Download Link: hxxp://58.65.239.42/ldc3hs/system.exe
File Name: system.exe

VirusTotal Result: 16/31 (51.62%)

Engine             Version        Signature DB  Detection
AntiVir            7.8.0.8        2008.04.24    DR/Dldr.DNSChanger.Gen
Avast              4.8.1169.0     2008.04.24    Win32:Trojan-gen {Other}
AVG                7.5.0.516      2008.04.24    DNSChanger.AA
BitDefender        7.2            2008.04.24    Dropped:Trojan.DNSChanger.SL
CAT-QuickHeal      9.50           2008.04.24    Win32.Trojan.DNSChanger.arn.5
eSafe              7.0.15.0       2008.04.21    Win32.DNSChanger.bov
Ewido              4.0            2008.04.24    Trojan.DNSChanger.bov
F-Prot             4.4.2.54       2008.04.23    W32/Trojan2.AIES
F-Secure           6.70.13260.0   2008.04.24    W32/Malware
Fortinet           3.14.0.0       2008.04.23    W32/DNSChanger.BOV!tr
Ikarus             T3.1.1.26      2008.04.24    Virus.Win32.Trojan
Kaspersky          7.0.0.125      2008.04.24    Trojan.Win32.DNSChanger.bov
Norman             5.80.02        2008.04.24    DNSChanger.APER
Sunbelt            3.0.1056.0     2008.04.17    Trojan.DNSChanger
VBA32              3.12.6.5       2008.04.24    MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway  6.6.2          2008.04.24    Trojan.Dropper.Dldr.DNSChanger.Gen

File Info:
File size: 235079 bytes
MD5...: daca37a80e68f3cb9b2313fe887238a3
SHA1..: fede9669826a7fca6abe0ec0ebacdfbf075f872d
SHA256: ae6f0dca3a3d435b0a4efb4db0b450378bf91e3ef8581c7af86e76d5520816df
SHA512: 67da778b51c6757ac9dcc7fd4a2bcd542f3c7d928f2d4f9292c73300ed504d82a18bacadc5b0d6d565b747d8e446320a52b309991252c1361ca317f8253d27cc

***** PE Structure *************************************************
entrypointaddress.: 0x403247
timedatestamp.....: 0x47acc8bc (Fri Feb 08 21:25:16 2008)
machinetype.......: 0x14c (I386)

***** PE Header ****************************************************
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 47ACC8BC
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005E00
Size of initialized data: 00028400
Size of uninitialized data: 00000400
Address of entry point: 00003247
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0003E000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

***** PE Sections **************************************************
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CA2  00001000  00005E00  00000400  60000020
.rdata   0000129C  00007000  00001400  00006200  40000040
.data    00025C78  00009000  00000400  00007600  C0000040
.ndata   0000A000  0002F000  00000000  00000000  C0000080
.rsrc    000041F8  00039000  00004200  00007A00  40000040

***** Import/Export table ******************************************
--- Import table (libraries: 8) ------------------------------------
> KERNEL32.dll: CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
> USER32.dll: EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
> GDI32.dll: SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
> SHELL32.dll: SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
> ADVAPI32.dll: RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
> COMCTL32.dll: ImageList_AddMasked, ImageList_Destroy, -, ImageList_Create
> ole32.dll: CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Process Details:
Filename: system.exe
MD5: daca37a80e68f3cb9b2313fe887238a3
SHA-1: fede9669826a7fca6abe0ec0ebacdfbf075f872d
File Size: 235079 Bytes

Registry Modified (Key / Name / New Value):
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83ce-7d74-11dc-97e2-806d6172696f}
      BaseClass = Drive
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d14d83cf-7d74-11dc-97e2-806d6172696f}
      BaseClass = Drive

Files Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe
  C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\freebsd.exe
  C:\DOCUME~1\user\LOCALS~1\Temp\freebsd.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\linux
  C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe

Files Read:
  C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\freebsd.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\linux
  C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\nsj2.tmp
  C:\WINDOWS\win.ini

Files Deleted:
  C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\freebsd.exe
  C:\DOCUME~1\user\LOCALS~1\Temp\freebsd.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\linux
  C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe.dat
  C:\DOCUME~1\user\LOCALS~1\Temp\nsr3.tmp

Folder Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\nsr3.tmp

Files Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\nsj2.tmp
  MountPointManager
  PIPE\lsarpc

Process Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe
  "C:\DOCUME~1\user\LOCALS~1\Temp\nsr3.tmp\ns4.tmp" C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe

Process Killed:
  C:\DOCUME~1\user\LOCALS~1\Temp\nsr3.tmp\ns4.tmp

Mutex:
  CTF.TimListCache.FMPDefaultS-1-5-21-1229272821-1004336348-527237240-1003
  MUTEX.DefaultS-1-5-21-1229272821-1004336348-527237240-1003
  MSCTF.Shared.MUTEX.AN
  MSCTF.Shared.MUTEX.INB

Process Started:
Filename: notepad.exe
MD5: 515766c168ee6d079598dd9b7c6e8aa8
SHA-1: 54851a95eef16838dd1f410d2cd9cbf6b31611ae
File Size: 29184 Bytes
Command Line: C:\DOCUME~1\user\LOCALS~1\Temp\notepad.exe

Registry Modified (Key / Name / New Value):
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
      DhcpNameServer = 85.255.115.114,85.255.112.176
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}
      NameServer = 85.255.115.114,85.255.112.176
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7C75F97-CEE5-40F7-8B3F-AC3137A65E2A}
      DhcpNameServer = 85.255.115.114,85.255.112.176
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{C7C75F97-CEE5-40F7-8B3F-AC3137A65E2A}
      NameServer = 85.255.115.114,85.255.112.176
  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      Common AppData = C:\Documents and Settings\All Users\Application Data
  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
      DhcpNameServer = 85.255.115.114 85.255.112.176
  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
      NameServer = 85.255.115.114 85.255.112.176

Process Started:
Filename: ns4.tmp
Command Line: "C:\DOCUME~1\user\LOCALS~1\Temp\nsr3.tmp\ns4.tmp" C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe

Process Created:
  C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe

Process Started:
Filename: calc.exe
MD5: e1d8a8d394a435aacf09a7c9a17bd7bc
SHA-1: ebe1bb419c419e790f7cb19e65b0618fc176797b
File Size: 62976 Bytes
Command Line: C:\DOCUME~1\user\LOCALS~1\Temp\calc.exe

Registry Changed (Key / Name / New Value):
  HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
      System = kdbwt.exe
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      Cache = C:\Documents and Settings\user\Local Settings\Temporary Internet Files
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      Cookies = C:\Documents and Settings\user\Cookies
  HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
      History = C:\Documents and Settings\user\Local Settings\History

Affected Process:
  C:\WINDOWS\system32\winlogon.exe
  C:\WINDOWS\system32\services.exe
  C:\WINDOWS\system32\lsass.exe
  C:\WINDOWS\system32\spoolsv.exe
  C:\WINDOWS\System32\alg.exe

Process Started:
Analysis Reason: csrss.exe injected a remote thread into this process
Filename: popupKiller.exe
MD5: b8ccbffde3c450d938921b77edd31e0c
SHA-1: a1d5f57a6fb6871d35dd3545d752a43bd0fc4482
File Size: 183797 Bytes

Process Started:
Filename: ftvmdmsrv.exe
MD5: 0e6bf97243e1b33bf9537cc645ee5ce2
SHA-1: c13272c321530fa09693df85a95feb4d5b173eac
File Size: 364544 Bytes
Command Line: C:\WINDOWS\system32\ftvmdmsrv.exe
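The PE header and section table above answer the first triage questions about an unknown dropper before it is ever run: where the entry point lands, whether any section is both writable and executable, and which sections exist only in memory. The script below is an added example (not part of the sandbox report) that parses the report's own "PE Sections" block and applies those checks; the section-characteristic bit values are the IMAGE_SCN_* constants from winnt.h. On this sample the virtual-only .ndata section, together with the nsr3.tmp\ns4.tmp temp-file pattern seen at run time, is what an NSIS installer stub looks like, which is consistent with the "Dropper"/"Dldr" vendor names in the VirusTotal table.

```python
"""Triage a PE section table as printed in a sandbox report.

Added example; the section table and header values below are transcribed
from the report above, and the checks are the standard first-pass questions
for an unknown dropper (entry-point section, W+X sections, virtual-only
sections, SizeOfImage consistency).
"""
import re
from dataclasses import dataclass

# IMAGE_SCN_* characteristic bits from winnt.h
SCN_FLAGS = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x00000080: "CNT_UNINITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}

# Copied from the report's "PE Sections" block.
REPORT_SECTIONS = """\
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CA2  00001000  00005E00  00000400  60000020
.rdata   0000129C  00007000  00001400  00006200  40000040
.data    00025C78  00009000  00000400  00007600  C0000040
.ndata   0000A000  0002F000  00000000  00000000  C0000080
.rsrc    000041F8  00039000  00004200  00007A00  40000040
"""
ENTRY_POINT_RVA = 0x3247   # "Address of entry point" from the PE header
SIZE_OF_IMAGE = 0x3E000    # "Size of image" from the PE header
SECTION_ALIGNMENT = 0x1000 # "Section alignment" from the PE header


@dataclass
class Section:
    name: str
    vsize: int
    vaddr: int
    rawsize: int
    rawptr: int
    flags: int

    def characteristics(self) -> set:
        return {n for bit, n in SCN_FLAGS.items() if self.flags & bit}

    def contains_rva(self, rva: int) -> bool:
        # A mapped section spans max(VirtSize, PhysSize) from its VirtAddr.
        return self.vaddr <= rva < self.vaddr + max(self.vsize, self.rawsize)


_LINE = re.compile(r"^(\S+)" + r"\s+([0-9A-Fa-f]{8})" * 5 + r"\s*$")


def parse_sections(text: str) -> list:
    """Parse 'name VirtSize VirtAddr PhysSize PhysAddr Flags' rows; skip the header."""
    out = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            name, *hexvals = m.groups()
            out.append(Section(name, *(int(h, 16) for h in hexvals)))
    return out


def section_for_rva(sections, rva):
    for s in sections:
        if s.contains_rva(rva):
            return s.name
    return None  # entry point outside every section: a red flag on its own


def _round_up(value, align):
    return (value + align - 1) // align * align


def triage(sections, entry_rva, size_of_image, align=SECTION_ALIGNMENT):
    """Return the findings a reviewer wants before opening the sample in a debugger."""
    wx = {"MEM_WRITE", "MEM_EXECUTE"}
    last_end = max(_round_up(s.vaddr + s.vsize, align) for s in sections)
    return {
        "entry_section": section_for_rva(sections, entry_rva),
        "wx_sections": [s.name for s in sections if wx <= s.characteristics()],
        # PhysSize 0 with a non-zero VirtSize: allocated only in memory
        # (NSIS uses .ndata this way; packers use it for unpacking buffers).
        "virtual_only": [s.name for s in sections if s.rawsize == 0 and s.vsize > 0],
        "image_size_ok": last_end == size_of_image,
    }


if __name__ == "__main__":
    secs = parse_sections(REPORT_SECTIONS)
    for name, value in triage(secs, ENTRY_POINT_RVA, SIZE_OF_IMAGE).items():
        print(f"{name}: {value}")
```

Feeding the parser a table from another report works as long as the columns are in the same order; for a file on disk, the same checks apply to the section objects that pefile returns, with `VirtualAddress`, `Misc_VirtualSize`, `SizeOfRawData` and `Characteristics` in place of the parsed columns.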
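The two host-level changes that matter in the process trace above are the resolver rewrite (every Tcpip\Parameters NameServer and DhcpNameServer value, per interface and global, set to 85.255.115.114 and 85.255.112.176) and the Winlogon "System" value set to kdbwt.exe. The script below is an added example, not part of the report, that turns those into a check over registry records. The records are transcribed from the report's "Registry Modified/Changed" blocks plus one constructed clean record as a negative control; the 85.255.112.0/20 blocklist entry is an assumption (simply the /20 that covers both resolvers seen here), and the premise that Winlogon\System is empty on a clean install is also an assumption to confirm against a known-good build.

```python
"""Flag DNSChanger-style resolver hijacks and a Winlogon 'System' persistence
value in registry records.

Added example, not part of the original report.  Assumptions: the resolver
blocklist below (85.255.112.0/20 covers both resolvers in the report) and
that Winlogon\\System is empty on a clean host.
"""
import ipaddress
import re

# Assumption: ranges treated as rogue resolvers; replace with your own list.
ROGUE_RESOLVER_NETS = [ipaddress.ip_network("85.255.112.0/20")]

# (key, name, value) triples transcribed from the report; the final record is
# constructed as a clean negative control and does not appear in the report.
REPORT_RECORDS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}",
     "DhcpNameServer", "85.255.115.114,85.255.112.176"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B2B51064-BBF5-4528-B62B-E6D62A782874}",
     "NameServer", "85.255.115.114,85.255.112.176"),
    (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters",
     "DhcpNameServer", "85.255.115.114 85.255.112.176"),
    (r"HKLM\System\CurrentControlSet\Services\Tcpip\Parameters",
     "NameServer", "85.255.115.114 85.255.112.176"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "System", "kdbwt.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
     "Common AppData", r"C:\Documents and Settings\All Users\Application Data"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{00000000-0000-0000-0000-000000000000}",
     "NameServer", "192.168.1.1,8.8.8.8"),  # constructed clean record
]

# Global Tcpip\Parameters key or a per-interface subkey under it.
TCPIP_KEY = re.compile(
    r"\\Services\\Tcpip\\Parameters(\\Interfaces\\\{[0-9A-Fa-f-]+\})?$", re.IGNORECASE)
WINLOGON_KEY = re.compile(r"\\Windows NT\\CurrentVersion\\Winlogon$", re.IGNORECASE)


def split_resolvers(value: str) -> list:
    """Per-interface lists are comma-separated, the global list is
    space-separated (both forms appear in the report); accept either."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def rogue_resolvers(value: str, nets=ROGUE_RESOLVER_NETS) -> list:
    """Return the resolver literals in `value` that fall inside a rogue range."""
    hits = []
    for token in split_resolvers(value):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an IP literal (hostnames never belong here anyway)
        if any(addr in net for net in nets):
            hits.append(token)
    return hits


def scan_records(records, nets=ROGUE_RESOLVER_NETS) -> list:
    """Produce (kind, key, name, detail) alerts for the two indicators."""
    alerts = []
    for key, name, value in records:
        if TCPIP_KEY.search(key) and name.lower() in ("nameserver", "dhcpnameserver"):
            bad = rogue_resolvers(value, nets)
            if bad:
                alerts.append(("dns_hijack", key, name, bad))
        elif WINLOGON_KEY.search(key) and name.lower() == "system" and value.strip():
            # Assumption: this value is empty on a clean host; anything here is
            # executed by Winlogon with SYSTEM privileges at logon.
            alerts.append(("winlogon_persistence", key, name, value))
    return alerts


if __name__ == "__main__":
    for kind, key, name, detail in scan_records(REPORT_RECORDS):
        print(f"{kind}: {key}\\{name} -> {detail}")
```

On a live host the same `scan_records` function can be fed from `winreg` (enumerate the Interfaces subkeys and read both value names) or from a `reg export` of the Tcpip\Parameters and Winlogon keys; the splitting logic is the part people get wrong, because the global NameServer value is space-delimited while the per-interface ones are comma-delimited.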