Download Link: hxxp://hopelessromantic.com/set/sdm_videos.exe
File Name: sdm_videos.exe
File size: 126254 bytes
MD5:    5bf0bc2665a0bbf2d4025c30200991b3
SHA1:   4e1b64494a3856bd30bd826dbaa0ec0feb798681
SHA256: 78c3ccd61724169d7f6c8f75a353140825fb8c928ebff4a07a613cf24670a54c
SHA512: 978c4bd3da44fcddf4c54baea930458ba756370a2d165213fdc85444ffab881a83fc26e823aff43d0e29ece1f24efff723a5e8c6eb6eb9becbe45aa916b44a66

VirusTotal Result: 16/31 (51.62%)
Engine             Version        Last update  Result
AntiVir            7.6.0.81       2008.04.05   DR/StartPage.aum
Avast              4.7.1098.0     2008.04.06   Win32:Trojan-gen {Other}
AVG                7.5.0.516      2008.04.06   Startpage.CCK
BitDefender        7.2            2008.04.06   Trojan.StartPage.AUM
DrWeb              4.44.0.09170   2008.04.06   Trojan.StartPage.20556
eSafe              7.0.15.0       2008.04.01   Win32.StartPage.aum
Ewido              4.0            2008.04.06   Hijacker.StartPage.aum
Fortinet           3.14.0.0       2008.04.06   W32/StartPage.AUM!tr
Ikarus             T3.1.1.20      2008.04.06   Trojan.Win32.StartPage.aum
Kaspersky          7.0.0.125      2008.04.06   Trojan.Win32.StartPage.aum
NOD32v2            3005           2008.04.06   Win32/StartPage.NHT
Prevx1             V2             2008.04.06   Trojan.Zlob
Sophos             4.28.0         2008.04.06   Mal/Generic-A
Symantec           10             2008.04.06   Trojan.Zlob
VBA32              3.12.6.4       2008.04.06   Trojan.Win32.StartPage.aum
Webwasher-Gateway  6.6.2          2008.04.05   Trojan.Dropper.StartPage.aum

File Info: PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 3FEDD615
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005E00
Size of initialized data: 0001D600
Size of uninitialized data: 00008000
Address of entry point: 0000409B
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00031000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CCA  00001000  00005E00  00000400  60000020
.rdata   000011B8  00007000  00001200  00006200  40000040
.data    0001B08C  00009000  00000400  00007400  C0000040
.ndata   00008000  00025000  00000000  00000000  C0000080
.rsrc    00004000  0002D000  00004000  00007800  40000040

Note: the uninitialized .ndata section, the ns*.tmp plug-in directory (nsfA.tmp\registry.dll) and the Uninst.exe dropped under Program Files are all typical of an NSIS-built installer, which matches the installer-style import set below (registry, file-copy, SHBrowseForFolder and uninstall-key APIs).

Import table (libraries: 8)
COMCTL32.dll (imports: 4): ImageList_Create #17 ImageList_AddMasked ImageList_Destroy
KERNEL32.dll (imports: 66): GetExitCodeProcess WaitForSingleObject ExpandEnvironmentStringsA GetEnvironmentVariableA lstrcmpiA FindNextFileA DeleteFileA FindFirstFileA SetFileTime GetFileAttributesA CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA lstrcatA SetCurrentDirectoryA CreateDirectoryA SetFileAttributesA CreateFileA GetFileSize GetModuleFileNameA GetTickCount CopyFileA SetErrorMode lstrcpynA GetCommandLineA GetWindowsDirectoryA GetTempPathA GetUserDefaultLangID GetDiskFreeSpaceA GetVersion GlobalUnlock GlobalLock GlobalAlloc CreateProcessA RemoveDirectoryA GetTempFileNameA SetEndOfFile UnmapViewOfFile MapViewOfFile CreateFileMappingA lstrcpyA lstrlenA GetSystemDirectoryA EnterCriticalSection Sleep LeaveCriticalSection InitializeCriticalSection CloseHandle GlobalFree GetModuleHandleA LoadLibraryA CreateThread GetProcAddress FreeLibrary MultiByteToWideChar GetCurrentProcess WritePrivateProfileStringA GetPrivateProfileStringA WriteFile ReadFile SetFilePointer FindClose MulDiv ExitProcess
USER32.dll (imports: 60): CreateDialogParamA DialogBoxParamA GetClassInfoA CreateWindowExA SystemParametersInfoA RegisterClassA EndDialog SetFocus ScreenToClient GetWindowRect GetWindowLongA SetClassLongA IsWindowEnabled SetWindowPos LoadCursorA SetCursor GetDlgItemTextA MapWindowPoints GetMessagePos LoadBitmapA CallWindowProcA CloseClipboard SetClipboardData EmptyClipboard OpenClipboard TrackPopupMenu AppendMenuA CreatePopupMenu GetSystemMetrics SetDlgItemTextA MessageBoxA CharPrevA DestroyWindow SetTimer SetForegroundWindow ShowWindow CharNextA wsprintfA SendMessageTimeoutA FindWindowExA IsWindow GetDlgItem GetSysColor SetWindowLongA LoadImageA GetDC EnableWindow PeekMessageA DispatchMessageA ExitWindowsEx PostQuitMessage SendMessageA DefWindowProcA BeginPaint GetClientRect FillRect GetWindowTextA DrawTextA EndPaint InvalidateRect
GDI32.dll (imports: 10): SetBkColor GetDeviceCaps CreateFontIndirectA DeleteObject CreateSolidBrush CreateFontA SetBkMode SetTextColor CreateBrushIndirect SelectObject
ADVAPI32.dll (imports: 9): RegEnumValueA RegEnumKeyA RegQueryValueExA RegSetValueExA RegDeleteKeyA RegOpenKeyExA RegDeleteValueA RegCreateKeyA RegCloseKey
SHELL32.dll (imports: 6): ShellExecuteA SHBrowseForFolderA SHGetPathFromIDListA SHGetMalloc SHGetSpecialFolderLocation SHFileOperationA
ole32.dll (imports: 3): OleInitialize OleUninitialize CoCreateInstance
VERSION.dll (imports: 3): GetFileVersionInfoSizeA GetFileVersionInfoA VerQueryValueA

Behaviour on execution
On execution the sample installs itself and opens Internet Explorer at the following URL:
hxxp://www.awesomehomepage.com/done.php?list=startdigitalmedia

Sets the Internet Explorer start page to:
hxxp://start-digital-media.com

Drops the cookie administrator@awesomehomepage[2].txt with the following content:
-------- homepage_installed1awesomehomepage.com/1536358566131229928928231709099229923473*homepage_installedListstartdigitalmedia.exeawesomehomepage.com/1536358566131229928928231759099229923473*

Changes the Mozilla Firefox start page by editing \Application Data\Mozilla\Firefox\Profiles\g2hs00s6.default\prefs.js:
user_pref("browser.startup.homepage", "hxxp://start-digital-media.com");
user_pref("browser.startup.page", 1);

Files Added (path, size, attributes, timestamp):
C:\Documents and Settings\Administrator\Cookies\administrator@awesomehomepage[2].txt  1KB  A  4/7/2008 3:16:03 PM
C:\Documents and Settings\Administrator\Local Settings\Temp\nsfA.tmp\registry.dll  18KB  A  4/7/2008 3:15:59 PM
C:\Documents and Settings\Administrator\Local Settings\Temp\Perflib_Perfdata_5bc.dat  17KB  A  4/7/2008 3:15:36 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\conversion[1].htm  1KB  A  4/7/2008 3:16:04 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\done[1].htm  1KB  A  4/7/2008 3:16:03 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX\conversion[1].htm  1KB  A  4/7/2008 3:16:04 PM
C:\Program Files\laughnetwork  1KB  D  1/1/1601 5:30:00 AM
C:\Program Files\laughnetwork\Uninst.exe  57KB  A  4/7/2008 3:15:59 PM
C:\Program Files\laughnetwork\update.exe  64KB  A  11/9/2007 12:12:07 AM

Modified Files (path, size before -> after, attributes before -> after, timestamp before -> after):
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g2hs00s6.default\prefs.js  3KB -> 3KB  A -> A  4/7/2008 3:13:23 PM -> 4/7/2008 3:15:59 PM
C:\Documents and Settings\Administrator\Cookies\index.dat  33KB -> 33KB  A -> A  4/7/2008 3:05:57 PM -> 4/7/2008 3:16:00 PM
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat  66KB -> 66KB  A -> A  4/7/2008 3:05:57 PM -> 4/7/2008 3:16:00 PM
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008040720080408\index.dat  33KB -> 33KB  A -> A  4/6/2008 7:53:11 PM -> 4/7/2008 3:16:01 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat  66KB -> 66KB  A -> A  4/7/2008 3:05:57 PM -> 4/7/2008 3:16:00 PM

Registry Keys Added (key, value name, data):
HKEY_CURRENT_USER\Software\laughnetwork
HKEY_CURRENT_USER\Software\laughnetwork  @ = "C:\Program Files\laughnetwork"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings  PrivDiscUiShown = dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\laughnetwork
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\laughnetwork  DisplayName = "laughnetwork (remove only) "
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\laughnetwork  UninstallString = ""C:\Program Files\laughnetwork\uninst.exe""
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\laughnetwork
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\laughnetwork  @ = "C:\Program Files\laughnetwork"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings  PrivDiscUiShown = dword:00000001

AutoRun Entry Added (the same Run value seen under the user's HKEY_USERS SID and under HKEY_CURRENT_USER):
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Run  Videos = ""C:\Program Files\laughnetwork\update.exe" /background"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run  Videos = ""C:\Program Files\laughnetwork\update.exe" /background"

Registry Keys Modified (key, value name, old data -> new data):
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main  Start Page = "about:blank" -> "http://start-digital-media.com"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon  @ = hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,33,32,00, -> hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,68,65,6c,6c,33,32,2e,64,6c,6c,2c,33,31,00,
(The two REG_EXPAND_SZ values decode to %SystemRoot%\System32\shell32.dll,32 and %SystemRoot%\System32\shell32.dll,31. The CLSID is the Recycle Bin, and shell32.dll icon indices 32 and 31 are its full and empty icons, so this entry records a Recycle Bin state change rather than a browser setting.)