Download Link: hxxp://down2.alibaba99.com/x0526/webinfs.exe
File Name: webinfs.exe
File size: 72238 bytes
MD5: 016d9cdaa05f3f0b87291e402ca56316
SHA1: 244fcda9ee7e88a919d4a1dcc0a65150be09ac7f
PEiD: NSPack 3.x -> Liu Xing Ping
packers: NSPack, PE_Patch
packers: NSPack

VirusTotal Result: 11/32 (34.38%)
AntiVir:           TR/Crypt.CFI.Gen
CAT-QuickHeal:     Win32.Packed.Klone.ap03
eSafe:             suspicious Trojan/Worm
F-Secure:          Suspicious:W32/Malware!Gemini
Ikarus:            Packed.Win32.Klone.af
McAfee:            New Malware.u
Norman:            W32/Suspicious_N.gen
Sophos:            Mal/Packer
TheHacker:         W32/Behav-Heuristic-067
VirusBuster:       Packed/NSPack
Webwasher-Gateway: Trojan.Crypt.CFI.Gen

File Info:

PE Header
Signature:                   00004550
Machine:                     014C - Intel 386
Number of sections:          0003
Time/Date stamp:             059BFFA3
Pointer to symbol table:     00000000
Number of symbols:           00000000
Size of optional header:     00E0
Characteristics:             010F
Magic:                       010B
Linker version (major):      04
Linker version (minor):      00
Size of code:                00000000
Size of initialized data:    00012000
Size of uninitialized data:  00075000
Address of entry point:      00076589
Base of code:                00001000
Base of data:                00076000
Image base:                  00400000
Section alignment:           00001000
File alignment:              00000200
OS version (major):          0004
OS version (minor):          0000
Image version (major):       0001
Image version (minor):       0000
Sub system version (major):  0004
Sub system version (minor):  0000
Win32 version:               00000000
Size of image:               0008A000
Size of headers:             00000400
Checksum:                    0001E267
Sub system:                  0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics:         0000
Size of stack reserve:       00100000
Size of stack commit:        00001000
Size of heap reserve:        00100000
Size of heap commit:         00001000
Loader flags:                00000000
Number of RVA:               00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.nsp0    00075000  00001000  00000000  00000400  E0000060
.nsp1    00012000  00076000  0001162E  00000400  E0000060
.nsp2    000015C2  00088000  00000000  00000400  E0000060

Import table (libraries: 3)
KERNEL32.DLL (imports: 6)
  LoadLibraryA
  GetProcAddress
  VirtualProtect
  VirtualAlloc
  VirtualFree
  ExitProcess
USER32.DLL (imports: 1)
  MessageBoxA
ADVAPI32.DLL (imports: 1)
  RegQueryValueExA

Executable modules
Base      Size      Entry                                    Name      File version       Path
00400000  0008A000  00476589 webinfs.                        webinfs                      E:\Infected\webinfs.exe
77D40000  00090000  77D50EB9 USER32.UserClientDllInitialize  USER32    5.1.2600.2180 (x   C:\WINDOWS\system32\USER32.DLL
77DD0000  0009B000  77DD70D4 ADVAPI32.                       ADVAPI32  5.1.2600.2180 (x   C:\WINDOWS\system32\ADVAPI32.DLL
77E70000  00091000  77E76284 RPCRT4.                         RPCRT4    5.1.2600.2180 (x   C:\WINDOWS\system32\RPCRT4.dll
77F10000  00046000  77F163CA GDI32.                          GDI32     5.1.2600.2180 (x   C:\WINDOWS\system32\GDI32.dll
7C800000  000F4000  7C80B436 kernel32.                       kernel32  5.1.2600.2180 (x   C:\WINDOWS\system32\kernel32.dll
7C900000  000B0000  7C913156 ntdll.                          ntdll     5.1.2600.2180 (x   C:\WINDOWS\system32\ntdll.dll

Load Time DLL:
Module Name                         Base Address  Size
C:\WINDOWS\system32\ntdll.dll       0x7C900000    0x000B0000
C:\WINDOWS\system32\kernel32.dll    0x7C800000    0x000F5000
C:\WINDOWS\system32\USER32.DLL      0x7E410000    0x00090000
C:\WINDOWS\system32\GDI32.dll       0x77F10000    0x00047000
C:\WINDOWS\system32\ADVAPI32.DLL    0x77DD0000    0x0009B000
C:\WINDOWS\system32\RPCRT4.dll      0x77E70000    0x00092000
C:\WINDOWS\system32\Secur32.dll     0x77FE0000    0x00011000
C:\WINDOWS\system32\IMM32.DLL       0x76390000    0x0001D000

Run Time DLL:
Module Name                         Base Address  Size
C:\WINDOWS\system32\MSCTF.dll       0x74720000    0x0004B000
C:\WINDOWS\system32\msctfime.ime    0x755C0000    0x0002E000
C:\WINDOWS\system32\OLEAUT32.DLL    0x77120000    0x0008B000
C:\WINDOWS\system32\ole32.dll       0x774E0000    0x0013D000
C:\WINDOWS\system32\version.dll     0x77C00000    0x00008000
C:\WINDOWS\system32\msvcrt.dll      0x77C10000    0x00058000

Process Details:
Name: webinfs.exe
Pid: 1656
KeyedEvent     \KernelObjects\CritSecOutOfMemoryEvent
Directory      \KnownDlls
Directory      \Windows
WindowStation  \Windows\WindowStations\WinSta0
WindowStation  \Windows\WindowStations\WinSta0
File           E:\Infected
Key            HKCU
Key            HKLM

Popup Window:
Window Name  Window Text
Error        OK Not found the kernel library or the kernel library is invalid!

Registry Reads:
Key                                                    Name      Value         Times
HKLM\Software\Microsoft\CTF\SystemShared               CUAS      0             1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM  Ime File  msctfime.ime  1

Memory File Mapped:
File Name
C:\WINDOWS\system32\Msimtf.dll

The file failed to execute and gave the error message:

---------------------------
Error
---------------------------
Not found the kernel library or the kernel library is invalid!
---------------------------
OK
---------------------------

Opened with OllyDBG:

---------------------------
Entry Point Alert
---------------------------
Module 'webinfs' has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying.
---------------------------
OK
---------------------------