Analysis Date: 2014-12-19 07:33:04
MD5: ce27a19d98a94317fea556a8bd78c5ec
SHA1: da30fde1c4b30535dc1e19b3cac11020e4ced2b2

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 69606dc29fb53a2b8ccca6bf8e6882a7 sha1: cf114eb9da0efaca293e0b90fdb1d93e32077d11 size: 42496
Section UPX2: md5: 0f63bc69994f3ff76dea05e93e0f70b2 sha1: d5f36dfb94f18ce1ba4d834cbe14d90b37734d97 size: 512
Timestamp: 2004-03-19 08:58:54
Packer: UPX -> www.upx.sourceforge.net
PEhash: f336aad9ace36aedcc7e1d17f4a7fc4882bddfb5
IMPhash: c7ecd1a0a4200634e300116dcad86d0d
AV 360 Safe: Generic.Sdbot.6E8FC594
AV Ad-Aware: Generic.Sdbot.6E8FC594
AV Alwil (avast): SdBot-BQB [Trj]
AV Arcabit (arcavir): Generic.Sdbot.6E8FC594
AV Authentium: W32/Bloop.A.gen!Eldorado
AV Avira (antivir): Worm/SdBot.57334.A
AV BullGuard: Generic.Sdbot.6E8FC594
AV CA (E-Trust Ino): Win32/Lioten!generic
AV CAT (quickheal): Backdoor.IRC.r3
AV ClamAV: no_virus
AV Dr. Web: Win32.IRC.Bot.based
AV Emsisoft: Generic.Sdbot.6E8FC594
AV Eset (nod32): Win32/IRCBot.FA
AV Fortinet: W32/Sdbot!tr.bdr
AV Frisk (f-prot): W32/Bloop.A.gen!Eldorado
AV F-Secure: Generic.Sdbot.6E8FC594
AV Grisoft (avg): IRC/BackDoor.SdBot.21.BE
AV Ikarus: Backdoor.Win32.IRCBot
AV K7: Trojan-Downloader ( 0040f8ad1 )
AV Kaspersky: Backdoor.Win32.IRCBot.gen
AV MalwareBytes: no_virus
AV McAfee: W32/Sdbot.worm.gen
AV Microsoft Security Essentials: Backdoor:Win32/Sdbot
AV MicroWorld (escan): Generic.Sdbot.6E8FC594
AV Rising: no_virus
AV Sophos: W32/Sdbot-Gen
AV Symantec: W32.Randex.gen
AV Trend Micro: BKDR_IRCBOT.GEN
AV VirusBlokAda (vba32): BScope.Backdoor.Win32.SdBot

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\msgfixed.exe
Creates Process: C:\WINDOWS\system32\msgfixed.exe
Creates Mutex: jop

Process
↳ C:\WINDOWS\system32\msgfixed.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\x00\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Msg Fixage ➝ msgfixed.exe\x00\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Msg Fixage ➝ msgfixed.exe\x00\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: jop

Network Details:

DNS: irc.freshirc.com
Type: A
141.8.225.62
DNS: r0x.myvnc.com
Type: A
Flows TCP: 192.168.1.1:1031 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1034 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1036 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1037 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1038 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1039 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1040 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1041 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1042 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1044 ➝ 141.8.225.62:6667
Flows TCP: 192.168.1.1:1045 ➝ 141.8.225.62:6667

Raw Pcap

Strings
ADVAPI32.dll
ExitProcess
FindWindowA
GetProcAddress
InternetOpenA
KERNEL32.DLL
LoadLibraryA
MPR.dll
RegCloseKey
SHELL32.dll
ShellExecuteA
!This program cannot be run in DOS mode.
USER32.dll
VirtualAlloc
VirtualFree
VirtualProtect
WININET.dll
WNetAddConnection2A
WS2_32.dll
XPTPSW