Download Link: hxxp://smileydistrict.com/sds.cab
File Name: sds.cab

VirusTotal Result: 8/32 (25%)
  Avast      4.8.1169.0    2008.04.13  Win32:Trojan-gen {Other}
  DrWeb      4.44.0.09170  2008.04.13  DLOADER.Trojan
  F-Secure   6.70.13260.0  2008.04.13  Trojan-Spy.Win32.Agent.bnl
  Fortinet   3.14.0.0      2008.04.13  Spy/Agent
  Ikarus     T3.1.1.26.0   2008.04.13  Win32.SuspectCrc
  Kaspersky  7.0.0.125     2008.04.13  Trojan-Spy.Win32.Agent.bnl
  Prevx1     V2            2008.04.13  Heuristic: Suspicious Self Modifying File
  Rising     20.39.62.00   2008.04.13  Trojan.Spy.Agent.wb

File Info:
  File size: 883026 bytes
  MD5:    9b12ce934ebbded843891687ab5b0342
  SHA1:   71026fa8ee534cdc4b5b159e6b35754f6c98ac47
  SHA256: 95884865045015033dedd9fdc2eb9f563685b6020cbb9637b8bbf503e25178ed
  SHA512: d8aebe6a3ba674127d86ed1830159f1fb59ce1bb8892622f201359a138b7dfe6235e0fe82c0780c201c6529f273d1d0c8f0db98cf9afa7b32a960b71cef59f4b
  Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=DE03BC6990AD71EEF45F0D4D917C0C00FD2F3FCB
  Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=9b12ce934ebbded843891687ab5b0342

Archive preview:
  Modified             Size    Ratio  CRC32  File name
  3/3/2004 2:57:44 PM  893 KB                sds.exe
  2/4/2004 5:09:20 PM  195 B                 sds.INF

File Name: sds.exe

VirusTotal Result: 5/32 (15.62%)
  Avast   -  -  Win32:Trojan-gen {Other}
  DrWeb   -  -  DLOADER.Trojan
  Ikarus  -  -  Win32.SuspectCrc
  Prevx1  -  -  Heuristic: Suspicious Self Modifying File
  Rising  -  -  Trojan.Spy.Agent.wb

File Info:
  MD5:    454ad6e930b95be87eabd0ba4122e3d2
  SHA1:   2d4e38bd388d49fccd623d7da7d96174fc63fe27
  SHA256: ffa7b76d953b30b8f5af3e3d5149861d122a8aaa1bd586b0553d02b37bb18943
  SHA512: 0893b13bedc333c3884973e531c8b31be6c6c025575834c74351985b8f21ed59060329309dcd4ab7df7a156c96ea4ec30ab8a5bfb23f91826e34718b05da63c4

PE Header:
  Signature: 00004550
  Machine: 014C - Intel 386
  Number of sections: 0008
  Time/Date stamp: 2A425E19
  Pointer to symbol table: 00000000
  Number of symbols: 00000000
  Size of optional header: 00E0
  Characteristics: 818F
  Magic: 010B
  Linker version (major): 02
  Linker version (minor): 19
  Size of code: 0000BE00
  Size of initialized data: 00005200
  Size of uninitialized data: 00000000
  Address of entry point: 0000C5D8
  Base of code: 00001000
  Base of data: 0000D000
  Image base: 00400000
  Section alignment: 00001000
  File alignment: 00000200
  OS version (major): 0001
  OS version (minor): 0000
  Image version (major): 0000
  Image version (minor): 0000
  Sub system version (major): 0004
  Sub system version (minor): 0000
  Win32 version: 00000000
  Size of image: 00018000
  Size of headers: 00000400
  Checksum: 00000000
  Sub system: 0002 - Windows graphical user interface (GUI) subsystem
  DLL characteristics: 0000
  Size of stack reserve: 00100000
  Size of stack commit: 00004000
  Size of heap reserve: 00100000
  Size of heap commit: 00001000
  Loader flags: 00000000
  Number of RVA: 00000010

PE Sections:
  Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
  CODE     0000BD68  00001000  0000BE00  00000400  60000020
  DATA     00001800  0000D000  00001800  0000C200  C0000040
  BSS      000010B4  0000F000  00000000  0000DA00  C0000000
  .idata   00000850  00011000  00000A00  0000DA00  C0000040
  .tls     00000008  00012000  00000000  0000E400  C0000000
  .rdata   00000018  00013000  00000200  0000E400  50000040
  .reloc   000008D4  00014000  00000000  00000000  50000040
  .rsrc    00002400  00015000  00002400  0000E600  50000040

Import table (libraries: 8):
  kernel32.dll (imports: 28): DeleteCriticalSection LeaveCriticalSection EnterCriticalSection InitializeCriticalSection VirtualFree VirtualAlloc LocalFree LocalAlloc WideCharToMultiByte TlsSetValue TlsGetValue MultiByteToWideChar GetModuleHandleA GetLastError GetCommandLineA WriteFile SetFilePointer SetEndOfFile RtlUnwind ReadFile RaiseException GetStdHandle GetFileSize GetSystemTime GetFileType ExitProcess CreateFileA CloseHandle
  user32.dll (imports: 1): MessageBoxA
  oleaut32.dll (imports: 5): VariantChangeTypeEx VariantCopyInd VariantClear SysStringLen SysAllocStringLen
  advapi32.dll (imports: 5): RegQueryValueExA RegOpenKeyExA RegCloseKey OpenProcessToken LookupPrivilegeValueA
  kernel32.dll (imports: 28): VirtualQuery VirtualProtect Sleep SetLastError SetErrorMode RemoveDirectoryA GetWindowsDirectoryA GetVersionExA GetUserDefaultLangID GetSystemInfo GetSystemDefaultLCID GetProcAddress GetModuleHandleA GetModuleFileNameA GetLocaleInfoA GetLastError GetFullPathNameA GetFileAttributesA GetExitCodeProcess GetEnvironmentVariableA GetCurrentProcess GetCommandLineA GetCPInfo FormatMessageA DeleteFileA CreateProcessA CreateDirectoryA CloseHandle
  user32.dll (imports: 14): TranslateMessage SetWindowLongA PeekMessageA MsgWaitForMultipleObjects MessageBoxA LoadStringA GetSystemMetrics ExitWindowsEx DispatchMessageA DestroyWindow CreateWindowExA CallWindowProcA CharPrevA CharNextA
  comctl32.dll (imports: 1): InitCommonControls
  advapi32.dll (imports: 1): AdjustTokenPrivileges

Process Details:
  Process ID: 224
  Filename: C:\sds.exe
  Filesize: 914576 bytes
  MD5: 454ad6e930b95be87eabd0ba4122e3d2
  Start Reason: AnalysisTarget

  New Files Created:
    C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp

  Opened Files:
    C:\sds.exe
    \SystemRoot\AppPatch\sysmain.sdb
    \SystemRoot\AppPatch\systest.sdb
    \Device\NamedPipe\ShimViewer
    C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp

  Sequence of File System Activity:
    Open File: C:\sds.exe (OPEN_EXISTING)
    Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
    Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp Flags: (SECURITY_ANONYMOUS)
    Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp Flags: (SECURITY_ANONYMOUS)
    Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp
    Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
    Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
    Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
    Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp ()
    Find File: is-B054N.tmp

  Registry Reads:
    HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"

  Process Management:
    Creates Process - Filename: () CommandLine: (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp /SL4 $100C8 C:\sds.exe 902992 68096 ) As User: () Creation Flags: ()

Process Created:
  Process ID: 756
  Filename: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-4BHQG.tmp\is-B054N.tmp /SL4 $100C8 C:\sds.exe 902992 68096
  Filesize: 555520 bytes
  MD5: b9a25ddbc177eced2ad1fbeb8c872139
  Start Reason: CreateProcess

  COM Activity:
    COM Create Instance: %SystemRoot%\System32\cscui.dll, ProgID: (), Interface ID: ({0C6C4200-C589-11D0-999A-00C04FD655E1})

  New Files Created:
    C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-I8BM5.tmp\_shfoldr.dll

  Opened Files:
    C:\sds.exe
    C:\WINDOWS\System32\cscui.dll
    \\.\shadow
    \\.\PIPE\lsarpc

  Sequence of File System Activity:
    Open File: C:\sds.exe (OPEN_EXISTING)
    Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
    Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-I8BM5.tmp Flags: (SECURITY_ANONYMOUS)
    Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\is-I8BM5.tmp\_shfoldr.dll
    Open File: C:\WINDOWS\System32\cscui.dll (OPEN_EXISTING)
    Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
    Open File: \\.\shadow (OPEN_EXISTING)
    Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
    Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
    Find File: C:\*.*
    Find File: Program Files
    Find File: C:\Program Files\*.*
    Find File: C:\Documents and Settings\All Users\Start Menu\Programs\*
    Read INI File: WIN.INI [windows] ScrollInset =
    Read INI File: WIN.INI [windows] DragDelay =
    Read INI File: WIN.INI [windows] DragMinDist =
    Read INI File: WIN.INI [windows] ScrollDelay =
    Read INI File: WIN.INI [windows] ScrollInterval =
    Read INI File: WIN.INI [richedit30] flags =

  Registry Reads:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "CommonFilesDir"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization"
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
    HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32 ""

  System Info:
    Get System Directory
    Get Windows Directory
    Get System Time

  Window:
    Destroy Window - Class Name (TWizardForm) Window Name (Setup - Smiley District)