Download Link: hxxp://all.2088pm.com/sob2088y-9519.exe
File Name: sob2088y.exe

VirusTotal Result: 4/32 (12.50%)
BitDefender 7.2 2008.04.22 Trojan.Peed.Gen
ClamAV 0.92.1 2008.04.22 Trojan.Rbot.GEN-3
Sophos 4.28.0 2008.04.22 Mal/Dorf-D
Sunbelt 3.0.1056.0 2008.04.17 Trojan.Peed.Gen

File Info:
File size: 393060 bytes
MD5...: 0d36cb5ec055adacf2cdef1aae9e2f9a
SHA1..: 40e1075e34b6b0942efc18aee0bbf75d987b8526
SHA256: d0154878ea7722e634268cc8dbd8c3d62e785a26e83e19ff9e156b0607c23f5e
SHA512: 2fbf35d16dc4fc1f693f4fed3507f8e379d1dc0dc3a057c347e24e4edfbbf6a14aecc458763e44ea65db944dbd482c1eca8832f0a2225f5d40c46998e72e4ff3

***** PE Structure *************************************************
entry point address.: 0x4032d9
time date stamp.....: 0x446e0e8d (Fri May 19 18:29:33 2006)
machine type........: 0x14c (I386)

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 446E0E8D
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005C00
Size of initialized data: 0001DA00
Size of uninitialized data: 00000400
Address of entry point: 000032D9
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00033000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005A3A  00001000  00005C00  00000400  60000020
.rdata   000010F2  00007000  00001200  00006000  40000040
.data    0001B414  00009000  00000400  00007200  C0000040
.ndata   00009000  00025000  00000000  00000000  C0000080
.rsrc    00004110  0002E000  00004200  00007600  40000040

***** Import/Export table ******************************************
--- Import table (libraries: 8) ------------------------------------
> KERNEL32.dll: CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, lstrcmpiA, CopyFileA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetCurrentProcess
> USER32.dll: ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Process Details:
Process ID: 1544
Filename: C:\file.exe
Filesize: 393060 bytes
MD5: 0d36cb5ec055adacf2cdef1aae9e2f9a
Start Reason: AnalysisTarget

New Files Created:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-header.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\InstallOptions.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\InstallOptions.dll

Opened Files:
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
C:\file.exe

Deleted Files:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp

Chronological order:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp2.tmp
Get File Attributes: C:\file.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\file.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse4.tmp
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp
Delete File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp
Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-header.bmp Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-header.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-header.bmp
Set File Time: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-header.bmp
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\InstallOptions.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\InstallOptions.dll
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\InstallOptions.dll
Read INI File:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] Title =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] CancelButtonText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] NextButtonText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] BackButtonText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] NumFields =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] Rect =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] BackEnabled =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] CancelEnabled =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] CancelShow =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] RTL =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] TYPE =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] Flags =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] State =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] ListItems =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] TEXT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] ROOT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] ValidateText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] Filter =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] LEFT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] TOP =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] RIGHT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] BOTTOM =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] MinLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] MaxLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] TxtColor =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] TYPE =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] Flags =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] State =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] ListItems =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] TEXT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] ROOT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] ValidateText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] Filter =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] LEFT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] TOP =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] RIGHT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] BOTTOM =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] MinLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] MaxLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] TxtColor =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] TYPE =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] Flags =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] State =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] ListItems =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] TEXT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] ROOT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] ValidateText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] Filter =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] LEFT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] TOP =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] RIGHT =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] BOTTOM =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] MinLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] MaxLen =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] TxtColor =
Read INI File:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] RTL = 0
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] Text = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\modern-wizard.bmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] NumFields = 3
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] NextButtonText =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Settings] CancelEnabled =
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] Text = Вас приветствует мастер установки Собутыльник 2088
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] Bottom = 48
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] Top = 55
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] Bottom = 185
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] Text = Эта программа установит Собутыльник 2088 на ваш компьютер.\r\n\r\nПеред началом установки рекомендует
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 1] HWND = 65906
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 2] HWND = 65908
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsz6.tmp\ioSpecial.ini [Field 3] HWND = 65910

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"