Analysis Date: 2014-10-10 19:01:42
MD5: bc75e5c03e200ddf6fc657de71a9b744
SHA1: ef68844bafc720db44631adceb884536e1d42a6d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8ba5adc7a003ad956f866b2a6ae8fa4d sha1: 9db343e7aef2805776f52fd4130bbffccca4e1dd size: 33001
Section .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: fb18b0a66157d9bd4f185e594e10b3ed sha1: eaad39fca71766a4543cf7d9f29a1896df49526c size: 153993
Timestamp: 2009-09-28 13:54:18
Version:
InternalName: wmiprsve
FileVersion: 1.00
CompanyName: Microsoft Corporation
ProductName: Microsoft(R) Windows(R) Operating System
ProductVersion: 1.00
OriginalFilename: wmiprsve.exe
Packer: AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER
PEhash: f79e77d90c068923e550d1ee1c36a6173e7903c4
IMPhash: 07bc5ebd01e0903e4b2020f5c61217f0
AV 360 Safe: Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV Ad-Aware: Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Risk.CYPY-5897
AV Avira (antivir): TR/Spy.Gen
AV BullGuard: Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Click.37051
AV Emsisoft: Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV Eset (nod32): Win32/VB.ORT
AV Fortinet: Malware_fam.A
AV Frisk (f-prot): W32/MalwareS.BAPO
AV F-Secure: Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV Grisoft (avg): Dropper.Generic3.BIRV
AV Ikarus: Trojan-Clicker.Win32.VB
AV K7: Trojan ( 0001140e1 )
AV Kaspersky: Trojan.Win32.Generic:Trojan-Clicker.Win32.VB.ddu
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Dropper!vi
AV Microsoft Security Essentials: Trojan:Win32/Provis!rts
AV MicroWorld (escan): Gen:Trojan.Heur.GZ.lm0@bWyQNkdl
AV Norman: win32:win32/SB/Obfuscated_FA
AV Rising: no_virus
AV Sophos: Mal/Behav-210
AV Symantec: Trojan Horse
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): TrojanClicker.VB
AV Yara APT: no_virus
AV Zillya!: Dropper.VB.Win32.20245

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\malware.exe
Creates File: C:\WINDOWS\system32\syswindows.ini
Creates Process: "C:\WINDOWS\system32\malware.exe"

Process
↳ "C:\WINDOWS\system32\malware.exe"

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Netbios
Creates File: C:\WINDOWS\system32\spoolsrv.exe
Deletes File: C:\\malware.exe
Deletes File: C:\WINDOWS\system32\syswindows.ini
Creates Process: "C:\WINDOWS\system32\spoolsrv.exe"
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Service: Windows Workstation System - C:\WINDOWS\system32\wmiprsve.exe
Winsock DNS: www.k75.cn

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1840

Process
↳ Pid 1140

Process
↳ "C:\WINDOWS\system32\spoolsrv.exe"

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFC48.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Netbios
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip138[1].htm
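
The persistence in the runtime trace leans on names that pass a glance: the dropped spoolsrv.exe sits in system32 beside the real spoolsv.exe, the service "Windows Workstation System" points at wmiprsve.exe, a transposition of WmiPrvSE.exe (the legitimate WMI provider host), and the Strings section further down carries iexpIore and winIogon, spelled with a capital I where the real names have an l. The following is an added Python example, not part of this report, that scores such names against a constructed allow-list of Windows binary stems: exact match, equal after folding look-alike glyphs, or within one edit where an adjacent transposition counts as a single edit. The allow-list and the sample records are constructed for illustration; a production check would also compare the binary's path and signature, which this example does not.

```python
"""Flag binary names that impersonate Windows system binaries by one edit or a homoglyph."""

# Constructed allow-list (stems, lower-case); a real one comes from a signed-binary
# inventory of the gold image, not from a hand-typed set.
KNOWN_SYSTEM_BINARIES = {
    "svchost", "spoolsv", "wmiprvse", "iexplore",
    "winlogon", "lsass", "explorer", "services", "csrss",
}

# Look-alike characters fold to one representative, so iexpIore (capital I)
# and iexplore compare equal once lower-cased and translated.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "|": "i", "0": "o"})


def stem(name: str) -> str:
    """Lower-case the name and drop a trailing .exe."""
    low = name.lower()
    return low[:-4] if low.endswith(".exe") else low


def normalize(s: str) -> str:
    return s.translate(HOMOGLYPHS)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions,
    so wmiprsve vs wmiprvse costs one edit instead of two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_name(name: str, known=KNOWN_SYSTEM_BINARIES) -> tuple:
    """Return (verdict, impersonated_stem): known, homoglyph, lookalike or unknown."""
    s = stem(name)
    if s in known:
        return "known", s
    n = normalize(s)
    for k in known:                       # identical once look-alike glyphs are folded
        if normalize(k) == n:
            return "homoglyph", k
    nearest = min(known, key=lambda k: osa_distance(n, normalize(k)))
    if osa_distance(n, normalize(nearest)) <= 1:
        return "lookalike", nearest
    return "unknown", None


# Records constructed from this report's runtime trace and Strings section,
# plus two legitimate names so the benign path is exercised too.
SAMPLE_RECORDS = [
    ("process", "spoolsv.exe"),
    ("file",    "spoolsrv.exe"),     # dropped into system32, one inserted letter
    ("service", "wmiprsve.exe"),     # Windows Workstation System binary, s/v swapped
    ("string",  "iexpIore"),         # capital I in place of l
    ("string",  "winIogon"),
    ("process", "svchost.exe"),
    ("file",    "malware.exe"),      # the sandbox's own name for the sample
]


def triage(records=SAMPLE_RECORDS) -> list:
    """One (kind, name, verdict, impersonated) row per record."""
    return [(kind, name) + classify_name(name) for kind, name in records]


if __name__ == "__main__":
    for row in triage():
        print("%-8s %-14s %-10s %s" % row)
```

The homoglyph check runs before the edit-distance check on purpose: after folding, iexpIore is identical to iexplore, and reporting it as "one edit away" would understate what the name is doing.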

Network Details:

DNS: cname.huatian.net (Type: A) ➝ 74.207.247.129
DNS: yd.ecoma.glb0.lxdns.com (Type: A) ➝ 14.17.101.19
DNS: yd.ecoma.glb0.lxdns.com (Type: A) ➝ 14.17.101.20
DNS: yd.ecoma.glb0.lxdns.com (Type: A) ➝ 14.17.101.21
DNS: yd.ecoma.glb0.lxdns.com (Type: A) ➝ 14.17.101.18
DNS: www.ip138.cn (Type: A) ➝ 218.133.22.66
DNS: www.k75.cn (Type: A)
DNS: www.ip138.com (Type: A)
HTTP GET: http://www.k75.cn/Count.aspx?mac=00-00-00-00-00-00
User-Agent: MyAgent
HTTP GET: http://www.ip138.com/ips.asp
User-Agent: MyAgent
HTTP GET: http://www.ip138.cn/
User-Agent: MyAgent
HTTP GET: http://www.k75.cn/Version.txt
User-Agent: MyAgent
HTTP GET: http://www.k75.cn/GetDate.aspx?ip=127.0.0.1&mac=00-00-00-00-00-00&ver=1.0.0
User-Agent: MyAgent
Flows TCP: 192.168.1.1:1032 ➝ 74.207.247.129:80
Flows TCP: 192.168.1.1:1033 ➝ 14.17.101.19:80
Flows TCP: 192.168.1.1:1034 ➝ 218.133.22.66:80
Flows TCP: 192.168.1.1:1035 ➝ 74.207.247.129:80
Flows TCP: 192.168.1.1:1036 ➝ 74.207.247.129:80

Raw Pcap
0x00000000 (00000)   47455420 2f436f75 6e742e61 7370783f   GET /Count.aspx?
0x00000010 (00016)   6d61633d 30302d30 302d3030 2d30302d   mac=00-00-00-00-
0x00000020 (00032)   30302d30 30204854 54502f31 2e310d0a   00-00 HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000040 (00064)   656e740d 0a486f73 743a2077 77772e6b   ent..Host: www.k
0x00000050 (00080)   37352e63 6e0d0a43 6f6e7465 6e742d4c   75.cn..Content-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00

0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 6e742d4c   no-cache....nt-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00

0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000020 (00032)   656e740d 0a486f73 743a2077 77772e69   ent..Host: www.i
0x00000030 (00048)   70313338 2e636e0d 0a436163 68652d43   p138.cn..Cache-C
0x00000040 (00064)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x00000050 (00080)   0d0a0d0a 61636865 0d0a0d0a 6e742d4c   ....ache....nt-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00

0x00000000 (00000)   47455420 2f566572 73696f6e 2e747874   GET /Version.txt
0x00000010 (00016)   20485454 502f312e 310d0a55 7365722d    HTTP/1.1..User-
0x00000020 (00032)   4167656e 743a204d 79416765 6e740d0a   Agent: MyAgent..
0x00000030 (00048)   486f7374 3a207777 772e6b37 352e636e   Host: www.k75.cn
0x00000040 (00064)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x00000050 (00080)   206e6f2d 63616368 650d0a0d 0a742d4c    no-cache....t-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00

0x00000000 (00000)   47455420 2f476574 44617465 2e617370   GET /GetDate.asp
0x00000010 (00016)   783f6970 3d313237 2e302e30 2e31266d   x?ip=127.0.0.1&m
0x00000020 (00032)   61633d30 302d3030 2d30302d 30302d30   ac=00-00-00-00-0
0x00000030 (00048)   302d3030 26766572 3d312e30 2e302048   0-00&ver=1.0.0 H
0x00000040 (00064)   5454502f 312e310d 0a557365 722d4167   TTP/1.1..User-Ag
0x00000050 (00080)   656e743a 204d7941 67656e74 0d0a486f   ent: MyAgent..Ho
0x00000060 (00096)   73743a20 7777772e 6b37352e 636e0d0a   st: www.k75.cn..
0x00000070 (00112)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x00000080 (00128)   34340d0a 43616368 652d436f 6e74726f   44..Cache-Contro
0x00000090 (00144)   6c3a206e 6f2d6361 6368650d 0a0d0a69   l: no-cache....i
0x000000a0 (00160)   703d3132 372e302e 302e3126 6d61633d   p=127.0.0.1&mac=
0x000000b0 (00176)   30302d30 302d3030 2d30302d 30302d30   00-00-00-00-00-0
0x000000c0 (00192)   30267665 723d312e 302e30              0&ver=1.0.0
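
The Raw Pcap dumps above are the only place the report shows the check-in wire format, so here is an added Python example (mine, not part of the sandbox output or of the sample) that decodes the hex column of a dump back into bytes, splits the request, and tags the traits a proxy-log rule for this family would match on: the MyAgent User-Agent, the www.k75.cn check-in host versus the ip138 public-IP lookup hosts, the mac= query, and the quirk that the client sends a GET with a Content-Length body repeating the query string. It cuts the body to Content-Length because the ips.asp, ip138.cn and Version.txt captures carry leftover bytes from the preceding request after the blank line that ends the headers (the tail of the Count.aspx dump reappears byte for byte in the ips.asp dump); a parser that took everything after the headers as body would report a payload that was never sent. The two dumps embedded as input (Count.aspx and ips.asp) are copied from this page; the GetDate.aspx dump parses the same way. The host groupings and indicator labels are my own.

```python
"""Rebuild the report's Raw Pcap hex dumps into HTTP requests and tag indicators."""
import re
from urllib.parse import parse_qs, urlsplit

# Dumps copied verbatim from the Raw Pcap section.  The ips.asp capture carries
# leftover bytes from the preceding request after the blank line that ends the
# headers; a parser that takes "everything after the headers" as body would
# report a payload that was never sent.
DUMP_COUNT = """\
0x00000000 (00000)   47455420 2f436f75 6e742e61 7370783f   GET /Count.aspx?
0x00000010 (00016)   6d61633d 30302d30 302d3030 2d30302d   mac=00-00-00-00-
0x00000020 (00032)   30302d30 30204854 54502f31 2e310d0a   00-00 HTTP/1.1..
0x00000030 (00048)   55736572 2d416765 6e743a20 4d794167   User-Agent: MyAg
0x00000040 (00064)   656e740d 0a486f73 743a2077 77772e6b   ent..Host: www.k
0x00000050 (00080)   37352e63 6e0d0a43 6f6e7465 6e742d4c   75.cn..Content-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00
"""
DUMP_IPS = """\
0x00000000 (00000)   47455420 2f697073 2e617370 20485454   GET /ips.asp HTT
0x00000010 (00016)   502f312e 310d0a55 7365722d 4167656e   P/1.1..User-Agen
0x00000020 (00032)   743a204d 79416765 6e740d0a 486f7374   t: MyAgent..Host
0x00000030 (00048)   3a207777 772e6970 3133382e 636f6d0d   : www.ip138.com.
0x00000040 (00064)   0a436163 68652d43 6f6e7472 6f6c3a20   .Cache-Control: 
0x00000050 (00080)   6e6f2d63 61636865 0d0a0d0a 6e742d4c   no-cache....nt-L
0x00000060 (00096)   656e6774 683a2032 310d0a43 61636865   ength: 21..Cache
0x00000070 (00112)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000080 (00128)   68650d0a 0d0a6d61 633d3030 2d30302d   he....mac=00-00-
0x00000090 (00144)   30302d30 302d3030 2d3030              00-00-00-00
"""

LINE = re.compile(r"^0x[0-9a-fA-F]+\s+\(\d+\)\s+(.*)$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Decode the hex column only; the ASCII column is display and is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = LINE.match(line.strip())
        if m:
            hex_col = m.group(1).split("   ")[0]   # hex groups end at the 3-space gap
            out += bytes.fromhex("".join(hex_col.split()))
    return bytes(out)


def parse_http_request(raw: bytes) -> dict:
    """Split request line, headers and body.  The body is cut to Content-Length;
    anything beyond it is counted as stale rather than treated as payload."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("capture has no end-of-headers marker")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    url = urlsplit(target)
    return {
        "method": method, "version": version, "path": url.path,
        "query": {k: v[0] for k, v in parse_qs(url.query).items()},
        "headers": headers,
        "body": rest[:length],
        "stale_bytes": max(len(rest) - length, 0),
    }


# Host groupings taken from this report's DNS/HTTP records; the labels are mine.
C2_HOSTS = {"www.k75.cn"}                        # Count.aspx / Version.txt / GetDate.aspx
GEOIP_HOSTS = {"www.ip138.com", "www.ip138.cn"}  # public-IP lookup feeding the ip= field


def indicators(req: dict) -> list:
    """Tag the traits a proxy-log rule for this family would key on."""
    h, hits = req["headers"], []
    if h.get("user-agent") == "MyAgent":
        hits.append("ua:MyAgent")
    if h.get("host") in C2_HOSTS:
        hits.append("host:c2")
    elif h.get("host") in GEOIP_HOSTS:
        hits.append("host:geoip")
    if req["method"] == "GET" and req["body"]:
        hits.append("get-with-body")          # query string repeated as a GET body
    if "mac" in req["query"]:
        hits.append("query:mac")
    return hits


if __name__ == "__main__":
    for dump in (DUMP_COUNT, DUMP_IPS):
        r = parse_http_request(hexdump_to_bytes(dump))
        print(r["headers"]["host"], r["path"], r["query"], r["stale_bytes"], indicators(r))
```

On the ips.asp dump the parser returns an empty body and 63 stale bytes; on the Count.aspx dump the 21-byte body matches Content-Length exactly, which is the combination (GET, Content-Length, body equal to the query string) worth a rule of its own, since browsers never send it.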


Strings

[$$]
\*.*
00-00-00-00-00-00
080404B0
1.00
127.0.0.1
127.0.0.1|
51.la
@\90\DTS\Binn\;D:
90\Too
99.99.99
about:blank
/aclk?sa=
alimamaclick
alinkalink
baiduclick
baidusearch
_blank
body
<br>
<br><br>
<br/><br/></td>
classname
Click
&clickid=
CloseTab_Error
cnzz.com
CompanyName
continue
Count.aspx?
/count.html
CUSTOM
divgoogleclick
divgooglesearch
<div id="divalinkalink"><a id="alinkalink" href=
Document
DocumentComplete_Error
dows\Curren
;D:\Prog
EnLiveDownConfig.txt
.exe
execScript
Explorer.ini
False
FileName
FileVersion
Form_Load_Error
GetDate.aspx?
GetDateUpdate.aspx?
GetUrlKeyWord_Error
google
googleads.g.doubleclick.net/pagead/ads?
googleads.g.doubleclick.net/pagead/sdo?
googlebaiduservices
googleclick
googlesearch
G:\VBServiceIEBr
href
http://
HTTP/1.1
iexplore.exe
InnerHtml
innerText
INPUT
InternalName
&ip=
ips.asp
@isual Studio\VB98\C2.EXE.M
javascript
&jjclick=
@jjj
LegalTrademarks
Length
live800.com
liveupdate.8866.org
LocalSystem
&mac=
mac=
MainStar_Error
Microsoft Corporation
Microsoft(R)  
Microsoft(R) Windows(R) Operating System
MyAgent
name
Name
>&nbsp;&nbsp;</a></div>
NewTab
NewWindow2
offsetLeft
offsetParent
offsetTop
OldPathFile
Open
OriginalFilename
otherclick
outerHTML
parentWindow
ProductName
ProductVersion
&ptclick=
&ptclicknub=
qq.com
quit
.rar
rosoft\Win
/search?
SelectBrowserTab
SelectBrowserTabRefresh_Error
ServiceName
&siteid=
@s\Micros
Software\Mic
spoolsrv
spoolsrv.exe
StarLoad_Error
StringFileInfo
submit
System Workstation System Event Service
syswindows.ini
tagName
tags
Target
tencent:
Translation
true
True
tVersion\R
&type=
Type
username=
Value
VarFileInfo
&ver=
Version.txt
VS_VERSION_INFO
@vXPEN\DeleteCookies.OBJ" -QIfd
window.alert=null;
WindowsUpdate.exe
WindowsUpdate.rar
Windows Workstation
Windows Workstation System
wmiprsve
wmiprsve.exe
www.google
www.ip138.cn
www.ip138.com
www.k75.cn
.zip
0-0000-
0W@W/f
-2_cb`bbb^(-
^/3IKNKH7"!W
4>-L2^3
6,L->;-
6&vb6chs.dll
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
ADVAPI32.DLL
_allmul
brwWebBrowser
ChangeServiceConfig2W
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
ClientToScreen
CloseHandle
CloseServiceHandle
CloseTab
ControlService
CreateEventW
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
`.data
DeleteAllTabs
DeleteCookies
DeleteFileA
DeleteService
DeleteTabsNub
DeleteTabsNubArr
DeleteTempInteFile
DeleteUrlCacheEntryA
DelIniKey
DelIniSec
DllFunctionCall
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
dRsjWSs
dRs&rRs
Ds6nTs
,DUUD,
D:\WINDOWS\system32\ieframe.oca
D:\WINDOWS\system32\msvbvm60.dll\3
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindProcess
FindWindowA
frmBrowser
\G{000iexpIore
*g~b0R
G^cbZ8
GetCursorPos
GetIniKey
GetPrivateProfileStringA
GetProcessHeap
GetSystemDirectoryA
GetTickCount
GetUrlKeyWord
GetVersionExA
GetWindowLongA
googlebaiduservices
HeapAlloc
HeapFree
HttpOpenRequestA
HttpSendRequestA
ieframe.dll
iexpIore
IniFile
INIFileName
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetReadFile
intNub
jdh4>@
j|h(,@
j@h`>@
j\h4>@
jhh(,@
jPh(,@
jXh(,@
jXh|5@
kernel32
KERNEL32.DLL
keybd_event
KeyWord
kTs^bRs
l~b0RD
LocalAlloc
LocalFree
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
MainStar
MapVirtualKeyA
MessageBoxA
mouse_event
MoveFileExA
MsgWaitForMultipleObjects
MSVBVM60.DLL
N,`beggfedZ[#N
netapi32.dll
Netbios
New_IniPath
NewTab
NTService
NTServiceControl
nubarr
nygJcoj
OpenProcess
OpenSCManagerW
OpenServiceW
`OS_MR
O\U^PW
Process32First
Process32Next
PsD~Ss
Qs|5Ds
Qs|5DsO
QsA^Rs
QsA^RsZ
Qs^bRs
Qsb>Rsi
QsdjRsk
Qs{eRs
Qs.kTsL
QsqbRs
QsqbRs@
QsqOQs
Qs:_Rs
QsU#Qs
QueryServiceConfigW
QueryServiceStatus
ReadyState
RegCloseKey
RegisterServiceCtrlHandlerW
RegisterWindowMessageA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
?Rsb>Rsi
Rs{eRs
Rs.kTs
Rsq:Ts
Rs__Rs
<Rs[rSs=
RsSuTsQhRs
RtlMoveMemory
ScreenToClient
SectionName
SelectBrowserTab
SelectBrowserTabRefresh
SetCursorPos
SetEvent
SetForegroundWindow
SetLayeredWindowAttributes
SetServiceStatus
SetWindowLongA
SetWindowPos
SHDocVwCtl
SHDocVwCtl.WebBrowser
shell32.dll
ShellExecuteA
shfolder.dll
SHGetFolderPathA
ShowErrorMessageBox
ShowWindow
spoolsrv
SsbcRs
StarLoad
StarMain
StartServiceCtrlDispatcherW
StartServiceW
strKey
strSection
strValue
TerminateProcess
!This program cannot be run in DOS mode.
timeGetTime
Timer1
Timer2
Timer3
Ts0LRs
Ts__Rs
URLDownloadToFileA
urlmon
user32
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVar
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaCopyBytes
__vbaDateVar
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFPException
__vbaFpI4
__vbaFPInt
__vbaFpR8
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstr
__vbaLsetFixstr
__vbaNew2
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPutOwner3
__vbaR4Var
__vbaRecAnsiToUni
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaRefVarAry
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1I4
__vbaVar2Vec
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGt
__vbaVarCmpLt
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarLateMemSt
__vbaVarMove
__vbaVarNot
__vbaVarOr
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstLe
__vbaVarTstLt
__vbaVarTstNe
__vbaVarVargNofree
WaitForSingleObject
WebBrowser
wininet
wininet.dll
winIogon
winmm.dll
wmiprsve
WriteIniKey
WritePrivateProfileStringA
YFh*jPW