Download Link: hxxp://ultraticket.net/download/pageticket2000.exe
File Name: pageticket2000.exe

VirusTotal Result: 12/32 (37.5%)
AntiVir              7.8.0.8      2008.04.23  TR/Zlob.72484
Avast                4.8.1169.0   2008.04.24  Win32:Zlob-ARJ
AVG                  7.5.0.516    2008.04.23  Downloader.Zlob.TSF
BitDefender          7.2          2008.04.24  DeepScan:Generic.Zlob.7.1FED44BB
CAT-QuickHeal        9.50         2008.04.23  Win32.Trojan.DNSChanger.jc
F-Prot               4.4.2.54     2008.04.23  W32/Zlob.F.gen!Eldorado
FileAdvisor          1            2008.04.24  High threat detected
McAfee               5279         2008.04.23  Puper
Prevx1               V2           2008.04.24  Trojan.Zlob
Symantec             10           2008.04.24  Trojan.Zlob
TheHacker            6.2.92.290   2008.04.24  Trojan/DNSChanger.ik
Webwasher-Gateway    6.6.2        2008.04.24  Trojan.Zlob.72484

File Info:
File size: 72484 bytes
MD5...: d7b134bf1ac0ba700b836e88957d4609
SHA1..: 1a1ca10c3d42dda8e3449e32f9a50ec65f559a6c
SHA256: 2e28c8e51cc604563173d68533ae6fc9e67043011c4e9c0f8c5fbf26bd2b0660
SHA512: 647b0915258bb37e7d133fbb72ad839d80f68946f5fda59c9a26c0eaad7db652e3664f58b49598980676c7e3795805e5531907a89edf8e2231dd72b0cf0acffc

***** PE Structure *************************************************
entrypointaddress.: 0x4032d9
timedatestamp.....: 0x44a6b982 (Sat Jul 01 18:05:54 2006)
machinetype.......: 0x14c (I386)

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 44A6B982
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005C00
Size of initialized data: 0001DE00
Size of uninitialized data: 00000400
Address of entry point: 000032D9
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00033000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005A3C  00001000  00005C00  00000400  60000020
.rdata   000010F2  00007000  00001200  00006000  40000040
.data    0001B814  00009000  00000400  00007200  C0000040
.ndata   00009000  00025000  00000000  00000000  C0000080
.rsrc    000041F8  0002E000  00004200  00007600  40000040

***** Import/Export table ******************************************
--- Import table (libraries: 8) ------------------------------------
> KERNEL32.dll: CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, lstrcmpiA, CopyFileA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetCurrentProcess
> USER32.dll: ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Process Description:
Parent ID 0
Process ID 1364
Filename c:\pageticket2000.exe
Filesize 72484 bytes
MD5 d7b134bf1ac0ba700b836e88957d4609

New Files Created:
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr3.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp\modern-header.bmp

Opened Files:
\\.\PIPE\lsarpc
c:\pageticket2000.exe

Deleted Files:
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsh1.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp

Chronological order:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsh1.tmp
Get File Attributes: c:\pageticket2000.exe Flags: (SECURITY_ANONYMOUS)
Open File: c:\pageticket2000.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr3.tmp
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp
Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp\modern-header.bmp Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp\modern-header.bmp Flags: (FILE_ATTRIBUTE_ARCHIVE,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NORMAL,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_SYSTEM,FILE_ATTRIBUTE_TEMPORARY,FILE_ATTRIBUTE_SPARSE_FILE,FILE_ATTRIBUTE_REPARSE_POINT,FILE_ATTRIBUTE_COMPRESSED,FILE_ATTRIBUTE_OFFLINE,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,FILE_ATTRIBUTE_ENCRYPTED,SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp\modern-header.bmp
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsx5.tmp\modern-header.bmp

INI Files Read:
INI File: WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"