Download Link: hxxp://downloadb.mikebox.com/ocx/setup/MikeAccelerator.exe
File Name: MikeAccelerator.exe
File size: 679007 bytes
MD5: 254c8c1924de237aabd3e715d40f26cf
SHA1: 2426aa3654c71237b267818b79cf62d021e89e51
PEiD: -
packers: ASPack
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8B98308C5FFC6C075CD20AF5DAD5DE0088E6AB73

VirusTotal Result: 4/32 (12.5%)
AntiVir: ADSPY/Cdnup
Ikarus: Worm.Win32.Delf.bg
Prevx1: Heuristic: Suspicious Self Modifying File
Webwasher-Gateway: Ad-Spyware.Cdnup

Analysis Report: http://malwareinfo.freeforums.org/downloadb-mikebox-com-ocx-setup-mikeaccelerator-exe-t38.html

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00009000
Size of initialized data: 00004200
Size of uninitialized data: 00000000
Address of entry point: 000098D8
Base of code: 00001000
Base of data: 0000A000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0001
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00013000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 8000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CODE     00008FFC  00001000  00009000  00000400  60000020
DATA     00000248  0000A000  00000400  00009400  C0000040
BSS      00000E34  0000B000  00000000  00009800  C0000000
.idata   00000950  0000C000  00000A00  00009800  C0000040
.tls     00000008  0000D000  00000000  0000A200  C0000000
.rdata   00000018  0000E000  00000200  0000A200  50000040
.reloc   000008A0  0000F000  00000000  0000A400  50000040
.rsrc    00002400  00010000  00002400  0000A400  50000040

Import table (libraries: 8):
kernel32.dll (imports: 28): DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
user32.dll (imports: 1): MessageBoxA
oleaut32.dll (imports: 5): VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
advapi32.dll (imports: 5): RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
kernel32.dll (imports: 43): WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, GetACP, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
user32.dll (imports: 12): TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
comctl32.dll (imports: 1): InitCommonControls
advapi32.dll (imports: 1): AdjustTokenPrivileges

VERSIONINFO:
FILEVERSION 2,0,0,0
PRODUCTVERSION 0,0,0,0
FILEOS 0x4
FILETYPE 0x1
{
  BLOCK "StringFileInfo"
  {
    BLOCK "080403a8"
    {
      VALUE "Comments", "?????? Inno Setup ??: hxxp://www.innosetup.com,??: ???·?"
      VALUE "CompanyName", "???? "
      VALUE "FileDescription", "????????? ?? "
      VALUE "FileVersion", "2.0.0.0 "
      VALUE "LegalCopyright", " "
    }
  }
  BLOCK "VarFileInfo"
  {
    VALUE "Translation", 0x0804 0x03A8
  }
}

Executable Modules:
Base      Size      Entry     Name      File version       Path
00400000  00013000  004098D8  MikeAcce  2.0.0.0            E:\Infected\MikeAccelerator.exe
77120000  0008C000  77121558  oleaut32  5.1.2600.2180      C:\WINDOWS\system32\oleaut32.dll
773D0000  00102000  773D42B3  comctl32  6.0 (xpsp_sp2_rt   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
774E0000  0013C000  774F20C1  ole32     5.1.2600.2180 (x   C:\WINDOWS\system32\ole32.dll
77C10000  00058000  77C1F2A1  msvcrt    7.0.2600.2180 (x   C:\WINDOWS\system32\msvcrt.dll
77D40000  00090000  77D50EB9  user32    5.1.2600.2180 (x   C:\WINDOWS\system32\user32.dll
77DD0000  0009B000  77DD70D4  ADVAPI32  5.1.2600.2180 (x   C:\WINDOWS\system32\ADVAPI32.dll
77E70000  00091000  77E76284  RPCRT4    5.1.2600.2180 (x   C:\WINDOWS\system32\RPCRT4.dll
77F10000  00046000  77F163CA  GDI32     5.1.2600.2180 (x   C:\WINDOWS\system32\GDI32.dll
77F60000  00076000  77F651D3  SHLWAPI   6.00.2900.2180 (   C:\WINDOWS\system32\SHLWAPI.dll
7C800000  000F4000  7C80B436  kernel32  5.1.2600.2180 (x   C:\WINDOWS\system32\kernel32.dll
7C900000  000B0000  7C913156  ntdll     5.1.2600.2180 (x   C:\WINDOWS\system32\ntdll.dll

Process Info:
Process ID: 1052
Filename: C:\MikeAccelerator.exe
Filesize: 679007 bytes
MD5: 254c8c1924de237aabd3e715d40f26cf
Start Reason: AnalysisTarget

File System Activity:
Open File: C:\MikeAccelerator.exe (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp ()
Find File: is-AEIBR.tmp

Process Management:
Creates Process - Filename: () CommandLine: ("C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp" /SL4 $100F4 "C:\MikeAccelerator.exe" 445707 51200 ) As User: () Creation Flags: ()

Process Started:
Process ID: 1124
Filename: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp /SL4 $100F4 C:\MikeAccelerator.exe 445707 51200
Filesize: 660992 bytes
MD5: b648dcea8917936fb4eddbea705ac5b4
Start Reason: CreateProcess

File System Activity:
Open File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-I2HR1.tmp\is-AEIBR.tmp (OPEN_EXISTING)
Open File: C:\MikeAccelerator.exe (OPEN_EXISTING)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-DNTA9.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-DNTA9.tmp\_isetup\_RegDLL.tmp
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\is-DNTA9.tmp\_isetup\_shfoldr.dll

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "CommonFilesDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization"

System Info:
Get System Directory
Get Windows Directory
Get System Time