| Analysis Date | 2015-01-17 17:40:04 |
|---|---|
| MD5 | 8e418896982b799befee43a85824200f |
| SHA1 | f12f5e081ae1f6ca509a94d67c354c81225046c9 |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: e37def91a1a570a864b6372fc2b1d790 sha1: b0a66c84415bc4672de9c9eef7bf9f887a276457 size: 13824 | |
| Section | .rdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024 | |
| Section | .data md5: 90a767364c861679a1045fa8a9a64faf sha1: 7cd065b6cc579e7cb9ea4517593946e109d325a7 size: 113152 | |
| Section | .rsrc md5: f2814ec3ef9326940fb4f02244e83beb sha1: a70dd0b58b182446eaaf9480a8556714add41e6c size: 5120 | |
| Timestamp | 2010-01-20 09:40:00 | |
| Version | LegalCopyright: Copyright © 2010 z PC Tools. E All rights reserved. A InternalName: Rvertum0 FileVersion: 7.0.0.61 CompanyName: PC Tools LegalTrademarks: Comments: ProductName: y ProductVersion: 7.0.0.61 FileDescription: Spyware Doctor ComponentT OriginalFilename: Rvertum0 | |
| PEhash | be59610fb5a67f3f3bf9daff3cd7490d0836992f | |
| IMPhash | 54ad6e7c960129ea2e4510a951bdb22a | |
| AV | 360 Safe | no_virus |
| AV | Ad-Aware | Gen:Heur.IPZ.7 |
| AV | Alwil (avast) | Renosator [Cryp] |
| AV | Arcabit (arcavir) | Gen:Heur.IPZ.7 |
| AV | Authentium | no_virus |
| AV | Avira (antivir) | TR/Crypt.XPACK.Gen2 |
| AV | BullGuard | Gen:Heur.IPZ.7 |
| AV | CA (E-Trust Ino) | Win32/Renos.D!generic |
| AV | CAT (quickheal) | Trojan.Renos.LN |
| AV | ClamAV | W32.Trojan.Skor-7 |
| AV | Dr. Web | Trojan.DownLoader2.39064 |
| AV | Emsisoft | Gen:Heur.IPZ.7 |
| AV | Eset (nod32) | Win32/Kryptik.AEUK |
| AV | Fortinet | W32/Diple.IZ!tr |
| AV | Frisk (f-prot) | no_virus |
| AV | F-Secure | Gen:Heur.IPZ.7 |
| AV | Grisoft (avg) | Win32/Cryptor |
| AV | Ikarus | Trojan.Win32.Jorik |
| AV | K7 | Trojan ( 002456451 ) |
| AV | Kaspersky | Trojan.Win32.Generic |
| AV | MalwareBytes | Trojan.Downloader |
| AV | Mcafee | Downloader-CEW.ap |
| AV | Microsoft Security Essentials | TrojanDownloader:Win32/Renos.LX |
| AV | MicroWorld (escan) | Gen:Heur.IPZ.7 |
| AV | Rising | Trojan.Win32.Generic.128B8EC1 |
| AV | Sophos | Mal/FakeAV-IZ |
| AV | Symantec | Downloader |
| AV | Trend Micro | TROJ_RENOS.SMRK |
| AV | VirusBlokAda (vba32) | Malware-Cryptor.Limpopo |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Creates Process | C:\malware.exe |
|---|---|
| Creates Mutex | Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1} |
| Creates Mutex | {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} |
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe |
|---|---|
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00 |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat |
| Creates File | C:\Documents and Settings\Administrator\Cookies\index.dat |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat |
| Creates Mutex | c:!documents and settings!administrator!local settings!history!history.ie5! |
| Creates Mutex | Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1} |
| Creates Mutex | WininetConnectionMutex |
| Creates Mutex | c:!documents and settings!administrator!cookies! |
| Creates Mutex | c:!documents and settings!administrator!local settings!temporary internet files!content.ie5! |
| Creates Mutex | {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82} |
| Winsock DNS | lacvictoria.com |
| Winsock DNS | qqplot.com |
Network Details:
| DNS | wsj.com Type: A 205.203.132.1 |
|---|---|
| DNS | wsj.com Type: A 205.203.132.65 |
| DNS | wsj.com Type: A 205.203.140.1 |
| DNS | wsj.com Type: A 205.203.140.65 |
| DNS | fastclick.com Type: A 64.156.167.84 |
| DNS | nifty.com Type: A 210.131.4.217 |
| DNS | qqplot.com Type: A 209.99.40.219 |
| DNS | lacvictoria.com Type: A |
| DNS | paulo-fg.com Type: A |
| DNS | bonreligion.com Type: A |
| HTTP POST | http://qqplot.com/borders.php User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) |
| Flows TCP | 192.168.1.1:1031 ➝ 209.99.40.219:80 |
Raw Pcap
0x00000000 (00000) 504f5354 202f626f 72646572 732e7068 POST /borders.ph 0x00000010 (00016) 70204854 54502f31 2e310d0a 41636365 p HTTP/1.1..Acce 0x00000020 (00032) 70743a20 2a2f2a0d 0a436f6e 74656e74 pt: */*..Content 0x00000030 (00048) 2d547970 653a2061 70706c69 63617469 -Type: applicati 0x00000040 (00064) 6f6e2f78 2d777777 2d666f72 6d2d7572 on/x-www-form-ur 0x00000050 (00080) 6c656e63 6f646564 0d0a5573 65722d41 lencoded..User-A 0x00000060 (00096) 67656e74 3a204d6f 7a696c6c 612f342e gent: Mozilla/4. 0x00000070 (00112) 30202863 6f6d7061 7469626c 653b204d 0 (compatible; M 0x00000080 (00128) 53494520 362e303b 2057696e 646f7773 SIE 6.0; Windows 0x00000090 (00144) 204e5420 352e3029 0d0a486f 73743a20 NT 5.0)..Host: 0x000000a0 (00160) 7171706c 6f742e63 6f6d0d0a 436f6e74 qqplot.com..Cont 0x000000b0 (00176) 656e742d 4c656e67 74683a20 3334310d ent-Length: 341. 0x000000c0 (00192) 0a436f6e 6e656374 696f6e3a 204b6565 .Connection: Kee 0x000000d0 (00208) 702d416c 6976650d 0a436163 68652d43 p-Alive..Cache-C 0x000000e0 (00224) 6f6e7472 6f6c3a20 6e6f2d63 61636865 ontrol: no-cache 0x000000f0 (00240) 0d0a0d0a 64617461 3d2f436a 45665a44 ....data=/CjEfZD 0x00000100 (00256) 53767871 43694b30 6c74554d 31757932 SvxqCiK0ltUM1uy2 0x00000110 (00272) 2f797534 55355970 4e6d3176 2f2f6a54 /yu4U5YpNm1v//jT 0x00000120 (00288) 6e675663 2b774d73 2b2b5a42 6a375a53 ngVc+wMs++ZBj7ZS 0x00000130 (00304) 59547233 69426b47 2f672b37 5643432f YTr3iBkG/g+7VCC/ 0x00000140 (00320) 31396b66 694f4870 37655263 48506959 19kfiOHp7eRcHPiY 0x00000150 (00336) 6f393930 4d55756a 67555734 62765449 o990MUujgUW4bvTI 0x00000160 (00352) 644e2f6a 50587547 506a6142 7a786c63 dN/jPXuGPjaBzxlc 0x00000170 (00368) 63356d70 4e303161 36742f51 69535858 c5mpN01a6t/QiSXX 0x00000180 (00384) 77707a39 486d306b 7a396642 6661556e wpz9Hm0kz9fBfaUn 0x00000190 (00400) 3130782f 474c636f 66526948 344c7646 10x/GLcofRiH4LvF 0x000001a0 (00416) 73416947 59467361 696f4d57 30374b30 sAiGYFsaioMW07K0 0x000001b0 (00432) 4533726b 6b334d65 5a557967 44654c47 E3rkk3MeZUygDeLG 0x000001c0 (00448) 77327331 322b6f50 4d4e726e 4a5a637a w2s12+oPMNrnJZcz 0x000001d0 (00464) 687a5a38 78694e57 75355467 4f687134 hzZ8xiNWu5TgOhq4 0x000001e0 (00480) 4f715553 30424d54 644b3262 5a792f68 OqUS0BMTdK2bZy/h 0x000001f0 (00496) 7833546e 6d477954 464c4868 4c635266 x3TnmGyTFLHhLcRf 0x00000200 (00512) 2b76417a 494f424e 6d763433 43444b32 +vAzIOBNmv43CDK2 0x00000210 (00528) 51303541 56636d41 38324b68 54665573 Q05AVcmA82KhTfUs 0x00000220 (00544) 732f476f 6c77786c 6d396b4c 6e726e6c s/Golwxlm9kLnrnl 0x00000230 (00560) 49367034 366e3336 642f3334 6b705656 I6p46n36d/34kpVV 0x00000240 (00576) 32623651 672f413d 3d 2b6Qg/A==
Strings
.[_...
.
.
..Go.
..
.
040904E4
2010 z PC Tools. E All rights reserved. A
7.0.0.61
7qDp
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
fdT9
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
Rvertum0
Spyware Doctor ComponentT
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
yJGDC
=0>1KO
%'02x;)?#
}0AJt$
0oY3`>
0uD4o@8]c-~
13*2557s
_17ovpUHy3VjYGG@8
1[dhXg
}1gB`+
1WoQpj
2a`9)Y|yc
2aWqj=he
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
48<[.t
4|Bg?t[
|=4FQ^uNN
5%5\^)W
~$5(7,
6Rt:.
`72;pDtg
7eb,8n9f
7=lSa>&
!:7*MX
"<^8fP
8nbM|vj|
8)P7;%
8q'D%v
8_)$tEYP
8XWU+5|9
96,[KtS
9A!t2P
9ok!6"5
_9^(u!!
>Alp?a/
<aNt##
a#P~=-i
AP"o:O q'R
AwR8C_7YF
aZMHvK9366@4
{%b(=|
&b\9;8
,BD^[R
BeginPaint
B.EIP.D
bk"rNlf
b#X6Rdq
c6/0HYc
CallNextHookEx
CallWindowProcA
CharLowerA
CharNextA
cr19xH
CX[YZq
CYJ~%;
cYn5G2Tze
c&z;c7
D8yMp][o?/
@.data
dg,ZOi
dh+Zn}r
)DmnvW
d-nuLD
dr#saV
Du47RL
DZOLkc
e28BR"
E~~J?<
epn0Yt
eQgPt@
esaH6pmm
ExitProcess
=;!F\}
f\a}[L<gI
F,^F \Y
]!`fHV"
FindFirstFileA
]fI)!rS
FMeznb`
FormatMessageA
F<Pc8a
FU+AQPoSR
#\'G7+
gDyAPK
GetCurrentThreadId
GetMenu
GetModuleHandleA
GetProcessHeap
GetTickC-ounD
GetWindow
GlobalAlloc
g"n!PUA
GNv]E&
GQcY5}
_H85hmM
Hb?lA;T
hhjDY13
`H$*P}
hpS5`.rd
HuTMBa
h!vl{5pV
HV V5
~ hXn61o
I} 8i90
idjAcJ
_iQkCD@12
i:Ufv,
'-)%j@
jFq`Q>
j>h8E%J
(J J "3
jMA,}z}Mj&
k%[7=s
k_9p%4tTe
KERNEL32.dll
*k'hcK
K%W8]>
KXx.1WrY;
L:#) #!
lcOCURdt
lInS[mu
Lj5y7x)
LoadIconA
LoadLibraryA
LRq~LM
&!ls=jks
lstrlenA
_L*U]w$Ki
LV\1w<
LWysx,
@lzm}Y
M"B`:Sjf@{8
_MNMMQKh0W50Xt@8
MTau:'
mV[+3}
]mYQa,
;MZu{\
nb}Xc8
nexg#8
~N^F.
nfYjSbZ
n;MO|Y5x
NQJtbqA
n"(:sK
*nVG#%%]
O?aNHR|
+~OL9EAUTi
o:RTJ5
;oX!tF
OY1PX@16
p0T&#{
&P%8q`ekY
p`~G23
pKjyWCW
p)sa79
p)v6?+N
^Q4D1s
#qFeCr
Q<IP)|X
qJ\6QQ
@:Qm6t
qqX{rs
?q:R0*
qT,OSlXg
Qv;LJrQ
R6wc8T
R7TNx6
`.rdata
rHT/PPoc
rj|zF1
_R_lY2SZ
r/q=}ui
_rsJfQog
Rvertum0
RVj6j(
_rydl4@20
s4.m18
SCNUymZ
SgAP8S
shlwapi
SRQ2PWja
,s.tex
.S%UKaf
s YUBvsS
`Sz18;
|sZ;n}
t(20\$
t/bRSPX
tb!tlQu
This program must be run under Win32
t{kZlz
trrQHA
tWa^[whOXu
'tYK|_
^U054LbV
UN4IQSTRm
updrPXJx7kO6
u[Q_'}
user32.dll
*@V0uV
V1K-bB5+
V6; H
VirtualAlloc
VirtualAllocEx
vQ"|cw^
+vxXS%,
w6i?Uc
WDSFv@12
wF:O6O
*WIN7E
=$wJKu
~$W@Kk
?WSAKF
W"xf W
x{_/0C
X{cjp:
\ {Xe-2I
%Xfq[dU+
x$g"Zm;
x;=h"8t?
XJd'92m
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
X:%PSJ
Xq&$)7'
xSjt'92}[T
X{tiY7*ux$
xtMImF
Xw,TK|
xwVq3'
xWWYwG
y;D"'d
$y'j<!
YkWHcg
YO3TEGiVuBDJ
_yPBF7GbS@4
yqdBMr
Ytn!8B
z8g4'k8
Z8uHLk
zGKcH;
ZgWvxOcqi
ZiByi-ToW.d
ZjMdE4u0zj8
zNB BW
ZQLr6O&
ZtXlV'2M
zUIM 2
Z.v;*}