| Analysis Date | 2014-10-10 19:01:42 |
|---|---|
| MD5 | bc75e5c03e200ddf6fc657de71a9b744 |
| SHA1 | ef68844bafc720db44631adceb884536e1d42a6d |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: 8ba5adc7a003ad956f866b2a6ae8fa4d sha1: 9db343e7aef2805776f52fd4130bbffccca4e1dd size: 33001 | |
| Section | .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
| Section | .rsrc md5: fb18b0a66157d9bd4f185e594e10b3ed sha1: eaad39fca71766a4543cf7d9f29a1896df49526c size: 153993 | |
| Timestamp | 2009-09-28 13:54:18 | |
| Version | InternalName: wmiprsve FileVersion: 1.00 CompanyName: Microsoft Corporation ProductName: Microsoft(R) Windows(R) Operating System ProductVersion: 1.00 OriginalFilename: wmiprsve.exe | |
| Packer | AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER | |
| PEhash | f79e77d90c068923e550d1ee1c36a6173e7903c4 | |
| IMPhash | 07bc5ebd01e0903e4b2020f5c61217f0 | |
| AV | 360 Safe | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | Ad-Aware | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
| AV | Arcabit (arcavir) | no_virus |
| AV | Authentium | W32/Risk.CYPY-5897 |
| AV | Avira (antivir) | TR/Spy.Gen |
| AV | BullGuard | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | CA (E-Trust Ino) | no_virus |
| AV | CAT (quickheal) | no_virus |
| AV | ClamAV | no_virus |
| AV | Dr. Web | Trojan.Click.37051 |
| AV | Emsisoft | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | Eset (nod32) | Win32/VB.ORT |
| AV | Fortinet | Malware_fam.A |
| AV | Frisk (f-prot) | W32/MalwareS.BAPO |
| AV | F-Secure | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | Grisoft (avg) | Dropper.Generic3.BIRV |
| AV | Ikarus | Trojan-Clicker.Win32.VB |
| AV | K7 | Trojan ( 0001140e1 ) |
| AV | Kaspersky | Trojan.Win32.Generic:Trojan-Clicker.Win32.VB.ddu |
| AV | MalwareBytes | no_virus |
| AV | Mcafee | RDN/Generic Dropper!vi |
| AV | Microsoft Security Essentials | Trojan:Win32/Provis!rts |
| AV | MicroWorld (escan) | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
| AV | Norman | win32:win32/SB/Obfuscated_FA |
| AV | Rising | no_virus |
| AV | Sophos | Mal/Behav-210 |
| AV | Symantec | Trojan Horse |
| AV | Trend Micro | no_virus |
| AV | VirusBlokAda (vba32) | TrojanClicker.VB |
| AV | Yara APT | no_virus |
| AV | Zillya! | Dropper.VB.Win32.20245 |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
|---|---|
| Creates File | PIPE\wkssvc |
| Creates File | C:\WINDOWS\system32\malware.exe |
| Creates File | C:\WINDOWS\system32\syswindows.ini |
| Creates Process | "C:\WINDOWS\system32\malware.exe" |
Process
↳ "C:\WINDOWS\system32\malware.exe"
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | PIPE\wkssvc |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates File | \Device\Netbios |
| Creates File | C:\WINDOWS\system32\spoolsrv.exe |
| Deletes File | C:\\malware.exe |
| Deletes File | C:\WINDOWS\system32\syswindows.ini |
| Creates Process | "C:\WINDOWS\system32\spoolsrv.exe" |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Creates Service | Windows Workstation System - C:\WINDOWS\system32\wmiprsve.exe |
| Winsock DNS | www.k75.cn |
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
| Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
|---|
Process
↳ Pid 1108
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
| Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
| Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1840
Process
↳ Pid 1140
Process
↳ "C:\WINDOWS\system32\spoolsrv.exe"
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFC48.tmp |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Netbios |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip138[1].htm |
Network Details:
| DNS | cname.huatian.net Type: A 74.207.247.129 |
|---|---|
| DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.19 |
| DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.20 |
| DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.21 |
| DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.18 |
| DNS | www.ip138.cn Type: A 218.133.22.66 |
| DNS | www.k75.cn Type: A |
| DNS | www.ip138.com Type: A |
| HTTP GET | http://www.k75.cn/Count.aspx?mac=00-00-00-00-00-00 User-Agent: MyAgent |
| HTTP GET | http://www.ip138.com/ips.asp User-Agent: MyAgent |
| HTTP GET | http://www.ip138.cn/ User-Agent: MyAgent |
| HTTP GET | http://www.k75.cn/Version.txt User-Agent: MyAgent |
| HTTP GET | http://www.k75.cn/GetDate.aspx?ip=127.0.0.1&mac=00-00-00-00-00-00&ver=1.0.0 User-Agent: MyAgent |
| Flows TCP | 192.168.1.1:1032 ➝ 74.207.247.129:80 |
| Flows TCP | 192.168.1.1:1033 ➝ 14.17.101.19:80 |
| Flows TCP | 192.168.1.1:1034 ➝ 218.133.22.66:80 |
| Flows TCP | 192.168.1.1:1035 ➝ 74.207.247.129:80 |
| Flows TCP | 192.168.1.1:1036 ➝ 74.207.247.129:80 |
Raw Pcap
0x00000000 (00000) 47455420 2f436f75 6e742e61 7370783f GET /Count.aspx? 0x00000010 (00016) 6d61633d 30302d30 302d3030 2d30302d mac=00-00-00-00- 0x00000020 (00032) 30302d30 30204854 54502f31 2e310d0a 00-00 HTTP/1.1.. 0x00000030 (00048) 55736572 2d416765 6e743a20 4d794167 User-Agent: MyAg 0x00000040 (00064) 656e740d 0a486f73 743a2077 77772e6b ent..Host: www.k 0x00000050 (00080) 37352e63 6e0d0a43 6f6e7465 6e742d4c 75.cn..Content-L 0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache 0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac 0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00- 0x00000090 (00144) 30302d30 302d3030 2d3030 00-00-00-00 0x00000000 (00000) 47455420 2f697073 2e617370 20485454 GET /ips.asp HTT 0x00000010 (00016) 502f312e 310d0a55 7365722d 4167656e P/1.1..User-Agen 0x00000020 (00032) 743a204d 79416765 6e740d0a 486f7374 t: MyAgent..Host 0x00000030 (00048) 3a207777 772e6970 3133382e 636f6d0d : www.ip138.com. 0x00000040 (00064) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control: 0x00000050 (00080) 6e6f2d63 61636865 0d0a0d0a 6e742d4c no-cache....nt-L 0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache 0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac 0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00- 0x00000090 (00144) 30302d30 302d3030 2d3030 00-00-00-00 0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1.. 0x00000010 (00016) 55736572 2d416765 6e743a20 4d794167 User-Agent: MyAg 0x00000020 (00032) 656e740d 0a486f73 743a2077 77772e69 ent..Host: www.i 0x00000030 (00048) 70313338 2e636e0d 0a436163 68652d43 p138.cn..Cache-C 0x00000040 (00064) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x00000050 (00080) 0d0a0d0a 61636865 0d0a0d0a 6e742d4c ....ache....nt-L 0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache 0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac 0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00- 0x00000090 (00144) 30302d30 302d3030 2d3030 00-00-00-00 0x00000000 (00000) 47455420 2f566572 73696f6e 2e747874 GET /Version.txt 0x00000010 (00016) 20485454 502f312e 310d0a55 7365722d HTTP/1.1..User- 0x00000020 (00032) 4167656e 743a204d 79416765 6e740d0a Agent: MyAgent.. 0x00000030 (00048) 486f7374 3a207777 772e6b37 352e636e Host: www.k75.cn 0x00000040 (00064) 0d0a4361 6368652d 436f6e74 726f6c3a ..Cache-Control: 0x00000050 (00080) 206e6f2d 63616368 650d0a0d 0a742d4c no-cache....t-L 0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache 0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac 0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00- 0x00000090 (00144) 30302d30 302d3030 2d3030 00-00-00-00 0x00000000 (00000) 47455420 2f476574 44617465 2e617370 GET /GetDate.asp 0x00000010 (00016) 783f6970 3d313237 2e302e30 2e31266d x?ip=127.0.0.1&m 0x00000020 (00032) 61633d30 302d3030 2d30302d 30302d30 ac=00-00-00-00-0 0x00000030 (00048) 302d3030 26766572 3d312e30 2e302048 0-00&ver=1.0.0 H 0x00000040 (00064) 5454502f 312e310d 0a557365 722d4167 TTP/1.1..User-Ag 0x00000050 (00080) 656e743a 204d7941 67656e74 0d0a486f ent: MyAgent..Ho 0x00000060 (00096) 73743a20 7777772e 6b37352e 636e0d0a st: www.k75.cn.. 0x00000070 (00112) 436f6e74 656e742d 4c656e67 74683a20 Content-Length: 0x00000080 (00128) 34340d0a 43616368 652d436f 6e74726f 44..Cache-Contro 0x00000090 (00144) 6c3a206e 6f2d6361 6368650d 0a0d0a69 l: no-cache....i 0x000000a0 (00160) 703d3132 372e302e 302e3126 6d61633d p=127.0.0.1&mac= 0x000000b0 (00176) 30302d30 302d3030 2d30302d 30302d30 00-00-00-00-00-0 0x000000c0 (00192) 30267665 723d312e 302e30 0&ver=1.0.0
Strings
[$$]
\*.*
00-00-00-00-00-00
080404B0
1.00
127.0.0.1
127.0.0.1|
51.la
@\90\DTS\Binn\;D:
90\Too
99.99.99
about:blank
/aclk?sa=
alimamaclick
alinkalink
baiduclick
baidusearch
_blank
body
<br>
<br><br>
<br/><br/></td>
classname
Click
&clickid=
CloseTab_Error
cnzz.com
CompanyName
continue
Count.aspx?
/count.html
CUSTOM
divgoogleclick
divgooglesearch
<div id="divalinkalink"><a id="alinkalink" href=
Document
DocumentComplete_Error
dows\Curren
;D:\Prog
EnLiveDownConfig.txt
.exe
execScript
Explorer.ini
False
FileName
FileVersion
Form_Load_Error
GetDate.aspx?
GetDateUpdate.aspx?
GetUrlKeyWord_Error
google
googleads.g.doubleclick.net/pagead/ads?
googleads.g.doubleclick.net/pagead/sdo?
googlebaiduservices
googleclick
googlesearch
G:\VBServiceIEBr
href
http://
HTTP/1.1
iexplore.exe
InnerHtml
innerText
INPUT
InternalName
&ip=
ips.asp
@isual Studio\VB98\C2.EXE.M
javascript
&jjclick=
@jjj
LegalTrademarks
Length
live800.com
liveupdate.8866.org
LocalSystem
&mac=
mac=
MainStar_Error
Microsoft Corporation
Microsoft(R)
Microsoft(R) Windows(R) Operating System
MyAgent
name
Name
> </a></div>
NewTab
NewWindow2
offsetLeft
offsetParent
offsetTop
OldPathFile
Open
OriginalFilename
otherclick
outerHTML
parentWindow
ProductName
ProductVersion
&ptclick=
&ptclicknub=
qq.com
quit
.rar
rosoft\Win
/search?
SelectBrowserTab
SelectBrowserTabRefresh_Error
ServiceName
&siteid=
@s\Micros
Software\Mic
spoolsrv
spoolsrv.exe
StarLoad_Error
StringFileInfo
submit
System Workstation System Event Service
syswindows.ini
tagName
tags
Target
tencent:
Translation
true
True
tVersion\R
&type=
Type
username=
Value
VarFileInfo
&ver=
Version.txt
VS_VERSION_INFO
@vXPEN\DeleteCookies.OBJ" -QIfd
window.alert=null;
WindowsUpdate.exe
WindowsUpdate.rar
Windows Workstation
Windows Workstation System
wmiprsve
wmiprsve.exe
www.google
www.ip138.cn
www.ip138.com
www.k75.cn
.zip
0-0000-
0W@W/f
-2_cb`bbb^(-
^/3IKNKH7"!W
4>-L2^3
6,L->;-
6&vb6chs.dll
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32
advapi32.dll
ADVAPI32.DLL
_allmul
brwWebBrowser
ChangeServiceConfig2W
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
ClientToScreen
CloseHandle
CloseServiceHandle
CloseTab
ControlService
CreateEventW
CreateServiceW
CreateThread
CreateToolhelp32Snapshot
`.data
DeleteAllTabs
DeleteCookies
DeleteFileA
DeleteService
DeleteTabsNub
DeleteTabsNubArr
DeleteTempInteFile
DeleteUrlCacheEntryA
DelIniKey
DelIniSec
DllFunctionCall
D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
dRsjWSs
dRs&rRs
Ds6nTs
,DUUD,
D:\WINDOWS\system32\ieframe.oca
D:\WINDOWS\system32\msvbvm60.dll\3
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FindCloseUrlCache
FindFirstUrlCacheEntryA
FindNextUrlCacheEntryA
FindProcess
FindWindowA
frmBrowser
\G{000iexpIore
*g~b0R
G^cbZ8
GetCursorPos
GetIniKey
GetPrivateProfileStringA
GetProcessHeap
GetSystemDirectoryA
GetTickCount
GetUrlKeyWord
GetVersionExA
GetWindowLongA
googlebaiduservices
HeapAlloc
HeapFree
HttpOpenRequestA
HttpSendRequestA
ieframe.dll
iexpIore
IniFile
INIFileName
InternetCloseHandle
InternetConnectA
InternetOpenA
InternetReadFile
intNub
jdh4>@
j|h(,@
j@h`>@
j\h4>@
jhh(,@
jPh(,@
jXh(,@
jXh|5@
kernel32
KERNEL32.DLL
keybd_event
KeyWord
kTs^bRs
l~b0RD
LocalAlloc
LocalFree
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
MainStar
MapVirtualKeyA
MessageBoxA
mouse_event
MoveFileExA
MsgWaitForMultipleObjects
MSVBVM60.DLL
N,`beggfedZ[#N
netapi32.dll
Netbios
New_IniPath
NewTab
NTService
NTServiceControl
nubarr
nygJcoj
OpenProcess
OpenSCManagerW
OpenServiceW
`OS_MR
O\U^PW
Process32First
Process32Next
PsD~Ss
Qs|5Ds
Qs|5DsO
QsA^Rs
QsA^RsZ
Qs^bRs
Qsb>Rsi
QsdjRsk
Qs{eRs
Qs.kTsL
QsqbRs
QsqbRs@
QsqOQs
Qs:_Rs
QsU#Qs
QueryServiceConfigW
QueryServiceStatus
ReadyState
RegCloseKey
RegisterServiceCtrlHandlerW
RegisterWindowMessageA
RegOpenKeyA
RegQueryValueExA
RegSetValueExA
?Rsb>Rsi
Rs{eRs
Rs.kTs
Rsq:Ts
Rs__Rs
<Rs[rSs=
RsSuTsQhRs
RtlMoveMemory
ScreenToClient
SectionName
SelectBrowserTab
SelectBrowserTabRefresh
SetCursorPos
SetEvent
SetForegroundWindow
SetLayeredWindowAttributes
SetServiceStatus
SetWindowLongA
SetWindowPos
SHDocVwCtl
SHDocVwCtl.WebBrowser
shell32.dll
ShellExecuteA
shfolder.dll
SHGetFolderPathA
ShowErrorMessageBox
ShowWindow
spoolsrv
SsbcRs
StarLoad
StarMain
StartServiceCtrlDispatcherW
StartServiceW
strKey
strSection
strValue
TerminateProcess
!This program cannot be run in DOS mode.
timeGetTime
Timer1
Timer2
Timer3
Ts0LRs
Ts__Rs
URLDownloadToFileA
urlmon
user32
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVar
__vbaBoolVarNull
__vbaCastObj
__vbaChkstk
__vbaCopyBytes
__vbaDateVar
__vbaEnd
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaFPException
__vbaFpI4
__vbaFPInt
__vbaFpR8
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Var
__vbaI4Var
__vbaInStr
__vbaInStrVar
__vbaLateIdCall
__vbaLateIdCallLd
__vbaLateIdSt
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstr
__vbaLsetFixstr
__vbaNew2
__vbaObjIs
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPutOwner3
__vbaR4Var
__vbaRecAnsiToUni
__vbaRecDestruct
__vbaRecDestructAnsi
__vbaRecUniToAnsi
__vbaRedim
__vbaRedimPreserve
__vbaRefVarAry
__vbaSetSystemError
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrFixstr
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1I4
__vbaVar2Vec
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpGt
__vbaVarCmpLt
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarForInit
__vbaVarForNext
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarLateMemCallLdRf
__vbaVarLateMemSt
__vbaVarMove
__vbaVarNot
__vbaVarOr
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGe
__vbaVarTstGt
__vbaVarTstLe
__vbaVarTstLt
__vbaVarTstNe
__vbaVarVargNofree
WaitForSingleObject
WebBrowser
wininet
wininet.dll
winIogon
winmm.dll
wmiprsve
WriteIniKey
WritePrivateProfileStringA
YFh*jPW