Download Link: hxxp://search4top.net/MSPCA32.cab
File Name: MSPCA32.cab

File Info:
File size: 58280 bytes
MD5...: 927859db8e6e58fe14b1f9248f74da0c
SHA1..: 80061b51522b5e305cffc791892787797dbb5eb0
SHA256: 18572fa3713f64c92d246f20eee910287403b7d472c12ed3ca4d98cf4bb43a8f
SHA512: 959c4cc25c58d3adb895ab88c6574077d9a98f67020dac4dfe9f83bb88fe0f73c77517ff64462b170a5801c02d2ac842bf2cff8eca9f65a83d7a386fa113ef03
packers: UPX

Archive preview:
Modified                Size    Ratio   CRC32   File name
12/26/2007 5:33:46 PM   374 B                   INSTALA.inf
12/27/2007 8:31:18 PM   61 KB                   MSPCA32.dll

File Name: MSPCA32.dll
VirusTotal Result: 9/32 (28.13%)
AntiVir             7.6.0.85     2008.04.11   TR/Bocata.62976
Ikarus              T3.1.1.26    2008.04.13   Trojan.Bocata.62976
Norman              5.80.02      2008.04.12   W32/Dialer.CBLJ
Panda               9.0.0.4      2008.04.12   Adware/Search4Top
Prevx1              V2           2008.04.13   ADWARE.BHO
Sophos              4.28.0       2008.04.13   Mal/Emogen-G
Sunbelt             3.0.1041.0   2008.04.12   Trojan.Bocata.6
Symantec            10           2008.04.13   Dialer.Mostrar
Webwasher-Gateway   6.6.2        2008.04.11   Trojan.Bocata.62976

File size: 62976 bytes
MD5...: 64461d4daf64258e8435ae6a74993970
SHA1..: c5be18cb7f77a2f1d424daa66c9e7ee2137a8fc4
SHA256: db51b4c38a5fb4164791c7f835b7dd66487224a606d7a072de7d85a2625442e2
SHA512: 363266e44d3d6f6b71b66f280cec4b1e7916d3268223fc48e84bce031c728852fa6b722a7556e47385e19b8f9e8bae586a8ba6d66d94a6a3e6e10118e6faf1f5
PEiD..: -

PE Structure information:
Base Data:
Entry Point Address.: 0x10029d50
Time Date Stamp.....: 0x47754f05 (Fri Dec 28 19:31:17 2007)
Machine Type.......: 0x14c (I386)

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 47754F05
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 210E
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 0000B000
Size of initialized data: 00005000
Size of uninitialized data: 0001E000
Address of entry point: 00029D50
Base of code: 0001F000
Base of data: 0002A000
Image base: 10000000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0002F000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections (packed)
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
UPX0     0001E000  00001000  00000000  00000400  E0000080
UPX1     0000B000  0001F000  0000B000  00000400  E0000040
.rsrc    00005000  0002A000  00004200  0000B400  C0000040

Import table (libraries: 7)
KERNEL32.DLL (imports: 3): LoadLibraryA, GetProcAddress, VirtualProtect
ADVAPI32.dll (imports: 1): RegOpenKeyA
ole32.dll    (imports: 1): CoTaskMemFree
OLEAUT32.dll (imports: 1): #2
SHLWAPI.dll  (imports: 1): SHDeleteKeyA
USER32.dll   (imports: 1): SetTimer
WS2_32.dll   (imports: 1): #111

Export table (names: 5, functions: 5)
#0 - DllCanUnloadNow
#1 - DllGetClassObject
#2 - DllRegisterServer
#3 - DllUnregisterServer
#4 - MSPCA32

Unpacking with UPX:
File size              Ratio    Format       Name
--------------------   ------   -----------  -----------
155648 <- 62976        40.46%   win32/pe     MSPCA32.dll

PE Sections (after unpacking)
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00013C3C  00001000  00014000  00001000  60000020
.rdata   00001D0A  00015000  00002000  00015000  40000040
.data    00006134  00017000  00006000  00017000  C0000040
.idata   00001284  0001E000  00002000  0001D000  C0000040
.rsrc    00004BD9  00020000  00005000  0001F000  40000040
.reloc   000015B4  00025000  00002000  00024000  42000040

File System Activity:
CREATE          C:\WINDOWS\system32\SET43.tmp
CREATE          C:\WINDOWS\system32\MSPCA32.dll
WRITE           C:\WINDOWS\system32\SET43.tmp
OPEN            E:\infected\mspca32 extracted\instala.inf
OPEN            E:\Infected\MSPCA32 Extracted\MSPCA32.dll
OPEN            C:\WINDOWS\system32\SET43.tmp
OPEN            C:\WINDOWS\system32\MSPCA32.dll
OPEN            C:\WINDOWS\System32\ShimEng.dll
READ            C:\WINDOWS\system32\MSPCA32.dll
SET INFORMATION C:\WINDOWS\system32\SET43.tmp
DELETE          C:\WINDOWS\system32\SET43.tmp

Registry Values Changed:
HKCU\Software\Microsoft\Search Assistant\ACMru\5603 ---> C:\WINDOWS\system32\MSPCA32.dll
HKLM\Software\Microsoft\Search Assistant\ACMru\5603 ---> C:\WINDOWS\system32\MSPCA32.dll