Download Link: hxxp://60.191.129.150/yeSetup.exe
File Name: yeSetup.exe

VirusTotal Result: 28/32 (87.5%)

Engine              Version        Last Update  Result
AhnLab-V3           2008.4.15.0    2008.04.14   Win-Trojan/Xema.variant
AntiVir             7.6.0.85       2008.04.14   TR/Dldr.Delphi.Gen
Authentium          4.93.8         2008.04.13   Possibly a new variant of W32/NewMalware-LSU-based!Maximus
Avast               4.8.1169.0     2008.04.14   Win32:Delf-JJF
AVG                 7.5.0.516      2008.04.14   Generic10.AWX
CAT-QuickHeal       9.50           2008.04.14   Trojan.Delf.ayy
ClamAV              0.92.1         2008.04.14   Trojan.Delf-3850
DrWeb               4.44.0.09170   2008.04.14   Trojan.DownLoader.51153
eSafe               7.0.15.0       2008.04.09   Win32.Delf.bgw
eTrust-Vet          31.3.5697      2008.04.14   Win32/SillyDl.DOZ
Ewido               4.0            2008.04.14   Trojan.Delf.bgw
F-Prot              4.4.2.54       2008.04.14   W32/Trojan2.AHSM
F-Secure            6.70.13260.0   2008.04.14   Trojan.Win32.Delf.bgw
FileAdvisor         1              2008.04.14   High threat detected
Fortinet            3.14.0.0       2008.04.14   W32/Heuri.BGW!tr
Ikarus              T3.1.1.26      2008.04.14   not-a-virus:AdWare.Win32.AdMoke.bx
Kaspersky           7.0.0.125      2008.04.14   Trojan.Win32.Delf.bgw
McAfee              5273           2008.04.14   Generic.dx
NOD32v2             3025           2008.04.14   Win32/TrojanDownloader.Delf.OBA
Norman              5.80.02        2008.04.14   W32/Delf.BQAY
Panda               9.0.0.4        2008.04.14   Adware/Cinmus
Prevx1              V2             2008.04.14   Trojan.DoS.Win32.Opdos
Rising              20.40.02.00    2008.04.14   Trojan.DL.Win32.Mnless.zeg
Sophos              4.28.0         2008.04.14   Mal/Heuri-E
TheHacker           6.2.92.277     2008.04.14   Trojan/Delf.bgw
VBA32               3.12.6.4       2008.04.14   Trojan.DownLoader
VirusBuster         4.3.26:9       2008.04.14   Trojan.Delf.AXAZ
Webwasher-Gateway   6.6.2          2008.04.14   Trojan.Dldr.Delphi.Gen

File Info:
File size: 56320 bytes
MD5...: 6d230de78d84a99258eac50987748e86
SHA1..: d5a05fc988f2fdb9f8393c38a8b917005f046221
SHA256: 8793df3ebbe89e2b9bff42fa7db862d7e44c123252d1174f10ea5144147ed85e
SHA512: 4a41344b6ef138de51fe85d0acc4464ee1186591ef93ed5584ffe1256b5939ccb27c3dc72627bc401ea707fcfff1683cf54084001296dfbd9af10bbfd072ef4c

PE Structure:
Entry Point Address.: 0x422001
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type........: 0x14c (I386)

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 000A
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00017E00
Size of initialized data: 00005000
Size of uninitialized data: 00000000
Address of entry point: 00022001
Base of code: 00001000
Base of data: 00019000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00025000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CODE      00018000  00001000  0000AE00  00000400  C0000040
DATA      00001000  00019000  00000600  0000B200  C0000040
BSS       00001000  0001A000  00000000  0000B800  C0000040
.idata    00001000  0001B000  00000600  0000B800  C0000040
.tls      00001000  0001C000  00000000  0000BE00  C0000040
.rdata    00001000  0001D000  00000200  0000BE00  C0000040
.reloc    00002000  0001E000  00000000  0000C000  C0000040
.rsrc     00002000  00020000  00000A00  0000C000  C0000040
.aspack   00002000  00022000  00001200  0000CA00  C0000040
.adata    00001000  00024000  00000000  0000DC00  C0000040

Import table (libraries: 10)
kernel32.dll (imports: 3): GetProcAddress, GetModuleHandleA, LoadLibraryA
user32.dll (imports: 1): GetKeyboardType
advapi32.dll (imports: 1): RegQueryValueExA
oleaut32.dll (imports: 1): SysFreeString
advapi32.dll (imports: 1): RegSetValueExA
user32.dll (imports: 1): MessageBoxA
oleaut32.dll (imports: 1): SafeArrayPtrOfIndex
ws2_32.dll (imports: 1): WSACleanup
netapi32.dll (imports: 1): Netbios
urlmon.dll (imports: 1): URLDownloadToFileA

Process Details:
Process ID: 192
Filename: C:\yeSetup.exe
Filesize: 56320 bytes
MD5: 6d230de78d84a99258eac50987748e86
Start Reason: AnalysisTarget

New Files Created:
C:\WINDOWS\System32\605243efc6.dll
\Device\RasAcd
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DRSWIYUUGUFC.txt.328

Opened Files:
\\.\PIPE\lsarpc
c:\autoexec.bat

Chronological order:
Find File: C:\WINDOWS\System32\605243efc6.dll
Create File: C:\WINDOWS\System32\605243efc6.dll
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Find File:
Get File Attributes: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DRSWIYUUGUFC.txt
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DRSWIYUUGUFC.txt.328

Mutexes:
Creates Mutex: RasPbFile

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w32time\Parameters "ServiceDll"

Network Activity:
DNS Lookup: udp.hjob123.com (59.57.14.242)
DNS Lookup: bestd.qqhudong.cn (59.60.30.210)
Download URLs: hxxp://59.60.30.210/ver/alexa801.txt (bestd.qqhudong.cn)
Outgoing connection to remote server: bestd.qqhudong.cn TCP port 80
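Analyst note (added here; not part of the sandbox report above): the header and section data already settle the packing question before the sample is run. The entry point 0x422001 is RVA 0x22001, which lands inside .aspack (0x22000 to 0x24000) rather than in CODE; CODE occupies 0x18000 bytes in memory but only 0xAE00 bytes on disk; all ten sections carry the identical flags C0000040 (READ|WRITE|INITIALIZED_DATA, with no EXECUTE or CODE bit even on CODE); the import table has shrunk to LoadLibraryA/GetProcAddress plus a single thunk per DLL, which is consistent with a packer that resolves the real imports at unpack time; and the timestamp 0x2A425E19 is the fixed value the Delphi linker writes into every image, so it says nothing about when the sample was built (the "Delf"/"Delphi" family names above reflect the same compiler fingerprint). The Python below is example code written for this page, not the report's own tooling: it recomputes those indicators from the section table exactly as listed, with the image base, section alignment, entry point and timestamp copied from the header dump. The packer section-name list is an assumed, illustrative set.

```python
"""Packing indicators recomputed from the PE section table and header values in
the report above. Added example; the rows and constants are copied from the
page, the packer section-name list is an illustrative assumption."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Section table as listed in the report: name VirtSize VirtAddr PhysSize PhysAddr Flags (hex).
SECTION_TABLE = """
CODE    00018000 00001000 0000AE00 00000400 C0000040
DATA    00001000 00019000 00000600 0000B200 C0000040
BSS     00001000 0001A000 00000000 0000B800 C0000040
.idata  00001000 0001B000 00000600 0000B800 C0000040
.tls    00001000 0001C000 00000000 0000BE00 C0000040
.rdata  00001000 0001D000 00000200 0000BE00 C0000040
.reloc  00002000 0001E000 00000000 0000C000 C0000040
.rsrc   00002000 00020000 00000A00 0000C000 C0000040
.aspack 00002000 00022000 00001200 0000CA00 C0000040
.adata  00001000 00024000 00000000 0000DC00 C0000040
"""
IMAGE_BASE = 0x400000            # "Image base: 00400000"
SECTION_ALIGNMENT = 0x1000       # "Section alignment: 00001000"
ENTRY_POINT_VA = 0x422001        # "Entry Point Address.: 0x422001"
TIME_DATE_STAMP = 0x2A425E19     # "Time/Date stamp: 2A425E19"
DELPHI_FIXED_STAMP = 0x2A425E19  # constant the Delphi linker writes into every image it builds

# IMAGE_SCN_* section characteristics bits from winnt.h
SCN_CNT_CODE, SCN_CNT_INIT_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000

# Section names commonly left behind by packers (assumed, illustrative list).
PACKER_SECTION_NAMES = {".aspack", ".adata", "upx0", "upx1", ".upx", ".petite", ".nsp0", ".nsp1"}


@dataclass(frozen=True)
class Section:
    name: str
    virt_size: int
    virt_addr: int
    raw_size: int
    raw_ptr: int
    flags: int


def parse_section_table(text: str) -> list[Section]:
    """Parse 'name vsize vaddr rawsize rawptr flags' rows; every field but the name is hex."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            rows.append(Section(parts[0], *(int(h, 16) for h in parts[1:])))
    return rows


def section_containing(sections: list[Section], rva: int) -> Section | None:
    """Return the section whose virtual range [VirtAddr, VirtAddr + VirtSize) covers rva."""
    for s in sections:
        if s.virt_addr <= rva < s.virt_addr + s.virt_size:
            return s
    return None


def describe_flags(flags: int) -> str:
    names = [("CODE", SCN_CNT_CODE), ("INITIALIZED_DATA", SCN_CNT_INIT_DATA),
             ("EXECUTE", SCN_MEM_EXECUTE), ("READ", SCN_MEM_READ), ("WRITE", SCN_MEM_WRITE)]
    return "|".join(n for n, bit in names if flags & bit) or "none"


def analyze(table: str = SECTION_TABLE, image_base: int = IMAGE_BASE,
            entry_va: int = ENTRY_POINT_VA, stamp: int = TIME_DATE_STAMP,
            alignment: int = SECTION_ALIGNMENT) -> dict:
    sections = parse_section_table(table)
    ep = section_containing(sections, entry_va - image_base)
    # A section whose in-memory size exceeds its on-disk size by more than one
    # alignment page is expanded at load time, i.e. it is stored compressed.
    compressed = [s.name for s in sections
                  if s.raw_size and s.virt_size - s.raw_size > alignment]
    no_raw = [s.name for s in sections if s.raw_size == 0 and s.virt_size]
    flag_set = {s.flags for s in sections}
    return {
        "entry_section": ep.name if ep else None,
        "entry_in_packer_section": bool(ep) and ep.name.lower() in PACKER_SECTION_NAMES,
        "entry_section_executable": bool(ep and ep.flags & (SCN_MEM_EXECUTE | SCN_CNT_CODE)),
        "compressed_sections": compressed,
        "no_raw_data_sections": no_raw,
        "uniform_flags": describe_flags(flag_set.pop()) if len(flag_set) == 1 else None,
        "timestamp_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "delphi_fixed_timestamp": stamp == DELPHI_FIXED_STAMP,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:26} {value}")
```

Run against the report's numbers this places the entry point in .aspack, reports CODE and .rsrc as compressed on disk, lists BSS, .tls, .reloc and .adata as having no file-backed data, and confirms the Delphi timestamp. The "compressed" heuristic deliberately ignores gaps smaller than one section-alignment page, otherwise every small section (DATA, .idata, .rdata) would trip it merely because 0x1000 section alignment is padded against 0x200 file alignment.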