Download Link: hxxp://60.191.187.15/alexa240.exe
File Name: alexa240.exe

VirusTotal Result: 18/32 (56.25%)
AntiVir 7.6.0.85 2008.04.14 TR/Dldr.Delphi.Gen
Authentium 4.93.8 2008.04.13 Possibly a new variant of W32/NewMalware-LSU-based!Maximus
AVG 7.5.0.516 2008.04.14 Downloader.Generic7.GHL
BitDefender 7.2 2008.04.14 Trojan.Downloader.Pusrac.A
CAT-QuickHeal 9.50 2008.04.14 TrojanDownloader.Agent.mvb
eSafe 7.0.15.0 2008.04.09 suspicious Trojan/Worm
F-Prot 4.4.2.54 2008.04.14 W32/NewMalware-LSU-based!Maximus
F-Secure 6.70.13260.0 2008.04.14 Trojan-Downloader.Win32.Agent.mvb
Fortinet 3.14.0.0 2008.04.14 W32/DelpDldr.C!tr.dldr
Ikarus T3.1.1.26.0 2008.04.14 Trojan-Downloader.Win32.Agent.mvb
Kaspersky 7.0.0.125 2008.04.14 Trojan-Downloader.Win32.Agent.mvb
NOD32v2 3025 2008.04.14 a variant of Win32/TrojanDownloader.Dadobra.IA
Norman 5.80.02 2008.04.14 W32/Agent.FFFU
Panda 9.0.0.4 2008.04.14 Suspicious file
Prevx1 V2 2008.04.14 Trojan.Downloader
Sophos 4.28.0 2008.04.14 Mal/Generic-A
VBA32 3.12.6.4 2008.04.14 suspected of Win32.Trojan.Downloader
Webwasher-Gateway 6.6.2 2008.04.14 Trojan.Dldr.Delphi.Gen

File Info:
File size: 23552 bytes
MD5...: 7ed3b0d3d4d257868645a4463cbbba84
SHA1..: b1e75663aae18a68dcf553eb1860df1c76827111
SHA256: 1398af413a6ec6abe9e1d71ad4a8f05891d3410fc18b893450916183e99a27d5
SHA512: 567db75e3d66901b97fe097398fab24867686269603e4257745e593bfb5816ba31c8e400b3b7465890a30e6098e5f903c1a73da96532b09ddb17bc6338c0cee5
packers (F-Prot): UPX

PE Structure:
Entry Point Address.: 0x412170
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type.......: 0x14c (I386)

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00006000
Size of initialized data: 00001000
Size of uninitialized data: 0000C000
Address of entry point: 00012170
Base of code: 0000D000
Base of data: 00013000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00014000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
UPX0     0000C000  00001000  00000000  00000400  E0000080
UPX1     00006000  0000D000  00005400  00000400  E0000040
.rsrc    00001000  00013000  00000400  00005800  C0000040

Import table (libraries: 5)
KERNEL32.DLL (imports: 4): LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess
advapi32.dll (imports: 1): RegCloseKey
oleaut32.dll (imports: 1): SysFreeString
URLMON.DLL (imports: 1): URLDownloadToFileA
user32.dll (imports: 1): CharNextA

Unpacked with UPX:
File size              Ratio   Format       Name
--------------------   ------  -----------  -----------
46592 <- 23552         50.55%  win32/pe     alexa240.exe

File Info:
File Name: alexa240_unpacked.exe
File size: 46592 bytes
MD5...: 3d303f687d01ce0c5c68838e217d66e8
SHA1..: 8d19fc61930ceb2535973bdf2ebf34d116733deb
SHA256: ec2cace997b9fc75a2d8c70bc468b9752db01882ef119f08948020d736e865ee
SHA512: 9bbd4fd33bc365e46a3daef69a7c0a8d525909cab8f4a64744a6f08d9cf0df8c2681d6112694308e4f5f9cb5da6d4dc1c6f7db62bc7fca7faf65d002ba320a62

VirusTotal Result:
AntiVir 7.6.0.85 2008.04.14 TR/Dldr.Delphi.Gen
AVG 7.5.0.516 2008.04.14 Downloader.Generic7.GHL
BitDefender 7.2 2008.04.14 Trojan.Downloader.Pusrac.A
F-Secure 6.70.13260.0 2008.04.14 Trojan-Downloader.Win32.Agent.mvb
Kaspersky 7.0.0.125 2008.04.14 Trojan-Downloader.Win32.Agent.mvb
NOD32v2 3025 2008.04.14 a variant of Win32/TrojanDownloader.Dadobra.IA
Panda 9.0.0.4 2008.04.14 Suspicious file
Sophos 4.28.0 2008.04.14 Mal/Heuri-E
VBA32 3.12.6.4 2008.04.14 suspected of Win32.Trojan.Downloader
Webwasher-Gateway 6.6.2 2008.04.14 Trojan.Dldr.Delphi.Gen

PE Structure:
Entry Point Address.: 0x408fc0
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type.......: 0x14c (I386)

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CODE     00008390  00001000  00008400  00000400  60000020
DATA     00000408  0000A000  00000600  00008800  C0000040
BSS      00000981  0000B000  00000000  00008E00  C0000000
.idata   00000892  0000C000  00000A00  00008E00  C0000040
.tls     00000008  0000D000  00000000  00009800  C0000000
.rdata   00000018  0000E000  00000200  00009800  50000040
.reloc   00000C60  0000F000  00000E00  00009A00  50000040
.rsrc    00000E00  00010000  00000E00  0000A800  50000040

Import table (libraries: 10)
> KERNEL32.DLL: Sleep
> KERNEL32.DLL: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
> KERNEL32.DLL: WriteFile, WinExec, VirtualQuery, OpenMutexA, GetVersionExA, GetThreadLocale, GetTempPathA, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetShortPathNameA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetDiskFreeSpaceA, GetCPInfo, GetACP, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, DeleteFileA, CreateProcessA, CreateMutexA, CloseHandle
> KERNEL32.DLL: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, WideCharToMultiByte, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> advapi32.dll: RegSetValueExA, RegCreateKeyExA, RegCloseKey
> oleaut32.dll: SysFreeString
> URLMON.DLL: URLDownloadToFileA
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
> user32.dll: MessageBoxA, LoadStringA, GetSystemMetrics, CharNextA, CharToOemA

Registry Keys Created:
HKLM\Software\Microsoft\DownloadManager

Registry Values Changed (Key, then Name = New Value):
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings
    ProxyEnable = 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    Common AppData = C:\Documents and Settings\All Users\Application Data
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    AppData = C:\Documents and Settings\user\Application Data
    Cache = C:\Documents and Settings\user\Local Settings\Temporary Internet Files
    Cookies = C:\Documents and Settings\user\Cookies
    History = C:\Documents and Settings\user\Local Settings\History
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    AutoDetect = 1
    IntranetName = 1
    ProxyBypass = 1
    UNCAsIntranet = 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings
    MigrateProxy = 1
    ProxyEnable = 0
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings = 0x460000005f00000001000000000000000000000000000000040000000000

Files Created:
C:\$$336699.bat
C:\DOCUME~1\user\LOCALS~1\Temp\tmp10.txt
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\setupconfig[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\wxpSetup240[1].txt
C:\WINDOWS\system32\Windows240.exe

Files Read:
C:\DOCUME~1\user\LOCALS~1\Temp\tmp10.txt
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\BNPHK11H\setupconfig[1].htm
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\C4H05OWL\wxpSetup240[1].txt
PIPE\ROUTER
PIPE\lsarpc
c:\autoexec.bat

Files Modified:
PIPE\ROUTER
PIPE\lsarpc
\Device\Afd\AsyncConnectHlp
\Device\RasAcd

Process Created:
C:\WINDOWS\system32\Windows240.exe

Network Activities:

HTTP Conversations:
Name                 Query Type   Query Result     Successful  Protocol
config.lianyixia.cn  DNS_TYPE_A   60.191.239.150   1
xxx.lianyixia.cn     DNS_TYPE_A   60.191.239.150   1

HTTP Conversation:
From SandBox:1035 to 60.191.239.150:80 - [www.lianyixia.cn]
    Request: GET /download/setupconfig.asp?V=1003&Webid=240
    Response: 200 "OK"
    Request: GET /download/wxpSetup240.txt
    Response: 200 "OK"
From SandBox:1036 to 60.191.239.150:80
    State: Connection established, not terminated
    - Transferred outbound Bytes: 286
    - Transferred inbound Bytes: 1036520