Download URL: hxxp://208.66.195.71/40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002
File Downloaded: 40e8001430303030303030303030303030303030303031306c0000004d66000000007600000002

Ripped with ExEinfo PE - Win32 Exe Identifier

Files Created:
File Name        Size (Bytes)
----------------------------
file1~Rip.exe    326,156
file2~Rip.exe    318,844
file3~Rip.exe    303,868
file4~Rip.exe    292,360
file5~Rip.exe    228,356
file6~Rip.exe    11,264
file7~Rip.exe    6,544

File Analyzed: file1~Rip.exe
File size: 326156 bytes
MD5...: caf24562fb4efd43937986276fd7d0cf
SHA1..: 1623daee8871c7257ba35ecbb5eef42871c6a1f6
SHA256: 9baccc362eff1255ae9cda277295cd84e7ddb516a0d69940e39f20abaa8276d8
SHA512: 31e26368bb6213e97538d6fdcd0bf25d1c5b21d5ab3aa0193b79c1080400f73efec61e75027a6b6796d35c595f22f29c318e1d275ae341f6c318cbee6d8dab02

VirusTotal Result: 15/30 (50%)
AntiVir            7.8.0.10      2008.04.25  TR/Spy.Gen
Avast              4.8.1169.0    2008.04.27  Win32:Agent-NGJ
BitDefender        7.2           2008.04.27  BehavesLike:Trojan.WinlogonHook
ClamAV             0.92.1        2008.04.27  Trojan.Downloader-33127
DrWeb              4.44.0.09170  2008.04.27  BackDoor.Bulknet.origin
Ewido              4.0           2008.04.27  Trojan.Agent.jyq
F-Secure           6.70.13260.0  2008.04.26  Email-Worm.Win32.Agent.ev
Ikarus             T3.1.1.26     2008.04.27  Virus.Win32.Agent.NGJ
Kaspersky          7.0.0.125     2008.04.27  Email-Worm.Win32.Agent.ev
McAfee             5282          2008.04.25  Spy-Agent.bv
NOD32v2            3057          2008.04.26  probably a variant of Win32/Wigon
Sophos             4.28.0        2008.04.27  Mal/Emogen-Y
Symantec           10            2008.04.27  Downloader
VirusBuster        4.3.26:9      2008.04.27  Trojan.DR.Wigon.J
Webwasher-Gateway  6.6.2         2008.04.27  Trojan.Spy.Gen

***** Resources ****************************************************
--- BIN ------------------------------------------------------------
101
102

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 4811C77E
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0102
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 00001600
Size of initialized data: 00006C00
Size of uninitialized data: 00000000
Address of entry point: 00001CA0
Base of code: 00001000
Base of data: 00003000
Image base: 08000000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0006
OS version (minor): 0000
Image version (major): 0006
Image version (minor): 0000
Sub system version (major): 0005
Sub system version (minor): 0001
Win32 version: 00000000
Size of image: 0000C000
Size of headers: 00000400
Checksum: 0000848E
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 8540
Size of stack reserve: 00040000
Size of stack commit: 00002000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Structure *************************************************
entrypointaddress.: 0x8001ca0
timedatestamp.....: 0x4811c77e (Fri Apr 25 11:58:54 2008)
machinetype.......: 0x14c (I386)

***** PE Sections **************************************************
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    0000149A  00001000  00001600  00000400  60000020
.data    0000032C  00003000  00000200  00001A00  C0000040
.rsrc    00006310  00004000  00006400  00001C00  40000040
.reloc   0000020E  0000B000  00000400  00008000  42000040

***** Import/Export table ******************************************
--- Export table ---------------------------------------------------
--- Import table (libraries: 2) ------------------------------------
> ADVAPI32.dll: CloseServiceHandle, StartServiceA, CreateServiceA, OpenServiceA, OpenSCManagerA, RegCloseKey, RegSetValueA, RegCreateKeyA, RegSetValueExA
> KERNEL32.dll: HeapAlloc, GetProcessHeap, HeapFree, ExitProcess, CreateProcessA, GetEnvironmentVariableA, lstrcatA, GetShortPathNameA, lstrlenA, lstrcpyA, GetCommandLineA, FreeResource, LockResource, SizeofResource, LoadResource, FindResourceA, CloseHandle, WriteFile, CreateFileA, QueryPerformanceCounter, GetLastError, GetProcAddress, LoadLibraryA, Sleep, DeviceIoControl, GetVersionExA, GetModuleHandleA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter

Process Details:
Filename      C:\file1~Rip.exe
Filesize      326156 bytes
MD5           caf24562fb4efd43937986276fd7d0cf
Start Reason  AnalysisTarget

New Files
  \\.\Prot2
  C:\WINDOWS\System32\WinNt32.dll
  C:\WINDOWS\System32\drivers\Vad82.sys
  C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
Opened Files
  \\.\PhysicalDrive0
  C:\WINDOWS\AppPatch\sysmain.sdb
  C:\WINDOWS\AppPatch\systest.sdb
  \Device\NamedPipe\ShimViewer
  C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
  C:\WINDOWS\System32\svchost.exe
Chronological order
  Create File: \\.\Prot2
  Create File: C:\WINDOWS\System32\WinNt32.dll
  Create File: C:\WINDOWS\System32\drivers\Vad82.sys
  Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
  Create File: C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
  Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
  Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
  Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
  Open File: C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp ()
  Find File: BN3.tmp
  Open File: C:\WINDOWS\System32\svchost.exe ()
  Find File: svchost.exe

Registry Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = WinNt32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = WLEventStartShell
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Vad82.sys "" = Driver
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Vad82.sys "" = Driver
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vad82 "" = [REG_DWORD, value: 00000001]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vad82 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vad82 "" = System32\Drivers\Vad82.sys
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vad82 "" = SCSI Class
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vad82 "" = [REG_DWORD, value: 00000001]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vad82 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vad82 "" = System32\Drivers\Vad82.sys
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vad82 "" = SCSI Class
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = [REG_DWORD, value: 00000032]
Registry Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
  HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter ""

Process Management:
  Creates Process - C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
  Creates Process - C:\WINDOWS\System32\svchost.exe (CREATE_SUSPENDED)
Service Management:
  Open Service Manager - Name: "SCM"
  Open Service - Name: "Vad82"
  Create Service - Name: (Vad82) Display Name: () File Name: (C:\WINDOWS\System32\drivers\Vad82.sys) Control: () Start Type: (SERVICE_DEMAND_START)

Process Started:
Process ID    768
Filename      services.exe
Service Management:
  Load Driver - \Registry\Machine\System\CurrentControlSet\Services\Vad82
  Load Driver - \Registry\Machine\System\CurrentControlSet\Services\Afi61
  Load Driver - \Registry\Machine\System\CurrentControlSet\Services\tcpsr

Process Started:
Process ID    1744
Filename      C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
Filesize      33792 bytes
MD5           94808a7bbffe996ecf526ecbd6218920
Start Reason  CreateProcess
New Files
  \\.\Prot2
  C:\WINDOWS\System32\WinNt32.dll
  C:\WINDOWS\System32\drivers\Afi61.sys
Opened Files
  C:\WINDOWS\AppPatch\sysmain.sdb
  C:\WINDOWS\AppPatch\systest.sdb
  \Device\NamedPipe\ShimViewer
  C:\WINDOWS\system32\cmd.exe
Chronological order
  Create File: \\.\Prot2
  Create File: C:\WINDOWS\System32\WinNt32.dll
  Create File: C:\WINDOWS\System32\drivers\Afi61.sys
  Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
  Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
  Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\cmd.exe ()
  Find File: cmd.exe
Registry Changes
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = WinNt32.dll
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = WLEventStartShell
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WinNt32 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Afi61.sys "" = Driver
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Afi61.sys "" = Driver
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afi61 "" = [REG_DWORD, value: 00000001]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afi61 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afi61 "" = System32\Drivers\Afi61.sys
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Afi61 "" = SCSI Class
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afi61 "" = [REG_DWORD, value: 00000001]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afi61 "" = [REG_DWORD, value: 00000000]
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afi61 "" = System32\Drivers\Afi61.sys
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Afi61 "" = SCSI Class
Process Management:
  Creates Process - C:\WINDOWS\system32\cmd.exe CommandLine: (/c del C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp >> NUL)
Service Management:
  Open Service Manager - Name: "SCM"
  Open Service - Name: "Afi61"
  Create Service - Name: (Afi61) File Name: (C:\WINDOWS\System32\drivers\Afi61.sys)

Process Started:
Process ID    1416
Filename      C:\WINDOWS\System32\svchost.exe
Filesize      14336 bytes
MD5           8f078ae4ed187aaabc0a305146de6716
Start Reason  CreateProcess
Opened Files
  \\.\PIPE\lsarpc
  C:\WINDOWS\system32\drivers\etc\hosts
Chronological order
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\drivers\etc\hosts (OPEN_EXISTING)
Mutexes:
  Creates Mutex: gangrena
  Creates Mutex: germeona
  Creates Mutex: garbaga
  Creates Mutex: crypt32LogoffPortEvent
  Creates Mutex: memoryallocblock
  Creates Mutex: zone_dns_mutex
  Creates Mutex: MACLink0
  Opens Mutex: gangrena
Registry Changes:
  HKEY_CURRENT_USER\Software\Microsoft "" = 310763
Registry Reads:
  HKEY_CURRENT_USER\Software\Microsoft ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""

Process Started:
Process ID    1828
Filename      C:\WINDOWS\System32\svchost.exe
Filesize      14336 bytes
MD5           8f078ae4ed187aaabc0a305146de6716
Start Reason  CreateProcess
COM Activities:
  COM Create Instance: "C:\Program Files\Internet Explorer\iexplore.exe", ProgID: (InternetExplorer.Application.1), Interface ID: ({D30C1661-CDAF-11D0-8A3E-00C04FC9E26E})
  COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})
New Files
  \\.\Runtime
Opened Files
  \\.\PIPE\lsarpc
  C:\WINDOWS\system32\shdocvw.dll
  C:\WINDOWS\system32\stdole2.tlb
  C:\WINDOWS\system32\mshtml.tlb
Chronological order
  Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
  Create File: \\.\Runtime
  Open File: C:\WINDOWS\system32\mshtml.tlb (OPEN_EXISTING)
Mutexes:
  Creates Mutex: Wininet.Instance.Control
  Opens Mutex: Wininet.Instance.Control
Registry Changes
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "" = [REG_DWORD, value: 002AA1B2]
Registry Reads
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32 ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
Registry Enums
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0

Process Started:
Process ID    1856
Filename      C:\WINDOWS\System32\svchost.exe
Filesize      14336 bytes
MD5           8f078ae4ed187aaabc0a305146de6716
Start Reason  CreateProcess
COM Activity:
  COM Create Instance: "C:\Program Files\Internet Explorer\iexplore.exe", ProgID: (InternetExplorer.Application.1), Interface ID: ({D30C1661-CDAF-11D0-8A3E-00C04FC9E26E})
  COM Create Instance: %SystemRoot%\system32\msxml3.dll, ProgID: (Microsoft.XMLDOM.1.0), Interface ID: ({2933BF81-7B36-11D2-B20E-00C04F983E60})
  COM Get Class Object: oleaut32.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})
New Files:
  \Device\RasAcd
Opened Files:
  \\.\PIPE\lsarpc
  C:\WINDOWS\system32\shdocvw.dll
  C:\WINDOWS\system32\stdole2.tlb
  C:\WINDOWS\system32\mshtml.tlb
Chronological order:
  Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
  Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
  Open File: C:\WINDOWS\system32\mshtml.tlb (OPEN_EXISTING)
  Find File: C:\Documents and Settings\Owner\Cookies\*@live[*
  Find File: C:\Documents and Settings\Owner\Cookies\*.live[*
  Find File: C:\Documents and Settings\Owner\Cookies\*hotmail*
  Find File: C:\Documents and Settings\Owner\Cookies\*@msn[*
  Find File: C:\Documents and Settings\Owner\Cookies\*.msn[*
  Find File: C:\Documents and Settings\Owner\Cookies\*@msnaccountservices.*
  Find File: C:\Documents and Settings\Owner\Cookies\*@atdmt[*
  Find File: C:\Documents and Settings\Owner\Cookies\*@advertising[*
  Find File: C:\Documents and Settings\Owner\Cookies\*msnportal*
  Find File: C:\Documents and Settings\Owner\Cookies\*pointroll[*
  Find File: C:\Documents and Settings\Owner\Cookies\*doubleclick[*
Mutexes:
  Creates Mutex: 70ksjhdgdff
  Creates Mutex: 7123ohghbdg
  Opens Mutex: 70ksjhdgdff
Registry Changes
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current "" = [REG_EXPAND_SZ, value: ]
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default "" = [REG_EXPAND_SZ, value: ]
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current "" =
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.default "" =
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current "" = [REG_EXPAND_SZ, value: ]
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Default "" = [REG_EXPAND_SZ, value: ]
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "" = [REG_DWORD, value: 00000001]
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows "" = no
  HKEY_CURRENT_USER\Software\Microsoft "" = 805897
Registry Reads
  HKEY_CURRENT_USER\Software\Microsoft ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Default ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.current ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\BlockedPopup\.default ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Current ""
  HKEY_CURRENT_USER\AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Default ""
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings ""
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\New Windows ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\win32 ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{332C4425-26CB-11D0-B483-00C04FD90119}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32 ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F1FF-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F21F-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F21F-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_CLASSES_ROOT ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F485-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3050F485-98B5-11CF-BB82-00AA00BDCE0B}\TypeLib ""
Registry Enums
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}
  HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0

Process Started:
Process ID    1896
Filename      C:\WINDOWS\System32\svchost.exe
Filesize      14336 bytes
MD5           8f078ae4ed187aaabc0a305146de6716
Start Reason  CreateProcess
New Files
  C:\WINDOWS\System32\drivers\tcpsr.sys
  \\.\Filt
Chronological order
  Create File: C:\WINDOWS\System32\drivers\tcpsr.sys
  Create File: \\.\Filt
Service Management:
  Open Service Manager - Name: "SCM"
  Open Service - Name: "tcpsr"
  Create Service - C:\WINDOWS\System32\drivers\tcpsr.sys

Process Started:
Process ID    1372
Filename      C:\WINDOWS\system32\cmd.exe /c del C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp >> NUL
Opened Files
  NUL
Deleted Files
  C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
Chronological order
  Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
  Find File: C:\
  Open File: NUL (OPEN_EXISTING)
  Get File Attributes: C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\DOCUME~1\Owner\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
  Find File: C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
  Delete File: C:\DOCUME~1\Owner\LOCALS~1\Temp\BN3.tmp
Registry Reads
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor ""

Network Activity:
Download URLs
  hxxp://208.66.195.15/40E800142020202057202D444D574D414C393644383133376C0000003266000000017600000064EB00053013181A1E (208.66.195.15)
Outgoing connection to remote server: 208.66.195.15 TCP port 80
UDP Connections
  Remote IP Address: 192.203.230.10 Port: 53
    Send Datagram: packet(s) of size 21
    Recv Datagram: packet(s) of size 509
  Remote IP Address: 192.203.230.10 Port: 53
    Send Datagram: packet(s) of size 21
    Send Datagram: packet(s) of size 20
    Recv Datagram: packet(s) of size 351
    Recv Datagram: packet(s) of size 278
  Remote IP Address: 192.203.230.10 Port: 53
    Send Datagram: packet(s) of size 45
    Recv Datagram: packet(s) of size 162
Outgoing connection to remote server: 209.66.122.176 TCP port 2508
SMTP: 194.67.23.20:25
SMTP: 72.14.221.114:25
SMTP: 64.233.183.27:25
SMTP: 66.111.4.70:25
SMTP: 216.157.145.27:25
DNS Lookup
  Host Name        IP Address
  216.195.61.215   216.195.61.215
  208.66.194.236   208.66.194.236
Download URLs
  hxxp://208.66.194.236/?bot_id=0&mode=1 (208.66.194.236)
Outgoing connection to remote server: 216.195.61.215 TCP port 2698
Outgoing connection to remote server: 208.66.194.236 TCP port 3078