Analysis Date: 2014-12-28 09:35:51
MD5: 154b563f86c5a4d024a8c4a8fd167fa2
SHA1: ed435c445ff7a6145006a057f45987ba1888b044

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 307355aab2fd54b325c0bb4a9b309979 sha1: 77bc8f19dc7187775183ac186c0cac2e48a7088b size: 114688
Section .data: md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc: md5: 4b6d6f48a03069403c6c1f38d88cdd9e sha1: c88140c35d53b2b4db60c2d66cfc5f7c1a947550 size: 4096
Timestamp: 2006-12-13 18:49:13
Version:
LegalCopyright: XUTU
InternalName: beve.exe
FileVersion: 1.00
CompanyName: XUTU
LegalTrademarks:
ProductName: beve
ProductVersion: 1.00
FileDescription:
OriginalFilename: beve.exe
Packer: Microsoft Visual Basic v5.0
PEhash: dae38e47b7619ae84be363749bef5fc2ebc25f8f
IMPhash: 7cc844549fb095c15ab6bda19b6403c4
AV 360 Safe: Trojan.Clicker.Vb.PM
AV Ad-Aware: Trojan.Clicker.Vb.PM
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Trojan.Clicker.Vb.PM
AV Authentium: W32/Trojan.YCEF-7021
AV Avira (antivir): ADSPY/Sepelelu.A
AV BullGuard: Trojan.Clicker.Vb.PM
AV CA (E-Trust Ino): Win32/SillyDl.CZI
AV CAT (quickheal): no_virus
AV ClamAV: Trojan.VB-8163
AV Dr. Web: Trojan.StartPage.1788
AV Emsisoft: Trojan.Clicker.Vb.PM
AV Eset (nod32): no_virus
AV Fortinet: W32/VB.ISG!tr
AV Frisk (f-prot): W32/Trojan.WRO
AV F-Secure: Trojan.Clicker.Vb.PM
AV Grisoft (avg): Downloader.Generic3.JNR
AV Ikarus: Trojan-Clicker.Win32.VB.pm
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Trojan-Clicker.Win32.VB.pm
AV MalwareBytes: no_virus
AV Mcafee: Generic Downloader.b
AV Microsoft Security Essentials: TrojanDownloader:Win32/VB.GN
AV MicroWorld (escan): Trojan.Clicker.Vb.PM
AV Rising: Trojan.Clicker.VB.akp
AV Sophos: Mal/Behav-109
AV Symantec: Trojan.Popper
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): TrojanClicker.VB

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\system32\Macromed\sikogobi.cmd
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\WinSxS\quhada.exe
Creates Process: "C:\WINDOWS\system32\Macromed\sikogobi.cmd"

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe -k http://ads.k8l.info/advertpro/servlet/view/dynamic/url/zone?zid=57&pid=41

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe -k http://ads.k8l.info/advertpro/servlet/view/dynamic/url/zone?zid=57&pid=41

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ "C:\WINDOWS\system32\Macromed\sikogobi.cmd"

Creates Process: C:\WINDOWS\WinSxS\quhada.exe

Process
↳ C:\WINDOWS\WinSxS\quhada.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\quhada ➝ C:\WINDOWS\WinSxS\quhada.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\srchasst\corunujo.log
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe -k http://ads.k8l.info/advertpro/servlet/view/dynamic/url/zone?zid=57&pid=41
Creates Process: C:\Program Files\Internet Explorer\iexplore.exe -k http://ads.k8l.info/advertpro/servlet/view/dynamic/url/zone?zid=57&pid=41
Winsock DNS: ads.k8l.info
Winsock DNS: www.k8l.info
Winsock URL: http://www.k8l.info/upgrade41.txt

Network Details:

DNS: www.k8l.info, Type: A ➝ 8.5.1.46
DNS: ads.k8l.info, Type: A ➝ 8.5.1.46
HTTP GET: http://www.k8l.info/upgrade41.txt
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://ads.k8l.info/advertpro/servlet/view/dynamic/url/media?mid=903&pid=41
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1032 ➝ 8.5.1.46:80
Flows TCP: 192.168.1.1:1033 ➝ 8.5.1.46:80

Raw Pcap
0x00000000 (00000)   47455420 2f757067 72616465 34312e74   GET /upgrade41.t
0x00000010 (00016)   78742048 5454502f 312e310d 0a416363   xt HTTP/1.1..Acc
0x00000020 (00032)   6570743a 202a2f2a 0d0a4163 63657074   ept: */*..Accept
0x00000030 (00048)   2d456e63 6f64696e 673a2067 7a69702c   -Encoding: gzip,
0x00000040 (00064)   20646566 6c617465 0d0a5573 65722d41    deflate..User-A
0x00000050 (00080)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000060 (00096)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000070 (00112)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000080 (00128)   204e5420 352e313b 20535631 3b202e4e    NT 5.1; SV1; .N
0x00000090 (00144)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000a0 (00160)   290d0a48 6f73743a 20777777 2e6b386c   )..Host: www.k8l
0x000000b0 (00176)   2e696e66 6f0d0a43 6f6e6e65 6374696f   .info..Connectio
0x000000c0 (00192)   6e3a204b 6565702d 416c6976 650d0a0d   n: Keep-Alive...
0x000000d0 (00208)   0a                                    .

0x00000000 (00000)   47455420 2f616476 65727470 726f2f73   GET /advertpro/s
0x00000010 (00016)   6572766c 65742f76 6965772f 64796e61   ervlet/view/dyna
0x00000020 (00032)   6d69632f 75726c2f 6d656469 613f6d69   mic/url/media?mi
0x00000030 (00048)   643d3930 33267069 643d3431 20485454   d=903&pid=41 HTT
0x00000040 (00064)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000050 (00080)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000060 (00096)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000070 (00112)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000080 (00128)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000090 (00144)   70617469 626c653b 204d5349 4520362e   patible; MSIE 6.
0x000000a0 (00160)   303b2057 696e646f 7773204e 5420352e   0; Windows NT 5.
0x000000b0 (00176)   313b2053 56313b20 2e4e4554 20434c52   1; SV1; .NET CLR
0x000000c0 (00192)   20322e30 2e353037 3237290d 0a486f73    2.0.50727)..Hos
0x000000d0 (00208)   743a2061 64732e6b 386c2e69 6e666f0d   t: ads.k8l.info.
0x000000e0 (00224)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000f0 (00240)   702d416c 6976650d 0a0d0a              p-Alive....


Strings

 = "
                             
040904B0
 "%1"
1.00
225-159-77-43-16-188-228-175-81-186-104-21-112-3-193-219-14-198-118-192-153-131
225-159-80-43-12-188-233-175-80-186-98-21-107-3-225-219
225-159-94-43-12-188-243-175-83-186-100-21-118-3-235-219
226-159-90-43-11-188-244-175-77-186-101-21-99-3-252-219
226-159-92-43-13-188-239-175-72-186-103-21-102-3-238-219-29-198-104-192
227-159-94-43-17-188-228-175-75-186-102-21
228-159-109-43-51-188
228-159-79-43-27-188-225-175-80-186-110-21
229-159-80-43-15-188-195-175-65-186-101-21-112-3-234-219-29-198
229-159-80-43-15-188-204-175-65-186-109-21-112-3
229-159-80-43-15-188-210-175-77-186-108-21-108-3-251-219
229-159-86-43-18-188-229-175-112-186-100-21-87-3-231-219-0-198-108-192
230-159-86-43-27-188-244-175-76-186
240-159-79-43-15-188-236-175-77-186-104-21-101-3-251-219-6-198-116-192-146-131-168-7-148-103-42-134-203-88-204-164-153-172-54-138-125-241-45-145-39-39-130-172-202-136-83-248-213-245-194-147-101-125-131-45-162-29-70-93-203-51-224-86-246-104-126-78-113-170-243-102-183-21-21-43-117-146-160-225-210-205-47-19-201-240-183-122
240-159-89-43-11-188-229-175-86-186-66-21-106-3-252-219-27-198-122-192-144-131-183-7
242-159-80-43-10-188-238-175-80-186-110-21-118-3
242-159-80-43-18-188-240-175-69-186-101-21-125-3-193-219-14-198-118-192-153-131
242-159-90-43-17-188-244-175-65-186-121-21-71-3-234-219-1-198-111-192-153-131-169-7
242-159-90-43-17-188-244-175-65-186-121-21-72-3-234-219-9-198-111-192
242-159-90-43-17-188-244-175-65-186-121-21-86-3-230-219-8-198-115-192-136-131
243-159-80-43-11-188-244-175-75-186-102-21-71-3-234-219-1-198-111-192-153-131-169-7
243-159-80-43-11-188-244-175-75-186-102-21-72-3-234-219-9-198-111-192
243-159-80-43-11-188-244-175-75-186-102-21-86-3-230-219-8-198-115-192-136-131
244-159-82-43-15-188-244-175-93-186
245-159-90-43-19-188-225-175-93-186-70-21-101-3-247-219-6-198-118-192-137-131-182-7
245-159-90-43-19-188-225-175-93-186-70-21-109-3-225-219-6-198-118-192-137-131-182-7
247-159-86-43-19-188-229-175-96-186-110-21-119-3-236-219-29-198-114-192-140-131-175-7-161-103-44-134-192-88
248-159-122-43-45-188-245-175-74-186
248-159-81-43-11-188-229-175-86-186-101-21-101-3-227-219-33-198-122-192-145-131-190-7
249-159-90-43-22-188-231-175-76-186-127-21
253-159-90-43-24-188-225-175-72-186-72-21-107-3-255-219-22-198-105-192-149-131-188-7-160-103-55-134
253-159-90-43-24-188-225-175-72-186-95-21-118-3-238-219-11-198-126-192-145-131-186-7-186-103-40-134-221-88
254-159-77-43-22-188-231-175-77-186-101-21-101-3-227-219-41-198-114-192-144-131-190-7-166-103-34-134-195-88-209-164
7D4150333A63C8A0639576AB5257DAB9
 /a "%1"
A*\AD:\RAC\AdPower\IERun\IERun.vbp
about:
about:blank
ADODB.Stream
^AHA
An error occurred occurred whilst trying to open or print the selected file.
A sharing violation occurred.
 as string
beve                 
beve.exe  
beve.exe      
body
Close
.cmd
\command
CompanyName
/compile
 Const 
CONST_
.cRegistry
debug.log
\DefaultIcon
del 
Display Name
: dloop
 = EncryptText(
End Function
Error
Error - attempt to create additional associations before class defined.
.exe
.EXE
Failed to create registry Key: '
Failed to delete registry Key: '
Failed to open key '
Failed to set registry value Key: '
FileDescription
File not found
FileVersion
' for delete access
 goto dloop
.GShell
HARDWARE\DESCRIPTION\System
hidden
{ID}
IERun
iexplore.exe
if exist 
&Install 
InternalName
Invalid parameter list passed to CreateAdditionalEXEAssociations - expected Name/Text/Command
',Key: '
LegalCopyright
LegalTrademarks
LoadFromFile
location
.log
Microsoft.XMLHTTP
 /n "%1"
&New
No application is associated with this file type.
No settings
open
&Open
OriginalFilename
Out of memory
overflow
 /p "%1"
Path/file access error
Path not found
@Position
&Print
Private
ProductName
ProductVersion
Public Function 
Read
res://
SaveToFile
Scroll
',Section: '
send
\shell\
\shell\add
\shell\add\command
\shell\new
\shell\new\command
\shell\open
\shell\open\command
\shell\print
\shell\print\command
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
start 
STR_
StringFileInfo
Style
SystemBiosDate
taller.vbp
The executable file is invalid or corrupt
The file could not be opened because the DDE transaction failed. Please try again in a moment.
The file could not be opened because the target application is busy. Please try again in a moment.
The file could not be opened due to time out. Please try again in a moment.
The specified dynamic-link library was not found.
This file type does not have a valid file association.
' to value: '
Translation
Type
VarFileInfo
VS_VERSION_INFO
Write
www.google.com
www.w3c.com
XUTU                 
XUTU                       
!:::::::::::&!
!!!!!!!!!!!!
!]]60=R/
!]]][8'#.LUQN!
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
_allmul
bSupportInstall
bSupportNew
bSupportPrint
!CCCCBA@?>543!
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
ClassKey
CoCreateGuid
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
C:\RAC\_resources\ico\window_earth.ico
CreateAdditionalEXEAssociations
CreateEXEAssociation
CreateKey
cRegistry
csCaes
cs__es
C:\WINDOWS\system32\msvbvm60.dll\3
`.data
Default
DeleteKey
DeleteValue
desjWfshres
DigestFileToHexStr
DigestStrToHexStr
DllFunctionCall
ds|5WsO
dsb>es
dsD;gs
ds{ees-jes
ds.kgs
dspsgs
dsSugsQhes
dstugs
dsvegs
EnumerateSections
EnumerateValues
esA^es
`esbces
esC`gs!
esNJes
esq:gs
<es[rfsD~fs=
eValueType
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
ExpandEnvironmentStringsA
FileName
GetClassNameA
GetDesktopWindow
GetTempPathA
GetValues
GetWindow
GetWindowLongA
GetWindowTextA
gsqbes@
{h	i]&X
ierunierun
iKeyCount
InputBuffer
InputLen
IsDestinationReachableA
iSectCount
j0hDX@
j0hlc@
j4hDX@
j8hDX@
jDhDX@
jdhlc@
}#jDhlP@
jDhlP@
jes:_es
j<hDX@
j@hDX@
jHhHk@
j,hlP@
jxhHk@
kernel32
KeyExists
kgs^bes
+<KHE!
lDefaultIconIndex
$l"MN=I
LongLeftRotate
MAppSettings
MConstants
MConstBuider
MD5Final
MD5Init
MD5Update
MGUIDFunctions
MIEHelper
MInetFunc
MInstallator
modCrypt
MPacker
MShell
MSVBVM60.DLL
MSysInfo
MSystem
MWindows
ole32.dll
p&f;l$ 
&Print
P_R_O_J_E_C_T_N_A_M_E
Qj?SRP
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteValueA
RegEnumKeyA
RegEnumKeyExA
RegEnumValueA
RegisterA
RegisterB
RegisterC
RegisterD
RegOpenKeyExA
RegQueryInfoKeyA
RegQueryValueExA
RegSetValueExA
RtlMoveMemory
sAssociation
sClassDescription
sClassName
SectionKey
sensapi.dll
SetWindowLongA
SetWindowPlacement
sExePath
shell32.dll
ShellExecuteA
sInstallMenuText
sKeyNames
sNewMenuText
sOpenMenuText
SourceString
sPrintMenuText
sSectionKey
StringFromGUID2
sValueKey
!This program cannot be run in DOS mode.
T_I_T_L_E
T$,QRWV
T$(QRWV
T$$QRWV
URLDownloadToFileA
urlmon
user32
!UUUUTSPNKIED!
ValueKey
ValueType
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaCastObj
__vbaCastObjVar
__vbaCheckTypeVar
__vbaChkstk
__vbaDateR8
__vbaEnd
__vbaErase
__vbaError
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitEachColl
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFixstrConstruct
__vbaForEachCollObj
__vbaForEachCollVar
__vbaFPException
__vbaFpI2
__vbaFpI4
__vbaFpUI1
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGetOwner3
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLbound
__vbaLenBstr
__vbaLenBstrB
__vbaLsetFixstr
__vbaNew
__vbaNew2
__vbaNextEachCollObj
__vbaNextEachCollVar
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaRedim
__vbaRedimPreserve
__vbaRefVarAry
__vbaSetSystemError
__vbaStopExe
__vbaStrCat
__vbaStrCmp
__vbaStrComp
__vbaStrCompVar
__vbaStrCopy
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1I4
__vbaVar2Vec
__vbaVarAdd
__vbaVarCat
__vbaVarCopy
__vbaVarDiv
__vbaVarDup
__vbaVargVarMove
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarLateMemSt
__vbaVarMove
__vbaVarMul
__vbaVarNot
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarTstNe
__vbaVarVargNofree
vDefault
vItems
vValue
!VVVF)
Ws6ngs