Analysis Date: 2014-11-05 23:55:00
MD5: b47833cb8b284dd36e838437ed8bd50a
SHA1: ea488f96a9d821eb6d970ef41739e636836fdd7b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 24c185a3c951581028c30fed1237118f sha1: eddae04125afc6f8f4b0cb9582737ba33971d8ba size: 96768
Section .rdata md5: 9278a77d14a0dfea58f9cedcd74f5f8f sha1: b8a0496fe67db2e7b8326a0bdfbb1a46814bd9d1 size: 1536
Section .data md5: 3acbf7d0e42e1e5d14d51eb9ae95a06f sha1: 611dcfaa7aab41b8d03e569103f16ef8e95828b0 size: 78848
Section .reloc md5: 35ca4ccd131d4dafc0fd49ee1a379de2 sha1: b3bb8b6d9a65b9681197872361cf51d72931be97 size: 1024
Timestamp: 2005-11-18 21:30:29
PEhash: a40aa381e6b69dc12e6ad3605bd4062999304c2d
IMPhash: 20a9f3fb8a1b7b4558f1be741137b280
AV 360 Safe: Gen:Heur.Conjar.5
AV Ad-Aware: Gen:Heur.Conjar.5
AV Alwil (avast): Cybota [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Goolbot.K.gen!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BullGuard: Gen:Heur.Conjar.5
AV CA (E-Trust Ino): Win32/FraudSecurity.B!generic
AV CAT (quickheal): Backdoor.Cycbot.B
AV ClamAV: no_virus
AV Dr. Web: BackDoor.Gbot
AV Emsisoft: Gen:Heur.Conjar.5
AV Eset (nod32): Win32/Kryptik.TQJ
AV Fortinet: W32/FakeAV.ISS!tr
AV Frisk (f-prot): W32/Goolbot.K.gen!Eldorado
AV F-Secure: Gen:Heur.Conjar.5
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Backdoor.Win32.Agent
AV K7: Backdoor ( 003210941 )
AV Kaspersky: Trojan-FakeAV.Win32.AVGuard.c
AV MalwareBytes: Backdoor.Bot
AV Mcafee: BackDoor-EXI.gen.t
AV Microsoft Security Essentials: Backdoor:Win32/Cycbot.G
AV MicroWorld (escan): Gen:Heur.Conjar.5
AV Norman: Gen:Heur.Conjar.5
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IS
AV Symantec: Backdoor.Cycbot!gen7
AV Trend Micro: BKDR_CYCBOT.SME3
AV VirusBlokAda (vba32): BScope.Cycbot.1213

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ 1
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\conhost ➝ C:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\75DE.FFC
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\csrss.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\lvvm.exe
Creates Process: C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\conhost.exe%C:\Documents and Settings\Administrator\Application Data
Creates Process: C:\malware.exe startC:\WINDOWS\system32\lvvm.exe%C:\WINDOWS\system32
Creates Mutex: {A5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {5A92A751-F926-4BB9-872E-BEC4A4CD571F}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: {61B98B86-5F44-42b3-BCA1-33904B067B81}
Creates Mutex: {0ECE180F-6E9E-4FA6-A154-6876D9DB8906}
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {B5B35993-9674-43cd-8AC7-5BC5013E617B}
Creates Mutex: {B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}
Creates Mutex: {B37C48AF-B05C-4520-8B38-2FE181D5DC78}
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: 127.0.0.1
Winsock DNS: gravatar.com
Winsock DNS: yourmediaspace.com

Process
↳ C:\malware.exe startC:\Documents and Settings\Administrator\Application Data\conhost.exe%C:\Documents and Settings\Administrator\Application Data

Creates Process: C:\Documents and Settings\Administrator\Application Data\conhost.exe

Process
↳ C:\malware.exe startC:\WINDOWS\system32\lvvm.exe%C:\WINDOWS\system32

Creates Process: C:\WINDOWS\system32\lvvm.exe

Process
↳ C:\WINDOWS\system32\lvvm.exe

Network Details:

DNS: gravatar.com
Type: A
192.0.80.241
DNS: gravatar.com
Type: A
192.0.80.242
DNS: gravatar.com
Type: A
192.0.80.239
DNS: gravatar.com
Type: A
192.0.80.240
DNS: zonedg.com
Type: A
141.8.225.80
DNS: yourmediaspace.com
Type: A
HTTP GET: http://gravatar.com/avatar.php?gravatar_id=f2a3889aff6fc9711a3cbcfe64067be1?v13=58&tq=gJ4WK%2FSUh7TFlER8oY%2BQtMWTUj26kJH7yZJSP7qVybhqtUn5CGFATA%3D%3D
User-Agent: mozilla/2.0
HTTP POST: http://zonedg.com/index.html?tq=gKY0sHoL7L%2BN6yLhbz627sHdMfVsSPT5wug%2BtygfvO7H33Hhbj%2Fh7sbedf1sSvT8t65i9hlL9PmxqXH0bF%2FmiMWrdPd5SOeikL50gB9K5PLNq3eFGjzh%2F8DdAYdrT5WO0alxtygbpb6HvnSAOQij%2B8CiYvEaSvT%2Bsqpi8RpL6fhSr%2Fe%2BV5ZuRg%3D%3D
User-Agent: mozilla/2.0
Flows TCP: 192.168.1.1:1031 ➝ 192.0.80.241:80
Flows TCP: 192.168.1.1:1032 ➝ 141.8.225.80:80

Raw Pcap
0x00000000 (00000)   47455420 2f617661 7461722e 7068703f   GET /avatar.php?
0x00000010 (00016)   67726176 61746172 5f69643d 66326133   gravatar_id=f2a3
0x00000020 (00032)   38383961 66663666 63393731 31613363   889aff6fc9711a3c
0x00000030 (00048)   62636665 36343036 37626531 3f763133   bcfe64067be1?v13
0x00000040 (00064)   3d353826 74713d67 4a34574b 25324653   =58&tq=gJ4WK%2FS
0x00000050 (00080)   55683754 466c4552 386f5925 32425174   Uh7TFlER8oY%2BQt
0x00000060 (00096)   4d575455 6a32366b 4a483779 5a4a5350   MWTUj26kJH7yZJSP
0x00000070 (00112)   37715679 62687174 556e3543 47464154   7qVybhqtUn5CGFAT
0x00000080 (00128)   41253344 25334420 48545450 2f312e30   A%3D%3D HTTP/1.0
0x00000090 (00144)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x000000a0 (00160)   6f73650d 0a486f73 743a2067 72617661   ose..Host: grava
0x000000b0 (00176)   7461722e 636f6d0d 0a416363 6570743a   tar.com..Accept:
0x000000c0 (00192)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x000000d0 (00208)   3a206d6f 7a696c6c 612f322e 300d0a0d   : mozilla/2.0...
0x000000e0 (00224)   0a                                    .

0x00000000 (00000)   504f5354 202f696e 6465782e 68746d6c   POST /index.html
0x00000010 (00016)   3f74713d 674b5930 73486f4c 374c2532   ?tq=gKY0sHoL7L%2
0x00000020 (00032)   424e3679 4c68627a 36323773 48644d66   BN6yLhbz627sHdMf
0x00000030 (00048)   56735350 54357775 67253242 74796766   VsSPT5wug%2Btygf
0x00000040 (00064)   764f3748 33334868 626a2532 46683773   vO7H33Hhbj%2Fh7s
0x00000050 (00080)   62656466 31735376 54387436 35693968   bedf1sSvT8t65i9h
0x00000060 (00096)   6c4c3950 6d787158 48306246 2532466d   lL9PmxqXH0bF%2Fm
0x00000070 (00112)   694d5772 64506435 534f6569 6b4c3530   iMWrdPd5SOeikL50
0x00000080 (00128)   6742394b 35504c4e 71336546 476a7a68   gB9K5PLNq3eFGjzh
0x00000090 (00144)   25324638 44644159 64725435 574f3061   %2F8DdAYdrT5WO0a
0x000000a0 (00160)   6c787479 67627062 3648766e 53414f51   lxtygbpb6HvnSAOQ
0x000000b0 (00176)   696a2532 42384369 59764561 53765425   ij%2B8CiYvEaSvT%
0x000000c0 (00192)   32427371 70693852 704c3666 68537225   2Bsqpi8RpL6fhSr%
0x000000d0 (00208)   32466525 32425635 5a755267 25334425   2Fe%2BV5ZuRg%3D%
0x000000e0 (00224)   33442048 5454502f 312e310d 0a486f73   3D HTTP/1.1..Hos
0x000000f0 (00240)   743a207a 6f6e6564 672e636f 6d0d0a55   t: zonedg.com..U
0x00000100 (00256)   7365722d 4167656e 743a206d 6f7a696c   ser-Agent: mozil
0x00000110 (00272)   6c612f32 2e300d0a 436f6e74 656e742d   la/2.0..Content-
0x00000120 (00288)   4c656e67 74683a20 300d0a43 6f6e6e65   Length: 0..Conne
0x00000130 (00304)   6374696f 6e3a2063 6c6f7365 0d0a0d0a   ction: close....
0x00000140 (00320)                                         


Strings
.
4.
.
.
a.g
]j
\s5
F
..
..

080904b0
1.0.0.1
1482
&Execute    Shift+E
FileVersion
PrivateBuild
ProductVersion
&shit menu
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
^^^^^^
^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^
~~~~~~
~~/////
<<<<<<<<<<<<
<<<<<<<<<<<<<
========
==========&&&
>>>>>>
>>>>>>>
>>>>)))
|||||||
            
------```````
-------
---------
,,,,,,,,,
;;;;;;;
!!!!!!
!!!!!!!!!
/////////">>>>>>>>
'''''''''
((((((
[[[?==
[[[[[[
[[[[[[[[[[[[
]]]]]]
]]]]]]]
{{{{{{{{{
}}}}}}}
******
\\\\\\
&&&&&&&&
&&&&&&&&&&&&&&
															
																	
0]}~?*
0000**
000000003333
0<EbhP
	0h3'Q
1:Ntxa
1sSgW23
1sssss22222222222222
_!28l4b
2jKqgB}
%@3~0P
````````````333
3j(.VEL
~3'`"L
44______
4444444
491k>Zz`"-
4\Fl@I
\4Y>hZ
52}X?A
555555555h
5-|k!c
5-LZybH
5U	[$:9,
6666666666
66mm@@@
6'GDl}
70AhA,
7BvmB{
7^I4jq
7lqxMN
\7r`5Ht
7W<Lik
8JEEU-
8{rzPq0
99999999999999999999
( 9M7;
';9]@P^4
-9w=;%
+@<A	5x
<<<<<<<<aaaa
aaaaaa
aaaaaaa
aaaaaaaaaaaaaaaa
AA-----DDDDDDDD
]Abibk
ADVAPI32.dll
\]a?i/o1
ALQzH@S
aP2E;&
>]aT^n 
$a:=Tp>m
b!!!!!
bALmZZ
bb}}}}}}}
bbbbAAAAggggg
BBBBBB
bbbbbbbbbbbbb
bK)Kn5
^bpdvA
BqcCcaKELk
;BRuI@
Bv?HF(
Bx@bU~
c00~?_
c1SJC]
c46t5-& 
;c51q[[
)	c_6u
:::ccccc
*********ccccc
CCCCCCC
#cHT/[
c<{(JKo
cl"e.?
CM_Get_DevNode_Status
CMP_WaitNoPendingInstallEvents
C%%o0<
C{R>3$"
CreateProcessW
CreateStdAccessibleObject
C(Uqh$vi
c?:[#V
}}}}}}}d
D<<<<<<<<<<
/;{d9a
@.data
d=C+kN
ddd ______
DDDDDD
ddddddd
DDDDDDD
ddddddddd
DDDWWW
dD#EF '
dhmWqRt3
}D@mRe`~
dV3O<X
d]WfgM^
DZ-G}L@#
E6aOIFcrC
EbyJoE
EEEE666
EEEEE)
EEEEE9999
EEEEEEEEE
ejT:3S C
ElxIoR1M
EnumResourceNamesA
+Eo9~l
(e]Zk)
FFFFFF
FFFFFFF				
FFFFFFFF>>>
FFFFFFFFFFFFF
ffffffffvvvvvvvvvvvv
@FfR_ou=
fjTs	n"
fmg2B+
):@G5v
[G5w5Q
G//////////AAjjj
gbbbbbbbbb
GetACP
GetAtomNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentVariableW
GetLocaleInfoW
GetModuleHandleW
GetStartupInfoW
GetSystemTimeAsFileTime
GetThreadLocale
GetTickCount
gggggggggggg
GrEvYL
gTr:3~
gu+2p:
< ?gz8
#}HAb#
HGLCKC
|HHHHHHHH
HHHHHHHHHHHHHHHHHHHHHHH
hhhhpppp
^Hm3y*
H*OUZTl
HuFDGD!
hu'Z"a
^,[^I;
I}bG2G
Ic%)k.e
I'!d?U
'-#I&dZ
IIIIII
iiiiiiii
i;l/[R
InstallCatalog
InterlockedCompareExchange
InterlockedExchange
i.<|&O
IQslw'
IsDebuggerPresent
Iu/ZA#
iVjvvVh
*iw?q4
)J2bA~
j3>7s;.&L
_J ;EUP
>>>>JJ
jjjjjjj
jjjjjjjjj
JJJJJJJJJJJ
JJJJJJJJJJJJ
jjjjjjjjjjjjjFFFF
jO*t'u
j-uS|Ek
jxtxQ7
:::::::::K
K"C)m9
KERNEL32.dll
k	@F"Tx
KKKKKKKKKKKK
KKKKKKKKKKKKKKK
KKKKKKKKKKKKKKKKKKK
kS}>h?
LL{{{{{{{{
LLLLLLL
#L (NzEib
LocalAlloc
LresultFromObject
lstrlenA
lstrlenW
;;;;;;;;;;;m;;;;;;;
m|4Jw0
_~'@M^?5L5
mciSendCommandA
m|f3K0
MIIIICCCCCCC######
mmmmmmmm
MMMMMMMMMM44XXXXX
MMMMMMMMMMMMMMMM
mmmmtttt
mq<OiW
M!<}T~i
MultiByteToWideChar
mZ_=Ur
n4>dq1P
}N8F:]
Na'Y]o
ne(]z6@
=Nk2UA
nnhJZL
NNNNNN
nnnnnnn
nnnnnnnnnnD((FFFFF
nnnnnnnnnnnnnnn
nnnnnnnooooooo
Nu(/r-	
'nuyxq
o4?R]6j
>O5u[`D
oAwg*Q
`O`~e%/
oEeji9*
ohsu=i
OLEACC
oo22222222222jjjj
OOOOOOOO
oooooooooooooo
$=~:Ooy
Ow;y5Rs~
o::Xv0
?oY19-Nf
PathAddBackslashA
$pb6-]
-PeQ^z
pppp!!
ppppp--
PPPPPPP
ppppppp22222222
P:_ThG
;qjd^/qp
qJRB	H@
QQQQQQQ
qqqqqqqqq
QueryMemoryResourceNotification
QueryPerformanceCounter
R1zn7?
R7XA^0Xy
RaiseException
rBhT	"
&!rcq!p
`.rdata
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
.reloc
{}rhhr
:rp_5J
rqx-K8
rrkkkkk00000000000
rrrrrrr
(((((((RRRRRRRRRRppppp
rS7j]cS
\	@s^{;
-S2#<o
S2|vKa
SetUnhandledExceptionFilter
SETUPAPI.dll
SetupDiGetDeviceRegistryPropertyW
SHLWAPI.dll
sndPlaySoundA
((((((((((((((SSSffccc
SSSSSS
ssssssssssssD
SSSSSSSSSSSSS
[&s<wRnL
SwZpUQP
-szDFN
t9O"MZ=
T,==9WP_
TerminateProcess
t'Gu).
!This program cannot be run in DOS mode.
Ti@9fm
TKB[:'/a
^@tkq|W'8
tttttt
ttttttt?
T`]T\x/
U`C! 9`\
 u\@cZ
~u{|iL
uiLLL1111111111
UJdx]@
Uj[_+x
UMFWYf
UnhandledExceptionFilter
;\`u[s
++++++++++uuu
			===uuuu
UUUUyyyy
V8[V6)4mJ
VAB9RJ
VKJsE$
vvvvoooooooo
vvvvvhh
vvvvvv
vvvvvvvvvvvvv
W2KUaZ
WArJ<dZE
W\e_^e"
wg>[wi
WideCharToMultiByte
WINMM.dll
WjJNx[
>WTzmAD>:Z
ww]]]]
wwwwwwwwwww
wy4uAT
-Wy_zsY
??x555555
x993rU-
xBBBBBB
xC0Lq*
%^xhe{9e
XM}yaFk3
XXXXVVVV
xxxxxx##
XXXXXXXXX
YFWkBQ
Yuuuuu
yVVVVVVVVVVV
YYYYcccc
YYYY$$$$$$TT
YYYYYYY
|;;;;z
[Z1M'5
z#4Sbr%Um;
.@z}-6
]<z)k#t
ZLLLLLLLL
ZmGUe.why
Zs=6*8(
@ZS7B8
`#!z'U!
?z;V4J]s
___ZZZZ