Analysis Date: 2015-01-20 13:17:28
MD5: 95c87026e76e89a6bb1e5dedf25ec4b1
SHA1: d237ddd904b1dd42f0a652e086a898e2fa32bbbc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 7a2c34ee1af1ac7f596076d3c567bdd2 sha1: 5c4fc9980490adafee55cf5436f78891192c1ffa size: 10240
Section .rdata md5: cf2bc0e22dd757f3d7c732fb7f27f8be sha1: e5264641a2e26c139edf80e75a2009384607a666 size: 6144
Section .data  md5: 3dd5e26dda2c7017017aba3fc1fde15a sha1: 7cd54b0f31e25ebf93271a203b1eed20ebf058b6 size: 115200
Section .rsrc  md5: 04e2facc1f7db546e627c159b413266a sha1: ad64eaa4645921028233738186bef5f0151f5e43 size: 2048
Timestamp: 2009-02-02 03:04:06
Version:
LegalCopyright: Copyright (C) Kb DoctorWeb, Ltd., 1992-2011
InternalName: Dr.Web for Windows Eq
FileVersion: 5.0.572.1152
CompanyName: ComponentOne LLC
LegalTrademarks:
Comments:
ProductName: Dr.Web for Windows 3x
ProductVersion: 5.0.572.1152
FileDescription: DrWeb For Windows kq 2011
OriginalFilename: File ProtectorH2 v2011 Tu.exe
PEhash: e4dcb7f6761d447b063ab585e4e836dd4d51cd32
IMPhash: 29ea9ee2278e075f3f549a791e6a5ef1
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.13127
AV Alwil (avast): MalOb-EM [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.13127
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Dldr.Renos.psx.15
AV BullGuard: Gen:Variant.Kazy.13127
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LX
AV ClamAV: Trojan.FakeAV.DRW
AV Dr. Web: Trojan.Siggen2.21484
AV Emsisoft: Gen:Variant.Kazy.13127
AV Eset (nod32): Win32/Kryptik.LTB
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Trojan-Downloader:W32/Renos.GTX
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan-Downloader ( 00212ca21 )
AV Kaspersky: Trojan-Downloader.Win32.CodecPack.ajfn
AV MalwareBytes: Trojan.Agent
AV Mcafee: Downloader-CEW.x
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.13127
AV Rising: Trojan.Win32.Generic.127BBD5B
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen48
AV Trend Micro: TROJ_FAKEAV.SM1C
AV VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_CURRENT_USER\Software\CE8SIIFGSU\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: ftuny.com

Network Details:

DNS: dailymotion.com (Type: A) ➝ 195.8.215.137
DNS: dailymotion.com (Type: A) ➝ 195.8.215.138
DNS: dailymotion.com (Type: A) ➝ 195.8.215.139
DNS: dailymotion.com (Type: A) ➝ 195.8.215.136
DNS: netflix.com (Type: A) ➝ 23.23.191.68
DNS: netflix.com (Type: A) ➝ 50.19.210.42
DNS: netflix.com (Type: A) ➝ 54.204.2.219
DNS: netflix.com (Type: A) ➝ 54.204.43.31
DNS: netflix.com (Type: A) ➝ 54.225.192.83
DNS: netflix.com (Type: A) ➝ 54.243.253.96
DNS: netflix.com (Type: A) ➝ 75.101.139.66
DNS: netflix.com (Type: A) ➝ 107.20.151.133
DNS: netflix.com (Type: A) ➝ 107.20.154.246
DNS: netflix.com (Type: A) ➝ 107.20.177.34
DNS: netflix.com (Type: A) ➝ 174.129.2.58
DNS: netflix.com (Type: A) ➝ 23.21.190.124
DNS: ftuny.com (Type: A) ➝ 208.73.211.167
DNS: ftuny.com (Type: A) ➝ 208.73.211.244
DNS: ftuny.com (Type: A) ➝ 208.73.211.250
DNS: ftuny.com (Type: A) ➝ 208.73.210.211
DNS: phreeway.com (Type: A)
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.167:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   3855336d 4f487037 65526348 5069596f   8U3mOHp7eRcHPiYo
0x00000150 (00336)   39394d4d 55756a67 55573462 76544964   99MMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c73 76325649   /Golwxlm9kLsv2VI
0x00000230 (00560)   36706f36 6e333664 2f33346b 6f6c5677   6po6n36d/34kolVw
0x00000240 (00576)   614b5168 2f513d3d                     aKQh/Q==

Strings
.
...1
n.......
.
.
.7.
..(
..."
._._F
pp$*...y.

041904E3
5.0.572.1152
ANSI
ASCII
BCD overflow
Big Endian Unicode
Comments
CompanyName
ComponentOne LLC
Copyright (C) Kb DoctorWeb, Ltd., 1992-2011
Dr.Web for Windows 3x
Dr.Web for Windows Eq
DrWeb For Windows kq 2011
FileDescription
File ProtectorH2 v2011 Tu.exe
FileVersion
InternalName
Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL
Invalid SQL date/time values
LegalCopyright
LegalTrademarks
LError loading dock zone from the stream. Expecting version %d, but found %d.#No OnGetItem event handler assigned
OriginalFilename
ProductName
ProductVersion
Remote Login
%s is not a valid BCD value$Could not parse SQL TimeStamp string
StringFileInfo
Translation
Unicode
UTF-7
UTF-8
VarFileInfo
VS_VERSION_INFO
ZXAX
=$:@;/
0@;5i)D
;0Eu6o|Th
0}f j7
0p3twain_32
2'  8NF\
2qQCi3X
3a^c	kg
3f"<$OFf
3#Zb?5
4c5Pc 
!4C.?k%=
)4 D0b
<4f[?>
<4g~H4B
4j]wg 
4xacvZ
5<"bEl
!)5c@8
?5TBva
\@>]63
6EerXL0
6O^Xve
6@Qm6tN
6z<mK}
8$4_8!
8E>X0-
8fqu*&5
8{~ltU 
8\Y6&I7
|,^9}c
9c$lkB
9^Co&c
9]d8\A
9fqo&c
9gq6:g
9gql#g
9pJFZ<
9S0B<0
9U"v'#
9xNLvRK
aFYY%V
AHCQPY
anf>kE
A%Xub2J
AX[Y< _RV
'BCP0T
BeginPaint
BJYD0E
b	p0r5
brtchQ9LM3@4
C8":lC
CallNextHookEx
CallWindowProcA
CharLowerA
CharLowerBuffA
CharNextA
CharToOemA
CharUpperA
CharUpperBuffA
CheckMenuItem
ChildWindowFromPoint
c,J,@#
>*C)Ko
clDww2
ClientToScreen
CloseClipboard
&CO1f 
CreateIcon
CreateMenu
CreatePopupMenu
CreateWindowExA
CWrL"|]
d1X)<&^
}D2yJM
@.data
DefMDIChildProcA
DefWindowProcA
DeleteMenu
DestroyCursor
DestroyIcon
DE[\u3^r
DFl|(O
DispatchMessageA
DispatchMessageW
D{j#ml
dLi?'A
<; DlK
!\D;N_
DrawAnimatedRects
DrawEdge
DrawFrameControl
DrawIcon
DrawIconEx
DrawMenuBar
DrawTextA
DvhM,J^
DydjA`
E+&<0c
eAFPqn
ECk7kMzuNnd@24
EHo=9@:
(EK#~]
@ELsDl]?
EmptyClipboard
EnableMenuItem
EnableScrollBar
EnableWindow
EndDialog
EndPaint
E	n*j$
EnumChildWindows
EnumThreadWindows
EnumWindows
EqualRect
E"#,xt|
f14:2203
f3`6?X
fdrP9d
fd V\!M!
fFmFsPcy8
File ProtectorH2 v2011 Tu.exe
FillRect
FindWindowA
FKBRVA
FnGr98
fo=*k8
FrameRect
GDI32.DLL
GetActiveWindow
GetBkColor
GetBkMode
GetCapture
GetClassInfoA
GetClassLongA
GetClassNameA
GetClientRect
GetClipboardData
GetCursorPos
GetDCEx
GetDesktopWindow
GetDlgItem
GetFileSize
GetFocus
GetForegroundWindow
GetIconInfo
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardType
GetKeyNameTextA
GetKeyState
GetLastActivePopup
GetMenu
GetMenuItemCount
GetMenuItemID
GetMenuItemInfoA
GetMenuState
GetMenuStringA
GetMessagePos
GetPropA
GetScrollInfo
GetScrollPos
GetScrollRange
GetSubMenu
GetSysColor
GetSysColorBrush
GetSystemMenu
GetSystemMetrics
GetTextColor
GetTopWindow
GetWindow
GetWindowDC
GetWindowLongA
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowTextA
GetWindowTextLengthA
GetWindowThreadProcessId
Gjw |Wpi
G"p^Qw
:gq4:gqz?g
gq5Kg0h_
:gq,:gqW:
h2o(cq"
h8o(cq"
H^FZI%
hoC*>0Wy
^HvJhOo4g
hx0qY43X
iByveTo
'iDQ)u
,IE;8Z
if9=G~
"-IFXRdZx
InflateRect
InsertMenuA
IntersectRect
InvalidateRect
IsCharLowerA
IsCharUpperA
IsChild
IsDialogMessageW
IsDlgButtonChecked
IsMenu
IsRectEmpty
IsWindow
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
iWcq2C
JD:*kd;
~(j?H(_<
jj<G~P
_JLTOsA8NHBn
Jn3.~y
JNZ0Tb
JoDiwd
_^]Jr^D	NyMQ
j	]WF 
K5TbRb
k9fqwl
kA9qzeq
KD\xKZ
kernel32.dll
Khda#T
KillTimer
K=Jjxp
_kpCPKfTC0aF8@24
'=[kTF
KXhpdc\
ld):Ha
\(@lEI
[lFTIR
="LGDDx
lj,go*]
LoadBitmapA
LoadCursorA
LoadIconA
LoadKeyboardLayoutA
LoadLibraryA
LoadStringA
MapVirtualKeyA
MapWindowPoints
MessageBeep
MessageBoxA
MoveWindow
MsgWaitForMultipleObjects
n)b|jtd(R
.n~=g*
N)g?pG
_Nlh2JIU@16
?npFjY
n PQHa
NU+tJ5/uF5=
[\.:O$
;o3<[:
oC_>~/
`OC:@i
(o[DP`
OemToCharA
OffsetRect
O]g^X4
O_k&rAA
OpenClipboard
OpenIcon
=@=|Oz
oZBVvS
$	(!p3
P9gcAd
PeekMessageA
PeekMessageW
PostMessageA
PostQuitMessage
.Prma 
PtInRect
$_PWKmX
<Q!F,:,S
;q@>Q@8
QQJ\+?
Q,R a,
Qvqf1OaUC
@|r@]@
r6.euM
r8:-e,).hy
r8:gq=
Rd"A~,
`.rdata
rDnfau
RedrawWindow
RegisterClipboardFormatA
RegisterWindowMessageA
ReleaseCapture
ReleaseDC
RemoveMenu
RemovePropA
r	i$_EdC
`/Rk+8t8
Rr7l\e
RSFQAK
r=u+z$<
ScreenToClient
ScrollWindow
SendMessageA
SendMessageW
SetActiveWindow
SetCapture
SetClassLongA
SetClipboardData
SetCursor
SetFocus
SetForegroundWindow
SetLastError
SetMenu
SetMenuItemInfoA
SetParent
SetPropA
SetRect
SetScrollInfo
SetScrollPos
SetScrollRange
SetTimer
SetWindowLongA
SetWindowLongW
SetWindowPlacement
SetWindowPos
SetWindowsHookExA
SetWindowTextA
^Sfg"B
ShowOwnedPopups
ShowScrollBar
ShowWindow
SizeofResource
SjFrY1
SN^$Aj
SO4nWr
SPqX&,
_SUeQFEoj2
SXI8IDT
SystemParametersInfoA
t0xZ\,I
t 17I!0
tCS~]?
t	d*V;
tFBA*0
!This program cannot be run in DOS mode.
t_I CC
t$=M9q
t^N-#JN
TrackPopupMenu
TranslateMDISysAccel
u1fGoQxe@12
U4jC9lEW
u9qgr5+(
UH{PE"
UnhookWindowsHookEx
UNIQSTR
UnregisterClassA
UpdateWindow
>;u_:<q
UQAE'XZTBB
user32.dll
uUqO`u
uUU[&Q
uVTs,Y
VADV0P
VirtualAlloc
vs{#@n_
'vvjhGB
.vvqh7B
WaitMessage
	wG2d 
WindowFromPoint
WNX62DUa4UFezK
wsprintfA
WVwWU]
}X8Ju?
|XFDi3
xl=Fd"
|^Xm,y
/XnPG(
XuKEYFDIC
Y9X(ph
Ya[Pg$+@@
YdBTwz
yjHnLY
Y&PC7Q`Z;+
YXRQIkBPKG6@12
ZP4pK|q~
|)ZQTKL0
z.\R,d
,Z=^ u
zzj_S5jqOH