Download Link: hxxp://888.17qb.com/hexinddos.exe
File Name: hexinddos.exe

VirusTotal Result: 10/32 (31.25%)
AntiVir           7.8.0.8        2008.04.22  TR/Dldr.Root.258048
AVG               7.5.0.516      2008.04.21  Agent.3.L
CAT-QuickHeal     9.50           2008.04.21  (Suspicious) - DNAScan
F-Secure          6.70.13260.0   2008.04.22  Rootkit.Win32.KernelBot.d
Ikarus            T3.1.1.26.0    2008.04.22  Virus.Win32.Visel.E
Kaspersky         7.0.0.125      2008.04.22  Rootkit.Win32.KernelBot.d
NOD32v2           3044           2008.04.21  a variant of Win32/NetGuy
Panda             9.0.0.4        2008.04.21  Suspicious file
Sunbelt           3.0.1056.0     2008.04.17  VIPRE.Suspicious
Webwasher-Gateway 6.6.2          2008.04.21  Trojan.Dldr.Root.258048

File Info:
File size: 341504 bytes
MD5...: c321b997d4e8d442a7fb446c4107ba7b
SHA1..: e7ab17a1d9ed8d3df9f7ca64eb387b514a294ca7
SHA256: 8b7c6faabec62387523795675416b1466db5691ce97afb9263ac1bc3ef92f16a
SHA512: 58e3c865956beb9ffbb309f5faa0c532c8c0ea7d7bce664cb64f47fb980016b08427ccd742b21b043fb4ec1f94c5a3d3d80506d86efb54ab77cde6e803c8f191

PE Structure:
entry point address.: 0x401000
time date stamp.....: 0x47f74d98 (Sat Apr 05 09:59:52 2008)
machine type........: 0x14c (I386)

***** Resources ****************************************************
--- DLL ------------------------------------------------------------
SHELL_DLL
--- SYS ------------------------------------------------------------
SHELL_BYPASS
--- XP Manifest ----------------------------------------------------
1

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0007
Time/Date stamp: 47F74D98
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 07
Linker version (minor): 0A
Size of code: 00003000
Size of initialized data: 0003A000
Size of uninitialized data: 00000000
Address of entry point: 00001000
Base of code: 00001000
Base of data: 00004000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00083000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
(no name) 00003000  00001000  00001800  00001000  E0000040
(no name) 00001000  00004000  00000C00  00002800  E0000040
(no name) 0000B000  00005000  00000200  00003400  E0000040
.rsrc     0002E000  00010000  0000D800  00003600  E0000040
(no name) 00001000  0003E000  00000200  00010E00  E0000040
.data     00043000  0003F000  00042600  00011000  E0000040
.adata    00001000  00082000  00000000  00053600  E0000040

***** Import/Export table ******************************************
--- Import table (libraries: 5) ------------------------------------
> kernel32.dll: GetProcAddress, GetModuleHandleA, LoadLibraryA
> user32.dll: CreateWindowExW
> advapi32.dll: RegisterServiceCtrlHandlerW
> oleaut32.dll: VariantChangeTypeEx
> kernel32.dll: RaiseException

Process Details:
Process ID: 2420
Filename: C:\file.exe
Filesize: 341504 bytes
MD5: c321b997d4e8d442a7fb446c4107ba7b
Start Reason: AnalysisTarget

New Files Created:
C:\WINDOWS\system32\KernelBots.tmp
C:\WINDOWS\system32\Spcvls.sys
C:\WINDOWS\system32\drivers\Beep.sys
C:\WINDOWS\system32\drivers\Beep.sys
C:\WINDOWS\system32\Spcvls.exe
C:\WINDOWS\system32\Spcvls.dll

Opened Files:
\\.\SICE
\\.\NTICE
\\.\SIWVID
C:\WINDOWS\system32\drivers\Beep.sys
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Spcvls.exe
C:\WINDOWS\system32\Spcvls.dll

Deleted Files:
C:\WINDOWS\system32\Spcvls.sys
C:\WINDOWS\system32\KernelBots.tmp
C:\WINDOWS\system32\Spcvls.exe

Chronological order:
Find File: C:\aspr_keys.ini
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVID (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\drivers\Beep.sys (OPEN_EXISTING)
Copy File: C:\file.exe to C:\WINDOWS\system32\KernelBots.tmp
Delete File: C:\WINDOWS\system32\Spcvls.sys
Copy File: C:\WINDOWS\system32\drivers\Beep.sys to C:\WINDOWS\system32\Spcvls.sys
Create File: C:\WINDOWS\system32\drivers\Beep.sys
Copy File: C:\WINDOWS\system32\Spcvls.sys to C:\WINDOWS\system32\drivers\Beep.sys
Delete File: C:\WINDOWS\system32\KernelBots.tmp
Delete File: C:\WINDOWS\system32\Spcvls.exe
Copy File: C:\file.exe to C:\WINDOWS\system32\Spcvls.exe
Open File: C:\WINDOWS\system32\winlogon.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\Spcvls.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\Spcvls.exe
Create File: C:\WINDOWS\system32\Spcvls.dll
Open File: C:\WINDOWS\system32\Spcvls.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\Spcvls.dll

Registry Changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spcvlsvs "Description" = ???????????????????????????????????,????????????????

Services:
Open Service Manager - Name: "SCM"
Open Service - Name: "beep"
Open Service - Name: "SpcvlsvsDrv"
Open Service - Name: "Spcvlsvs"
Create Service - Name: (SpcvlsvsDrv) Display Name: (SpcvlsvsDrv) File Name: (C:\WINDOWS\system32\Spcvls.sys) Control: () Start Type: (SERVICE_DEMAND_START)
Create Service - Name: (Spcvlsvs) Display Name: (Spcvl Srv) File Name: (C:\WINDOWS\system32\Spcvls.exe) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (beep) Display Name: () File Name: () Control: () Start Type: ()
Start Service - Name: (Spcvlsvs) Display Name: () File Name: () Control: () Start Type: ()
Control Service - Name: (beep) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()

Process Started:
Process ID: 692
Filename: services.exe
Filesize: 108032 bytes
MD5: c6ce6eec82f187615d1002bb3bb50ed4
Start Reason: SCM
Creates Process: Filename - C:\WINDOWS\system32\Spcvls.exe

Service Management:
Unload Driver - Name: (_HANDLE(0)_) Display Name: () File Name: () Control: () Start Type: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\Beep) File Name: ()
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\SpcvlsvsDrv) File Name: ()

Process Started:
Process ID: 2500
Filename: C:\WINDOWS\system32\Spcvls.exe
Filesize: 341504 bytes
MD5: c321b997d4e8d442a7fb446c4107ba7b
Start Reason: CreateProcess

New Files Created:
C:\WINDOWS\system32\KernelBots.tmp
C:\WINDOWS\system32\Spcvls.sys

Opened Files:
\\.\SICE
\\.\NTICE
\\.\SIWVID
\\.\PIPE\lsarpc
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Program Files\Internet Explorer\IEXPLORE.EXE

Deleted Files:
C:\WINDOWS\system32\Spcvls.sys
C:\WINDOWS\system32\KernelBots.tmp

Chronological order:
Find File: C:\WINDOWS\system32\aspr_keys.ini
Open File: \\.\SICE (OPEN_EXISTING)
Open File: \\.\NTICE (OPEN_EXISTING)
Open File: \\.\SIWVID (OPEN_EXISTING)
Copy File: C:\WINDOWS\system32\Spcvls.exe to C:\WINDOWS\system32\KernelBots.tmp
Create File: C:\WINDOWS\system32\Spcvls.sys
Delete File: C:\WINDOWS\system32\Spcvls.sys
Delete File: C:\WINDOWS\system32\KernelBots.tmp
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Program Files\Internet Explorer\IEXPLORE.EXE ()
Find File: IEXPLORE.EXE

Process Management:
Creates Process - Filename () CommandLine: (C:\Program Files\Internet Explorer\IEXPLORE.EXE) As User: () Creation Flags: (CREATE_SUSPENDED)
Enum Modules - Target PID: (692)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (692)
Open Process - Filename () Target PID: (2568)

Services:
Open Service Manager - Name: "SCM"
Open Service - Name: "SpcvlsvsDrv"
Start Service - Name: (SpcvlsvsDrv) Display Name: () File Name: () Control: () Start Type: ()

Process Started:
Process ID: 2568
Filename: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Filesize: 93184 bytes
MD5: e7484514c0464642be7b4dc2689354c8
Start Reason: CreateProcess

COM Activities:
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({A5ACA655-7FB8-43DC-A433-8D87B69C70A0})
COM Create Instance: C:\WINDOWS\system32\mlang.dll, ProgID: (), Interface ID: ({275C23E1-3747-11D0-9FEA-00AA003F8646})
COM Create Instance: C:\WINDOWS\system32\msimtf.dll, ProgID: (), Interface ID: ({08C0E040-62D1-11D1-9326-0060B067B86E})
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({062E1261-A60E-11D0-82C2-00C04FD5AE38})
COM Get Class Object: C:\WINDOWS\system32\shdocvw.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: %SystemRoot%\system32\mshtml.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})

New Files Created:
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\WINDOWS\system32\Spcvls.ini
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT

Deleted Files:
C:\WINDOWS\system32\NTDLL.DLL

Read INI File:
C:\WINDOWS\system32\Spcvls.ini [UpdateServer] NewVersion =
C:\WINDOWS\system32\Spcvls.ini [KernelSetting] IsDownFileRun0 =
C:\WINDOWS\system32\Spcvls.ini [KernelSetting] IsReportState =
C:\WINDOWS\system32\Spcvls.ini [KernelSetting] ReportStateUrl =
C:\WINDOWS\system32\Spcvls.ini [KernelSetting] IsDownFileRun1 =
WIN.INI [windows] DragScrollInset =
WIN.INI [windows] DragScrollDelay =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragScrollInterval =
C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\LocalService\Local Settings\History\desktop.ini [.ShellClassInfo] LocalizedResourceName =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] IsScriptFlood =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] CmdID =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] ScriptFloodUrl =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] ScriptFloodDNS =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] ScriptFloodPort =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] ThreadCount =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] Timer =
C:\WINDOWS\system32\Spcvls.ini [DDOS_ScriptFlood] IsTimer =
C:\WINDOWS\system32\Spcvls.ini [DDOS_TcpFlood] IsTcpFlood =
C:\WINDOWS\system32\Spcvls.ini [KernelSetting] IsDownFileRun2 =

Mutexes:
Creates Mutex: RasPbFile
Creates Mutex: CTF.LBES.MutexDefaultS-1-5-18
Creates Mutex: CTF.Compart.MutexDefaultS-1-5-18
Creates Mutex: CTF.Asm.MutexDefaultS-1-5-18
Creates Mutex: CTF.Layouts.MutexDefaultS-1-5-18
Creates Mutex: CTF.TMD.MutexDefaultS-1-5-18
Creates Mutex: MSIMGSIZECacheMutex
Creates Mutex: _!SHMSFTHISTORY!_
Opens Mutex: WininetStartupMutex
Opens Mutex: _!SHMSFTHISTORY!_

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
_HKEY(2032)_ "NumShape"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\ "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\ "EnableAnchorContext"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{ff393560-c2a7-11cf-bff4-444553540000}\InProcServer32 ""

Network Activity:
DNS Lookup:
Host Name       IP Address
218.61.20.195   218.61.20.195

Download URLs:
hxxp://218.6.9.40/hexinddos.txt (218.6.9.40)
hxxp://218.6.9.40/hexin.htm (218.6.9.40)
hxxp://121.11.69.212/1814151.asp (121.11.69.212)
hxxp://122.224.146.85/go.asp?we=A-Free-Service-for-Webmasters&svid=15&id=1814151&style=0&vpage=http%3A%2F%2F888%2E17qb%2Ecom%2Fhexin%2Ehtm&25187.45.gif (122.224.146.85)
hxxp://218.61.20.195http://218.61.20.195/ (218.61.20.195)

Outgoing connection to remote server: 218.6.9.40 TCP port 80
Outgoing connection to remote server: 121.11.69.212 TCP port 80
Outgoing connection to remote server: 122.224.146.85 TCP port 80
Outgoing connection to remote server: 218.61.20.195 TCP port 80