Download Link: hxxp://small-tool.net/new.exe
File Name: new.exe

VirusTotal Result: 18/32 (56.25%)

AntiVir            7.6.0.85       2008.04.11  DR/Agent.cds
Avast              4.8.1169.0     2008.04.13  Win32:Agent-PZA
AVG                7.5.0.516      2008.04.12  Agent.MOU
DrWeb              4.44.0.09170   2008.04.13  Trojan.DnsChange
eSafe              7.0.15.0       2008.04.09  Win32.Agent.cds
F-Prot             4.4.2.54       2008.04.13  W32/Malware!6db5
F-Secure           6.70.13260.0   2008.04.13  Trojan.Win32.Agent.cds
FileAdvisor        1              2008.04.13  High threat detected
Fortinet           3.14.0.0       2008.04.13  W32/Agent.CDS!tr
Ikarus             T3.1.1.26.0    2008.04.13  Virus.Trojan.Win32.Agent.cds
Kaspersky          7.0.0.125      2008.04.13  Trojan.Win32.Agent.cds
NOD32v2            3021           2008.04.12  Win32/Agent.CDS
Panda              9.0.0.4        2008.04.13  Trj/Downloader.MDW
Prevx1             V2             2008.04.13  Heuristic: Suspicious Self Modifying File
Rising             20.39.62.00    2008.04.13  Trojan.Win32.Undef.ccg
Sunbelt            3.0.1041.0     2008.04.12  Trojan.Win32.Agent.cds
VBA32              3.12.6.4       2008.04.13  Trojan.Win32.Agent.cds
Webwasher-Gateway  6.6.2          2008.04.11  Trojan.Dropper.Agent.cds

File Info:

File size: 310728 bytes
MD5...: e07d7d1707bd4f23ec92ebed471a3ad3
SHA1..: 1a0270cb6bb281f7928b3c6288b59f22cb7dcbbf
SHA256: ee35ad1c084c9a917c7ca1822070931c43679879acfb2d59b582b433649cdf87
SHA512: 7e81907a10be74da6cb1e44c943f1391bb10fcf5be7f78d6795cb58bb924f3ea4847e19179e1b7fc7c9ce07820dbc4807c962ca160704edafcfb1eacf4acb4bd

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=8B98308CC89A7821BD9304779283AA00B269EDCA
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=e07d7d1707bd4f23ec92ebed471a3ad3

PE Structure information:

Entry Point Address.: 0x4097f0
Time Date Stamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
Machine Type........: 0x14c (I386)

PE Header

Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0008
Time/Date stamp: 2A425E19
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 818F
Magic: 010B
Linker version (major): 02
Linker version (minor): 19
Size of code: 00009000
Size of initialized data: 00004200
Size of uninitialized data: 00000000
Address of entry point: 000097F0
Base of code: 00001000
Base of data: 0000A000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0001
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00013000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00004000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections

Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
CODE     00008F14  00001000  00009000  00000400  60000020
DATA     00000248  0000A000  00000400  00009400  C0000040
BSS      00000E34  0000B000  00000000  00009800  C0000000
.idata   00000942  0000C000  00000A00  00009800  C0000040
.tls     00000008  0000D000  00000000  0000A200  C0000000
.rdata   00000018  0000E000  00000200  0000A200  50000040
.reloc   00000880  0000F000  00000000  0000A400  50000040
.rsrc    00002800  00010000  00002800  0000A400  50000040

Import table (libraries: 8)

> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, WideCharToMultiByte, TlsSetValue, TlsGetValue, MultiByteToWideChar, GetModuleHandleA, GetLastError, GetCommandLineA, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, ExitProcess, CreateFileA, CloseHandle
> user32.dll: MessageBoxA
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysAllocStringLen
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA
> kernel32.dll: WriteFile, VirtualQuery, VirtualProtect, VirtualFree, VirtualAlloc, Sleep, SizeofResource, SetLastError, SetFilePointer, SetErrorMode, SetEndOfFile, RemoveDirectoryA, ReadFile, LockResource, LoadResource, LoadLibraryA, IsDBCSLeadByte, GetWindowsDirectoryA, GetVersionExA, GetUserDefaultLangID, GetSystemInfo, GetSystemDefaultLCID, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeProcess, GetEnvironmentVariableA, GetCurrentProcess, GetCommandLineA, InterlockedExchange, FormatMessageA, FindResourceA, DeleteFileA, CreateProcessA, CreateFileA, CreateDirectoryA, CloseHandle
> user32.dll: TranslateMessage, SetWindowLongA, PeekMessageA, MsgWaitForMultipleObjects, MessageBoxA, LoadStringA, ExitWindowsEx, DispatchMessageA, DestroyWindow, CreateWindowExA, CallWindowProcA, CharPrevA
> comctl32.dll: InitCommonControls
> advapi32.dll: AdjustTokenPrivileges

File System Activities:

Files Created:

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\send_task[1].htm  17KB
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cchost.lnk  1KB
C:\Program Files\cchost  1KB
C:\Program Files\cchost\cchost.exe  62KB
C:\Program Files\cchost\unins000.dat  50KB
C:\Program Files\cchost\unins000.exe  676KB
C:\WINDOWS\cchost.INI  1KB

Registry Entries Created:

HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache  C:\Program Files\cchost\cchost.exe "MFC-Anwendung cchost"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  cchost.exe ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  Inno Setup: Setup Version "5.1.6"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  Inno Setup: App Path "C:\Program Files\cchost"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  InstallLocation "C:\Program Files\cchost\"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  Inno Setup: Icon Group "cchost"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  Inno Setup: User "Administrator"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  DisplayName "cchost version 2.0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  DisplayIcon "C:\Program Files\cchost\cchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  UninstallString ""C:\Program Files\cchost\unins000.exe""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  QuietUninstallString ""C:\Program Files\cchost\unins000.exe" /SILENT"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  NoModify dword:00000001
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\cchost_is1  NoRepair dword:00000001
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\MUICache  C:\Program Files\cchost\cchost.exe "MFC-Anwendung cchost"

Process Details:

cchost.exe  1636  MFC-Anwendung cchost (Unable to verify)

Process: cchost.exe  Pid: 1636

Type           Name
Directory      \BaseNamedObjects
Mutant         \BaseNamedObjects\_!MSFTHISTORY!_
Section        \BaseNamedObjects\__R_00000000001a_SMem__
Mutant         \BaseNamedObjects\c:!documents and settings!administrator!cookies!
Mutant         \BaseNamedObjects\c:!documents and settings!administrator!local settings!history!history.ie5!
Mutant         \BaseNamedObjects\c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Section        \BaseNamedObjects\C:_Documents and Settings_Administrator_Cookies_index.dat_49152
Section        \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_History_History.IE5_index.dat_229376
Section        \BaseNamedObjects\C:_Documents and Settings_Administrator_Local Settings_Temporary Internet Files_Content.IE5_index.dat_884736
Event          \BaseNamedObjects\crypt32LogoffEvent
Mutant         \BaseNamedObjects\mvmkgnevfnei_1636
Mutant         \BaseNamedObjects\ovmkgnevfnei_1636
Mutant         \BaseNamedObjects\RasPbFile
Section        \BaseNamedObjects\SENS Information Cache
Semaphore      \BaseNamedObjects\shell._ie_sessioncount
Semaphore      \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Semaphore      \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Section        \BaseNamedObjects\UrlZonesSM_Administrator
Event          \BaseNamedObjects\userenv: User Profile setup event
Mutant         \BaseNamedObjects\WininetConnectionMutex
Mutant         \BaseNamedObjects\WininetProxyRegistryMutex
Mutant         \BaseNamedObjects\WininetStartupMutex
Desktop        \Default
File           \Device\Afd\AsyncConnectHlp
File           \Device\Afd\AsyncSelectHlp
File           \Device\Afd\Endpoint
File           \Device\Ip
File           \Device\Ip
File           \Device\Ip
File           \Device\KsecDD
File           \Device\NamedPipe\ROUTER
File           \Device\NamedPipe\ROUTER
File           \Device\Tcp
File           \Device\Tcp
File           \Device\Tcp
File           \Device\Tcp
KeyedEvent     \KernelObjects\CritSecOutOfMemoryEvent
Directory      \KnownDlls
Directory      \Windows
WindowStation  \Windows\WindowStations\WinSta0
WindowStation  \Windows\WindowStations\WinSta0
File           C:\Documents and Settings\Administrator\Cookies\index.dat
File           C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
File           C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
File           C:\Program Files\cchost
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
File           C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.2180_x-ww_522f9f82
Thread         cchost.exe(1636): 1012
Thread         cchost.exe(1636): 1012
Thread         cchost.exe(1636): 1012
Thread         cchost.exe(1636): 656

Content of the file C:\WINDOWS\cchost.INI:

[afx]
std=2af15d9058c021f9