File Name: windowsupdate.exe

VirusTotal Result: 16/32 (50%)

AntiVir 7.6.0.85 2008.04.13 TR/Crypt.XPACK.Gen
Avast 4.8.1169.0 2008.04.14 Win32:Crypt-AWG
AVG 7.5.0.516 2008.04.13 Generic10.BRU
BitDefender 7.2 2008.04.14 MemScan:Backdoor.IRCBot.ABVI
CAT-QuickHeal 9.50 2008.04.12 TrojanDownloader.Agent.gen
DrWeb 4.44.0.09170 2008.04.14 BackDoor.IRC.Sdbot.2602
eSafe 7.0.15.0 2008.04.09 Suspicious File
F-Secure 6.70.13260.0 2008.04.14 W32/Malware
Kaspersky 7.0.0.125 2008.04.14 Backdoor.Win32.Rbot.jum
NOD32v2 3022 2008.04.14 Win32/IRCBot.AEO
Norman 5.80.02 2008.04.12 W32/Malware
Panda 9.0.0.4 2008.04.13 Suspicious file
Prevx1 V2 2008.04.14 Heuristic: Suspicious File With Outbound Communications
Sophos 4.28.0 2008.04.14 Sus/UnkPacker
VBA32 3.12.6.4 2008.04.13 Backdoor.Win32.Rbot.pfd
Webwasher-Gateway 6.6.2 2008.04.13 Trojan.Crypt.XPACK.Gen

File Info:
File size: 64833 bytes
MD5...: 1065d290ff7857db1eaec0c82d52bbe0
SHA1..: d0a1a2c667d291745ddf82dd8130f317ce475f7f
SHA256: 08be165d21260f284373547c21746ae8062c1034ee0acc448fba343c255977c0
SHA512: ae2b2337b675269b56a160ce41252ba7c8c7751ba16eb9f91ee67330e912bb2bf9e88cafa2a2e104adc393e4904d5016c5563d98604d25578a90c8d8514f9b05

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0002
Time/Date stamp: 47BDBB97
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 030F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00028941
Size of initialized data: 00058400
Size of uninitialized data: 00000000
Address of entry point: 00073000
Base of code: 00001000
Base of data: 0001A000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00089000
Size of headers: 00000200
Checksum: 0001417E
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Structure:
Entry Point Address.: 0x473000
Time Date Stamp.....: 0x47bdbb97 (Thu Feb 21 17:57:43 2008)
Machine Type........: 0x14c (I386)

PE Section:
name     viradd   virsiz   rawdsiz  ntrpy  md5
.XPack0  0x1000   0x72000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
.XPack   0x73000  0x15b41  0xfb41   7.99   8963f2184ad233087d6e1d05ee3cc8a8

Import table (libraries: 1)
KERNEL32.DLL (imports: 3)
GetProcAddress
LoadLibraryA
VirtualProtect

Process Details:
Process ID 868
Filename C:\windowsupdate.exe
Filesize 64833 bytes
MD5 1065d290ff7857db1eaec0c82d52bbe0
Start Reason AnalysisTarget

New Files Created:
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\system32\windowsupdate.exe

Opened Files:
\\.\Ip
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\windowsupdate.exe
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32\windowsupdate.exe

Sequence of File System Activity:
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\windowsupdate.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\windowsupdate.exe to C:\WINDOWS\system32\windowsupdate.exe
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\windowsupdate.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\windowsupdate.exe
Set File Attributes: C:\WINDOWS\system32\windowsupdate.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\windowsupdate.exe ()
Find File: windowsupdate.exe

Mutexes:
Creates Mutex: dkdj

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Process Management:
Creates Process - Filename (C:\WINDOWS\system32\windowsupdate.exe) CommandLine: (C:\WINDOWS\system32\windowsupdate.exe 1592 "C:\windowsupdate.exe") As User: () Creation Flags: (DETACHED_PROCESS)
Kill Process - Filename () CommandLine: () Target PID: (868) As User: () Creation Flags: ()

Process Started:
Process ID 1080
Filename C:\WINDOWS\system32\windowsupdate.exe 1592 C:\windowsupdate.exe
Filesize 64833 bytes
MD5 1065d290ff7857db1eaec0c82d52bbe0
Start Reason CreateProcess

New Files Created:
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd

Opened Files:
\\.\Ip
\\.\PIPE\ROUTER
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\PIPE\SfcApi
C:\WINDOWS\system32\drivers\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys
C:\WINDOWS\system32\drivers\tcpip.sys

Deleted Files:
C:\windowsupdate.exe

Sequence of File System Activity:
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Delete File: C:\windowsupdate.exe
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\Sandbox\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\SfcApi (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\system32\drivers\tcpip.sys Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\drivers\tcpip.sys (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drivers\tcpip.sys (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drivers\tcpip.sys (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\drivers\tcpip.sys

Mutexes:
Creates Mutex: dkdj
Creates Mutex: RasPbFile

Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe
HKEY_CURRENT_USER\Software\Microsoft\OLE "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\windowsupdate.exe" = C:\WINDOWS\system32\windowsupdate.exe:*:Enabled:windowsupdate

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

Network Activity:
DNS Lookup: iams.wearabz.net (66.252.13.215)
* C&C Server: 66.252.13.215:21321
* Server Password:
* Username:
* Nickname:
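The static section of the report (two sections named .XPack0 and .XPack, the first with no bytes on disk and the second at entropy 7.99 holding the entry point, and an import table reduced to GetProcAddress, LoadLibraryA and VirtualProtect) is the classic signature of a runtime packer, which is why Sophos reports Sus/UnkPacker. The following is an added example, not the sandbox's or the analyst's code: it rebuilds a header-only PE32 image with the section layout and entry point the report lists, parses it back with a from-scratch PE reader, and runs the packer heuristics a triage script would apply to the real file. The bytes standing in for the .XPack contents are a constructed SHA-256 stream, and the section characteristics flags are assumed, since the report does not show them.

```python
"""Packer triage for a PE32 image from its header, section table and imports.

Added example, not the sandbox's code. The image is rebuilt from the report's
values; the packed bytes are a deterministic SHA-256 stream (constructed).
"""
import hashlib
import math
import struct

PE32_MAGIC = 0x010B
COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".bss", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, near 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, image, fh)
    opt = fh + 20
    if struct.unpack_from("<H", image, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, *_ = struct.unpack_from(SECTION_FMT, image, opt + opt_size + 40 * i)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(raw)})
    return {"machine": machine, "timestamp": stamp, "entry_rva": entry_rva, "sections": sections}


def packer_indicators(pe: dict, imports: list) -> list:
    """Heuristics that fire for this image; an empty list means nothing looked packed."""
    hits, secs, ep = [], pe["sections"], pe["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        hits.append("entry point lies outside every section")
    else:
        if len(secs) > 1 and ep_sec is secs[-1]:
            hits.append(f"entry point in last section {ep_sec['name']} (unpacking stub)")
        if ep_sec["entropy"] > 7.0:
            hits.append(f"entry section {ep_sec['name']} entropy {ep_sec['entropy']:.2f} (compressed/encrypted)")
    for s in secs:
        if s["rawsize"] == 0 and s["vsize"] >= 0x10000:
            hits.append(f"section {s['name']} has no raw data but {s['vsize']:#x} virtual bytes (unpack target)")
        if s["name"] not in STANDARD_SECTIONS:
            hits.append(f"non-standard section name {s['name']}")
    if len(imports) <= 4 and {"GetProcAddress", "LoadLibraryA"} <= set(imports):
        hits.append("import table reduced to loader stubs: " + ", ".join(imports))
    return hits


def packed_stand_in(n: int, seed: bytes = b"windowsupdate.exe") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) in place of the real packed code."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_pe(packed: bytes) -> bytes:
    """Header-only PE32 with the report's layout: entry 0x73000 in .XPack, .XPack0 empty on disk."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack(COFF_FMT, 0x14C, 2, 0x47BDBB97, 0, 0, 0xE0, 0x030F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x73000)                      # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    raw_ptr = 0x200                                               # Size of headers in the report
    # Section flags below are assumed (the report does not list them).
    sec0 = struct.pack(SECTION_FMT, b".XPack0", 0x72000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack(SECTION_FMT, b".XPack", 0x15B41, 0x73000, len(packed), raw_ptr, 0, 0, 0, 0, 0xE0000040)
    header = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec0 + sec1
    return header.ljust(raw_ptr, b"\0") + packed


def triage_report_sample() -> list:
    """Run the heuristics against the reconstructed windowsupdate.exe layout."""
    image = build_sample_pe(packed_stand_in(0xFB41))
    return packer_indicators(parse_pe(image), ["GetProcAddress", "LoadLibraryA", "VirtualProtect"])


if __name__ == "__main__":
    for hit in triage_report_sample():
        print("-", hit)
```

On the real file the same checks run unchanged against the bytes read from disk; the only difference is that parse_pe sees the genuine .XPack contents rather than the constructed filler. The zero-raw-size section with a large virtual size is the one to watch at runtime: it is the region the stub decompresses into before jumping to the original entry point, so a memory dump taken after VirtualProtect has been called on it is where the unpacked bot lives.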
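The Registry Changes of the second process are the part of the report an incident responder reuses: the copy in system32 is registered under two autostart keys (Run, and the Win9x-era RunServices, which NT-based Windows ignores but which bots of this family still write), an executable path is stored under HKCU\Software\Microsoft\OLE where no autostart value belongs, and the same binary is added to the Windows Firewall AuthorizedApplications list with scope * and state Enabled, so the IRC connection to port 21321 is never prompted for. The following is an added example, not part of the report: it parses entries in the report's own KEY "Value" = Data form, classifies each as an autostart entry, a firewall exception or an executable path in an unexpected key, and correlates the persisted binary with the firewall whitelist. The input is the report's four lines re-typed as a constant; the list of autostart key suffixes is the author's own and is not exhaustive.

```python
"""Persistence and firewall-exception triage over the sandbox's Registry Changes.

Added example, not the sandbox's code. REGISTRY_CHANGES is the report's own
four entries for PID 1080, re-typed here as the constructed input.
"""
import re

REGISTRY_CHANGES = [
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe',
    r'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe',
    r'HKEY_CURRENT_USER\Software\Microsoft\OLE "windowsupdate" = C:\WINDOWS\system32\windowsupdate.exe',
    r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\system32\windowsupdate.exe" = C:\WINDOWS\system32\windowsupdate.exe:*:Enabled:windowsupdate',
]

# Autostart (ASEP) key suffixes this example knows about (author's list, not exhaustive).
ASEP_SUFFIXES = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows\currentversion\runservices",
    r"\microsoft\windows\currentversion\runservicesonce",
    r"\microsoft\windows nt\currentversion\winlogon",
)
WIN9X_ONLY = ("runservices", "runservicesonce")   # honoured by Windows 9x/ME only

# The report prints each change as:  KEY "ValueName" = Data
LINE_RE = re.compile(r'^(?P<key>HKEY_[A-Z_]+\\\S+) "(?P<name>[^"]*)" = (?P<data>.*)$')


def parse_change(line: str) -> tuple:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised registry change line: {line!r}")
    return m.group("key"), m.group("name"), m.group("data")


def _exe_path(data: str):
    """Lower-cased path if the value data is (or starts with) a quoted or bare path to an .exe."""
    m = re.match(r'^"?([A-Za-z]:\\[^"]+?\.exe)"?(?:\s|$)', data)
    return m.group(1).lower() if m else None


def classify(key: str, name: str, data: str) -> dict:
    """Tag one registry write as autostart, firewall-exception, unexpected-exe-path or other."""
    k = key.lower()
    entry = {"key": key, "name": name, "data": data}
    if "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
        # XP SP2 firewall list data: <path>:<scope>:<Enabled|Disabled>:<display name>
        path, scope, state, label = data.rsplit(":", 3)
        entry.update(kind="firewall-exception", path=path.lower(), scope=scope,
                     enabled=(state.lower() == "enabled"), label=label,
                     profile=k.split("\\firewallpolicy\\")[1].split("\\")[0])
    elif any(k.endswith(s) for s in ASEP_SUFFIXES):
        entry.update(kind="autostart", path=_exe_path(data),
                     legacy=k.rsplit("\\", 1)[1] in WIN9X_ONLY)
    elif _exe_path(data):
        entry.update(kind="unexpected-exe-path", path=_exe_path(data))
    else:
        entry.update(kind="other")
    return entry


def triage(lines: list) -> dict:
    """Group the classified writes and correlate persisted binaries with firewall exceptions."""
    entries = [classify(*parse_change(line)) for line in lines]
    autostart = [e for e in entries if e["kind"] == "autostart"]
    firewall = [e for e in entries if e["kind"] == "firewall-exception"]
    unexpected = [e for e in entries if e["kind"] == "unexpected-exe-path"]
    persisted = {e["path"] for e in autostart if e["path"]}
    whitelisted = {e["path"] for e in firewall if e["enabled"] and e["scope"] == "*"}
    return {"autostart": autostart, "firewall": firewall, "unexpected": unexpected,
            "persisted_and_whitelisted": sorted(persisted & whitelisted)}


if __name__ == "__main__":
    result = triage(REGISTRY_CHANGES)
    for e in result["autostart"]:
        print(f"autostart{' (Win9x-only key)' if e['legacy'] else ''}: {e['key']} -> {e['path']}")
    for e in result["firewall"]:
        print(f"firewall exception [{e['profile']}] scope={e['scope']} enabled={e['enabled']}: {e['path']}")
    for e in result["unexpected"]:
        print(f"exe path in non-autostart key: {e['key']} -> {e['path']}")
    for p in result["persisted_and_whitelisted"]:
        print(f"persisted binary whitelisted through the firewall: {p}")
```

The correlation at the end is the useful signal: a freshly written autostart entry whose binary is simultaneously added to the firewall exception list with scope * is far more specific than either write alone, and the same two checks can be run on a live system by reading the Run and FirewallPolicy keys instead of the report lines. The HKCU\Software\Microsoft\OLE value shows why the parser does not limit itself to known ASEP keys: an executable path written under an unrelated key is either an infection marker or a persistence location the list does not yet know about, and both deserve a look.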