^tt
L$<_^][d
L$ _^d
L$ _^][d
L$(_^][d
L$d_^[d
L$ FVh(
L$h_^]
L$h_^][d
L$(hd~B
link_url
Listing
L$(j>Q
L$(j	Q
L$Ljrh
L$LjWh
	LLLLLK
L$LVh4
LoadIconA
LocalFree
L$,Ph`
L$PPUR
L$ PQj
L$ Rh(
lstrcmpA
lstrlenA
lstrlenW
L$(Vhh~B
L$X_^][d
L$XRSP
_mbschr
_mbscmp
_mbsicmp
_mbsicoll
_mbsnbicmp
_mbspbrk
MFC42.DLL
module
Module32First
Module32Next
MoveFileA
moveurl
MSVCP60.dll
MSVCRT.dll
MultiByteToWideChar
NavigateComplete2
NETAPI32.dll
NewWindow2
?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
nr_query
ole32.dll
OLEAUT32.dll
OleRun
_onexit
OnQuit
?open@?$basic_filebuf@DU?$char_traits@D@std@@@std@@QAEPAV12@PBDH@Z
OpenProcess
?overflow@strstreambuf@std@@MAEHH@Z
%OVERTURE_QUERY
.PAVCException@@
.PAVCInternetException@@
?pbackfail@strstreambuf@std@@MAEHH@Z
__p__commode
PeekMessageA
__p__fmode
ply	Z1
postdata
PostMessageA
PRNG Not Initialized
Process32First
Process32Next
program
%PROGRAMFILES
_purecall
%QUERY
"&quot;
`.rdata
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@PADH@Z
Referer: %s
referurl=%s&pageurl=%s&p=0&dominfo=.
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyExA
RegEnumValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
regsvr32
ResultSet
r""""" """"'wwww""""""'"""
r"wwwwwwwwwwwwwwr"
<%s> attribute has error 
secret.txt - 
?seekoff@strstreambuf@std@@MAE?AV?$fpos@H@2@JW4seekdir@ios_base@2@H@Z
?seekpos@strstreambuf@std@@MAE?AV?$fpos@H@2@V32@H@Z
SendMessageA
__set_app_type
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PADH@Z
Set-Cookie
Set-Cookie:
SetEvent
_setmbcp
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z
SetTimer
setting
__setusermatherr
SetWindowPos
%s_event
%s expires=%s ;
SHELL32.dll
ShellExecuteA
?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
siteHost
"siteHost"
site_url
%s must be closed with </%s>
Software\
Software\Microsoft\%s
Software\Microsoft\%s\lst
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Software\Microsoft\Windows\CurrentVersion\Run
Software\%s
_splitpath
sponsor
sprintf
%s\Program Files
'<%s> ... </%s>' is not wel-formed.
%s,%s,MINI,Y,sponsor,sponsor,N,%d,-1,X,%d,1
%s=%s ; path=/ ;
%s=%s ; path=/ ; domain=%s ;
%s=%s; path=/; domain=%s
%s=%s; path=/; expires=%s; domain=%s
SSSSSQ
?str@?$basic_ostringstream@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@2@XZ
_strcmpi
strtok
subject
sw_drop
?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
%SYSTEM32
T$0hp~B
T$4SRSSSSSSV
t8Ht(HuH;
TerminateProcess
!This program cannot be run in DOS mode.
T$hSSj
?_Tidy@?$basic_stringbuf@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@IAEXXZ
?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
titleC
T$(j R
tK;|$ }E
tmquery
tolower
T$(Ph`~B
/tpl/200803/images/loader.gif
/tpl/200803/images/mini/search_btn.gif
/tpl/200803/images/mini/sub_title_bar.gif
/tpl/200803/images/tab1_on.gif
/tpl/200803/images/tab2.gif
/tpl/200803/images/tab3.gif
/tpl/200803/mini.css
T$@PVR
T$ QhP
TranslateMessage
T$(RPUh
tR<%u:
T$(Vht~B
?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
ulllll
ulluuy	
?underflow@strstreambuf@std@@MAEHXZ
USER32.dll
User Agent
User-Agent:
User-Agent: 
User-Agent: %s
uull~	Z
uUTDGfw""
uY9^luT
V4UPQR
version
vmflxnfqkghkdlxld
WaitForSingleObject
WideCharToMultiByte
WindowRegistered
WindowRevoked
%WINDOWS
Windows 95
Windows 98
Windows 98; Win 9x 4.90
Windows CE
Windows %d.%d
Windows NT %d.%d
%%WINDOWS\phid.dh
%%WINDOWS\%s.imb
%%WINDOWS\%sprv.imb
WININET.dll
workdir
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBDH@Z
WS2_32.dll
WSSSSS
 `wwwwp
" "wwwwwwwuO
wwwwwwwwwwwwwwr"
wwwwwwwwx
_XcptFilter
<?xml version="1.0" encoding="EUC-KR" ?>
XOR256STREAM
^xPSVhP
x-requested-with: XMLHttpRequest
?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHPADH@Z
?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHPBDH@Z
	yly^Z
ytuiqvksjn
yyly	Z1_
Z2ZZZ2
^^Z^Z6Z6Z
~^Z^Z6ZZ6Z
^Z^^ZZ6
^Z^^ZZZZ6Z6