Post subject: search4top.net/MSPCA32.cab
Posted: Sun Apr 13, 2008 12:40 pm
Author: Site Admin (Location: India)
Download Link: hxxp://search4top.net/MSPCA32.cab

File Name: MSPCA32.cab

File Info:
File size: 58280 bytes
MD5...: 927859db8e6e58fe14b1f9248f74da0c
SHA1..: 80061b51522b5e305cffc791892787797dbb5eb0
SHA256: 18572fa3713f64c92d246f20eee910287403b7d472c12ed3ca4d98cf4bb43a8f
SHA512: 959c4cc25c58d3adb895ab88c6574077d9a98f67020dac4dfe9f83bb88fe0f73c77517ff64462b170a5801c02d2ac842bf2cff8eca9f65a83d7a386fa113ef03
packers: UPX

Archive preview
Modified Size Ratio CRC32 File name
12/26/2007 5:33:46 PM 374 B INSTALA.inf
12/27/2007 8:31:18 PM 61 KB MSPCA32.dll

File Name: MSPCA32.dll

VirusTotal Result: 9/32 (28.13%)
AntiVir 7.6.0.85 2008.04.11 TR/Bocata.62976
Ikarus T3.1.1.26 2008.04.13 Trojan.Bocata.62976
Norman 5.80.02 2008.04.12 W32/Dialer.CBLJ
Panda 9.0.0.4 2008.04.12 Adware/Search4Top
Prevx1 V2 2008.04.13 ADWARE.BHO
Sophos 4.28.0 2008.04.13 Mal/Emogen-G
Sunbelt 3.0.1041.0 2008.04.12 Trojan.Bocata.6
Symantec 10 2008.04.13 Dialer.Mostrar
Webwasher-Gateway 6.6.2 2008.04.11 Trojan.Bocata.62976

File size: 62976 bytes
MD5...: 64461d4daf64258e8435ae6a74993970
SHA1..: c5be18cb7f77a2f1d424daa66c9e7ee2137a8fc4
SHA256: db51b4c38a5fb4164791c7f835b7dd66487224a606d7a072de7d85a2625442e2
SHA512: 363266e44d3d6f6b71b66f280cec4b1e7916d3268223fc48e84bce031c728852fa6b722a7556e47385e19b8f9e8bae586a8ba6d66d94a6a3e6e10118e6faf1f5
PEiD..: -
PE Structure information:
Base Data:
Entry Point Address.: 0x10029d50
Time Date Stamp.....: 0x47754f05 (Fri Dec 28 19:31:17 2007)
Machine Type.......: 0x14c (I386)

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 47754F05
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 210E
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 0000B000
Size of initialized data: 00005000
Size of uninitialized data: 0001E000
Address of entry point: 00029D50
Base of code: 0001F000
Base of data: 0002A000
Image base: 10000000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0002F000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
UPX0 0001E000 00001000 00000000 00000400 E0000080
UPX1 0000B000 0001F000 0000B000 00000400 E0000040
.rsrc 00005000 0002A000 00004200 0000B400 C0000040


Import table (libraries: 7)
KERNEL32.DLL (imports: 3)
LoadLibraryA, GetProcAddress, VirtualProtect
ADVAPI32.dll (imports: 1)
RegOpenKeyA
ole32.dll (imports: 1)
CoTaskMemFree
OLEAUT32.dll (imports: 1)
#2
SHLWAPI.dll (imports: 1)
SHDeleteKeyA
USER32.dll (imports: 1)
SetTimer
WS2_32.dll (imports: 1)
#111
Export table (names: 5, functions: 5)
#0 - DllCanUnloadNow, #1 - DllGetClassObject, #2 - DllRegisterServer, #3 - DllUnregisterServer, #4 - MSPCA32

Unpacking with UPX:
File size Ratio Format Name
-------------------- ------ ----------- -----------
155648 <- 62976 40.46% win32/pe MSPCA32.dll

PE Sections
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.text 00013C3C 00001000 00014000 00001000 60000020
.rdata 00001D0A 00015000 00002000 00015000 40000040
.data 00006134 00017000 00006000 00017000 C0000040
.idata 00001284 0001E000 00002000 0001D000 C0000040
.rsrc 00004BD9 00020000 00005000 0001F000 40000040
.reloc 000015B4 00025000 00002000 00024000 42000040

File System Activity:
CREATE C:\WINDOWS\system32\SET43.tmp
CREATE C:\WINDOWS\system32\MSPCA32.dll
WRITE C:\WINDOWS\system32\SET43.tmp
OPEN E:\infected\mspca32 extracted\instala.inf
OPEN E:\Infected\MSPCA32 Extracted\MSPCA32.dll
OPEN C:\WINDOWS\system32\SET43.tmp
OPEN C:\WINDOWS\system32\MSPCA32.dll
OPEN C:\WINDOWS\System32\ShimEng.dll
READ C:\WINDOWS\system32\MSPCA32.dll
SET INFORMATION C:\WINDOWS\system32\SET43.tmp
DELETE C:\WINDOWS\system32\SET43.tmp

Registry Values Changed:
HKCU\Software\Microsoft\Search Assistant\ACMru\5603 ---> C:\WINDOWS\system32\MSPCA32.dll
HKLM\Software\Microsoft\Search Assistant\ACMru\5603 ---> C:\WINDOWS\system32\MSPCA32.dll

_________________
.:: MaliciousBrains ::.
http://www.malwareinfo.org

There are no patches or service packs for IGNORANCE!!

