Download Link: hxxp://arenda.cc/inst253.exe
File Name: inst253.exe
File size: 155648 bytes
MD5: 533edc69d1a58ce0187630d79f3600bf
SHA1: 060bf3c92691088160bd6e64c91111a6ec117930
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=2A182EC200307FD160CC026F5A213800E11080A8

AhnLab-V3: Win-Trojan/Pakes.155648.E
AntiVir: TR/Pakes.chf
AVG: SHeur.AWXD
BitDefender: Trojan.Srizbi.BN
CAT-QuickHeal: Trojan.Pakes.chf
ClamAV: Trojan.Pakes-1278
eSafe: Win32.Pakes.chf
F-Prot: W32/Trojan2.ACEG
F-Secure: Trojan.Win32.Pakes.chf
Ikarus: Trojan.Win32.Pakes.chf
Kaspersky: Trojan.Win32.Pakes.chf
NOD32v2: Win32/Srizbi.Gen
Norman: W32/Smalltroj.dam
Prevx1: Trojan.DoS.Win32.Opdos
Sophos: Mal/EncPk-CK
TheHacker: Trojan/Pakes.chf
VBA32: Trojan.Win32.Pakes.chf
Webwasher-Gateway: Trojan.Pakes.chf

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 47CDC18A
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0103
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 0002A000
Size of initialized data: 00002000
Size of uninitialized data: 00000000
Address of entry point: 000362B0
Base of code: 00001000
Base of data: 0002B000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0005B000
Size of headers: 00001000
Checksum: 000346C1
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0400
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Number of Objects = 0005 (dec), Imagebase = 00400000h
Object01: f>J/sJNp RVA: 00001000 Offset: 00001000 Size: 00000000 Flags: E0000020
Object02: nLH$gar2 RVA: 0002B000 Offset: 00001000 Size: 00000000 Flags: C0000040
Object03: $_(,j6]a RVA: 0002C000 Offset: 00001000 Size: 00000000 Flags: C0000040
Object04: 'okURA@b RVA: 0002D000 Offset: 00001000 Size: 00000000 Flags: E0000060
Object05: cqG[k6vD RVA: 00036000 Offset: 00001000 Size: 00025000 Flags: E2000020

Import table (libraries: 3)
KERNEL32.dll (imports: 11)
MultiByteToWideChar
GetModuleHandleA
FlushInstructionCache
VirtualProtect
GetTickCount
GetLastError
GetProcAddress
LoadLibraryA
Sleep
LocalFree
LocalAlloc
USER32.dll (imports: 1)
wsprintfA
KERNEL32.dll (imports: 1)
VirtualProtect

Process Activities:
Process ID 1416
Filename C:\inst253.exe
Filesize 155648 bytes
MD5 533edc69d1a58ce0187630d79f3600bf

COM:
Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

File system Activities:
Create File: C:\WINDOWS\system32\drivers\riode32.sys
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Documents and Settings\Sandbox\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat ()
Find File: _it.bat
Read INI File: C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] Owner =
Read INI File: C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
Read INI File: C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
Read INI File: C:\Documents and Settings\Sandbox\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
Read INI File: C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
Read INI File: C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$DLL"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE} "$Function"
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography "MachineGuid"
HKEY_USERS\S-1-5-21-1715567821-2139871995-725345543-1004\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing "State"
HKEY_USERS\S-1-5-21-1715567821-2139871995-725345543-1004\Software\Microsoft\Internet Explorer\Security "Safety Warning Level"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

Enums:
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllIsMyFileType2
HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\OID

Process Management:
Creates Process - Filename (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat) CommandLine: () As User: () Creation Flags: ()

Service Management:
Open Service Manager - Name: "SCM"
Create Service - Name: (riode32) Display Name: (riode32) File Name: (C:\WINDOWS\system32\drivers\riode32.sys) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (riode32) Display Name: () File Name: () Control: () Start Type: ()

System Info:
Get System Directory
Get Windows Directory
Get Computer Name

Process Started:
Process ID 1088
Filename C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat
Filesize 388608 bytes
MD5 eeb024f2c81f0d55936fb825d21a91d6
Start Reason CreateProcess function call

File System Activities:
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Get File Attributes: "C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat" Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\_it.bat (OPEN_EXISTING)
Get File Attributes: C:\inst253.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\inst253.exe
Delete File: C:\inst253.exe

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"