Download Link: hxxp://netooo.com/down/server.exe
File Name: server.exe

VirusTotal Result: 22/31 (70.97%)
Engine / Version / Signature date / Result
AhnLab-V3 2008.4.10.2 2008.04.10 Win-Trojan/Bifrose.330044.B
AntiVir 7.6.0.81 2008.04.10 TR/Crypt.CFI.Gen
Avast 4.8.1169.0 2008.04.10 Win32:GrayBird-AD
AVG 7.5.0.516 2008.04.10 BackDoor.Hupigon3.ASQV
CAT-QuickHeal 9.50 2008.04.10 Backdoor.Bifrose.ezj
eSafe 7.0.15.0 2008.04.09 SuspiciousR-Mytob6
Ewido 4.0 2008.04.10 Backdoor.Hupigon.nqr
F-Prot 4.4.2.54 2008.04.08 W32/Backdoor2.IVT
F-Secure 6.70.13260.0 2008.04.10 Backdoor.Win32.Bifrose.ezj
Fortinet 3.14.0.0 2008.04.10 W32/Bifrose.EZJ!tr.bdr
Ikarus T3.1.1.26 2008.04.10 Backdoor.Win32.Hupigon.mrv
Kaspersky 7.0.0.125 2008.04.10 Backdoor.Win32.Bifrose.ezj
McAfee 5271 2008.04.10 New Malware.dq
NOD32v2 3016 2008.04.10 a variant of Win32/Hupigon
Panda 9.0.0.4 2008.04.10 Suspicious file
Prevx1 V2 2008.04.10 BACKDOOR.EGGDROP.DQ
Rising 20.39.32.00 2008.04.10 Backdoor.Win32.Gpigeon2007.lns
Sophos 4.28.0 2008.04.10 Mal/Behav-043
TheHacker 6.2.92.272 2008.04.10 Backdoor/Bifrose.ezj
VBA32 3.12.6.4 2008.04.06 suspected of Backdoor.XiaoBird.1
VirusBuster 4.3.26:9 2008.04.10 Backdoor.Bifrose.ERE
Webwasher-Gateway 6.6.2 2008.04.10 Trojan.Crypt.CFI.Gen

File Info:
File size: 330044 bytes
MD5...: d88b93bf800eda2ff6ac74f787cbbd9b
SHA1..: 8fdea9cfafd369edd3abd766f973bad5884d6bd2
SHA256: 7d2009a9798704b1850a83bffc34126b9df4e1fe9608c6e16e5780c9ab0108e9
SHA512: 4ae038f2a5ebae8105cbedabbc002585462ebb5b72db601a79a601ea33b1b9a9170d7d085311cc96a4f360ee639491cde08dada2a412ec6c67c06b8bdb89e146

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0003
Time/Date stamp: 2A425E19 (1992-06-19 22:22:17 UTC; the fixed value written by Delphi's linker, not a real build time)
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818E (EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | BYTES_REVERSED_LO | 32BIT_MACHINE | BYTES_REVERSED_HI)
Magic: 010B (PE32)
Linker version (major): 06
Linker version (minor): 00
Size of code: 00000000
Size of initialized data: 000018C0
Size of uninitialized data: 00000000
Address of entry point: 00112729
Base of code: 00112000
Base of data: 00000000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0011593C
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

Base Address:
Entry Point Address.: 0x512729
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type.......: 0x14c (I386)

PE Sections:
Section VirtSize VirtAddr PhysSize PhysAddr Flags
.data   00111000 00001000 0004D352 00000400 C0000020 (CNT_CODE | MEM_READ | MEM_WRITE)
.ex_cod 000017E4 00112000 000017D0 0004D800 C0000040 (CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE; holds the entry point, no code/execute flag)
.ex_rsc 0000193C 00114000 0000193C 0004F000 40000040 (CNT_INITIALIZED_DATA | MEM_READ)
The last section ends at file offset 0x4F000 + 0x193C = 0x5093C = 330044 bytes, exactly the file size, so there is no overlay.

Import table (libraries: 2):
KERNEL32.dll (imports: 11): VirtualFree, VirtualAlloc, GetProcAddress, ExitProcess, LoadLibraryExA, GetModuleHandleA, VirtualProtect, GetModuleFileNameA, HeapAlloc, GetProcessHeap, HeapFree
USER32.dll (imports: 2): wsprintfA, MessageBoxA

Process: C:\server.exe
File System Activity:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Program Files\NetMeeting\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\Program Files\NetMeeting\*.dat
Find File: C:\Program Files\NetMeeting\svchost.exe
Copy File: C:\server.exe to C:\Program Files\NetMeeting\svchost.exe
Set File Attributes: C:\Program Files\NetMeeting\svchost.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Set File Attributes: C:\server.exe Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\uninstal.BAT
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\uninstal.BAT
Find File: uninstal.BAT
Read ini files:
SYSTEM.INI [DRIVERS32] =
SYSTEM.INI [DRIVERS32] msacm.imaadpcm =
SYSTEM.INI [DRIVERS32] msacm.msadpcm =
SYSTEM.INI [DRIVERS32] msacm.msg711 =
SYSTEM.INI [DRIVERS32] msacm.msgsm610 =
SYSTEM.INI [DRIVERS32] msacm.trspch =
SYSTEM.INI [DRIVERS32] msacm.msg723 =
SYSTEM.INI [DRIVERS32] msacm.msaudio1 =
SYSTEM.INI [DRIVERS32] msacm.sl_anet =
SYSTEM.INI [DRIVERS32] msacm.iac2 =
SYSTEM.INI [DRIVERS32] msacm.l3acm =
Mutex:
Creates Mutex: àÿ_CHAR(0x12)_ (name contains non-printable bytes; recorded as captured)
Registry Reads:
_HKEY(1336)_\Software\Microsoft\Multimedia\Audio "SystemFormats"
HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.<driver> "fdwSupport", "cFormatTags", "aFormatTagCache", "cFilterTags"
  for each of msacm.imaadpcm, msacm.msadpcm, msacm.msg711, msacm.msgsm610, msacm.trspch, msacm.msg723, msacm.msaudio1, msacm.sl_anet, msacm.iac2, msacm.l3acm
HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM "NoPCMConverter"
HKEY_LOCAL_MACHINE\Software\Microsoft\AudioCompressionManager\DriverCache\Software\Microsoft\Multimedia\Audio Compression Manager\MSACM\Software\Microsoft\Multimedia\Audio Compression Manager\Priority v4.00 "Priority1"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
Process Activity:
Creates Process - C:\WINDOWS\uninstal.BAT
Creates Process - C:\Program Files\NetMeeting\svchost.exe
Service Management:
Open Service Manager - Name: "SCM"
Open Service - Name: "PowerShadow"
Create Service - Name: (PowerShadow) Display Name: (PowerShadow) File Name: (C:\Program Files\NetMeeting\svchost.exe) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (PowerShadow) Display Name: () File Name: () Control: () Start Type: ()
Change Service Configuration - Name: (PowerShadow) Display Name: (GBK-encoded Chinese string, shown as mojibake in the capture; translated: "Manages the virtual power system. If this service is stopped, software volume shadow copies cannot be managed. If this service is disabled, any service that depends on it will be unable to" [string cut off in the capture]) File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)

Process Started: Filename C:\Program Files\NetMeeting\svchost.exe Filesize 330044 bytes MD5 d88b93bf800eda2ff6ac74f787cbbd9b Start Reason CreateProcess
File System Activity:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Find File: C:\windows\system32\services.exe
Open File: C:\Program Files\NetMeeting\svchost.exe (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\windows\system32\services.exe ()
Find File: services.exe
Ini file Reads: the same ten SYSTEM.INI [DRIVERS32] msacm.* entries as the parent process
Registry Reads:
_HKEY(1340)_\Software\Microsoft\Multimedia\Audio "SystemFormats"
The same AudioCompressionManager\DriverCache msacm.* reads ("fdwSupport", "cFormatTags", "aFormatTagCache", "cFilterTags" for each of the ten drivers), MSACM "NoPCMConverter", Priority v4.00 "Priority1" and HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed" as the parent process; the list is identical.

Process Started: Filename C:\WINDOWS\uninstal.BAT Filesize 388608 bytes MD5 eeb024f2c81f0d55936fb825d21a91d6 Start Reason CreateProcess
File System Activity:
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: C:\WINDOWS\uninstal.BAT
Open File: C:\WINDOWS\uninstal.BAT (OPEN_EXISTING)
Get File Attributes: C:\server.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\server.exe
Delete File: C:\server.exe
Get File Attributes: C:\WINDOWS\uninstal.BAT Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\uninstal.BAT
Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck", "EnableExtensions", "DelayedExpansion", "DefaultColor", "CompletionChar", "PathCompletionChar", "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck", "EnableExtensions", "DelayedExpansion", "DefaultColor", "CompletionChar", "PathCompletionChar", "AutoRun"

Network Activity:
DNS Lookup: Host Name 200300.oicp.net, IP Address 58.211.16.15
Outgoing connection to remote server: 200300.oicp.net TCP port 8000

Notes:
Packed binary. Three sections named .data/.ex_cod/.ex_rsc, an entry point (0x112729) inside a section flagged as initialized data with no code or execute bit, SizeOfCode = 0, a large writable section (.data, 0x4D352 bytes on disk) flagged as code, and an import table of 13 functions that is exactly what an unpacking stub needs (VirtualAlloc, VirtualProtect, LoadLibraryExA, GetProcAddress) all point to a runtime-unpacked payload. The static import list and any strings pulled from the file describe the stub, not the backdoor; dump the process after the stub has transferred control out of .ex_cod before reasoning about capabilities.
Toolchain, not build date. TimeDateStamp 0x2A425E19 (1992-06-19) is the constant Delphi's linker emits and Characteristics 0x818E is the Delphi default, which matches the Hupigon/Gray Pigeon (GrayBird, Gpigeon) family names several engines assign; it says nothing about when the sample was built.
Persistence and masquerade. The sample copies itself to C:\Program Files\NetMeeting\svchost.exe (the genuine svchost.exe lives only in %SystemRoot%\system32), marks the copy hidden + system + read-only, registers it as the auto-start service "PowerShadow", and sets a Chinese service description written to look like a Windows system-service description. Hunting queries: any service whose ImagePath is an svchost.exe outside system32, newly written executables that receive the hidden + system attribute combination, and the service name PowerShadow.
Self-removal. uninstal.BAT deletes C:\server.exe and then itself. The 388608-byte image and MD5 eeb024f2c81f0d55936fb825d21a91d6 the sandbox attributes to "uninstal.BAT" are the command interpreter (cmd.exe) that executed it, not the batch file's contents, which the report does not capture.
Noise to discount. The SYSTEM.INI [DRIVERS32] and AudioCompressionManager\DriverCache reads are the Audio Compression Manager enumerating codecs when it initialises; they show the process loads the audio APIs (consistent with a backdoor that has audio capture, but also with any waveform/ACM use). The AppPatch\*.sdb and ShimViewer opens are the application-compatibility shim lookup performed at every process start, the lsarpc pipe open is an LSA lookup, and the Command Processor values are cmd.exe's startup reads (only reads here; a populated AutoRun value would itself be a persistence finding).
Command and control. 200300.oicp.net is a name under the free dynamic-DNS domain oicp.net (Oray), so the IP 58.211.16.15 is only valid for the moment of analysis; alert and block on the hostname. TCP port 8000 is the default controller port of Gray Pigeon/Hupigon.
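Added example, not part of the sandbox report or of the sample: a minimal PE32 header parser that reproduces the packer indicators visible in the header and section table above (entry point outside any code section, writable code section, SizeOfCode 0, the Delphi default timestamp, and whether the sections account for the whole file). build_sample_headers() constructs header bytes from the values printed in the report; the real server.exe is not embedded, so the 330044-byte file size is passed in separately. All function and constant names are this example's own.

```python
"""PE32 header triage. Added example; not from the report or the sample."""
import struct
from datetime import datetime, timezone

IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
DELPHI_LINKER_STAMP   = 0x2A425E19   # constant TimeDateStamp written by Delphi's linker (1992-06-19)


def parse_pe32(data):
    """Parse e_lfanew, COFF header, PE32 optional header and the section table."""
    if data[:2] != b'MZ':
        raise ValueError('no MZ signature')
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        raise ValueError('no PE signature')
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from('<HHIIIHH', data, coff)
    opt = coff + 20                                   # optional header follows the 20-byte COFF header
    if struct.unpack_from('<H', data, opt)[0] != 0x10B:
        raise ValueError('not PE32')
    size_of_code = struct.unpack_from('<I', data, opt + 4)[0]
    entry = struct.unpack_from('<I', data, opt + 16)[0]
    image_base = struct.unpack_from('<I', data, opt + 28)[0]
    sections = []
    for i in range(nsec):                             # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            '<8sIIIIIIHHI', data, opt + opt_size + 40 * i)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'),
                         'vsize': vsize, 'vaddr': vaddr, 'rsize': rsize,
                         'rptr': rptr, 'flags': flags})
    return {'machine': machine, 'chars': chars, 'stamp': stamp, 'size_of_code': size_of_code,
            'entry': entry, 'image_base': image_base, 'sections': sections}


def section_for_rva(sections, rva):
    for s in sections:
        if s['vaddr'] <= rva < s['vaddr'] + max(s['vsize'], s['rsize']):
            return s
    return None


def triage(data, file_size=None):
    """Packer indicators to check before trusting static imports or strings."""
    pe = parse_pe32(data)
    file_size = len(data) if file_size is None else file_size
    ep = section_for_rva(pe['sections'], pe['entry'])

    def is_code(s):                                   # either flag makes the loader treat it as code
        return bool(s['flags'] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))

    return {
        'entry_va': pe['image_base'] + pe['entry'],
        'entry_section': ep['name'] if ep else None,
        'entry_in_code_section': bool(ep) and is_code(ep),
        'size_of_code_zero': pe['size_of_code'] == 0,
        'writable_code_sections': [s['name'] for s in pe['sections']
                                   if is_code(s) and s['flags'] & IMAGE_SCN_MEM_WRITE],
        'delphi_default_stamp': pe['stamp'] == DELPHI_LINKER_STAMP,
        'stamp_utc': datetime.fromtimestamp(pe['stamp'], timezone.utc).strftime('%Y-%m-%d %H:%M:%S'),
        # bytes after the last section on disk: an overlay carrying config or a second stage
        'overlay_bytes': file_size - max(s['rptr'] + s['rsize'] for s in pe['sections']),
    }


def build_sample_headers():
    """Constructed header bytes carrying the values from the report (the sample itself is not embedded)."""
    dos = (b'MZ' + b'\0' * 58 + struct.pack('<I', 0x80)).ljust(0x80, b'\0')   # e_lfanew at 0x3C
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 3, 0x2A425E19, 0, 0, 0xE0, 0x818E)
    opt = struct.pack('<HBB' + 'I' * 9, 0x10B, 6, 0, 0, 0x18C0, 0, 0x112729, 0x112000, 0,
                      0x400000, 0x1000, 0x200)
    opt += struct.pack('<' + 'H' * 6 + 'I' * 4 + 'H' * 2 + 'I' * 6, 4, 0, 0, 0, 4, 0,
                       0, 0x11593C, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b'\0' * 128                                # 16 empty data directories -> 0xE0 bytes total
    secs = b''.join(struct.pack('<8sIIIIIIHHI', n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in [
                        (b'.data',   0x111000, 0x001000, 0x4D352, 0x00400, 0xC0000020),
                        (b'.ex_cod', 0x0017E4, 0x112000, 0x017D0, 0x4D800, 0xC0000040),
                        (b'.ex_rsc', 0x00193C, 0x114000, 0x0193C, 0x4F000, 0x40000040)])
    return dos + coff + opt + secs


if __name__ == '__main__':
    for key, value in triage(build_sample_headers(), file_size=330044).items():
        print(f'{key:24} {value}')
```

Run against a real file with triage(open(path, 'rb').read()); the overlay check then uses the actual length. An entry point in a non-code section and a writable section flagged as code are the two findings that matter most here: they mean the bytes the static tools looked at are not the bytes that run.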
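Added example, not part of the report: the checks an analyst applies by eye to the activity log above (system-binary name dropped outside the system directory, hidden + system attributes on the dropped copy, an auto-start service pointing at it, a batch file that removes the original and itself, and the outbound connection), written as code over the sandbox's line format. SAMPLE_LOG is constructed from lines of this report; the regexes in PATTERNS, the SYSTEM_BINARIES list and analyze() are this example's own assumptions about the log format, not the sandbox vendor's schema.

```python
"""Triage of sandbox activity lines. Added example; not from the report."""
import re

SYSTEM_BINARIES = {'svchost.exe', 'services.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe'}
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\syswow64\\')
STEALTH_ATTRS = {'FILE_ATTRIBUTE_HIDDEN', 'FILE_ATTRIBUTE_SYSTEM'}

# Line shapes as they appear in the report above (assumed format).
PATTERNS = {
    'copy':    re.compile(r'^Copy File: (?P<src>.+?) to (?P<dst>.+)$'),
    'attrs':   re.compile(r'^Set File Attributes: (?P<path>.+?) Flags: \((?P<flags>[^)]*)\)$'),
    'create':  re.compile(r'^Create File: (?P<path>.+)$'),
    'delete':  re.compile(r'^Delete File: (?P<path>.+)$'),
    'service': re.compile(r'^Create Service - Name: \((?P<name>[^)]*)\).*?'
                          r'File Name: \((?P<image>[^)]*)\).*?Start Type: \((?P<start>[^)]*)\)$'),
    'exec':    re.compile(r'^Creates Process - (?P<path>.+)$'),
    'conn':    re.compile(r'^Outgoing connection to remote server: (?P<host>\S+) '
                          r'(?P<proto>TCP|UDP) port (?P<port>\d+)$'),
}

# Constructed from lines of this report.
SAMPLE_LOG = r"""
Copy File: C:\server.exe to C:\Program Files\NetMeeting\svchost.exe
Set File Attributes: C:\Program Files\NetMeeting\svchost.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\uninstal.BAT
Create Service - Name: (PowerShadow) Display Name: (PowerShadow) File Name: (C:\Program Files\NetMeeting\svchost.exe) Control: () Start Type: (SERVICE_AUTO_START)
Creates Process - C:\WINDOWS\uninstal.BAT
Creates Process - C:\Program Files\NetMeeting\svchost.exe
Delete File: C:\server.exe
Delete File: C:\WINDOWS\uninstal.BAT
Outgoing connection to remote server: 200300.oicp.net TCP port 8000
"""


def parse_events(text):
    """Turn log lines into (kind, fields) tuples; unrecognised lines are ignored."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if m:
                events.append((kind, m.groupdict()))
                break
    return events


def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def analyze(text):
    """Return the findings keyed by indicator name."""
    events = parse_events(text)
    findings = {}
    dropped = {}                                  # lower-cased copy destination -> source
    for kind, f in events:
        if kind == 'copy':
            dropped[f['dst'].lower()] = f['src']
            # a Windows system binary name written anywhere but the system directory
            if basename(f['dst']) in SYSTEM_BINARIES and not in_system_dir(f['dst']):
                findings['masquerade'] = f['dst']
        elif kind == 'attrs':
            flags = set(f['flags'].split(','))
            if STEALTH_ATTRS <= flags and f['path'].lower() in dropped:
                findings['stealth_attrs'] = f['path']
        elif kind == 'service':
            if f['start'] == 'SERVICE_AUTO_START' and f['image'].lower() in dropped:
                findings['autostart_service'] = (f['name'], f['image'])
        elif kind == 'conn':
            findings['outbound'] = (f['host'], f['proto'], int(f['port']))
    # self-removal: a .bat the sample wrote and ran, which deleted the original and itself
    created = {f['path'].lower() for k, f in events if k == 'create'}
    executed = {f['path'].lower() for k, f in events if k == 'exec'}
    deleted = {f['path'].lower() for k, f in events if k == 'delete'}
    originals = {src.lower() for src in dropped.values()}
    for bat in created & executed:
        if bat.endswith('.bat') and bat in deleted and originals & deleted:
            findings['self_delete'] = bat
    return findings


if __name__ == '__main__':
    for name, detail in analyze(SAMPLE_LOG).items():
        print(f'{name:18} {detail}')
```

The masquerade rule keys on location rather than name alone, because every system binary name is also legitimate in its own directory; the stealth and service rules only fire for files the sample itself dropped, which keeps ordinary attribute changes and service installs by other software out of the result.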