Download Link: hxxp://centerfornonviolence.com/bitches.exe
File Name: bitches.exe

VirusTotal Result: 18/32 (56.25%)

AntiVir            7.8.0.8        2008.04.21  BDS/IRC.Zapchas.A.2
Avast              4.8.1169.0     2008.04.21  Win32:Zapchast-Z
AVG                7.5.0.516      2008.04.21  IRC/BackDoor.Flood
BitDefender        7.2            2008.04.21  Application.Closeproc.A
ClamAV             0.92.1         2008.04.21  Trojan.IRCBot-96
DrWeb              4.44.0.09170   2008.04.21  Tool.HideApp
eSafe              7.0.15.0       2008.04.21  Win32.IRC
Fortinet           3.14.0.0       2008.04.21  Misc/Closeproc
Ikarus             T3.1.1.26      2008.04.21  Virus.Win32.Zapchast.Z
Kaspersky          7.0.0.125      2008.04.21  Backdoor.Win32.mIRC-based
McAfee             5278           2008.04.21  potentially unwanted program CloseProc
NOD32v2            3043           2008.04.21  Win32/CloseProc.A
Panda              9.0.0.4        2008.04.20  Application/CloseProc.A
Rising             20.41.02.00    2008.04.21  Trojan.Zapchast.gd
Symantec           10             2008.04.21  IRC Trojan
VBA32              3.12.6.4       2008.04.16  BackDoor.IRC.based
Webwasher-Gateway  6.6.2          2008.04.21  Trojan.Backdoor.IRC.Zapchas.A.2

File Info:
File size: 915745 bytes
MD5...: c339a72fd0f49f91dab916f5a785b5c4
SHA1..: d1db9fdfcdd39e37bb9cf99745c4f388f79ebbaf
SHA256: c68812ad22118c3b1eded7dcd3ae379ac5464723f3c8f1e108f0369cec3370e6
SHA512: 8d0a543ec5478e03a3b4343dbb3a266cbcfc334f2e716625119bd2ab875ee356c696b62b3922509ca5585fce10422ff5a08fd9f3fc787271e9a6bf33c0dda2c7

***** Resources ****************************************************
--- Bitmap --------------
101
--- Icon ----------------
1
2
3
4
--- Dialog --------------
GETPASSWORD1
LICENSEDLG
RENAMEDLG
REPLACEFILEDLG
STARTDLG
--- String Table --------
--- RCData --------------
DVCLAL
--- Icon Group ----------
100
--- XP Manifest ---------
1

***** PE Header ****************************************************
Signature:                     00004550
Machine:                       014C - Intel 386
Number of sections:            0003
Time/Date stamp:               3E2472A6
Pointer to symbol table:       00000000
Number of symbols:             00000000
Size of optional header:       00E0
Characteristics:               010F
Magic:                         010B
Linker version (major):        05
Linker version (minor):        00
Size of code:                  00007000
Size of initialized data:      00002000
Size of uninitialized data:    0001A000
Address of entry point:        000215D0
Base of code:                  0001B000
Base of data:                  00022000
Image base:                    00400000
Section alignment:             00001000
File alignment:                00000200
OS version (major):            0004
OS version (minor):            0000
Image version (major):         0000
Image version (minor):         0000
Sub system version (major):    0004
Sub system version (minor):    0000
Win32 version:                 00000000
Size of image:                 00024000
Size of headers:               00001000
Checksum:                      00000000
Sub system:                    0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics:           0000
Size of stack reserve:         00100000
Size of stack commit:          00002000
Size of heap reserve:          00100000
Size of heap commit:           00001000
Loader flags:                  00000000
Number of RVA:                 00000010

***** PE Structure ****************************************************
entry point address.: 0x4215d0
time date stamp.....: 0x3e2472a6 (Tue Jan 14 20:27:18 2003)
machine type........: 0x14c (I386)

***** PE Sections ****************************************************
name   viradd   virsiz   rawdsiz  ntrpy  md5
UPX0   0x1000   0x1a000  0x0      0.00   d41d8cd98f00b204e9800998ecf8427e
UPX1   0x1b000  0x7000   0x6800   7.88   671229648c44d877ef92b43995ad0333
.rsrc  0x22000  0x2000   0x1c00   5.05   67e394f4a018212a86a900810a222e36

***** Import/Export table ******************************************
--- Import table (libraries: 7) ------------------------------------
> KERNEL32.DLL: LoadLibraryA, GetProcAddress, ExitProcess
> ADVAPI32.DLL: RegCloseKey
> COMCTL32.DLL: -
> GDI32.DLL: DeleteObject
> OLE32.DLL: OleInitialize
> SHELL32.DLL: SHGetMalloc
> USER32.DLL: SetMenu

When executed, the sample gives the following error:

---------------------------
c:\windows\system32\XtremX\svchost.exe
---------------------------
Windows cannot find 'c:\windows\system32\XtremX\svchost.exe'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
---------------------------
OK
---------------------------

Creates the folders:
c:\windows\system32\pesda
c:\windows\system32\pesda\sounds
c:\windows\system32\pesda\channels
c:\windows\system32\pesda\download
c:\windows\system32\pesda\logs

Drops the files:
c:\windows\system32\pesda\aliases.ini
c:\windows\system32\pesda\Away.txt
c:\windows\system32\pesda\close.dll
c:\windows\system32\pesda\control.ini
c:\windows\system32\pesda\edll.dll
c:\windows\system32\pesda\fullname.txt
c:\windows\system32\pesda\idents.txt
c:\windows\system32\pesda\mflood.txt
c:\windows\system32\pesda\mirc.ico
c:\windows\system32\pesda\mirc.ini
c:\windows\system32\pesda\msg1.txt
c:\windows\system32\pesda\msg2.txt
c:\windows\system32\pesda\msg3.txt
c:\windows\system32\pesda\nflood.txt
c:\windows\system32\pesda\nicks.txt
c:\windows\system32\pesda\ns.txt
c:\windows\system32\pesda\regedit
c:\windows\system32\pesda\remote.ini
c:\windows\system32\pesda\script.ini
c:\windows\system32\pesda\servers.ini
c:\windows\system32\pesda\spammsg.txt
c:\windows\system32\pesda\svchost.exe

Registry Changes:
[HKEY_CURRENT_CONFIG\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\Documents and Settings\Administrator\Desktop\XtremX\XtremX\svchost.exe"

[HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Windows]
run = "C:\Documents and Settings\Administrator\Desktop\XtremX\XtremX\svchost.exe"

[HKEY_CURRENT_CONFIG\Software\Microsoft\Windows NT\CurrentVersion\Windows]
run = "C:\Documents and Settings\Administrator\Desktop\XtremX\XtremX\svchost.exe"

[HKEY_CURRENT_CONFIG\Software\Microsoft\Windows\CurrentVersion\Windows]
run = "C:\Documents and Settings\Administrator\Desktop\XtremX\XtremX\svchost.exe"