Post subject: 37a1579a13ccf47a98c22a1da7ed0091 --> wow.exe
Posted: Fri May 16, 2008 1:58 am
Author: Site Admin (Joined: Thu Mar 27, 2008 1:06 pm, Posts: 163, Location: India)
Download Link: hxxp://qiuxuewow.cn/wow.exe

File Name: wow.exe
MD5: 37a1579a13ccf47a98c22a1da7ed0091
SHA1: d9269d6ac56503b8402747439a007f9185c53bbc
SHA256: ad60a399c519637407df33381a8a2552f58704c4b517ed6e53c37c077f3d3fd7
SHA512: 4070b755d17176e7ed6cb8c67244fe77babf4171d5cd2e2f21c729409bc1069f8ebbdc7b8c20e9156f33953849100f48988ca93775d344586e94131c5f4ae89f

VirusTotal Result: 24/32 (75.00%)
Scanned on 05.14.2008 18:53:11 (CET)

AntiVir: TR/Dropper.Gen
AVG: Agent.UNN
BitDefender: Trojan.PWS.OnLineGames.WOM
CAT-QuickHeal: Trojan.Agent.lpv
ClamAV: Trojan.Agent-23164
DrWeb: Trojan.MulDrop.15082
eSafe: suspicious Trojan/Worm
eTrust-Vet: Win32/Konvoy.F
F-Secure: Trojan.Win32.Agent.lpv
Fortinet: Dropper.BB!tr
GData: Trojan.Win32.Agent.lpv
Ikarus: Virus.Trojan.Win32.Agent.lpv
Kaspersky: Trojan.Win32.Agent.lpv
McAfee: Generic Dropper.bb
Microsoft: TrojanDropper:Win32/Rootkit.AFH
NOD32v2: Win32/TrojanDropper.Agent.NKK
Norman: W32/Smalltroj.EGWF
Panda: Generic Malware
Prevx1: Malware Dropper
Sophos: Troj/Agent-GYS
Symantec: Trojan.Dropper
TheHacker: Trojan/Agent.lpv
VBA32: Trojan.Win32.Agent.lpv
Webwasher-Gateway: Trojan.Dropper.Gen

***** Resources ****************************************************
--- DLL ------------------------------------------------------------
101
102

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 48149298
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00008000
Size of initialized data: 00001000
Size of uninitialized data: 00008000
Address of entry point: 00010E90
Base of code: 00009000
Base of data: 00011000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00012000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 00008000 00001000 00000000 00000400 E0000080
UPX1 00008000 00009000 00008000 00000400 E0000040
.rsrc 00001000 00011000 00000200 00008400 C0000040

***** Import table *************************************************
KERNEL32.DLL (imports: 3)
LoadLibraryA
GetProcAddress
ExitProcess
ADVAPI32.dll (imports: 1)
RegCloseKey
MSVCRT.dll (imports: 1)
memcpy

Process Details:
Process ID 2420
Filename C:\file.exe
Filesize 38400 bytes
MD5 37a1579a13ccf47a98c22a1da7ed0091
Start Reason AnalysisTarget

New Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat6.tmp
C:\file.exe

Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\Rundll32.exe
\\.\PIPE\lsarpc

Deleted Files
C:\WINDOWS\system32\VERCLSID.exe
C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_re1D.tmp

Chronological order
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat6.tmp
Set File Attributes: C:\WINDOWS\system32\VERCLSID.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\VERCLSID.exe
Set File Attributes: C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe
Create/Open File: C:\file.exe (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\Rundll32.exe ()
Find File: Rundll32.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_re1D.tmp

Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = C:\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = C:\file.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 228 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 228 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 47 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 47 bytes]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 94 bytes]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop "" = [REG_BINARY, size: 94 bytes]
HKEY_CURRENT_USER\_reg "" = "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "" =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C} "" =
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "" = C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "" = Apartment

Reads
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""

Creates Process:
Filename () CommandLine: ("C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp") As User: () Creation Flags: ()

Start Process:
Process ID 2436
Filename C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp

New Files
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp
C:\WINDOWS\system32\drivers\beep.sys

Opened Files
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp
\\.\PIPE\lsarpc

Chronological order
Get File Attributes: C:\WINDOWS\system32\shell32.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\shell32.dll.manifest Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp.manifest Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp ()
Find File: dat3.tmp
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp
Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp to C:\WINDOWS\system32\drivers\beep.sys
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)

Reads
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility ""
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop ""

Kill Process - Filename () CommandLine: () Target PID: (2436) As User: () Creation Flags: ()
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1640)

Open Service Manager - Name: "SCM"
Open Service - Name: "beep"
Start Service - Name: (beep) Display Name: () File Name: () Control: () Start Type: ()
Control Service - Name: (beep) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()

Create Process:
Process ID 688
Filename services.exe

Unload Driver - Name: (_HANDLE(0)_) Display Name: () File Name: () Control: () Start Type: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\Beep) File Name: ()

Process ID 1640
Filename C:\WINDOWS\Explorer.EXE
Filesize 1032192 bytes
MD5 a0732187050030ae399b241436565e64
Start Reason InjectedCode

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!
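The PE header and section table in the post above show the textbook UPX layout: a UPX0 section with zero bytes on disk but 0x8000 bytes in memory, an entry point (0x10E90) that sits in UPX1 rather than in the first section, and an import table reduced to LoadLibraryA and GetProcAddress plus three stragglers, because the real IAT is rebuilt by the unpacking stub at run time. The following is an added example (editor's code, not from the post or the sandbox vendor) that parses those header fields with nothing but the standard library and applies the same heuristics. The bytes it parses are a synthetic header constructed from the values printed in the report; the real wow.exe is not embedded, and the import list is copied from the report rather than parsed from the data directory.

```python
"""Parse a PE32 header and report packer indicators (added example).

build_sample_header() returns a CONSTRUCTED header carrying the values from
the report above (machine 0x14C, three sections UPX0/UPX1/.rsrc, entry point
0x10E90); e_lfanew is chosen as 0x40 and is not the real file's value.
"""
import struct
from dataclasses import dataclass

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Import names as printed in the report; fed to the heuristics as-is.
REPORT_IMPORTS = ["LoadLibraryA", "GetProcAddress", "ExitProcess", "RegCloseKey", "memcpy"]


@dataclass
class Section:
    name: str
    virt_size: int
    virt_addr: int
    raw_size: int
    raw_ptr: int
    flags: int

    def contains_rva(self, rva):
        # Packed sections often have raw_size 0, so size the range by the larger value.
        return self.virt_addr <= rva < self.virt_addr + max(self.virt_size, self.raw_size)


@dataclass
class PEInfo:
    machine: int
    timestamp: int
    entry_point: int
    image_base: int
    sections: list


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, ts, _symp, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) handled here")
    entry = struct.unpack_from("<I", data, opt + 16)[0]        # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]   # ImageBase
    sec_tab = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vs, va, rs, rp, _rl, _ln, _nr, _nl, fl = struct.unpack_from("<8sIIIIIIHHI", data, sec_tab + 40 * i)
        sections.append(Section(name.rstrip(b"\0").decode("latin-1"), vs, va, rs, rp, fl))
    return PEInfo(machine, ts, entry, image_base, sections)


def packer_indicators(pe, imports=None):
    """Cheap static heuristics; each returned string is one reason to suspect a packer."""
    findings = []
    if any(s.name.upper().startswith("UPX") for s in pe.sections):
        findings.append("section names UPX0/UPX1 (UPX or a UPX-derived packer)")
    for s in pe.sections:
        if s.raw_size == 0 and s.virt_size and s.flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{s.name}: zero bytes on disk, {s.virt_size:#x} in memory, executable (unpack destination)")
        if s.flags & IMAGE_SCN_MEM_EXECUTE and s.flags & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s.name}: writable and executable")
    ep = next((s for s in pe.sections if s.contains_rva(pe.entry_point)), None)
    if ep is None:
        findings.append(f"entry point {pe.entry_point:#x} lies outside every section")
    elif ep is not pe.sections[0]:
        findings.append(f"entry point {pe.entry_point:#x} in {ep.name}, not the first section (unpacking stub)")
    if imports is not None and {"LoadLibraryA", "GetProcAddress"} <= set(imports) and len(imports) <= 8:
        findings.append(f"only {len(imports)} imports incl. LoadLibraryA/GetProcAddress (IAT rebuilt at run time)")
    return findings


def build_sample_header():
    """CONSTRUCTED PE32 header with the report's values; not the real file."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0x48149298, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x10B, 6, 0)                        # magic, linker 6.0
    struct.pack_into("<IIIIII", opt, 4, 0x8000, 0x1000, 0x8000,           # code/init/uninit sizes
                     0x10E90, 0x9000, 0x11000)                            # entry, base of code/data
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)           # image base, alignments
    table = [(b"UPX0", 0x8000, 0x1000, 0, 0x400, 0xE0000080),
             (b"UPX1", 0x8000, 0x9000, 0x8000, 0x400, 0xE0000040),
             (b".rsrc", 0x1000, 0x11000, 0x200, 0x8400, 0xC0000040)]
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in table)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    for line in packer_indicators(parse_pe(build_sample_header()), REPORT_IMPORTS):
        print("-", line)
```

Run against the real sample, `parse_pe(open(path, "rb").read())` gives the same six findings; an unmodified UPX stub then unpacks with `upx -d`, while a stub that has been tampered with (a common trick to break the tool) needs a run-to-OEP dump instead. Resource type "DLL" with entries 101 and 102, listed in the report, is where the dropped dat3.tmp and datA.tmp most plausibly come from, and that is worth checking once the unpacked image is in hand.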

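Read top to bottom, the process log in the post is a dropper chain: wow.exe writes dat3.tmp and dat6.tmp, deletes VERCLSID.exe together with its DLLCACHE copy (the copy Windows File Protection would restore it from), then launches rundll32 shell32.dll,Control_RunDLL on dat3.tmp, which loads the dropped file as if it were a control panel applet. That second process registers a ShellExecuteHooks CLSID whose InProcServer32 is dat3.tmp, copies datA.tmp over system32\drivers\beep.sys, starts the beep service so the replaced driver is loaded, and Explorer.EXE ends up listed with "InjectedCode". The following is an added example (editor's code, not the post's and not the sandbox vendor's) of turning those observations into triage rules over the log. The log lines are constructed from the report and normalised to one event per line; the rule names, the verdict labels and the regexes are this example's own assumptions about the line format.

```python
"""Triage rules for sandbox behaviour logs (added example).

SAMPLE_LOG is CONSTRUCTED from the report's "Chronological order", "Changes"
and service/driver lines, one event per line. Rule ids, patterns and verdict
labels are assumptions of this example, not a vendor format.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern


RULES = [
    Rule("driver_replace",
         "file written under system32\\drivers (overwrites a legitimate driver)",
         re.compile(r"^(Copy File|Create File|Write File):.*\\system32\\drivers\\[^\\]+\.sys\s*$", re.I)),
    Rule("system_binary_delete",
         "system32 executable deleted, including its DLLCACHE copy used by Windows File Protection",
         re.compile(r"^Delete File: C:\\WINDOWS\\system32\\(DLLCACHE\\)?[^\\]+\.exe\s*$", re.I)),
    Rule("rundll32_temp_dll",
         "rundll32 shell32.dll,Control_RunDLL loading a DLL dropped in %TEMP%",
         re.compile(r"rundll32\.exe.*Control_RunDLL.*\\Temp\\\S+?\.tmp", re.I)),
    Rule("shellexecutehooks",
         "ShellExecuteHooks / CLSID InProcServer32 pointing at a temp file (loaded by every shell process)",
         re.compile(r"(ShellExecuteHooks\b|InProcServer32.*\\Temp\\)", re.I)),
    Rule("driver_load",
         "kernel driver service started or loaded",
         re.compile(r"^(Load Driver|Start Service) - Name:", re.I)),
]

# Dropped .sys name and the service/driver name later started, for correlation.
DRIVER_DROP = re.compile(r"^(Copy File|Create File|Write File):.*\\drivers\\([^\\]+)\.sys\s*$", re.I)
SERVICE_USE = re.compile(
    r"^(Load Driver|Start Service) - Name: \(?"
    r"(?:\\Registry\\Machine\\System\\CurrentControlSet\\Services\\)?([^)\s]+)", re.I)

# Constructed from the report above; not a verbatim sandbox export.
SAMPLE_LOG = [
    r"Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp",
    r"Set File Attributes: C:\WINDOWS\system32\VERCLSID.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)",
    r"Delete File: C:\WINDOWS\system32\VERCLSID.exe",
    r"Delete File: C:\WINDOWS\system32\DLLCACHE\VERCLSID.exe",
    r'Create Process: "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp"',
    r"Registry Set: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 = C:\DOCUME~1\Sandbox\LOCALS~1\Temp\dat3.tmp",
    r"Registry Set: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks",
    r"Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\datA.tmp to C:\WINDOWS\system32\drivers\beep.sys",
    r"Start Service - Name: (beep) Display Name: () File Name: () Control: () Start Type: ()",
    r"Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\Beep) File Name: ()",
    r"Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)",
]


def triage(lines):
    """(rule_id, line) for every rule that fires, in log order."""
    return [(r.rule_id, ln.strip()) for ln in lines for r in RULES if r.pattern.search(ln)]


def correlate_driver(lines):
    """Names of dropped .sys files that a later Start Service / Load Driver event actually used."""
    dropped, loaded = set(), []
    for ln in lines:
        m = DRIVER_DROP.search(ln)
        if m:
            dropped.add(m.group(2).lower())
            continue
        m = SERVICE_USE.match(ln)
        if m and m.group(2).lower() in dropped and m.group(2).lower() not in loaded:
            loaded.append(m.group(2).lower())
    return loaded


def summarize(lines):
    hits = triage(lines)
    fired = sorted({rid for rid, _ in hits})
    drivers = correlate_driver(lines)
    verdict = "kernel-mode dropper" if drivers else ("suspicious" if fired else "no rule fired")
    return {"rules": fired, "hits": len(hits), "drivers": drivers, "verdict": verdict}


if __name__ == "__main__":
    for rid, ln in triage(SAMPLE_LOG):
        print(f"[{rid}] {ln}")
    print(summarize(SAMPLE_LOG))
```

Any single rule here fires on benign software too (installers write drivers, rundll32 Control_RunDLL is how control panel applets open), which is why the verdict is driven by the correlation: a .sys dropped into system32\drivers whose base name then shows up in Start Service or Load Driver is the sequence that turns a user-mode dropper into a kernel-mode one. The regexes are tied to this sandbox's line format; another sandbox needs its own patterns but the same two-step logic.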