Download Link: hxxp://dssoaps.com/log.exe
File Name: log.exe
File size: 6656 bytes
MD5: ef0ef97e50628fdf06c7194899282438
SHA1: 5d982ed3b258a44d860ae9184c4ef5e44d35330c
PEiD: -

VirusTotal Result: 13/31 (41.94%)
AntiVir: TR/Qhost.aje
AVG: Generic10.CVR
CAT-QuickHeal: Trojan.Qhost.aje
Ewido: Trojan.Qhost.aje
F-Secure: Trojan.Win32.Qhost.aje
Fortinet: W32/Qhost.AJE!tr
Ikarus: Trojan.Win32.Qhost.aje
Kaspersky: Trojan.Win32.Qhost.aje
Norman: W32/Qhost.DQZ
Sophos: Mal/Generic-A
TheHacker: Trojan/Qhost.aje
VBA32: Trojan.Win32.Qhost.aje
Webwasher-Gateway: Trojan.Qhost.aje

Analysis Report: http://malwareinfo.freeforums.org/dssoaps-com-log-exe-t39.html

File Info:

PE Header
Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 47DE7291
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 0103
Magic: 010B
Linker version (major): 08
Linker version (minor): 00
Size of code: 00000800
Size of initialized data: 00000E00
Size of uninitialized data: 00000000
Address of entry point: 00001377
Base of code: 00001000
Base of data: 00002000
Image base: 00400000
Section alignment: 00001000
File alignment: 00000200
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00005000
Size of headers: 00000400
Checksum: 0000A338
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections
Section   VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
.text     000007E2  00001000  00000800  00000400  60000020
.rdata    000009C4  00002000  00000A00  00000C00  40000040
.data     0000051C  00003000  00000200  00001600  C0000040
.rsrc     000001AC  00004000  00000200  00001800  40000040

Import table (libraries: 2)
------------------------------------
KERNEL32.dll (imports: 17)
CreateFileW
WriteFile
CloseHandle
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetCurrentProcess
TerminateProcess
GetStartupInfoW
InterlockedCompareExchange
Sleep
InterlockedExchange
GetSystemTimeAsFileTime

MSVCR80.dll (imports: 25)
_encode_pointer
__set_app_type
_crt_debugger_hook
_unlock
__p__fmode
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
__p__commode
_adjust_fdiv
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
_wcmdln
exit
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
__dllonexit

Files Modified:
C:\WINDOWS\system32\drivers\etc\hosts
(.text:00401014 push offset FileName ; "C:\\WINDOWS\\system32\\drivers\\etc\\hosts")

Values Entered:
.rdata:00402148 db 9,'# 102.54.94.97 rhino.acme.com # source server',0Dh,0Ah
.rdata:00402148 db 9,'# 38.25.63.10 x.acme.com # x client host',0Dh,0Ah
.rdata:00402148 db 9,'127.0.0.1 antichat.ru',0Dh,0Ah
.rdata:00402148 db 9,'# 127.0.0.1 l2testauthd.lineage2.com',0Dh,0Ah
.rdata:00402148 db 9,'# 127.0.0.1 l2authd.lineage2.com',0Dh,0Ah
.rdata:00402148 db 9,'# 89.108.84.103 nprotect.lineage2.com',0Dh,0Ah
.rdata:00402148 db 9,'67.228.86.37 login.osmp.ru #Alcohol Serial Check blocken',0Dh
.rdata:00402148 db 0Ah
.rdata:00402148 db 9,'80.71.255.10 l2testauthd.lineage2.com',0