Analysis Date: 2014-12-12 16:28:48
MD5: 9dce55caf8f702c223f95faf7ee40184
SHA1: bed4122aedf6cb93ab2e957bb0b68e058896d5b0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c7a8411b083eaa155834ee518096b7cc sha1: cc7fa608bc4881866bab26bf89f7aba444711fa8 size: 6656
Section .rdata: md5: 2ba717503c3dfee1084ec74f75a0e2c4 sha1: 835e9059e290eb7fba4ac63a677e388c60777c2f size: 107520
Section .rsrc: md5: 5c1d83a7fcf29909042329c69ab412e9 sha1: 3d4f584be24bd975eaf0930779ecee4337cf34ef size: 10240
Timestamp: 2010-01-15 04:44:23
Version:
LegalCopyright: Copyright © 2010 PC Tools. All rights reserved. 1x
InternalName: vertuXv
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: j 4
ProductVersion: 7.0.0.61
FileDescription: 3vSpyware Doctor Componentim
OriginalFilename: vertuXv
PEhash: 5b0c9e78be5cb96ec296f05b3e5a91c003507405
IMPhash: df165e1346317e9cbdee7783c656377d
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): Renos-AHT [Drp]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.NK.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.39969
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.MXC
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.NK.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Generic22.OIC
AV Ikarus: Trojan.Win32.Jorik
AV K7: Unwanted-Program ( 004a8e8a1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.aq
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.12862A10
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Downloader
AV Trend Micro: TROJ_KRYPTO.SMIJ
AV VirusBlokAda (vba32): Trojan.Jorik.Skor

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: kiqconsultants.com
Winsock DNS: clubhamm.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: wsj.com, Type: A, 205.203.132.65
DNS: wsj.com, Type: A, 205.203.140.1
DNS: wsj.com, Type: A, 205.203.140.65
DNS: wsj.com, Type: A, 205.203.132.1
DNS: fastclick.com, Type: A, 64.156.167.84
DNS: nifty.com, Type: A, 210.131.4.217
DNS: kiqconsultants.com, Type: A
DNS: clubhamm.com, Type: A
DNS: firstjs.com, Type: A
DNS: topkoel.com, Type: A

Strings
.
.
...m.
..J......n
040904E4
 2010  PC Tools.  All rights reserved. 1x
3vSpyware Doctor Componentim
7.0.0.61
7ZPk
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
FileDescription
FileVersion
gtmN
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MNDc
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
PREVIEWGLYPH
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
txnt
UFHSx
V5q8
VarFileInfo
vertuXv
VS_VERSION_INFO
Y4ve1
zioI
={0{>;
02GQlZ
07Gt3n
0^]>h#
0R.0jiCQv
;0u63X
*_1,G}
>1O,,~
1vQJ4AP
2""333:"C8
2""#33:DC8
"2b6tg
2$B""""C38
2C4"""D338
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
333333?
3333333
$3333333
#3333333
33333333
33333333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
3333333333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
33338?383
3333Dc3333333
3333f3333333?
3333fc33333338
3333>fd333338
3334JC33333338?333
3336Dc3333338
3336fC3333338
:*"*"$3338
333838
333*C33
333DDD33333?
333>fC333333
333>fd333333
$334B"$3
334C33333338
33B$3333333
33DDDDD3333
33fd3>fC333
33>ffffc338
34""C33333833
3B""$33333
3{_E8u
3FCSkemG
409J5g
4"*""C3338
4DF334DC33
4IHtd|4
`=	4;Mi
4!ZW;*cX
6LVIPM
6x7I1D
\7|?:_
_7nwtgzBBmERY2
95]Si"
>"9:F*
9NJ5coJ
9W5P;ZD
adI''O
AGb}GQG`R
aiToiuV
a@kz2CNf
}Alr@-
AMBj@H
aUXMfo
b5X-46]
bbAp)F(
biwys@24
Bo6V0sjR
%>:&c'2
:"C333
"$c33333
c333333
"C333333
C3333333
C33333833?33
"C3338
c33*C333
"C8338
cCD(VY
cDVHPI
?\c}gn
CharNextA
CjC338
cK`C?i
cnlupC
comdlg32
cREdKS
cTBRK3
C)|zV@
d1z2pL
d2]P02
"dc3333833
D*C33383
:DC33:""$8
"DDB""$3
|\%d	l
d*n[u 
DrawMenuBar
{dT^]6
DVJENq
]DVW.9
E5hftj
e9#&T>
EDO)jIC
E/;F\}
eFj0C;p
EHAOSBCIW
eJ8py}
eoOM_DwJxHDyk@20
etUsjrD
&E<twr{
ExitProcess
f66nVXv
F^8{dx
FA%d#5
fC333?3
fC33333
fDFfC338
F`)d)u_
_fEid_
F*F333383
fff3333
FH&}?u>-
FindClose
FindFirstFileA
FormatMessageA
+,FR	L
F@Thtm
|FY+!#
_fyEXu@12
G4gU`A`
gBFFTH1BgTt
Gdt/:(
*Ge*Pf<
GetActiveWindow
GetCurrentThreadId
GetFocus
GetLastError
GetMenu
GetMenuStringA
GetMessagePos
GetModuleHandleA
GetSysColorBrush
GetWindowDC
GetWindowTextLengthA
gLn%KM
!(G#n\%
#gOgHh;
|^%g	p
%gwO%,
h8U%[3,
h@>\C^v
hd8pV@4
=hRKfp
i1RVOs
=:\|I95
iaFOOyvb8W
i*Aubj
ihi$i{
iOR},8
IP6Npqj
_ipq9u\m
Ir?#1);
IsCharLowerA
"J333333
J=|4w 
"J"C3333
j$D2[3S4?i
jDjpBIrTOvy
j|HP,#
$)jL/W
J:qX>.\h
J+}W)^
jzil,p
`K5h@rO
KERNEL32.DLL
_K_iAAutst@12
KZ`RAQ
LoadLibraryA
LSIDFLAm
lW5E%}
l#?z_%
m9J4t0
#`MBKA
mFXqNc
MS=CP6
$N.J!+i'
nokABagK
NPEm%t
-NrRi!|
NX]]@m
)&|O@<
o8wnu^
:oA+A9
_orkKgryIrYDxR@16
Ou<C:&
{;#p(?
P0>"H<h
Pc}R@4D
PjTwxcTr6dY7hc@16
P}n@gr
}PrO|r
PyKm_d
q&>?6A}
Q9V88zgZj
QC2OrpTRt1
qc;osuh
">qe>p;
<Q%jHB
QMHsnx#b
^;QOabJ2
Qu4We=-`
Q]UM"6
qZO+}fn
r7cDDK
`.rdat{
`.rdata
?R?Kk[<
rWSDa5
ryHrCB&
$|S^(}
S5xVr]
SA$j8VE
S^e#K~I
Sg/3726Jd
.siNQ;K
SitxM?+
SK'~UP
-S;pDtFx
sPs0/YQ
ssZ_98
t$"2{qz
t9>5r5+
t:[]cp
This program must be run under Win32
tIX;SB
tPlXQj.
#%)U |
ub8Ci?A#
UCEp%<1]_3b5aB
_UjZ3ussbQHQP8O@20
uMIke!b
uMrCdvYwQGQ
uN4OGw
uQ?Nu%
USER32.DLL
Us(I$-
uwNuS4ge5W
=v_]]7
V%BP2o2
Vcx7|r
vertuXv
V!	hy9J
VirtualAllocEx
]VLlU`
vpT{Um
v_[S^3{@O
;!v(U"
Vy70yxi
vY[eq\R
W95LIV
WaDVMoi
{$w#Ei
'WrU#O
wu?;"^c
$x2,S)
Xi	BD7
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
-xO}v?
>xWXAmG
xX[ZK=
y39fZ0cklciZH5t5
_y3~WVar
Y,7urH
YB/<f1
Yi~Qen
yOI3bkAup_67L
 y(sa7
[YZi| 
z84RWrnCMa@20
ZEa$dSW
ZZVfAy7