Download Link: hxxp://infomarket.cc/ZZZ/ldr.exe
File Name: ldr.exe

VirusTotal Result: 4/32 (12.50%)
  BitDefender  7.2           2008.04.22  Trojan.Spy.ZBot.BN
  eSafe        7.0.15.0      2008.04.21  Suspicious File
  F-Secure     6.70.13260.0  2008.04.22  Suspicious:W32/Malware!Gemini
  Sophos       4.28.0        2008.04.22  Mal/Behav-066

File Info:
  File size: 44544 bytes
  MD5...: 0a0b6b875bba32b85e7afa0349bbe5f4
  SHA1..: 37338fba303d7c6d0819e11db4484366f2038777
  SHA256: bdd7c7e4adc56e0fbac6e8c79915c7864825da3304894c66057d92bde3f66621
  SHA512: aa4f98cf28e5e3ceb474e0ba8b4e8b498982e22fbbd286b86ad2eb07abe1afb8d2e2801931ed17ccc4f1ee7722c6fec617e1ffe14d97ead48633ef5323595fc2

***** PE Structure *************************************************
entrypointaddress.: 0x4102be
timedatestamp.....: 0x45b6cc16 (Wed Jan 24 03:01:42 2007)
machinetype.......: 0x14c (I386)

***** PE Header ****************************************************
Signature:                   00004550
Machine:                     014C - Intel 386
Number of sections:          0003
Time/Date stamp:             45B6CC16
Pointer to symbol table:     00000000
Number of symbols:           00000000
Size of optional header:     00E0
Characteristics:             0102
Magic:                       010B
Linker version (major):      63
Linker version (minor):      2D
Size of code:                00009000
Size of initialized data:    00000000
Size of uninitialized data:  00000000
Address of entry point:      000102BE
Base of code:                00010000
Base of data:                00001000
Image base:                  00400000
Section alignment:           00001000
File alignment:              00000200
OS version (major):          0005
OS version (minor):          0000
Image version (major):       0000
Image version (minor):       0000
Sub system version (major):  0004
Sub system version (minor):  0000
Win32 version:               00000000
Size of image:               00024000
Size of headers:             00000400
Checksum:                    00000000
Sub system:                  0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics:         0000
Size of stack reserve:       00100000
Size of stack commit:        00001000
Size of heap reserve:        00100000
Size of heap commit:         00001000
Loader flags:                00000000
Number of RVA:               00000010

***** PE Sections **************************************************
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.retgn    0000E1B7  00001000  00009000  00000400  40000040
.mnmxsx   00001348  00010000  00000600  00009400  E0000020
.ghuzef   00012000  00012000  00001400  00009A00  40000040

***** Import/Export table ******************************************
--- Import table (libraries: 2) ------------------------------------
> user32.dll: CharLowerBuffA, GetDlgItemTextW
> kernel32.dll: SetFilePointer

Process Details:
  Process ID:   1708
  Filename:     C:\ldr.exe
  Filesize:     44544 bytes
  MD5:          0a0b6b875bba32b85e7afa0349bbe5f4
  Start Reason: AnalysisTarget

New Files Created:
  C:\Documents and Settings\Administrator\Application Data\ntos.exe

Opened Files:
  \\.\PIPE\lsarpc
  C:\Documents and Settings\Administrator\Application Data\ntos.exe
  C:\WINDOWS\System32\ntdll.dll

Deleted Files:
  C:\Documents and Settings\Administrator\Application Data\ntos.exe

Chronological order:
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Set File Attributes: C:\Documents and Settings\Administrator\Application Data\ntos.exe
    Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
  Delete File: C:\Documents and Settings\Administrator\Application Data\ntos.exe
  Copy File: C:\ldr.exe to C:\Documents and Settings\Administrator\Application Data\ntos.exe
  Set File Attributes: C:\Documents and Settings\Administrator\Application Data\ntos.exe
    Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
  Open File: C:\Documents and Settings\Administrator\Application Data\ntos.exe (OPEN_EXISTING)
  Open File: C:\WINDOWS\System32\ntdll.dll (OPEN_EXISTING)
  Set File Time: C:\Documents and Settings\Administrator\Application Data\ntos.exe
  Set File Attributes: C:\Documents and Settings\Administrator\Application Data\ntos.exe
    Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_READONLY,SECURITY_ANONYMOUS)

Mutexes:
  Creates Mutex: __SYSTEM__91C38905__
  Opens Mutex:   __SYSTEM__64AD0625__

Registry Changes:
  HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    "userinit" = C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\Application Data\ntos.exe,

Registry Reads:
  HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
    "userinit"
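The PE data above carries the usual marks of a packed loader: three randomly named sections, an entry point (0x4102BE) that falls inside .mnmxsx, whose flags E0000020 make it both writable and executable, a .ghuzef section that is mapped at 0x12000 bytes but occupies only 0x1400 on disk (where the unpacked payload will be written), and an import table of just three functions. The Python below is an added illustration, not part of the original report: it parses a PE32 file header, the optional-header fields it needs and the section table, then applies those heuristics. Its input is a constructed image that reproduces ldr.exe's header values and section table with zero-filled section bodies (it is not the sample itself), and the import count is taken from the report's import table rather than walked from the import directory.

```python
"""Static triage of the PE header values in the report above.
Added example (not from the original report): the sample is a constructed PE32
image with ldr.exe's header fields and section table but zero-filled bodies."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Names mainstream linkers emit; packers usually use random names instead.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".debug"}
# Import table as listed in the report; the import directory is not walked here.
REPORTED_IMPORTS = {"user32.dll": ["CharLowerBuffA", "GetDlgItemTextW"],
                    "kernel32.dll": ["SetFilePointer"]}


def build_sample_pe() -> bytes:
    """Constructed stand-in for ldr.exe (header layout only, not the malware)."""
    sections = [(b".retgn", 0xE1B7, 0x1000, 0x9000, 0x400, 0x40000040),
                (b".mnmxsx", 0x1348, 0x10000, 0x600, 0x9400, 0xE0000020),
                (b".ghuzef", 0x12000, 0x12000, 0x1400, 0x9A00, 0x40000040)]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x45B6CC16, 0, 0, 0xE0, 0x0102)
    # Magic, linker major/minor, SizeOfCode, SizeOfInit, SizeOfUninit, AddressOfEntryPoint,
    # BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment; rest zero-padded.
    opt = struct.pack("<HBB" + "I" * 9, 0x10B, 0x63, 0x2D, 0x9000, 0, 0,
                      0x102BE, 0x10000, 0x1000, 0x400000, 0x1000, 0x200).ljust(0xE0, b"\0")
    sec_tbl = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, ra, 0, 0, 0, 0, fl)
                       for n, vs, va, rs, ra, fl in sections)
    return (dos + b"PE\0\0" + file_hdr + opt + sec_tbl).ljust(0xAE00, b"\0")  # 44544 bytes


def parse_pe(data: bytes) -> dict:
    """Parse the file header, the optional-header fields we need and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsec):
        name, vs, va, rs, ra, _, _, _, _, fl = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vs, "vaddr": va, "rsize": rs, "raddr": ra, "flags": fl})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def compile_time(pe: dict) -> str:
    """Render TimeDateStamp the way the report does (UTC)."""
    return datetime.fromtimestamp(pe["timestamp"], tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def triage(pe: dict, import_count: int) -> list:
    """Packer heuristics; returns one string per finding (empty list = nothing odd)."""
    findings = []
    secs = pe["sections"]
    odd = [s["name"] for s in secs if s["name"] not in STANDARD_SECTIONS]
    if odd:
        findings.append("non-standard section names: " + ", ".join(odd))
    ep = pe["entry_rva"]
    va = pe["image_base"] + ep
    home = next((s for s in secs if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"])), None)
    if home is None:
        findings.append("entry point 0x%X lies outside every section" % va)
    else:
        wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
        if (home["flags"] & wx) == wx:
            findings.append("entry point 0x%X is in writable+executable section %s" % (va, home["name"]))
        if not (home["flags"] & IMAGE_SCN_CNT_CODE):
            findings.append("entry point section %s is not flagged as code" % home["name"])
    for s in secs:  # much larger in memory than on disk: where unpacked code will land
        if s["rsize"] and s["vsize"] > 4 * s["rsize"]:
            findings.append("%s: virtual size 0x%X is %.0fx its raw size 0x%X"
                            % (s["name"], s["vsize"], s["vsize"] / s["rsize"], s["rsize"]))
    if import_count < 5:
        findings.append("only %d imported functions; the real imports are likely resolved at runtime"
                        % import_count)
    return findings


def triage_sample() -> list:
    """Run the heuristics over the constructed ldr.exe header with the report's import count."""
    pe = parse_pe(build_sample_pe())
    return triage(pe, sum(len(v) for v in REPORTED_IMPORTS.values()))


if __name__ == "__main__":
    print("compiled:", compile_time(parse_pe(build_sample_pe())))
    for f in triage_sample():
        print("-", f)
```

Against the constructed header this reports all four anomalies listed above; on a real file, feed `open(path, "rb").read()` to `parse_pe` and count the imports with a full PE parser, since a packer's tiny import table is itself one of the signals.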
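The Registry Changes entry is the persistence mechanism: the dropped copy in Application Data\ntos.exe is appended to the Winlogon Userinit value, so winlogon launches it at every interactive logon before the shell. The check below is an added example, not code from the original report: it splits a Userinit value into its entries and flags every one that is not the expected userinit.exe, adding a note when the entry lives under a user-writable profile directory. OBSERVED is the value recorded in the report; CLEAN and the other paths used in testing are constructed.

```python
"""Check a Winlogon Userinit value for injected entries, illustrating the
persistence mechanism in the Registry Changes section above.
Added example (not from the original report)."""
from __future__ import annotations
import ntpath

# OBSERVED was recorded by the sandbox after ldr.exe ran (copied from the report);
# CLEAN is a constructed default value for comparison.
OBSERVED = r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Administrator\Application Data\ntos.exe,"
CLEAN = r"C:\WINDOWS\system32\userinit.exe,"

# Lower-case, backslash-delimited fragments of user-writable locations where a
# Winlogon component has no business living.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\local settings\\", "\\temp\\")


def parse_userinit(value: str) -> list[str]:
    """Split the comma-separated value into paths. The default value itself ends
    with a comma, so empty elements are dropped; surrounding quotes are stripped."""
    return [p.strip().strip('"') for p in value.split(",") if p.strip()]


def check_userinit(value: str, system_root: str = r"C:\WINDOWS") -> list[dict]:
    """Return one finding per entry other than the expected userinit.exe.
    Comparison is case-insensitive and tolerant of forward slashes."""
    expected = ntpath.normpath(ntpath.join(system_root, "system32", "userinit.exe")).lower()
    findings = []
    for entry in parse_userinit(value):
        norm = ntpath.normpath(entry).lower()
        if norm == expected:
            continue
        reasons = ["not the expected userinit.exe"]
        if any(m in norm + "\\" for m in USER_WRITABLE):
            reasons.append("located under a user-writable profile directory")
        findings.append({"path": entry, "reasons": reasons})
    return findings


def read_live_userinit() -> str:
    """Read the live value on a Windows host (the winreg module exists only there)."""
    import winreg
    key = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
        return winreg.QueryValueEx(k, "Userinit")[0]


if __name__ == "__main__":
    for f in check_userinit(OBSERVED):
        print(f["path"], "->", "; ".join(f["reasons"]))
```

On a suspect host, pass `read_live_userinit()` to `check_userinit`; the same split-and-compare logic applies to the Shell value in the same key, which is the other Winlogon value that is commonly hijacked.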