File Name: gamecodec4441.exe

VirusTotal Result: 10/31 (32.26%)

Engine             Version        Signature date  Result
AntiVir            7.6.0.85       2008.04.11      DR/Dldr.DNSChanger.Gen
AVG                7.5.0.516      2008.04.11      DNSChanger.AA
BitDefender        7.2            2008.04.11      Dropped:Trojan.Downloader.Zlob.ABOU
F-Prot             4.4.2.54       2008.04.10      W32/Trojan2.AIES
F-Secure           6.70.13260.0   2008.04.11      W32/Malware
Kaspersky          7.0.0.125      2008.04.11      Trojan.Win32.DNSChanger.arn
Norman             5.80.02        2008.04.11      W32/Malware
Prevx1             V2             2008.04.11      Generic.Dropper.xCodec
VBA32              3.12.6.4       2008.04.06      MalwareScope.Trojan.DnsChange.2
Webwasher-Gateway  6.6.2          2008.04.11      Trojan.Dropper.Dldr.DNSChanger.Gen

File Info:
File size: 236318 bytes
MD5...: e89c33de832611039b8e310a0a5c78d8
SHA1..: a0b674cf0852570f888e1b55173e53836fc96fb0
SHA256: 669ffcb1ebeadbba30bb88118ddd397b1d45aa1b734e2e2d785776821e27b787
SHA512: 969b279aa1ba15bc81d16ef16c289d0f56111da1ea7d2f2be00a12f18571d9075327cabc90d4329f2711d592ebafe9b99545e9886fea850b81af9629662b3d36

PE Header:
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0005
Time/Date stamp: 47ACC8BC
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00005E00
Size of initialized data: 00028400
Size of uninitialized data: 00000400
Address of entry point: 00003247
Base of code: 00001000
Base of data: 00007000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 0003E000
Size of headers: 00000400
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections:
Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text    00005CA2  00001000  00005E00  00000400  60000020
.rdata   0000129C  00007000  00001400  00006200  40000040
.data    00025C78  00009000  00000400  00007600  C0000040
.ndata   0000A000  0002F000  00000000  00000000  C0000080
.rsrc    000041F8  00039000  00004200  00007A00  40000040

Import table (libraries: 8):

KERNEL32.dll (imports: 59)
  CompareFileTime SearchPathA GetShortPathNameA GetFullPathNameA MoveFileA SetCurrentDirectoryA GetFileAttributesA GetLastError CreateDirectoryA SetFileAttributesA Sleep GetTickCount CreateFileA GetFileSize GetModuleFileNameA GetCurrentProcess CopyFileA ExitProcess SetFileTime GetTempPathA GetCommandLineA SetErrorMode LoadLibraryA lstrcpynA GetDiskFreeSpaceA GlobalUnlock GlobalLock CreateThread CreateProcessA RemoveDirectoryA GetTempFileNameA lstrlenA lstrcatA GetSystemDirectoryA GetVersion CloseHandle lstrcmpiA lstrcmpA ExpandEnvironmentStringsA GlobalFree GlobalAlloc WaitForSingleObject GetExitCodeProcess GetModuleHandleA LoadLibraryExA GetProcAddress FreeLibrary MultiByteToWideChar WritePrivateProfileStringA GetPrivateProfileStringA WriteFile ReadFile MulDiv SetFilePointer FindClose FindNextFileA FindFirstFileA DeleteFileA GetWindowsDirectoryA

USER32.dll (imports: 62)
  EndDialog ScreenToClient GetWindowRect EnableMenuItem GetSystemMenu SetClassLongA IsWindowEnabled SetWindowPos GetSysColor GetWindowLongA SetCursor LoadCursorA CheckDlgButton GetMessagePos LoadBitmapA CallWindowProcA IsWindowVisible CloseClipboard SetClipboardData EmptyClipboard RegisterClassA TrackPopupMenu AppendMenuA CreatePopupMenu GetSystemMetrics SetDlgItemTextA GetDlgItemTextA MessageBoxIndirectA CharPrevA DispatchMessageA PeekMessageA DestroyWindow CreateDialogParamA SetTimer SetWindowTextA PostQuitMessage SetForegroundWindow wsprintfA SendMessageTimeoutA FindWindowExA SystemParametersInfoA CreateWindowExA GetClassInfoA DialogBoxParamA CharNextA OpenClipboard ExitWindowsEx IsWindow GetDlgItem SetWindowLongA LoadImageA GetDC EnableWindow InvalidateRect SendMessageA DefWindowProcA BeginPaint GetClientRect FillRect DrawTextA EndPaint ShowWindow

GDI32.dll (imports: 8)
  SetBkColor GetDeviceCaps DeleteObject CreateBrushIndirect CreateFontIndirectA SetBkMode SetTextColor SelectObject

SHELL32.dll (imports: 6)
  SHGetPathFromIDListA SHBrowseForFolderA SHGetFileInfoA ShellExecuteA SHFileOperationA SHGetSpecialFolderLocation

ADVAPI32.dll (imports: 9)
  RegQueryValueExA RegSetValueExA RegEnumKeyA RegEnumValueA RegOpenKeyExA RegDeleteKeyA RegDeleteValueA RegCloseKey RegCreateKeyExA

COMCTL32.dll (imports: 4)
  ImageList_AddMasked ImageList_Destroy #17 ImageList_Create

ole32.dll (imports: 4)
  CoTaskMemFree OleInitialize OleUninitialize CoCreateInstance

VERSION.dll (imports: 3)
  GetFileVersionInfoSizeA GetFileVersionInfoA VerQueryValueA

Process Details:
Process ID: 684
Filename: C:\gamecodec4441.exe
Filesize: 236318 bytes
MD5: e89c33de832611039b8e310a0a5c78d8
Start Reason: AnalysisTarget

New Files Created:
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr1D.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\dcryptdll.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\dcryptdll.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\nsExec.dll
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\modern-header.bmp

Opened Files:
\\.\PIPE\lsarpc
\\.\PIPE\ntsvcs
C:\gamecodec4441.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp

Deleted Files:
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr1B.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe

Chronological order of File System Activity:
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr1B.tmp
Get File Attributes: C:\gamecodec4441.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\gamecodec4441.exe (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsr1D.tmp
Find File: C:\Program Files\VideoKey\Uninstall.exe
Get File Attributes: C:\DOCUME~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\dcryptdll.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\dcryptdll.dll
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\dcryptdll.dll
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat (OPEN_EXISTING)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe ()
Find File: notepad.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\nsExec.dll Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\nsExec.dll
Copy File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\nsExec.dll to C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp (OPEN_EXISTING)
Open File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp ()
Find File: ns2B.tmp
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\lzma.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp
Find File: C:\DOCUME~1\Sandbox\LOCALS~1
Find File: C:\DOCUME~1\Sandbox
Find File: C:\DOCUME~1
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\linux
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe.dat
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\freebsd.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Find File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe Flags: (FILE_ATTRIBUTE_ARCHIVE,SECURITY_ANONYMOUS)
Delete File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Get File Attributes: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\modern-header.bmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\modern-header.bmp
Set File Time: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\modern-header.bmp

Read INI File:
WIN.INI [windows] ScrollInset =
WIN.INI [windows] DragDelay =
WIN.INI [windows] DragMinDist =
WIN.INI [windows] ScrollDelay =
WIN.INI [windows] ScrollInterval =
WIN.INI [richedit30] flags =

Mutexes:
Creates Mutex: __B_GJ

Registry Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_DLLs" = [REG_EXPAND_SZ, value: bauhgnem.dll,eohsom.dll,fyom.dll,sauhad.dll,ijougiemnaw.dll,taijoad.dll,lnaixnauhqq.dll,idtj.dll,vhqq.dll,atgnehz.dll,rsqq.dll,tsqc.dll,vauyiqvlnaix.dll,wQ.dll,fmxh.dll,cty.dll,pahzij.dll,jz.dll,bz.dll,pyomielnux.dll,mhtd.dll,qnefnaiº_CHAR(0x03)_

Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion "ProgramFilesDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion "CurrentVersion"

Process Management:
Creates Process - Filename: () CommandLine: (C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe) As User: () Creation Flags: ()
Creates Process - Filename: () CommandLine: ("C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp" C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe) As User: () Creation Flags: (CREATE_NEW_CONSOLE)
Kill Process - Filename: () CommandLine: () Target PID: (1260) As User: () Creation Flags: ()
Enum Processes
Enum Modules - Target PID: (1472)

Process Started:
Process ID: 516
Filename: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\notepad.exe
Filesize: 31744 bytes
MD5: 689440d45ef2c11e17e11b508cb762f5
Start Reason: CreateProcess

New Files Created:
C:\WINDOWS\System32\DRIVERS\msacpe.sys

Opened Files:
\\.\PIPE\lsarpc
\\.\fpidsdos

Chronological order:
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\fpidsdos (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\System32\DRIVERS\msacpe.sys Flags: (SECURITY_ANONYMOUS)
Move File: to C:\WINDOWS\System32\DRIVERS\msacpe.sys

Read INI File:
WIN.INI [dohs] dohs =

Mutexes:
Creates Mutex: _M_204msosdohs00.dll
Creates Mutex: __B_WL

Registry Reads:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mseqsy "ImagePath"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mseqsy "Start"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows "AppInit_Dlls"

Process Started:
Process ID: 1260
Filename: C:\DOCUME~1\Sandbox\LOCALS~1\Temp\nsm23.tmp\ns2B.tmp C:\DOCUME~1\Sandbox\LOCALS~1\Temp\calc.exe
Filesize: 6144 bytes
MD5: 886cbcd0829ffb358168911f9cb1b149
Start Reason: CreateProcess