Download Link: hxxp://eroticscreensaver.org/ss.exe

File Name: ss.exe
File size: 868864 bytes
MD5...: 6c3d46f2150acbcd8cf3b56cee48182f
SHA1..: 49be31ca46a7859548559eaac84ab85abab1d566
SHA256: f048c29fbe3bedc22ee75535a0736ff1b5cc44b2d700a1f9af41f23b4886d1d5
SHA512: fee48bfbd0be25788a643660c90087cd6b2a1bcb1dd7c89dfe670d32410e738ebd744f6ddac5fb0891bc6c239abe398fba7618f867bcdbb5dcf19594b56fc7a6
packers: UPX
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=6c3d46f2150acbcd8cf3b56cee48182f
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=42CECD2600E4190042000D4D28C3FD00993748E1

VirusTotal Result: 27/32 (84.38%)
Engine              Version         Last update   Result
AntiVir             7.6.0.81        2008.04.04    TR/Spy.Agent.P.5
Avast               4.7.1098.0      2008.04.04    Win32:Trojan-gen {UPX}
AVG                 7.5.0.516       2008.04.04    PSW.Agent.NCW
BitDefender         7.2             2008.04.04    Trojan.Generic.58626
CAT-QuickHeal       9.50            2008.04.04    TrojanSpy.Agent.p
ClamAV              0.92.1          2008.04.04    Trojan.Dropper-1385
DrWeb               4.44.0.09170    2008.04.04    Trojan.DownLoader.37803
eSafe               7.0.15.0        2008.04.01    Win32.Agent.p
Ewido               4.0             2008.04.04    Logger.Agent.p
F-Prot              4.4.2.54        2008.04.04    W32/TrojanX.XUS
F-Secure            6.70.13260.0    2008.04.04    Trojan-Spy.Win32.Agent.p
FileAdvisor         1               2008.04.04    High threat detected
Fortinet            3.14.0.0        2008.04.04    Spy/Agent
Ikarus              T3.1.1.20       2008.04.04    Trojan-Spy.Win32.Agent.P
Kaspersky           7.0.0.125       2008.04.04    Trojan-Spy.Win32.Agent.p
McAfee              5267            2008.04.04    DNSChanger.is
NOD32v2             3003            2008.04.04    probably a variant of Win32/Spy.Agent
Norman              5.80.02         2008.04.04    Agent.BZSH
Panda               9.0.0.4         2008.04.04    Generic Trojan
Prevx1              V2              2008.04.04    Generic.Malware
Sophos              4.28.0          2008.04.04    Mal/Generic-A
Sunbelt             3.0.978.0       2008.03.18    Trojan-Spy.Win32.Agent.p
Symantec            10              2008.04.04    Infostealer
TheHacker           6.2.92.264      2008.04.04    Trojan/Spy.Agent.p
VBA32               3.12.6.3        2008.03.25    Trojan-Spy.Win32.Agent.p
VirusBuster         4.3.26:9        2008.04.04    TrojanSpy.Agent.KHT
Webwasher-Gateway   6.6.2           2008.04.04    Trojan.Spy.Agent.P.5

Analysis Report: http://malwareinfo.freeforums.org/eroticscreensaver-org-ss-exe-t41.html

PE Header (packed ss.exe)
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 000D1000
Size of initialized data: 00004000
Size of uninitialized data: 00044000
Address of entry point: 001152D0
Base of code: 00045000
Base of data: 00116000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0011A000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
UPX0      00044000   00001000   00000000   00000400   E0000080
UPX1      000D1000   00045000   000D0600   00000400   E0000040
.rsrc     00004000   00116000   00003800   000D0A00   C0000040

Import table (libraries: 9)
KERNEL32.DLL (imports: 3): LoadLibraryA, GetProcAddress, ExitProcess
advapi32.dll (imports: 1): RegCloseKey
comctl32.dll (imports: 1): ImageList_Add
gdi32.dll    (imports: 1): SaveDC
oleaut32.dll (imports: 1): VariantCopy
shell32.dll  (imports: 1): ShellExecuteA
user32.dll   (imports: 1): GetDC
version.dll  (imports: 1): VerQueryValueA
wininet.dll  (imports: 1): InternetOpenA

This is the classic UPX profile: UPX0 occupies 0x44000 bytes in memory but 0 bytes on disk (the unpack target), UPX1 holds the compressed image plus the decompression stub, the entry point (001152D0) sits near the end of UPX1 rather than in the first section, and the import table is reduced to LoadLibraryA/GetProcAddress plus one token import per DLL so the stub can rebuild the real imports at run time. The one-import-per-DLL list still leaks the libraries the real program needs (wininet, shell32, advapi32).

Unpacked with UPX:
        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   1097728 <-    868864   79.15%   win32/pe      ss_unpacked.exe
Unpacked 1 file.
PE Header (ss_unpacked.exe)
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00055A00
Size of initialized data: 000B6200
Size of uninitialized data: 00000000
Address of entry point: 00056870
Base of code: 00001000
Base of data: 00057000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00113000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
CODE      000558E4   00001000   00055A00   00000400   60000020
DATA      00001200   00057000   00001200   00055E00   C0000040
BSS       00000CE9   00059000   00000000   00057000   C0000000
.idata    00002270   0005A000   00002400   00057000   C0000040
.tls      00000010   0005D000   00000000   00059400   C0000000
.rdata    00000018   0005E000   00000200   00059400   50000040
.reloc    00006418   0005F000   00006600   00059600   50000040
.rsrc     000AC400   00066000   000AC400   0005FC00   50000040

After unpacking the entry point is back in the first section (CODE) and the only section with no bytes on disk is BSS, which is data, not code. The .rsrc section is 0xAC400 bytes, i.e. most of the 1 MB file is resources (the screensaver imagery), which is what the UPX pass was compressing.

Executable Modules (ss_unpacked.exe running)
Base       Size       Entry      Name       File version                      Path
00400000   00113000   00456870   ss_unpac                                     E:\Infected\ss_unpacked.exe
77120000   0008C000   77121558   oleaut32   5.1.2600.2180                     C:\WINDOWS\system32\oleaut32.dll
771B0000   000A6000   771B154D   wininet    6.00.2900.2180 (xpsp_sp2_rtm.04   C:\WINDOWS\system32\wininet.dll
773D0000   00102000   773D42B3   comctl32   6.0 (xpsp_sp2_rtm.040803-2158)    C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
774E0000   0013C000   774F20C1   ole32      5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\ole32.dll
77A80000   00094000   77A81642   CRYPT32    5.131.2600.2180 (xpsp_sp2_rtm.0   C:\WINDOWS\system32\CRYPT32.dll
77B20000   00012000   77B23399   MSASN1     5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\MSASN1.dll
77C00000   00008000   77C01135   version    5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\version.dll
77C10000   00058000   77C1F2A1   msvcrt     7.0.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\msvcrt.dll
77D40000   00090000   77D50EB9   USER32     5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\USER32.dll
77DD0000   0009B000   77DD70D4   advapi32   5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\advapi32.dll
77E70000   00091000   77E76284   RPCRT4     5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\RPCRT4.dll
77F10000   00046000   77F163CA   GDI32      5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\GDI32.dll
77F60000   00076000   77F651D3   SHLWAPI    6.00.2900.2180 (xpsp_sp2_rtm.04   C:\WINDOWS\system32\SHLWAPI.dll
7C800000   000F4000   7C80B436   kernel32   5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\kernel32.dll
7C900000   000B0000   7C913156   ntdll      5.1.2600.2180 (xpsp_sp2_rtm.040   C:\WINDOWS\system32\ntdll.dll
7C9C0000   00814000   7C9DFA10   shell32    6.00.2900.2180 (xpsp_sp2_rtm.04   C:\WINDOWS\system32\shell32.dll
(All system modules are the XP SP2 RTM builds, 2600.2180.)

When executed, it creates the following two files:
C:\EroticScreenSaver\addon.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\uincodec4441[1].exe

The second path is the WinInet URL cache (Content.IE5, with the [1] cache-name suffix), so uincodec4441[1].exe was downloaded over HTTP rather than carved out of ss.exe. That matches the wininet.dll import and the Trojan.DownLoader / Dropper names in the VirusTotal results above. The "codec" file name and the DNSChanger and Zlob detections on addon.exe below are the usual fake-codec family pairing.

File Name: addon.exe
File size: 60416 bytes
MD5...: b60d560831797e030fe320deebd8166b
SHA1..: 739ed95be59bafc6c014e6d9643712b14574bae5
SHA256: 6a96d184d296571216a59b70189083cd4e5f5e6c0a90069709d0a66d2056888e
SHA512: d3fd623f9de568be5f72b67c1bb515627727b68b5640ef38913c3ac219dbe27dc34578e8e321941fc3b6da7842408881d4b02aa41b4dd5853edcaeb6ba29afda
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=DD2DC0D100FFC635EC5E00E50C34C10037E94369

VirusTotal Result: 6/32 (18.75%)
Engine        Version         Last update   Result
AVG           7.5.0.516       2008.04.04    DNSChanger.AA
BitDefender   7.2             2008.04.04    Trojan.Downloader.Zlob.ABOU
F-Prot        4.4.2.54        2008.04.04    W32/Trojan2.AIES
F-Secure      6.70.13260.0    2008.04.04    Trojan.Win32.DNSChanger.arn
Kaspersky     7.0.0.125       2008.04.04    Trojan.Win32.DNSChanger.arn
Prevx1        V2              2008.04.04    Generic.Dropper.xCodec

Note the gap between the two detection rates: the UPX-packed dropper is caught by 27 engines, the freshly downloaded DNSChanger component by only 6, which is the usual pattern for the stage that is swapped out most often.

Load Time DLL (addon.exe)
Module Name                                                                                                                  Base Address   Size
C:\WINDOWS\system32\ntdll.dll                                                                                                0x7C900000     0x000B0000
C:\WINDOWS\system32\kernel32.dll                                                                                             0x7C800000     0x000F5000
C:\WINDOWS\system32\advapi32.dll                                                                                             0x77DD0000     0x0009B000
C:\WINDOWS\system32\RPCRT4.dll                                                                                               0x77E70000     0x00092000
C:\WINDOWS\system32\Secur32.dll                                                                                              0x77FE0000     0x00011000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll            0x773D0000     0x00103000
C:\WINDOWS\system32\msvcrt.dll                                                                                               0x77C10000     0x00058000
C:\WINDOWS\system32\GDI32.dll                                                                                                0x77F10000     0x00047000
C:\WINDOWS\system32\USER32.dll                                                                                               0x7E410000     0x00090000
C:\WINDOWS\system32\SHLWAPI.dll                                                                                              0x77F60000     0x00076000
C:\WINDOWS\system32\oleaut32.dll                                                                                             0x77120000     0x0008B000
C:\WINDOWS\system32\ole32.dll                                                                                                0x774E0000     0x0013D000
C:\WINDOWS\system32\shell32.dll                                                                                              0x7C9C0000     0x00815000
C:\WINDOWS\system32\version.dll                                                                                              0x77C00000     0x00008000
C:\WINDOWS\system32\wininet.dll                                                                                              0x42C10000     0x000CF000
C:\WINDOWS\system32\Normaliz.dll                                                                                             0x00330000     0x00009000
C:\WINDOWS\system32\iertutil.dll                                                                                             0x42990000     0x00045000
C:\WINDOWS\system32\IMM32.DLL                                                                                                0x76390000     0x0001D000

Run Time DLL (addon.exe)
Module Name                               Base Address   Size
C:\WINDOWS\system32\uxtheme.dll           0x5AD70000     0x00038000
C:\WINDOWS\system32\MSCTF.dll             0x74720000     0x0004B000
C:\WINDOWS\system32\msctfime.ime          0x755C0000     0x0002E000

addon.exe was run in a different sandbox image from ss_unpacked.exe: the IE7 wininet.dll (with its companions Normaliz.dll and iertutil.dll), a newer comctl32 (6.0.2600.2982) and a relocated USER32 show an updated XP install, so the base addresses do not line up with the module list above. The load-time list again contains wininet.dll, so the downloader capability continues in the second stage.

Registry Reads
Key                                                      Name       Value          Times
HKLM\Software\Microsoft\CTF\SystemShared                 CUAS       0              1
HKLM\Software\Microsoft\Windows NT\CurrentVersion\IMM    Ime File   msctfime.ime   1

Memory Mapped File
File Name
C:\WINDOWS\system32\Msimtf.dll

Mutex
CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
MSCTF.Shared.MUTEX.AN

Keyboard Monitored
Virtual Key Code   Times
VK_MENU (18)       1

The registry reads, the Msimtf.dll mapping, both mutexes and the VK_MENU (Alt key) hook are Text Services Framework / IME housekeeping that any process showing a window on XP produces; they are not behaviour of the sample and should not be used as indicators for it. The actual observable behaviour in this run is the EULA window below; the DNS-changing payload named by the AV results was not exercised in the sandbox session recorded here.

Popup (window title: EroticScreenSaver)

ErotiScreenSaver END-USER LICENSE AGREEMENT

THIS IS A LEGALLY BINDING AGREEMENT BETWEEN EITHER AN INDIVIDUAL OR A SINGLE ENTITY HEREINAFTER REFERRED AS "YOU" AND ErotiScreenSaver. THE EXECUTABLE VERSIONS OF THE ErotiScreenSaver software IS REFERRED TO HEREIN AS THE "software." THIS END USER LICENSE AGREEMENT (THE "AGREEMENT") GOVERNS USE OF THE software AND ANY RELATED WEB SERVICES PROVIDED BY ErotiScreenSaver IN CONNECTION WITH THE software. BY CLICKING "I AGREE" YOU AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO THIS AGREEMENT CLICK "EXIT" AND DO NOT INSTALL OR USE THE software.

1. LICENSE GRANT. software is made available to you for your non-commercial use only. This means that you may use it at work or at home for personal and internal business purposes. But you first need to obtain ErotiScreenSaver's permission if you want to sell the software or any information, services, or software associated with or derived from it, or if you want to modify, copy (except as provided below), license, or create derivative works from the software. This license does not entitle you to receive any hard-copy documentation, support, telephone assistance, or enhancements or updates to the software.

2. COPYRIGHT. All title and copyrights in and to the software (including but not limited to any images, photographs, animations, video, audio, music, text, and "applets" incorporated into the software), the accompanying printed materials, and any copies of the software are owned by the owner of this Software. The software is protected by copyright laws and international treaty provisions.
Therefore, you must treat the software like any other copyrighted material except that you may install the software on a single computer provided you keep the original solely for backup or archival purposes.

3. LIMITED WARRANTY. NO WARRANTIES. The owner of this Software expressly disclaims any warranty for the software. The software and any related documentation is provided "as is" without warranty of any kind, either express or implied, including, without limitation, the implied warranties of merchantability, fitness for a particular purpose, or noninfringement. The entire risk arising out of use or performance of the software remains with you. NO LIABILITY FOR DAMAGES. In no event shall the owner of this Software be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use this product, even if the owner of this Software has been advised of the possibility of such damages.

4. COMMUNICATIONS. You are responsible for obtaining and paying for your own Internet access, and for determining whether you will be charged any fees for accessing services such as web browsing and instant messaging using the type of connection and device of your choice.

5. CHANGES TO THE software. ErotiScreenSaver may, at any time, change, modify, add to or discontinue or retire any aspect or feature of the software. ErotiScreenSaver has no obligation to provide you with notice of any such changes.

6. SOFTWARE UPDATES. ErotiScreenSaver does not warrant that it will provide you with updates, however, when any update appears, it is downloaded by software automatically. ErotiScreenSaver claims that no other software except software updates is being downloaded using this system and the update system does not harm you in any way.

7. THIRD PARTY OFFERINGS. Third parties may from time to time offer applications or services to access, "plug-into" or interact with the software. Your use of such third-party applications will be at your own risk and subject to the terms and conditions of those third parties. ErotiScreenSaver makes no representations or warranties with respect to such third party applications. You agree that ErotiScreenSaver is under no obligation to provide you with any error corrections, updates, upgrades, fixes and/or enhancements to make the software accessible through or compatible with these third party applications.

8. FEES. There is no license fee for the software. If the software is made available on media, and if you wish to receive the software on media, there may be a small charge for the media and for shipping and handling. You are responsible for any and all taxes.

9. YOUR REPRESENTATIONS. You represent and warrant that you have adequate legal capacity to enter into this Agreement, that you will use the software only for lawful purposes and in accordance with this Agreement, and that you will not use the software in violation of any law, regulation or ordinance or any right of ErotiScreenSaver or its licensors or any third party, including, without limitation, any right of privacy, publicity, copyright or trademark. You agree to indemnify ErotiScreenSaver, its parent, licensors, officers, agents, employees and directors for any damages incurred as a result of a violation of this paragraph.

10. U.S. GOVERNMENT END-USERS. The software is a "commercial item", as that term is defined in 48 C.F.R. 2.101, consisting of "commercial computer software" and "commercial computer software documentation," as such terms are used in 48 C.F.R. 12.212 (Sept. 1995) and 48 C.F.R. 227.7202 (June 1995). Consistent with 48 C.F.R. 12.212, 48 C.F.R. 27.405(b)(2) (June 1998) and 48 C.F.R. 227.7202, all U.S. Government End Users acquire the software with only those rights as set forth herein.

11. MISCELLANEOUS RIGHTS AND LIMITATIONS. Limitations on Reverse Engineering, Decompilation, and Disassembly. You may not reverse engineer, decompile, or disassemble the software, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

12. SEPARATION OF COMPONENTS. The Browse is licensed as a single product. Its component parts may not be separated for use on more than one computer.

13. SOFTWARE TRANSFER. You may permanently transfer all of your rights under this EULA, provided the recipient agrees to the terms of this EULA.

14. TERMINATION. Without prejudice to any other rights, the owner of this Software may terminate this EULA if you fail to comply with the terms and conditions of this EULA. In such event, you must destroy all copies of the software and all of its component parts.

15. USAGE. As the software is generally created for adults you are obliged not to use it in case you are younger than 18 or 21 in some states for visiting adult links and reviewing adult-related content. Also you are obliged not to use the software in any way that violates this Agreement or any law.

Buttons: I Agree | Exit

Clause 6 is the part of this EULA worth reading: it grants the program permission to download and run whatever the "update system" serves, which is exactly the behaviour recorded above (uincodec4441[1].exe fetched into the WinInet cache). Clause 12 still refers to "The Browse", a leftover from whichever EULA this text was copied from.