Download Link: hxxp://poramor85.t35.com/Mensagem23.exe
File Name: Mensagem23.exe

VirusTotal Result: 17/32 (53.13%)

  Engine             Version        Last Update  Result
  AntiVir            7.6.0.85       2008.04.11   TR/Spy.Banker.CIL
  Avast              4.8.1169.0     2008.04.12   Win32:Trojan-gen {Other}
  CAT-QuickHeal      9.50           2008.04.12   (Suspicious) - DNAScan
  ClamAV             0.92.1         2008.04.12   PUA.Packed.UPack-2
  eSafe              7.0.15.0       2008.04.09   Suspicious File
  F-Prot             4.4.2.54       2008.04.11   W32/Heuristic-CSU!Eldorado
  F-Secure           6.70.13260.0   2008.04.11   Suspicious:W32/Malware!Gemini
  Fortinet           3.14.0.0       2008.04.12   Spy/VBBanc
  Kaspersky          7.0.0.125      2008.04.12   Heur.Trojan.Generic
  McAfee             5272           2008.04.11   New Malware.aj
  Norman             5.80.02        2008.04.12   W32/Banker.BYNZ
  Rising             20.39.52.00    2008.04.12   Trojan.Spy.Bancos.fuj
  Sophos             4.28.0         2008.04.12   Mal/Behav-103
  Sunbelt            3.0.1041.0     2008.04.12   VIPRE.Suspicious
  TheHacker          6.2.92.275     2008.04.12   W32/Behav-Heuristic-060
  VirusBuster        4.3.26:9       2008.04.11   Packed/Upack
  Webwasher-Gateway  6.6.2          2008.04.11   Trojan.Spy.Banker.CIL

File Info:
  File size: 227480 bytes
  MD5...: 82bb23d71a91b2a85c719a6a095bc139
  SHA1..: 65ac0099cc2dbb8c59c6b693bea596f40fbbcf8b
  SHA256: fc36909d8aa2e88d63a33b31123e42d22795f92039a501a921adfd146537bb34
  SHA512: e8252578222d43e269cd492c85b75989797bd72d972ccbd5bea40572230b4a9a7634bc9a07d646411498f364042f0192d3a6a3434e0a7b28362336ab683a879e
  PEiD..: Upack V0.37 -> Dwing

PE Details:
  Entry Point Address.: 0x401018
  Time Date Stamp.....: 0x4011b0be (Fri Jan 23 23:39:42 2004)
  Machine Type........: 0x14c (I386)

  PE Sections:
  name  VirtualAddress  VirtualSize  SizeOfRawData  entropy  md5
  PS    0x1000          0xa5e000     0x1f0          5.29     b3c401cf8682dc4811f1744ff650cf38
  @     0xa5f000        0x75000      0x6d2e0        8.00     e0f7fefae09cb6af6df14276c4262e8e
  @     0xad4000        0x1000       0x1f0          5.29     b3c401cf8682dc4811f1744ff650cf38

Process Details:
  Process ID: 1172
  Filename: C:\Mensagem23.exe
  Filesize: 227480 bytes
  MD5: 82bb23d71a91b2a85c719a6a095bc139
  Start Reason: AnalysisTarget

  File System Activity:
    Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
    Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
    Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
    Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\drwtsn32.exe ()
    Find File: drwtsn32.exe

  Registry Reads:
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoReport"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ShowUI"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "AllOrNone"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeMicrosoftApps"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeWindowsApps"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "DoTextLog"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeKernelFaults"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "IncludeShutdownErrs"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfFaultPipes"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "NumberOfHangPipes"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "MaxUserQueueSize"
    HKEY_LOCAL_MACHINE\Software\Microsoft\PCHealth\ErrorReporting "ForceQueueMode"
    HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

  Exception Encountered and Dumping System Memory

Process Details:
  Process ID: 1244
  Filename: C:\WINDOWS\system32\drwtsn32 -p 1172 -e 1208 -g
  Filesize: 45568 bytes
  MD5: c9f5e1de6da983e89e714ed80c11f000
  Start Reason: CreateProcess

  New Files Created:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

  Opened Files:
    \\.\PIPE\lsarpc
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
    C:\WINDOWS\system32\ntdll.pdb
    C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb
    C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb
    C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb\ntdll.pdb
    ntdll.pdb
    symbols\dll\ntdll.dbg
    dll\ntdll.dbg
    ntdll.dbg
    C:\\WINDOWS\system32\ntdll.dbg
    C:\WINDOWS\system32\kernel32.pdb
    C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb
    C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb
    C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb\kernel32.pdb
    kernel32.pdb
    symbols\dll\kernel32.dbg
    dll\kernel32.dbg
    kernel32.dbg
    C:\\WINDOWS\system32\kernel32.dbg

  Deleted Files:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

  Chronological order:
    Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
    Open File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log (OPEN_EXISTING)
    Create File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
    Open File: C:\WINDOWS\system32\ntdll.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\ntdll.pdb\symbols\dll\ntdll.pdb\dll\ntdll.pdb\ntdll.pdb (OPEN_EXISTING)
    Open File: ntdll.pdb (OPEN_EXISTING)
    Open File: symbols\dll\ntdll.dbg (OPEN_EXISTING)
    Open File: dll\ntdll.dbg (OPEN_EXISTING)
    Open File: ntdll.dbg (OPEN_EXISTING)
    Open File: C:\\WINDOWS\system32\ntdll.dbg (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\kernel32.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb (OPEN_EXISTING)
    Open File: C:\WINDOWS\system32\kernel32.pdb\symbols\dll\kernel32.pdb\dll\kernel32.pdb\kernel32.pdb (OPEN_EXISTING)
    Open File: kernel32.pdb (OPEN_EXISTING)
    Open File: symbols\dll\kernel32.dbg (OPEN_EXISTING)
    Open File: dll\kernel32.dbg (OPEN_EXISTING)
    Open File: kernel32.dbg (OPEN_EXISTING)
    Open File: C:\\WINDOWS\system32\kernel32.dbg (OPEN_EXISTING)
    Create File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp
    Delete File: C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp

  Registry Changes:
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "NumberOfCrashes" = [REG_DWORD, value: 00000001]

  Registry Reads:
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "LogFilePath"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "WaveFile"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CrashDumpFile"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "DumpSymbols"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "DumpAllThreads"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "AppendToLogFile"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "VisualNotification"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "SoundNotification"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CreateCrashDump"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "Instructions"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "MaximumCrashes"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "CrashDumpType"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion "CurrentType"
    HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 "Identifier"
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows "CSDVersion"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentBuildNumber"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentType"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner"
    HKEY_LOCAL_MACHINE\software\microsoft\DrWatson "NumberOfCrashes"

  Process Management:
    Kill Process - Filename () CommandLine: () Target PID: (1172) As User: () Creation Flags: ()
    Kill Process - Filename () CommandLine: () Target PID: (1244) As User: () Creation Flags: ()

  Enum Processes:
    Enum Modules - Target PID: (1172)
    Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)
    Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)
    Open Process - Filename () Target PID: (4)
    Open Process - Filename () Target PID: (568)
    Open Process - Filename () Target PID: (616)
    Open Process - Filename () Target PID: (640)
    Open Process - Filename () Target PID: (720)
    Open Process - Filename () Target PID: (736)
    Open Process - Filename () Target PID: (748)
    Open Process - Filename () Target PID: (944)
    Open Process - Filename () Target PID: (1012)
    Open Process - Filename () Target PID: (1104)
    Open Process - Filename () Target PID: (1160)
    Open Process - Filename () Target PID: (1204)
    Open Process - Filename (C:\WINDOWS\system32\userinit.exe) Target PID: (1536)
    Open Process - Filename (C:\WINDOWS\Explorer.exe) Target PID: (1552)
    Open Process - Filename () Target PID: (1692)
    Open Process - Filename () Target PID: (276)
    Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (924)
    Open Process - Filename (C:\ClickInstall.exe) Target PID: (724)
    Open Process - Filename (C:\WINDOWS\system32\cmd.exe) Target PID: (220)
    Open Process - Filename (C:\Mensagem23.exe) Target PID: (1172)

drwtsn32.log details (this log records the sample as E:\Infected\Mensagem23.exe, pid 212, so it comes from a run separate from the automated trace above, where the sample ran as C:\Mensagem23.exe, pid 1172):

Application exception occurred:
  App: E:\Infected\Mensagem23.exe (pid=212)
  When: 4/13/2008 @ 11:23:40.864
  Exception number: c0000005 (access violation)

*----> System Information <----*
  Computer Name: SANDBOX
  User Name: Administrator
  Terminal Session Id: 0
  Number of Processors: 1
  Processor Type: x86 Family 15 Model 6 Stepping 5
  Windows Version: 5.1
  Current Build: 2600
  Service Pack: 2
  Current Type: Uniprocessor Free
  Registered Organization: Malware Analysis
  Registered Owner: SandBox

*----> Task List <----*
     0 System Process
     4 System
   320 smss.exe
   452 csrss.exe
   476 winlogon.exe
   536 services.exe
   548 lsass.exe
   732 svchost.exe
   796 svchost.exe
   864 svchost.exe
   904 svchost.exe
   960 svchost.exe
  1216 Explorer.EXE
  1284 vmusrvc.exe
  1336 vmsrvc.exe
  1432 SbieSvc.exe
  1592 vpcmap.exe
  1976 svchost.exe
   572 firefox.exe
  1504 Regmon.exe
   212 Mensagem23.exe
   160 drwtsn32.exe

*----> Module List <----*
  (0000000000400000 - 0000000000ed5000: E:\Infected\Mensagem23.exe
  (0000000077dd0000 - 0000000077e6b000: C:\WINDOWS\system32\ADVAPI32.DLL
  (0000000077e70000 - 0000000077f01000: C:\WINDOWS\system32\RPCRT4.dll
  (000000007c800000 - 000000007c8f4000: C:\WINDOWS\system32\kernel32.dll
  (000000007c900000 - 000000007c9b0000: C:\WINDOWS\system32\ntdll.dll

*----> State Dump for Thread Id 0x55c <----*
  eax=00000400 ebx=00ecc37c ecx=00000000 edx=ffffffff esi=00ed418c edi=00401000
  eip=00ecc1cb esp=0012ffa8 ebp=0012fff0 iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206

  *** WARNING: Unable to verify checksum for E:\Infected\Mensagem23.exe
  *** ERROR: Module load completed but symbols could not be loaded for E:\Infected\Mensagem23.exe

  function: Mensagem23
          00ecc1b7 0000             add     [eax],al
          00ecc1b9 0000             add     [eax],al
          00ecc1bb 0000             add     [eax],al
          00ecc1bd 0000             add     [eax],al
          00ecc1bf 0000             add     [eax],al
          00ecc1c1 0000             add     [eax],al
          00ecc1c3 0000             add     [eax],al
          00ecc1c5 0000             add     [eax],al
          00ecc1c7 0000             add     [eax],al
          00ecc1c9 0000             add     [eax],al
  FAULT ->00ecc1cb 0000             add     [eax],al   ds:0023:00000400=??
          00ecc1cd 0000             add     [eax],al
          00ecc1cf 0000             add     [eax],al
          00ecc1d1 0000             add     [eax],al
          00ecc1d3 0000             add     [eax],al
          00ecc1d5 0000             add     [eax],al
          00ecc1d7 0000             add     [eax],al
          00ecc1d9 0000             add     [eax],al
          00ecc1db 0000             add     [eax],al
          00ecc1dd 0000             add     [eax],al
          00ecc1df 0000             add     [eax],al

*----> Stack Back Trace <----*
  WARNING: Stack unwind information not available. Following frames may be wrong.
  ChildEBP RetAddr  Args to Child
  0012fff0 00000000 00401018 00000000 78746341 Mensagem23+0xacc1cb

Module Details:
  start    end      module name
  00400000 00ed5000 Mensagem23   C (no symbols)
    Loaded symbol image file: Mensagem23.exe
    Mapped memory image file: E:\Infected\Mensagem23.exe
    Image path: E:\Infected\Mensagem23.exe
    Image name: Mensagem23.exe
    Timestamp: Sat Jan 24 05:09:42 2004 (4011B0BE)
    CheckSum: 00000000
    ImageSize: 00AD5000
    File version: 9.1.0.2
    Product version: 9.1.0.2
    File flags: 0 (Mask 0)
    File OS: 4 Unknown Win32
    File type: 1.0 App
    File date: 00000000.00000000
    Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0

Stored Exception Information:
  eax=00000400 ebx=00ecc37c ecx=00000000 edx=ffffffff esi=00ed418c edi=00401000
  eip=00ecc1cb esp=0012ffa8 ebp=0012fff0 iopl=0         nv up ei pl nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
  Mensagem23+0xacc1cb:
  00ecc1cb 0000             add     byte ptr [eax],al   ds:0023:00000400=??
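What the section table and the crash dump say together: the entry point 0x401018 falls in section PS, which has only 0x1f0 raw bytes but a 0xa5e000-byte virtual size (the Upack stub plus the space it unpacks into); the second section is reported at entropy 8.00 with a declared raw size (0x6d2e0, that is 447,200 bytes) larger than the whole 227,480-byte file; and the faulting eip 0x00ecc1cb is Mensagem23+0xacc1cb, an RVA inside that second section's virtual range (0xa5f000 to 0xad4000), where the disassembly shows nothing but zero bytes (add [eax],al) and the faulting read is from eax=0x400. The script below is added here as an example and is not part of the sandbox report or of any tool the report used. It automates those two checks with only the Python standard library: it parses a PE section table, flags the packer tells, and maps a faulting address back to a section. The PE image it builds is constructed for the test: it copies the report's section header values (addresses, virtual and raw sizes, entry point, timestamp) but holds a mostly-zero placeholder stub and a 4 KiB uniform byte block instead of the real sample's bytes, so the entropies it computes for sections 1 and 3 will not match the 5.29 in the report. The thresholds (10x size ratio, 7.2 bits/byte) are this example's choice, not the report's.

```python
"""Packer triage from a PE section table, plus mapping a Dr. Watson fault address
back to the section it landed in.  Standard library only (struct, math)."""
import math
import struct
from collections import Counter

# Header values copied from the report: section table, entry point, module base, eip.
REPORT_SECTIONS = [          # (name, VirtualAddress, VirtualSize, SizeOfRawData)
    (b"PS", 0x001000, 0xA5E000, 0x001F0),
    (b"@",  0xA5F000, 0x075000, 0x6D2E0),
    (b"@",  0xAD4000, 0x001000, 0x001F0),
]
REPORT_ENTRY_POINT = 0x401018    # "Entry Point Address" under PE Details
REPORT_MODULE_BASE = 0x400000    # "00400000 00ed5000 Mensagem23" in the dump
REPORT_FAULT_EIP = 0x00ECC1CB    # eip in "Stored Exception Information"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, exactly 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Return (AddressOfEntryPoint RVA, list of section dicts) from a PE32/PE32+ image.
    Raw ranges are clamped to the real file length, because packers such as Upack
    declare SizeOfRawData values that run past the end of the file."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        start, end = min(rawptr, len(pe)), min(rawptr + rawsize, len(pe))
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
            "entropy": shannon_entropy(pe[start:end]),
            "overruns_file": rawptr + rawsize > len(pe),
        })
    return entry_rva, sections


def section_for_rva(sections, rva):
    """First section whose virtual range [VirtualAddress, +VirtualSize) contains rva, else None."""
    return next((s for s in sections if s["vaddr"] <= rva < s["vaddr"] + s["vsize"]), None)


def packer_indicators(pe: bytes, ratio_threshold=10.0, entropy_threshold=7.2):
    """Human-readable packer tells; the thresholds are this example's choice, not the report's."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        tag = f"{s['name']}@{s['vaddr']:#x}"
        ratio = s["vsize"] / s["rawsize"] if s["rawsize"] else float("inf")
        if ratio >= ratio_threshold:
            findings.append(f"{tag}: VirtualSize is {ratio:.0f}x SizeOfRawData (room to unpack into)")
        if s["entropy"] >= entropy_threshold:
            findings.append(f"{tag}: entropy {s['entropy']:.2f} bits/byte (compressed or encrypted data)")
        if s["overruns_file"]:
            findings.append(f"{tag}: SizeOfRawData {s['rawsize']:#x} runs past end of file")
    entry = section_for_rva(sections, entry_rva)
    if entry is not None and entry["rawsize"] < 0x1000:
        findings.append(f"entry point {entry_rva:#x} is in {entry['name']}@{entry['vaddr']:#x}, "
                        f"which has only {entry['rawsize']} raw bytes (unpacking stub)")
    return findings


def locate_fault(pe: bytes, module_base: int, eip: int):
    """Translate a faulting eip from the crash dump into (RVA, section dict or None)."""
    _, sections = parse_sections(pe)
    rva = eip - module_base
    return rva, section_for_rva(sections, rva)


def build_sample_pe() -> bytes:
    """Constructed test image, not the Mensagem23.exe sample: the report's section
    headers verbatim, a mostly-zero placeholder stub as the bytes of sections 1 and 3
    (they share one raw range, as their identical MD5s in the report suggest), and
    4 KiB of uniformly distributed bytes (entropy 8.00) standing in for the packed payload."""
    stub = b"\xbe\x00\x10\x40\x00" + b"\0" * (0x1F0 - 5)   # 0x1f0 bytes, low entropy
    payload = bytes(range(256)) * 16                       # 4096 bytes, entropy 8.0
    headers_len = 0x200
    raw_ptrs = [headers_len, headers_len + len(stub), headers_len]
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(REPORT_SECTIONS), 0x4011B0BE, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0,
                      REPORT_ENTRY_POINT - REPORT_MODULE_BASE).ljust(0xE0, b"\0")
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000020)
                    for (n, va, vs, rs), rp in zip(REPORT_SECTIONS, raw_ptrs))
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(headers_len, b"\0") + stub + payload


if __name__ == "__main__":
    image = build_sample_pe()
    for finding in packer_indicators(image):
        print(finding)
    rva, sect = locate_fault(image, REPORT_MODULE_BASE, REPORT_FAULT_EIP)
    print(f"fault at Mensagem23+{rva:#x} lies in section {sect['name']}@{sect['vaddr']:#x}")
```

Run against a real file, `packer_indicators(open(path, "rb").read())` gives the same four kinds of finding; `locate_fault` needs the module base from the dump's module list rather than the header's ImageBase, since the two can differ when the image is relocated.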