File Name: svchost.exe
Scanned on 05.13.2008 03:50:26 (CET)
VirusTotal
AntiVir 7.8.0.17 2008.05.12 TR/StartPage.acm
AVG 7.5.0.516 2008.05.12 Worm/Autoit.AYA
CAT-QuickHeal 9.50 2008.05.12 Trojan.SystemPoser.a
ClamAV 0.92.1 2008.05.12 Worm.Autorun-907
eSafe 7.0.15.0 2008.05.12 Win32.AutoRun.dqj
F-Secure 6.70.13260.0 2008.05.13 Worm.Win32.AutoRun.dqj
GData 2.0.7306.1023 2008.05.12 Worm.Win32.AutoRun.dqj
Ikarus T3.1.1.26 2008.05.13 Virus.Worm.Win32.AutoRun.dqj
Kaspersky 7.0.0.125 2008.05.13 Worm.Win32.AutoRun.dqj
NOD32v2 3094 2008.05.12 archive damaged
Prevx1 V2 2008.05.13 Prevx Database Unreachable
Sophos 4.29.0 2008.05.13 Mal/Generic-A
Symantec 10 2008.05.13 W32.SillyFDC
VBA32 3.12.6.5 2008.05.12 Worm.Win32.AutoRun.dqj
Webwasher-Gateway 6.6.2 2008.05.12 Trojan.StartPage.acm
File size: 216064 bytes
MD5...: c9f00a33a626aeeb66b8e42260ab5a6c
SHA1..: d9788c3d3a2ab92a3c6dca704f2454d38254f4cf
SHA256: ebc0da09b8499636d95119f0066a35d1d543c6a9a660c468e21dc0ab4d6ec50a
SHA512: d49b7bc2b48c35337039367986d208f4131542bcf8a36ef69df32c6b7e639206e44bfd0a8ff0e0887f5cafa641882406c316ce0b95405e32759a8bc038bb0966
PE Structure information
Base data
entrypointaddress.: 0x469770
timedatestamp.....: 0x440db829 (Tue Mar 07 16:43:21 2006)
machinetype.......: 0x14c (I386)
( 3 sections )
name   viradd    virsiz    rawdsiz   ntrpy  md5
UPX0   0x1000    0x3d000   0x0       0.00   d41d8cd98f00b204e9800998ecf8427e
UPX1   0x3e000   0x2c000   0x2ba00   7.92   01528cb0328cd72d5ed058cb87f84dce
.rsrc  0x6a000   0x8000    0x7e00    5.73   6a155de765d5fa0063afc7be000952b4
( 12 imports )
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> ADVAPI32.dll: RegCloseKey
> COMCTL32.dll: -
> comdlg32.dll: GetOpenFileNameA
> GDI32.dll: BitBlt
> ole32.dll: CoInitialize
> OLEAUT32.dll: -
> SHELL32.dll: DragFinish
> USER32.dll: GetDC
> VERSION.dll: VerQueryValueA
> WINMM.dll: mixerOpen
> WSOCK32.dll: -
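The section table and import list above are the classic fingerprint of a UPX-packed executable: a UPX0 section with zero raw size (the destination the stub unpacks into), a UPX1 section at entropy 7.92 (compressed payload plus stub), the entry point inside UPX1, and an import table reduced to LoadLibraryA/GetProcAddress with a single token import per other DLL. The following added example (not part of the sandbox report) encodes those heuristics over the values copied from the report and includes a Shannon entropy routine so the same check can be run on raw section bytes. The image base 0x400000 is an assumption; the report prints the entry point as a virtual address and does not state the image base.

```python
import math
from collections import Counter

# Section table and import list copied from the report above.
SECTIONS = [
    # name, virtual address, virtual size, raw size, entropy as reported by the sandbox
    {"name": "UPX0",  "viradd": 0x1000,  "virsiz": 0x3d000, "rawdsiz": 0x0,     "ntrpy": 0.00},
    {"name": "UPX1",  "viradd": 0x3e000, "virsiz": 0x2c000, "rawdsiz": 0x2ba00, "ntrpy": 7.92},
    {"name": ".rsrc", "viradd": 0x6a000, "virsiz": 0x8000,  "rawdsiz": 0x7e00,  "ntrpy": 5.73},
]
IMPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "ExitProcess"],
    "ADVAPI32.dll": ["RegCloseKey"], "COMCTL32.dll": [], "comdlg32.dll": ["GetOpenFileNameA"],
    "GDI32.dll": ["BitBlt"], "ole32.dll": ["CoInitialize"], "OLEAUT32.dll": [],
    "SHELL32.dll": ["DragFinish"], "USER32.dll": ["GetDC"], "VERSION.dll": ["VerQueryValueA"],
    "WINMM.dll": ["mixerOpen"], "WSOCK32.dll": [],
}
ENTRY_POINT = 0x469770
IMAGE_BASE = 0x400000   # assumption: the report shows a VA; 0x400000 is the usual default for an EXE


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform; packed/encrypted data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_for_rva(sections, rva):
    """Return the section whose virtual range contains the RVA, or None."""
    for s in sections:
        if s["viradd"] <= rva < s["viradd"] + s["virsiz"]:
            return s
    return None


def packing_indicators(sections, imports, entry_point, image_base):
    """Return human-readable reasons the binary looks packed (empty list if none fire)."""
    reasons = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            reasons.append(f"{s['name']}: default UPX section name")
        if s["rawdsiz"] == 0 and s["virsiz"] > 0:
            reasons.append(f"{s['name']}: no raw data but 0x{s['virsiz']:x} bytes reserved, i.e. the unpack destination")
        if s["rawdsiz"] > 0 and s["ntrpy"] >= 7.0:
            reasons.append(f"{s['name']}: entropy {s['ntrpy']:.2f} is in the compressed/encrypted range")
    ep = section_for_rva(sections, entry_point - image_base)
    if ep and ep["rawdsiz"] > 0 and ep["ntrpy"] >= 7.0:
        reasons.append(f"entry point 0x{entry_point:x} lies in high-entropy section {ep['name']} (unpacking stub)")
    # The UPX stub keeps only what it needs from kernel32 and one token import per other DLL;
    # the real import table is rebuilt at runtime through LoadLibraryA/GetProcAddress.
    k32 = {f.lower() for d, funcs in imports.items() if d.upper() == "KERNEL32.DLL" for f in funcs}
    others = [d for d in imports if d.upper() != "KERNEL32.DLL"]
    if {"loadlibrarya", "getprocaddress"} <= k32 and len(k32) <= 4 and all(len(imports[d]) <= 1 for d in others):
        reasons.append("import table is a UPX-style stub: LoadLibraryA/GetProcAddress plus at most one import per DLL")
    return reasons


if __name__ == "__main__":
    for r in packing_indicators(SECTIONS, IMPORTS, ENTRY_POINT, IMAGE_BASE):
        print("-", r)
    print("entropy of 4 KiB of zero bytes:", shannon_entropy(b"\x00" * 4096))
    print("entropy of one of each byte value:", shannon_entropy(bytes(range(256))))
```

Every indicator fires for this sample; on a genuinely unpacked binary the entry point normally sits in a `.text` section of entropy around 6 and kernel32 carries dozens of imports. When the indicators fire, unpack (UPX supports `upx -d` when the headers are intact) before trusting any import-based analysis, because the twelve DLLs listed above say nothing about what the unpacked code actually calls.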
File System Activity:
Find File: C:\svchost.exe
Open File: C:\svchost.exe (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TunerSetup\paths.dat (OPEN_EXISTING)
Open File: \drives.dat (OPEN_EXISTING)
Find File: \spring\TunerSetup.exe
Get File Attributes: \spring\autorun.inf Flags: (SECURITY_ANONYMOUS)
Create/Open File: \spring\autorun.inf (OPEN_ALWAYS)
Find File: \spring\autorun.inf
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Get File Attributes: C:\svchost.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk Flags: (SECURITY_ANONYMOUS)
Create File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
Get File Attributes: C:\Documents and Settings\Administrator\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Start Menu\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\My Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\All Users\Documents\My Music\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: \driveList.txt (OPEN_EXISTING)
Open File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk (OPEN_EXISTING)
Create File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
Registry Activity:
Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.ultitech.blogspot.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "installed" = present2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "winlogon" = \svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "checkedvalue" = [REG_DWORD, value: 00000000]
Reads
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "checkedvalue"
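The file and registry activity above is what makes this sample a worm rather than a simple trojan: it writes autorun.inf next to a TunerSetup.exe it looks for on a drive, drops a shortcut into the user's Startup folder, registers itself under policies\Explorer\Run, and then disables Task Manager, regedit and Folder Options while neutering the "Show hidden files" option so the dropped files stay invisible. The following added example (not part of the sandbox report) parses lines in the exact format the report uses, tags each one with a category, and emits reg.exe commands for the registry changes that have an unambiguous fix. The input is a constructed subset copied from the report; the rule table and category names are this example's own.

```python
import re

# Constructed subset of the File System Activity and Registry Activity lines from the report above,
# kept in the exact line format the sandbox emits.
REPORT = r"""
Create/Open File: \spring\autorun.inf (OPEN_ALWAYS)
Find File: \spring\TunerSetup.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\ .lnk
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoFolderOptions" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main "Start Page" = http://www.ultitech.blogspot.com/
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = explorer.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "installed" = present2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "winlogon" = \svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL "checkedvalue" = [REG_DWORD, value: 00000000]
"""

FILE_RE = re.compile(r"^(?P<op>[A-Za-z/ ]+?): (?P<path>.+?)(?: \((?P<disp>[A-Z_]+)\))?$")
REG_RE = re.compile(r'^(?P<key>HKEY_[A-Z_]+\\.+?) "(?P<name>[^"]*)" = (?P<data>.*)$')
DWORD_RE = re.compile(r"\[REG_DWORD, value: ([0-9a-fA-F]{8})\]")

# (lower-cased key suffix, value name or None for any, category, why it matters,
#  fix: "delete" the value, ("REG_DWORD", data) to restore a known-good value, None = review by hand)
REG_RULES = [
    (r"\policies\explorer\run", None, "persistence", "policies\\Explorer\\Run entries are launched at logon", "delete"),
    (r"\winlogon", "shell", "persistence", "Winlogon Shell names the logon shell; explorer.exe is the default, confirm nothing was appended", None),
    (r"\policies\system", "disabletaskmgr", "defense evasion", "blocks Task Manager", "delete"),
    (r"\policies\system", "disableregistrytools", "defense evasion", "blocks regedit", "delete"),
    (r"\policies\explorer", "nofolderoptions", "defense evasion", "removes Folder Options so hidden files cannot be unhidden", "delete"),
    (r"\advanced\folder\hidden\showall", "checkedvalue", "defense evasion", "CheckedValue=0 neuters the 'Show hidden files' option", ("REG_DWORD", 1)),
    (r"\internet explorer\main", "start page", "browser hijack", "IE start page replaced", None),
]


def parse_registry_line(line):
    """Split a 'KEY "name" = data' line into (key, name, value); DWORDs become ints."""
    m = REG_RE.match(line)
    if not m:
        return None
    key, name, data = m.group("key"), m.group("name"), m.group("data")
    d = DWORD_RE.match(data)
    return key, name, (int(d.group(1), 16) if d else data)


def triage(report: str):
    """Tag each sandbox line; returns dicts with category, evidence, why and, for registry hits, key/name/fix."""
    findings = []
    for line in report.strip().splitlines():
        reg = parse_registry_line(line)
        if reg:
            key, name, value = reg
            for suffix, vname, cat, why, fix in REG_RULES:
                if key.lower().endswith(suffix) and (vname is None or name.lower() == vname):
                    findings.append({"category": cat, "evidence": f'{key} "{name}" = {value}',
                                     "why": why, "key": key, "name": name, "fix": fix})
            continue
        f = FILE_RE.match(line)
        if not f:
            continue
        op, path = f.group("op").lower(), f.group("path")
        low = path.lower()
        if "create" in op and low.endswith("\\autorun.inf"):
            findings.append({"category": "spreading", "evidence": line,
                             "why": "autorun.inf written: removable-media propagation indicator"})
        elif "create" in op and "\\start menu\\programs\\startup\\" in low:
            findings.append({"category": "persistence", "evidence": line,
                             "why": "shortcut dropped into the Startup folder"})
        elif low.startswith("\\\\.\\pipe\\"):
            findings.append({"category": "recon", "evidence": line,
                             "why": "RPC named pipe opened: " + path.rsplit("\\", 1)[-1]})
    return findings


def reg_cleanup_commands(findings):
    """reg.exe commands undoing the registry findings that have a known-safe fix (run from an elevated cmd)."""
    cmds = []
    for f in findings:
        fix = f.get("fix")
        if fix == "delete":
            cmds.append(f'reg delete "{f["key"]}" /v "{f["name"]}" /f')
        elif isinstance(fix, tuple):
            rtype, data = fix
            cmds.append(f'reg add "{f["key"]}" /v "{f["name"]}" /t {rtype} /d {data} /f')
    return cmds


if __name__ == "__main__":
    hits = triage(REPORT)
    for h in hits:
        print(f"[{h['category']}] {h['evidence']}\n    {h['why']}")
    print("\n".join(reg_cleanup_commands(hits)))
```

The HKEY_CURRENT_USER policies were written for the sandbox's Administrator profile, so on a real host the cleanup has to run once per affected user hive; the Winlogon Shell and IE Start Page entries are deliberately left for manual review because the sample wrote the default shell value here and a start page is a user setting rather than something to delete blindly. The named-pipe opens (lsarpc, ntsvcs, wkssvc in the full report) are tagged only as reconnaissance, since the report shows the opens but not what was sent over them.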
COM Activity:
COM Create Instance: shell32.dll, ProgID: (lnkfile), Interface ID: ({000214EE-0000-0000-C000-000000000046})
COM Create Instance: %SystemRoot%\System32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})