Download Link: hxxp://cab.malwaredestructor.com/install278.exe
File size: 13344 bytes
File Name: install278.exe
MD5: e0412e9149fe97bb5c275949c4727858
SHA1: 5316a06b58459e0042adbc4aa5ae8b8e8421cc36
PEiD: Armadillo v1.71
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=e0412e9149fe97bb5c275949c4727858
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=FA3E9DCE20F104FD349900E444B76700A07C84D7

VirusTotal Result: 26/32 (81.25%)
Antivirus          Version          Last Update  Result
AhnLab-V3          2008.4.1.2       2008.04.01   Win-Trojan/Agent.13344
AntiVir            7.6.0.78         2008.04.01   TR/Agent.8192.194
Avast              4.7.1098.0       2008.03.31   Win32:Trojan-gen {VC}
AVG                7.5.0.516        2008.04.01   Downloader.Agent.TML
CAT-QuickHeal      9.50             2008.03.31   TrojanDownloader.Agent.frv
DrWeb              4.44.0.09170     2008.04.01   Trojan.DownLoader.49023
eSafe              7.0.15.0         2008.03.31   Win32.Agent.ccl
eTrust-Vet         31.3.5661        2008.04.01   Win32/VMalum.USY
Ewido              4.0              2008.04.01   Downloader.Agent.ccl
F-Prot             4.4.2.54         2008.03.31   W32/Downloader!b297
F-Secure           6.70.13260.0     2008.04.01   Trojan-Downloader.Win32.Agent.ccl
FileAdvisor        1                2008.04.01   High threat detected
Fortinet           3.14.0.0         2008.04.01   W32/Small.HSP!tr.dldr
Ikarus             T3.1.1.20        2008.04.01   Trojan-Downloader.Win32.Agent.ccl
Kaspersky          7.0.0.125        2008.04.01   Trojan-Downloader.Win32.Agent.ccl
McAfee             5263             2008.03.31   Generic.dx
NOD32v2            2992             2008.04.01   probably a variant of Win32/TrojanDownloader.Agent
Norman             5.80.02          2008.04.01   W32/Agent.CXER
Panda              9.0.0.4          2008.03.31   Trj/Downloader.MDW
Prevx1             V2               2008.04.01   Heuristic: Suspicious Self Modifying File
Rising             20.38.12.00      2008.04.01   Trojan.DL.Win32.Agent.ccl
Sophos             4.28.0           2008.04.01   Mal/Generic-A
Sunbelt            3.0.978.0        2008.03.18   Trojan.Nethell.B
Symantec           10               2008.04.01   ExpertAntiVirus
VBA32              3.12.6.3         2008.03.25   Trojan-Downloader.Win32.Agent.ccl
Webwasher-Gateway  6.6.2            2008.04.01   Trojan.Agent.8192.194

Analysis Report: http://malwareinfo.freeforums.org/cab-malwaredestructor-com-install278-exe-t32.html

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0002
Time/Date stamp: 46D54BBE
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00000A00
Size of initialized data: 00001200
Size of uninitialized data: 00000000
Address of entry point: 00001686
Base of code: 00001000
Base of data: 00002000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00004000
Size of headers: 00000400
Checksum: 0000731A
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    0000080C  00001000  00000A00  00000400  60000020
.data    000010EE  00002000  00001200  00000E00  C0000040

Import table (libraries: 2)

KERNEL32.dll (imports: 11)
GetLastError
CreateMutexA
GetProcAddress
LoadLibraryA
LocalFree
LocalAlloc
CloseHandle
FreeLibrary
GetTickCount
GetModuleHandleA
GetStartupInfoA

MSVCRT.dll (imports: 17)
getenv
_snprintf
_except_handler3
_exit
strtok
exit
_acmdln
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_controlfp
??3@YAXPAX@Z
_XcptFilter

Process Info:
Process ID 1360
Filename C:\install278.exe
Filesize 13344 bytes
MD5 e0412e9149fe97bb5c275949c4727858

File System Activities:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Mutexes:
Creates Mutex: #MTX#
Creates Mutex: RasPbFile

Process Management:
Creates Process - Filename () CommandLine: (C:\WINDOWS\system32\cmd.exe /c del C:\install278.exe >>NUL) As User: () Creation Flags: ()
Kill Process - Filename () CommandLine: () Target PID: (1360) As User: () Creation Flags: ()

Service Management:
Open Service Manager - Name: "SCM"

System Info:
Get System Directory
Get Computer Name

User Management:
Impersonate User - Domain: () User: (Administrator)

Network Activity:
DNS Lookup: xxx.malwaredestructor.com

Process Started:
Filename C:\WINDOWS\system32\cmd.exe /c del C:\install278.exe >>NUL
Filesize 375808 bytes
MD5 84ddf54db542b2eb9ef08144fb6e3645
Start Reason CreateProcess

File System Activities:
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Open File: NUL (OPEN_EXISTING)
Get File Attributes: C:\install278.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\install278.exe
Delete File: C:\install278.exe

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"

Process Management:
Kill Process - Filename () CommandLine: () Target PID: (1780) As User: () Creation Flags: ()