Analysis Date: 2014-01-09 23:56:22
MD5: 1c26aac59c0aeed97fbd14ea7394ef84
SHA1: c216ef7e046564ef4cdc5f5a638eb03f82defbe3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 62c344fe2bce6386656424df3c2790b5 sha1: 7f7b5734b3e3c73e8fd955b91c661d61e7d93d65 size: 135168
Section .rdata md5: 27bd25e8c0fb80dff58ff2c1f0c13e3d sha1: 3c1a568f838aedced79c3f04f2649732673aef60 size: 8192
Section .data md5: 61a8db24b05b44feae55aefdcca53d1f sha1: 4ee2c0e71fe7df3e1669333f4300434a8136a49b size: 16384
Section .idata md5: d8b42090cd9443f4df8e45303683b004 sha1: 9fe02c1b70ad18f85c30ead3450854262bc8e2a0 size: 4096
Section .rsrc md5: 22203d4b551ca1692f17d726d724b82a sha1: 76f64a055a8d5bd3faaca537e92bd9ae274fc5f6 size: 77824
Section .reloc md5: 167ac80edc0d152da6ba886612049566 sha1: 960a0e3fef34439040b55b62c38fef33f9b075b9 size: 32768
Section bffuqta md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2008-07-30 10:45:03
Pdb path: @
Packer: Microsoft Visual C++ 5.0
PEhash: b9fddeea2314a9cf59d391c33307c4391f8596c9
AV avg: Win32/Virut.AN
AV msse: Virus:Win32/Virut.BM
AV avira: TR/Crypt.ZPACK.Gen
AV mcafee: W32/Virut.n.gen

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{E2E2DD38-D088-4134-82B7-F2BA38496583}\iexplore\Type ➝
4
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
RegistryHKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links\Order ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Type ➝
3
RegistryHKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
RegistryHKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
RegistryHKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{FB5F1910-F110-11D2-BB9E-00C04F795683}\iexplore\Type ➝
4
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\shop.221199[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012014010920140110\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012014010920140110!
Creates Mutex: Shell.CMruPidlList
Winsock DNS: shop.221199.com

Network Details:

DNS: 60ff37a7926beea7.cdn.jiashule.com
Type: A
222.216.190.69
DNS: shop.221199.com
Type: A
HTTP GET: http://shop.221199.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 222.216.190.69:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   41636365 70743a20 2a2f2a0d 0a416363   Accept: */*..Acc
0x00000020 (00032)   6570742d 4c616e67 75616765 3a20656e   ept-Language: en
0x00000030 (00048)   2d75730d 0a416363 6570742d 456e636f   -us..Accept-Enco
0x00000040 (00064)   64696e67 3a20677a 69702c20 6465666c   ding: gzip, defl
0x00000050 (00080)   6174650d 0a557365 722d4167 656e743a   ate..User-Agent:
0x00000060 (00096)   204d6f7a 696c6c61 2f342e30 2028636f    Mozilla/4.0 (co
0x00000070 (00112)   6d706174 69626c65 3b204d53 49452036   mpatible; MSIE 6
0x00000080 (00128)   2e303b20 57696e64 6f777320 4e542035   .0; Windows NT 5
0x00000090 (00144)   2e313b20 5356313b 202e4e45 5420434c   .1; SV1; .NET CL
0x000000a0 (00160)   5220322e 302e3530 37323729 0d0a486f   R 2.0.50727)..Ho
0x000000b0 (00176)   73743a20 73686f70 2e323231 3139392e   st: shop.221199.
0x000000c0 (00192)   636f6d0d 0a436f6e 6e656374 696f6e3a   com..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a0d0a      Keep-Alive....


Strings
Bjjj
Bjjjj
         (((((                  H
jjjj
(null)
0-1@1Y1v1
_03/m|
?"?0?7?[?~?
080J0R0X0\0a0n0x0
09>LOlV
.0d0n0}0
:&:0:>:D:t:}:
>&>+>0>:>?>E>N>]>j>
0J1O1T1z1
0K2Y2l2
1!1'10161;1H1r1w1
1}1a2T4
1!1J1Q1Y1w1
1	202Z2a2
1#282~2
1:2K2r2
152T2e2
161J1a1
181=1t1
20272?2D2H2L2u2
2.242>2L2x2
2%2K2R2W2]2m2s2y2
2"3(3,30343
2#3/3@3J3Z3d3s3
2/363Q4X4
2/393S3r3
2>3E3S3
2@3L3t3
25'ja*I
:2:9:?:K:R:^:f:q:y:
3!4'454=4C4W4d4i4o4
3 60:T:X:\:
>#>'>+>/>3>7>;>?>C>G>K>O>d>h>l>p>t>
415D5f5
4181$?(?0?4?<?@?
4 4<4[4e4
4-474E4N4
4+5@5R5\5
464:4>4B4U4g4
:-;4;8;<;@;D;H;L;P;
=*=4=8=<=@=D=H=w=
;$;,;4;<;D;L;T;\;d;l;t;|;
4M4T4X4\4`4d4h4l4p4
4V5_5n5z5
5$505S5m5
5!5H5r5y5+626X6|6
5$6*60666<6B6H6N6T6Z6`6f6l6r6x6~6
5JhG=6
?5?S?Z?
5W5c5w5
626C6p6w6
636E6O6
6-646E6L6
6)6J6o6
6E7Q7p7u7
7#="=^
707U7c7|7
7 7&7,72787>7D7J7P7
7%7D7P7~7
7(7J7l7
7%8D8P8o8
?,?7?A?
7I8\8z8
;7<i<n<
80=0E0
8"818F8T8u8}8
8 8+848@8H8T8[8`8i8q8|8
8%8,878?8H8X8f8r8
8:8G8m8
=.=8=D=f=
8uBfE$
98:M:Y:
9-939<9D9X9a9
9 9*969V9\9e9u9~9
9$9(9,9U9{9
9#9D9W9c9
9-9H9d9k9u9
; ;-;9;B;W;m;r;
?(?9?C?M?`?o?
9E:N:S:X:e:j:
9.:_:k:
abnormal program termination
a_env.c
Allocation too large or negative: %u bytes.
<> Anj!
Assertion failed: 
Assertion failed!
Assertion Failed
avAa?S
Bad memory block found at 0x%08X.
>)>B>a>m>
bffuqta
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
;!<B<M<`<
bntchv
C,/FZ6
ch != _T('\0')
Client
client block at 0x%08X, subtype %x, %u bytes long.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
Client hook free failure.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
CloseHandle
crt block at 0x%08X, subtype %x, %u bytes long.
_CrtCheckMemory()
_CrtDbgReport: String too long or IO Error
_CrtIsValidHeapPointer(pUserData)
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
><?]?c?u?
=,=C=Z=q={=
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
DAMAGED
DAMAGE: on top of Free block at 0x%08X.
@.data
 Data: <%s> %s
dbgheap.c
dbgrpt.c
DebugBreak
Debug %s!
Detected memory leaks!
DOMAIN error
Dumping objects ->
' ]E0x
E=3d?E
Error: memory allocation: bad memory block type.
ExitProcess
Expression: 
eZGI/^
failure, see the Visual C++ documentation on asserts.
 F)[+B
fc-]Ft
fclose.c
File: 
_file.c
#File Error#(%d) : 
- floating point not loaded
_flsbuf.c
FlushFileBuffers
FNhq:v
f/Nj_+
For information on how your program can cause an assertion
format != NULL
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_freebuf.c
FreeEnvironmentStringsA
FreeEnvironmentStringsW
g~.0U;
:;;G;b;u;
-G~+	E4
GetACP
GetActiveWindow
_getbuf.c
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetVersion
GetVersionExA
__GLOBAL_HEAP_SELECTED
g@ZZmo
`h````
:%;=;h;~;
}!h0.B
HeapAlloc
_heapchk fails with _HEAPBADBEGIN.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADPTR.
_heapchk fails with unknown return value!
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapValidate
"HRich4
%hs allocated at file %hs(%d).
%hs(%d) : 
%hs located at 0x%08X is %u bytes long.
http://shop.221199.com
i386\chkesp.c
.idata
Ignore
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
InterlockedDecrement
InterlockedIncrement
Invalid allocation size: %u bytes.
IO#.~G
ioinit.c
IsBadReadPtr
IsBadWritePtr
j0hp/B
j*h@ B
j;hD/B
j.hD/B
}jhL*uF
jihp.B
>J>_>k>
jmhp#B
jwhd/B
|jyhX/B
KERNEL32.dll
lAN3<T
Largest number used: %ld bytes.
LCMapStringA
LCMapStringW
{%ld} 
%ld bytes in %ld %hs Blocks.
Line: 
LoadLibraryA
lwGxmM
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
MessageBoxA
Microsoft Visual C++ Debug Library
Microsoft Visual C++ Runtime Library
Module: 
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
Normal
normal block at 0x%08X, %u bytes long.
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
N%qz}-
(null)
<#</<o<|<
Object dump complete.
>">;>O>]>d>u>}>
/<o:eI/3
osfinfo.c
output.c
OutputDebugStringA
_pFirstBlock == pHead
_pFirstBlock == pOldBlock
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
	PK Ckp
_pLastBlock == pHead
_pLastBlock == pOldBlock
)p|	Nm
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
ppxxxx
(Press Retry to debug the application)
Program: 
<program name unknown>
Program: %s%s%s%s%s%s%s%s%s%s%s
PRSVWhT B
- pure virtual function call
PZp1W_,R
}q000e
'{q(%g
 Qh,-B
 QhT+B
"q>-u\
.rdata
@.reloc
Rft\Q/
RtlUnwind
runtime error 
Runtime Error!
S[&3oJn
S,:4BhX
">sc,s
%s(%d) : %s
Second Chance Assertion Failed: File %s, Line %d
SetConsoleCtrlHandler
SetFilePointer
SetHandleCount
SetStdHandle
SHELL32.dll
ShellExecuteA
SING error
Soz=7KT
sprintf.c
stdargv.c
stdenvp.c
stream != NULL
string != NULL
str != NULL
szUserMessage != NULL
TerminateProcess
=tGjyhp#B
t!h8(B
t&h('B
The value of ESP was not properly saved across a function call.  This is usually a result of calling a function declared with one calling convention with a function pointer declared with a different calling convention. 
!This program cannot be run in DOS mode.
t!hl(B
TLOSS error
Total allocations: %ld bytes.
t.;t$$t(
u+hh,B
u%hX#B
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
user32.dll
VC20XC00U
:v"I*n
VirtualAlloc
VirtualFree
:vP	:AF
vsprintf.c
Warning
WideCharToMultiByte
WriteFile
wsprintfA
:X>c>k>
Xhp}JVb.=6
xqp-f#
Y5kU,k
/YjF35
|zhLIH