Analysis Date: 2013-10-28 22:51:10
MD5: a9ef37fda122f0af2998d2f2d4ff4323
SHA1: ed2dcfb6c9cb3c2f7e1e4c419ec31ebb12c3ada3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text — md5: b45ccdd15edee1baca8064a4b20635b0 sha1: 851b34ecd2c7fb29ae67a31a07a3461fc4a63075 size: 23040
Section .rdata — md5: 9a4c5d765a28fb9f7efb6896024d70dd sha1: ca91f108481695058c91f138490f50e624ab9440 size: 4608
Section .data — md5: 44b4c1a8b7b954d45ab0e80c3c998752 sha1: fffedb5fb3515d595fa405e44ba48125c7b85f54 size: 1024
Section .ndata — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc — md5: 33ab8fb13aa02f270d40d29128eebe70 sha1: 5c610b52aa8df919ede9534aee15c85fa43deb8c size: 10752
Timestamp: 2007-03-31 15:09:36
PEhash: 6c73b149205ee716b7a972f7fb5171efb1691f1e
AV (avira): [TempDir]/AutoClick2.exe <<< TR/Jorik.AC
AV (avg): Generic25.BLD
AV (clamav): Win.Trojan.8256801

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsq1.tmp
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe

Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe

Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe
Creates Process: dw20.exe -x -s 276

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\MSASCui.exe\\x00
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\7384_appcompat.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 220

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe

Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick3.exe
Creates Process: dw20.exe -x -s 280

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe

Creates File: PIPE\lsarpc
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe
Creates Process: dw20.exe -x -s 272

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick4.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender ➝
C:\Documents and Settings\Administrator\Local Settings\Temp\MSASCui.exe\\x00
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\AutoClick2.exe

Process
↳ dw20.exe -x -s 276

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\16711.dmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\16711.dmp

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 220

Process
↳ dw20.exe -x -s 280

Process
↳ dw20.exe -x -s 272

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\1844E.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:


Raw Pcap

Strings
msctls_progress32
MS Shell Dlg
SysListView32
`	*  `
*?|<>/":
00uOU~:
07.Mk)c
07n-+0
0}fb2M
0f%CBK
0f<=S/
0g${,1G
0G@9xX
0k"vS	
0+Rtj^
0rzu`}ArXe
)0UYN5
13}Gb#
14~'g0j
17\$WT
)1bwQb
1eWyJv
1^h/<v
~1%=#)K
1M0[so
1MFd	m
1%x+\:
2&74Il
2pG~vx
2qGnvx
2sp2s{
2t#@jr9
2:(y{E
3^L1"N
3VN`Zk
{4+=,:
]^43a0
  43}W
4m.3sEe
=4o\Fo
4<Q)eD
4|TJcZ
5be~=\h
%5FM()h+
5k{o34
(5NBhi
5@Nd'g
5q'((a
601+CF
~60gIp?i
6H9v`{7
6NXi(/X
6qI:p  u
6tY;:6Fjx&
6u,gJ~?,UI
{6uVnw
>(6w@5
6=y	E0d5W1
^7>Id_&
$=7q.+
7SyRI	"
*&7TIm^
7t<T+gX
7t">ur
7TVulq
7u%+c^
&7*XYxl%
/7z`a$
86:|0d
|89{m:{
8c'q1]
8NCRCu
}8PC	\
8psFfR
8T,~J5'
8Xmix<X4
96?3O1K
9f#yR	
9G;!l{
9G;!l{%
}-}9]i
9qG$De0m
9uU\^Z
A20fff@
a6A	]d
ACJ216
AdjustTokenPrivileges
ADVAPI32.dll
A@;E |
AI[0PSm6
a:'*&K
ApnhN,
AppendMenuA
aQ,k<[
{&,#aS
Au_.exe
B*2'MAwJ
B6<WrZ
BBClF@s
,b]EB@
BeginPaint
Bh-Y<:>e
BHZ`Z[
BjChC`
B	lD66
b`LM14
bmD}Ix
BM+QJ*;=
bOh56SbOFT
bTs!Pg"
B,`?UJ
"C2'8U8
CallWindowProcA
&CBzji
 C(@ef3-
CharNextA
CharPrevA
CheckDlgButton
chXyT&
CloseClipboard
CloseHandle
cNs!rO
CoCreateInstance
COMCTL32.dll
CommonFilesDir
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
C:\Program Files
_CQv6v
<Cq=~vlEZ&
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
CSI	i%.4
cs'W{]Z
CtUU.~
cX673k
("!Cyx
... %d%%
D$0+D$(P
~D25{y{G
D7+_Si
D>`?95
@.data
=DDDDKm
/#*%dD@Ss{
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
di1czG
DialogBoxParamA
DispatchMessageA
DJ9fC6
DrawTextA
!DRWmn0
Dsf-##
d`w]ya}
&DYtr56
dzuWv!pc
e2hZ=8
[)-*e~8Qe
>E&!bA
$el#:i;
EmptyClipboard
EnableWindow
EndDialog
EndPaint
Er4x_.
! (E>rri
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
E@UneEl!
']ewtW
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
<F_01n
f3GCT:
F5\1l\
f;:@7,
fAV+rm
`fd/CG
F&(die
#	fDxwT
=^F'E_`
.fffff}
F)I!"9
F|I~Fm5
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
<%fKTo
F^Nn[,
FreeLibrary
f #%sR
fW/ $#P
G#5ALy
-G5oDd
ga4$sogKY1k:?
GDI32.dll
<GeO6U
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
gHle1k0N
Gj,u'}Tr
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GQ%H.	6
GR4Tcf
GRu'w&
GxyJ&W5
h11s;K
`h!@3?7
,'{hbb
hBIfr0
HDCdd;
HDCdd{x
h 'ioX
HK"PQ	 
&\,$h{m
H}-m8(M"
^HMld 
H$MSv-
*hp3??J
hp(!DE
>-H<?s
^HS2N2
h^{@tCB;
H]`uXj
HXH>juao
.hz_2I
I!4#)$
i44jx4
i7Q({%
I7=_Sz
icF:c*
#I@cm4!
IC)SDr
%*~I<*|?G
IiU R"7b
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
InvalidateRect
(iqAe{
IsWindow
IsWindowEnabled
IsWindowVisible
It may be possible to skip this check using the /NCRC command line switch
Iv7wrJ
Ix^TXz0Y
$j}(}'
j2i=OM4
j5BHq?
J}5X m
j7	0@K
Jg`{df/
j(H#dv
J,QS3(
$JR$u-
jTP;YT-
-,<JvOM
j+WE7J
jWk~Tx
jyO}>?
K1gcfo
K5J!Anx
k+77iB
Ka3'OJ
KERNEL32.dll
kFKWtrW
+Kgp4W1
KGuU >
khikZ.?
>kICPX
K^st9>h
k*TQF>S
K!U~f6
KU"H/2`
@	KUxQ
ky-MG)
L1cABW
l72Yi&
.l&'_A
/=LD$QH
L/g9]%;
LgCC/|T
lh7L\3
liIW0I
l;,+nb
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
l,,qF+
l_RN5=
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
'lu5q+!Z
lV1]Q:
&&M10#
]m_17|_	
M>9-o<!
m)#c_Ql
mE?CJyOS
MessageBoxA
m>FnnLc
\Microsoft\Internet Explorer\Quick Launch
\mk	EEkZ
+m'+kJ
mL/bf5
MM0#=F
MoveFileA
MoveFileExA
MP`8=)
MQ4dH)%
MQ"hvQ,e
MTI;xW
mU,d	s
MulDiv
MultiByteToWideChar
M%~Wye1
my27 t)
.ndata
NDMP\R
(NOT RECOMMENDED).
N#"p:5
NSIS Error
~nsu.tmp
 }n<SwO
NullsoftInst<
Nulluz	E
&>NV.D
=N$z#hA
o_#2^X
+?o4{m
o/5u6_Zl>
ODKRaV9
/o}FVI
OI<;8l
o=$#IL
ole32.dll
OleInitialize
OleUninitialize
OO)5;^
OpenClipboard
OpenProcessToken
oQv5Q;f*
oS*p2)"
?|OV?s
Ow!C~hq^
oX~D@&
!ox-vLZ
P~$$`|
P2&Zsy2'oR
P48+'7
$PA1%#
Pd0f' 
PeekMessageA
PH~~}(
\p,.nW
Po.sfpU
PostQuitMessage
pp1_cxS
pPf<-F{
PPHL|J
ProgramFilesDir
Prw_]@q
{P#Uvu
=p:Y%F
("q~@?
Q}:["~
\#Q30fff@
q5=="L
Q8qz '
q}9%2h
]q<HVE
"Q.NM@
	Qo}Lg
qq14@o_
$Q]V0<
Q^*Wo/
q/	Z&\
,/R1q,dn
r4ege/
R^4m]^
R,\}5/o
;r*:`8.
raQMqC9
rbYi`RV
rc3Pf*O}
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
RF*dz^
RichEd20.dll
RichEdit20A
RIkhQ}?
	r!L#J
r!l~	V0
")?roQ
{{RPQ 
/_rsyD
S0-|YK
ScreenToClient
sCS	GJ
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
.s{GE?
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHGetFileInfoA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
shlwapi.dll
ShowWindow
S"Ldr5ou
S"}}m~
Software\Microsoft\Windows\CurrentVersion
+&S{q/
s-TxVF'
%SuWwwuUv]
>s]W|}
SystemParametersInfoA
	SZmLmb[@<
? _?=t
T!%}5M@
@	t[\6
T8zjil
&t{E=AN
The installer you are trying to use is corrupted or incomplete.
This could be the result of a damaged disk, a failed download or a virus.
!This program cannot be run in DOS mode.
t,hZRm
_Tid5wU,
	<,T~K
tk5'e(+4
_^[t	P
TrackPopupMenu
TUUUTW
."~|U;
===:u8qRz
U)~<BLj2
uDrTv-
Ue_k0AG
u^@<ey7
u'[-Ko
U:+nR&L[E
/uqC%g
UR+E[C
USER32.dll
U&toFs6
%u.%u%s%s
Uw*fnb
&u'WhX
UWwuUWwwN
|UY<a'
Uza*+@
UZ (|WDV0--
V87uQ4
vB "HA#S@
>vEQ @
verifying installer: %d%%
VerQueryValueA
VERSION.dll
^VGE(e
vGF2Qo
%v+JUl
V;Lc/S
V)o({q`@
>v-_qS?
vrw_3L
)\VSac
V#T=ba
V[tCG;
$v>(+\uuv
v{w\r;M
vYwuUWe
W1kXIF.
w5HJjTJD
WaitForSingleObject
W:AoGukf
W	b	9DJ
w^Dly>+
w{>f`Ta
w/G~s((
 W|hU=
w,[j82
w~;oyv
wp-_t<
WriteFile
WritePrivateProfileStringA
wRjd(; 
W|"SF@
wsprintfA
W|t1l^
Wupegj
]W}VuM
w^*W%*
{~wwo5C
WwuUUn
wwUWww$
WZV#b(
x1mw51580pw
X@%)4X
,{X5>J
)X61	8
-x6!Wf
xDLts;lNZ
@/-$xe
xiFrfl
XI<MK$k
)XiWveCts
^xp62naBl
Y6u6zp
y::b pZ
y^G4kX
Yh 1wn.
&;YiSQO
		Y#J-
^y	Kx	
(Y+#M@
{yOsa{
You may want to contact the author of this installer to obtain a new copy.
YR!<4U
YSXTfGV
YwwURK
&Yx=%54#
yxo'5<
yXXFQ$
z_}@+"
?Z	/?:
Z1^*;~JIg.L
z,3o\fY
z4M44i
za=C=B
z:Bmbf
z('=#e
z<_E]*
zf{7!+
zfy$Zb	8|
Zh6[](b!
,&Z=ia
}Zj\m.
*zN&RM
>Zop}G
z"pHbJ
,ZqhUo.q
z}/s4$k
ZSc]c1
z@=S|t
zv$BGusZ}m7
`zxMT/
ZzuZ1>