File Name: vertrag.exe
VirusTotal Result: 17/32 (53.12%)

Antivirus          Version        Last Update  Result
AntiVir            7.6.0.85       2008.04.11   TR/Spy.ZBot.DI
Authentium         4.93.8         2008.04.11   W32/Downldr2.BLMW
AVG                7.5.0.516      2008.04.12   Dropper.Delf.AQP
BitDefender        7.2            2008.04.12   Trojan.Dropper.RTY
CAT-QuickHeal      9.50           2008.04.12   (Suspicious) - DNAScan
ClamAV             0.92.1         2008.04.12   Trojan.Dropper-5907
eSafe              7.0.15.0       2008.04.09   Suspicious File
F-Prot             4.4.2.54       2008.04.11   W32/Downldr2.BLMW
F-Secure           6.70.13260.0   2008.04.11   Trojan-Spy.Win32.Zbot.awx
Fortinet           3.14.0.0       2008.04.12   W32/Agent.S!tr
Ikarus             T3.1.1.26.0    2008.04.12   Packer.Malware.FriCryptor.B
Kaspersky          7.0.0.125      2008.04.12   Trojan-Spy.Win32.Zbot.awx
Microsoft          1.3408         2008.04.12   VirTool:Win32/Fcrypter.gen!A
Norman             5.80.02        2008.04.12   W32/Agent.FEYT
Sophos             4.28.0         2008.04.12   Mal/Dropper-G
Symantec           10             2008.04.12   Infostealer.Banker.C
Webwasher-Gateway  6.6.2          2008.04.11   Trojan.Spy.ZBot.DI

File Info:
File size: 64122 bytes
MD5...: 88c6f4706e5d4a5467cfff38a2624b7b
SHA1..: 2b6b0e81f3fba9ac4f5c207e59c526e8f4fe9337
SHA256: 806546f8fd86461c761033ffc592c71d4e0ea32e191a3f3b6b84fcd467d0420f
SHA512: 9513057232924069b0c0c355c2c940f707b7ec9c3d09cd1c73d8cf7a380c96462ff084f9aa7178516501fd24d997af92a5a176ce947eab1a92d7026bb4081b1e

PE Structure information

Base Data
Entry Point Address.: 0x403f54
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type........: 0x14c (I386)

PE Header
Signature:                   00004550
Machine:                     014C - Intel 386
Number of sections:          000C
Time/Date stamp:             2A425E19
Pointer to symbol table:     00000000
Number of symbols:           00000000
Size of optional header:     00E0
Characteristics:             818E
Magic:                       010B
Linker version (major):      02
Linker version (minor):      19
Size of code:                000030FC
Size of initialized data:    0000C000
Size of uninitialized data:  00000000
Address of entry point:      00003F54
Base of code:                00001000
Base of data:                00004000
Image base:                  00400000
Section alignment:           00001000
File alignment:              00000200
OS version (major):          0004
OS version (minor):          0000
Image version (major):       0000
Image version (minor):       0000
Sub system version (major):  0004
Sub system version (minor):  0000
Win32 version:               00000000
Size of image:               0001A000
Size of headers:             00000400
Checksum:                    00000000
Sub system:                  0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics:         0000
Size of stack reserve:       00100000
Size of stack commit:        00004000
Size of heap reserve:        00100000
Size of heap commit:         00001000
Loader flags:                00000000
Number of RVA:               00000010

PE Sections
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CENSORED  00002F70  00001000  00003000  00000400  E0000020
CENSORED  000000C0  00004000  00000200  00003400  C0000040
CENSORED  00000681  00005000  00000000  00003600  C0000000
CENSORED  0000052A  00006000  00000600  000036FF  C0000040
CENSORED  00000008  00007000  00000000  00003C00  C0000000
CENSORED  00000018  00008000  00000200  00003C00  D0000040
CENSORED  00000370  00009000  00000400  00003E00  D0000040
CENSORED  0000B088  0000A000  0000B200  00004200  50000040
CENSORED  00001000  00016000  00000200  0000F400  E0000020
CENSORED  00001000  00017000  00000052  0000F600  E0000020
CENSORED  00001000  00018000  FF000066  0000F800  E0000020
CENSORED  00001000  00019000  0000007A  0000FA00  60000020

Process Details:
Filename:     vertrag.exe
MD5:          88c6f4706e5d4a5467cfff38a2624b7b
SHA-1:        2b6b0e81f3fba9ac4f5c207e59c526e8f4fe9337
File Size:    64122 Bytes
Command Line: C:\vertrag.exe

Load Time DLL:
Module Name                          Base Address  Size
C:\WINDOWS\system32\ntdll.dll        0x7C900000    0x000B0000
C:\WINDOWS\system32\kernel32.dll     0x7C800000    0x000F5000
C:\WINDOWS\system32\user32.dll       0x7E410000    0x00090000
C:\WINDOWS\system32\GDI32.dll        0x77F10000    0x00047000
C:\WINDOWS\system32\advapi32.dll     0x77DD0000    0x0009B000
C:\WINDOWS\system32\RPCRT4.dll       0x77E70000    0x00092000
C:\WINDOWS\system32\Secur32.dll      0x77FE0000    0x00011000
C:\WINDOWS\system32\IMM32.DLL        0x76390000    0x0001D000

Run Time DLL:
Module Name                          Base Address  Size
C:\WINDOWS\system32\Normaliz.dll     0x00890000    0x00009000
C:\WINDOWS\system32\iertutil.dll     0x42990000    0x00045000
C:\WINDOWS\system32\wininet.dll      0x42C10000    0x000CF000
C:\WINDOWS\system32\comctl32.dll     0x5D090000    0x0009A000
C:\WINDOWS\system32\psapi.dll        0x76BF0000    0x0000B000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\ole32.dll        0x774E0000    0x0013D000
C:\WINDOWS\system32\crypt32.dll      0x77A80000    0x00094000
C:\WINDOWS\system32\MSASN1.dll       0x77B20000    0x00012000
C:\WINDOWS\system32\msvcrt.dll       0x77C10000    0x00058000
C:\WINDOWS\system32\SHLWAPI.dll      0x77F60000    0x00076000
C:\WINDOWS\system32\shell32.dll      0x7C9C0000    0x00815000

Registry Values Modified:
Key                                                           Name      New Value
HKLM\software\microsoft\windows nt\currentversion\winlogon    userinit  C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,

Registry Reads:
Key                                                                    Name          Value                              Times
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  USER                               1
HKLM\software\microsoft\windows nt\currentversion\winlogon             userinit      C:\WINDOWS\system32\userinit.exe,  2

Files Created:
C:\WINDOWS\system32\ntos.exe

Files Read:
PIPE\lsarpc

Files Modified:
PIPE\lsarpc

Affected Process:
C:\WINDOWS\system32\winlogon.exe

Foreign Memory Accessed:
Process: C:\WINDOWS\system32\winlogon.exe

------------------------------------------------------------------------------

Process Started:
Analysis Reason: vertrag.exe injected a remote thread into this process
Filename:     winlogon.exe
Command Line: winlogon.exe

Files Created:
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
pipe\__SYSTEM__64AD0625__

Files Read & Modified:
PIPE\lsarpc

Directory Monitored:
Directory            Watch subtree  Notify Filter                                                                                                                                        Count
C:\WINDOWS\system32  0              File Name Change,Directory Name Change,Name Change,Size Change,Last Write Change,Creation Change,Stream Size Change,Stream Write Change  1

Process Thread Created:
Affected Process: C:\WINDOWS\system32\svchost.exe

------------------------------------------------------------------------------

Process Started:
Analysis Reason: winlogon.exe injected a remote thread into this process
Filename:     svchost.exe
MD5:          8f078ae4ed187aaabc0a305146de6716
SHA-1:        da0ff4006859a7580aba81f486f692dead2014fe
File Size:    14336 Bytes
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch

Registry Changed:
Key                                                                        Name     New Value
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\WINDOWS\system32\config\systemprofile\Cookies
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  History  C:\WINDOWS\system32\config\systemprofile\Local Settings\History

Registry Read:
Key                                                                                          Name             Value                                                 Times
HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  EnableFirewall   0                                                     1
HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32                              C:\WINDOWS\system32\hnetcfg.dll                       1
HKLM\Software\Classes\\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32             ThreadingModel   Both                                                  1
HKLM\Software\Microsoft\COM3                                                                  Com+Enabled      1                                                     2
HKLM\Software\Microsoft\COM3                                                                  REGDBVersion     0x0f00000000000000                                    2
HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                      EnableNegotiate  1                                                     1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders            Cache            %USERPROFILE%\Local Settings\Temporary Internet Files  1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders            Cookies          %USERPROFILE%\Cookies                                  1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders            History          %USERPROFILE%\Local Settings\History                   1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache             Signature        Client UrlCache MMF Ver 5.2                            2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content     CacheLimit       163410                                                1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content     CachePrefix                                                            2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content     PerUserItem      1                                                     1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies     CacheLimit       8192                                                  1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies     CachePrefix      Cookie:                                               2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies     PerUserItem      1                                                     1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History     CacheLimit       8192                                                  1
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History     CachePrefix      Visited:                                              2
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History     PerUserItem      1                                                     1

Monitored Registry Key:
Key Name                      Watch subtree  Notify Filter            Count
HKLM\Software\Classes         1              Key Change,Value Change  3
HKLM\Software\Classes\CLSID   1              Key Change,Value Change  2
HKLM\Software\Microsoft\COM3  1              Key Change,Value Change  6
HKU                           1              Key Change,Value Change  3

File Read & Modified:
PIPE\lsarpc

------------------------------------------------------------------------------

NETWORK ACTIVITY:

TCP Connection Attempts:
From SandBox:1884 to 207.159.41.205:139

IP Information - 207.159.41.205
IP address:                 207.159.41.205
Reverse DNS:                [No reverse DNS entry per b.ns.verio.net.]
Reverse DNS authenticity:   [Unknown]
ASN:                        2914
ASN Name:                   NTTA-2914
IP range connectivity:      4
Registrar (per ASN):        ARIN
Country (per IP registrar): US [United States]

WHOIS - 207.159.41.205
Location:   United States [City: ]
OrgName:    NTT America, Inc.
OrgID:      NTTAM-1
Address:    8005 South Chester Street
Address:    Suite 200
City:       Centennial
StateProv:  CO
PostalCode: 80112
Country:    US
NetRange:   207.159.0.0 - 207.159.63.255
CIDR:       207.159.0.0/18
NetName:    NTTA-207-159
NetHandle:  NET-207-159-0-0-1
Parent:     NET-207-0-0-0-0
NetType:    Direct Allocation
NameServer: AUTH21.NS.GIN.NTT.NET
NameServer: AUTH22.NS.GIN.NTT.NET
NameServer: AUTH23.NS.GIN.NTT.NET
NameServer: AUTH24.NS.GIN.NTT.NET
NameServer: AUTH25.NS.GIN.NTT.NET

------------------------------------------------------------------------------
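Three things in the PE header and section table above deserve a second look before the sample is run at all: the eleventh section declares 0xFF000066 bytes of raw data inside a 64122-byte file (a loader that checks bounds will refuse it, a lenient one maps what exists, and many quick parsers simply crash), four sections are mapped writable and executable at once, and the link timestamp 0x2A425E19 is the fixed value Borland Delphi linkers emit rather than a build date, which agrees with AVG's Dropper.Delf name. The following script is an added example, not part of the sandbox report or its tooling; every numeric value in it is transcribed from the report above, section names were CENSORED there so sections are referred to by their 1-based index, and the Characteristics bit values are the winnt.h constants.

```python
"""Static sanity checks over the PE header and section table of vertrag.exe.

Added example; all values below are transcribed from the sandbox report
(section names were CENSORED in the report, so sections are indexed 1..12).
"""
import datetime

FILE_SIZE = 64122             # File size: 64122 bytes
FILE_ALIGNMENT = 0x200        # File alignment: 00000200
ENTRY_POINT_RVA = 0x3F54      # Address of entry point: 00003F54
TIME_DATE_STAMP = 0x2A425E19  # Time/Date stamp: 2A425E19

# Fixed link timestamp written by Borland Delphi linkers (not a real build date).
DELPHI_FIXED_TIMESTAMP = 0x2A425E19

# IMAGE_SECTION_HEADER.Characteristics bits (winnt.h)
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
SECTIONS = [
    (0x2F70, 0x01000, 0x00003000, 0x0400, 0xE0000020),
    (0x00C0, 0x04000, 0x00000200, 0x3400, 0xC0000040),
    (0x0681, 0x05000, 0x00000000, 0x3600, 0xC0000000),
    (0x052A, 0x06000, 0x00000600, 0x36FF, 0xC0000040),
    (0x0008, 0x07000, 0x00000000, 0x3C00, 0xC0000000),
    (0x0018, 0x08000, 0x00000200, 0x3C00, 0xD0000040),
    (0x0370, 0x09000, 0x00000400, 0x3E00, 0xD0000040),
    (0xB088, 0x0A000, 0x0000B200, 0x4200, 0x50000040),
    (0x1000, 0x16000, 0x00000200, 0xF400, 0xE0000020),
    (0x1000, 0x17000, 0x00000052, 0xF600, 0xE0000020),
    (0x1000, 0x18000, 0xFF000066, 0xF800, 0xE0000020),
    (0x1000, 0x19000, 0x0000007A, 0xFA00, 0x60000020),
]


def check_sections(sections, file_size=FILE_SIZE, file_alignment=FILE_ALIGNMENT,
                   entry_rva=ENTRY_POINT_RVA):
    """Return (entry point section index or None, list of (index, code, detail)).

    Codes: RAW_PAST_EOF      raw data runs past the end of the file
           RAW_PTR_UNALIGNED PointerToRawData not a multiple of FileAlignment
           RAW_SIZE_UNALIGNED SizeOfRawData not a multiple of FileAlignment
           VIRTUAL_ONLY      no bytes on disk but a virtual extent, and not
                             flagged as uninitialized data (filled at runtime)
           WX                section is both writable and executable
    """
    findings = []
    ep_section = None
    for idx, (vsize, vaddr, rsize, raddr, flags) in enumerate(sections, 1):
        if rsize and raddr + rsize > file_size:
            findings.append((idx, "RAW_PAST_EOF",
                             "0x%X + 0x%X exceeds file size %d" % (raddr, rsize, file_size)))
        if raddr % file_alignment:
            findings.append((idx, "RAW_PTR_UNALIGNED", "PointerToRawData 0x%X" % raddr))
        if rsize and rsize % file_alignment:
            findings.append((idx, "RAW_SIZE_UNALIGNED", "SizeOfRawData 0x%X" % rsize))
        if rsize == 0 and vsize and not flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA:
            findings.append((idx, "VIRTUAL_ONLY", "0x%X virtual bytes, none on disk" % vsize))
        if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
            findings.append((idx, "WX", "Characteristics 0x%08X" % flags))
        # Entry point lookup uses the larger of the two extents, as the loader does.
        if vaddr <= entry_rva < vaddr + max(vsize, rsize):
            ep_section = idx
    if ep_section is None:
        findings.append((0, "EP_OUTSIDE", "entry RVA 0x%X is in no section" % entry_rva))
    return ep_section, findings


def describe_timestamp(ts):
    """Return (UTC time string, True if it is the Delphi fixed timestamp)."""
    when = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc)
    return when.strftime("%Y-%m-%d %H:%M:%S"), ts == DELPHI_FIXED_TIMESTAMP


if __name__ == "__main__":
    stamp, is_delphi = describe_timestamp(TIME_DATE_STAMP)
    print("link time %s%s" % (stamp, " (Delphi fixed timestamp)" if is_delphi else ""))
    ep, findings = check_sections(SECTIONS)
    print("entry point 0x%X lies in section %s" % (ENTRY_POINT_RVA, ep))
    for idx, code, detail in findings:
        print("section %2d  %-18s %s" % (idx, code, detail))
```

Run against the report's values it places the entry point in section 1, flags sections 1, 9, 10 and 11 as W+X, section 11 as running past end of file, section 4 as having an unaligned raw pointer (0x36FF), and sections 3 and 5 as virtual-only. Replace the transcribed tuples with the output of a real PE parser when applying this to a fresh sample.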
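The persistence mechanism in the report is the Winlogon Userinit edit: vertrag.exe drops C:\WINDOWS\system32\ntos.exe and rewrites the Userinit value from "C:\WINDOWS\system32\userinit.exe," to "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,", so Winlogon launches the dropper's payload at every interactive logon alongside the real userinit.exe. The trailing comma is normal for this value; what matters is any entry other than the stock binary. The script below is an added example (not part of the report) that parses a Userinit string, flags entries other than the genuine userinit.exe, and diffs an old and a new value as a sandbox or EDR would. It assumes a system root of C:\WINDOWS by default and assumes that only the stock userinit.exe, given by full path, by %SystemRoot% path or by bare name, is legitimate; the old and new values are transcribed from the report, and the optional live read uses the standard winreg module on Windows hosts.

```python
"""Detect programs appended to the Winlogon Userinit value.

Added example. OBSERVED_OLD/OBSERVED_NEW are transcribed from the sandbox
report above; the legitimate-entry set is an assumption of this example.
"""
import ntpath
import re

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# From the report: value read before the change, and the value written.
OBSERVED_OLD = r"C:\WINDOWS\system32\userinit.exe,"
OBSERVED_NEW = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"


def parse_userinit(value):
    """Split a Userinit REG_SZ into its program entries.

    Winlogon runs every comma-separated entry at logon. A trailing comma is
    normal and yields no entry; quotes and surrounding whitespace are dropped.
    """
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"').strip()
        if item:
            entries.append(item)
    return entries


def normalize(path, system_root=r"C:\WINDOWS"):
    """Canonical comparison form: expand %SystemRoot%, normalize separators,
    lower-case (NTFS paths are case-insensitive)."""
    expanded = re.sub(r"%systemroot%", system_root, path, flags=re.IGNORECASE)
    return ntpath.normpath(expanded).lower()


def legitimate_entries(system_root=r"C:\WINDOWS"):
    """Assumption: only the stock userinit.exe belongs in this value."""
    full = ntpath.join(system_root, "system32", "userinit.exe")
    return {normalize(full, system_root), "userinit.exe"}


def suspicious_userinit_entries(value, system_root=r"C:\WINDOWS"):
    """Entries in a Userinit value that are not the stock userinit.exe."""
    legit = legitimate_entries(system_root)
    return [e for e in parse_userinit(value) if normalize(e, system_root) not in legit]


def added_userinit_entries(old_value, new_value, system_root=r"C:\WINDOWS"):
    """Entries present in new_value but not in old_value (a registry-write diff)."""
    before = {normalize(e, system_root) for e in parse_userinit(old_value)}
    return [e for e in parse_userinit(new_value) if normalize(e, system_root) not in before]


def read_live_userinit():
    """Read the live value on a Windows host; returns None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _type = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    print("before:", suspicious_userinit_entries(OBSERVED_OLD))
    print("after: ", suspicious_userinit_entries(OBSERVED_NEW))
    print("added: ", added_userinit_entries(OBSERVED_OLD, OBSERVED_NEW))
    live = read_live_userinit()
    if live is not None:
        print("this host:", live, "->", suspicious_userinit_entries(live))
```

On the report's values the diff yields exactly C:\WINDOWS\system32\ntos.exe. When running the live check on a real host, pass the host's actual %SystemRoot% as system_root if it is not C:\WINDOWS, and treat any extra entry as a finding to triage rather than an automatic verdict, since some legitimate management agents also register here.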