Download Link: hxxp://findmx.com/conime.exe

File Name: conime.exe
File size: 69632 bytes
MD5...: f8950f957f694940d06385d79cad8744
SHA1..: a9f2400c94dff5bcbf146911be1b751ab88ba4dd
SHA256: 360da771d6bf741b8d505432edf15a67675117d43327ead624da39c70b412e53
SHA512: 12c80158f1ba1679344440d7e5852559022936a38e33ca511b46370319d86bf2c172b5a919c40007248af98c10e0a46818240c422024e660fd9489298640f4b8
PEiD..: Armadillo v1.71
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=F41D85CB00CFC8121038017BFDEF47009DEB6BE6

VirusTotal Result: 6/31 (19.36%)

Fortinet    3.14.0.0    2008.04.05    W32/Cabat!tr
Ikarus      T3.1.1.20   2008.04.05    Trojan-PWS.Win32.OnLineGames.ssu
Microsoft   1.3408      2008.04.05    PWS:Win32/Lineage.WI.dr
Prevx1      V2          2008.04.05    Heuristic: Suspicious Self Modifying File
Sophos      4.28.0      2008.04.05    Troj/Cabat-Gen

PE Header

Signature: 00004550
Machine: 014C - Intel 386
Number of sections: 0004
Time/Date stamp: 47F2288A
Pointer to symbol table: 00000000
Number of symbols: 00000000
Size of optional header: 00E0
Characteristics: 010F
Magic: 010B
Linker version (major): 06
Linker version (minor): 00
Size of code: 00002000
Size of initialized data: 00010000
Size of uninitialized data: 00000000
Address of entry point: 00002640
Base of code: 00001000
Base of data: 00003000
Image base: 00400000
Section alignment: 00001000
File alignment: 00001000
OS version (major): 0004
OS version (minor): 0000
Image version (major): 0000
Image version (minor): 0000
Sub system version (major): 0004
Sub system version (minor): 0000
Win32 version: 00000000
Size of image: 00013000
Size of headers: 00001000
Checksum: 00000000
Sub system: 0002 - Windows graphical user interface (GUI) subsystem
DLL characteristics: 0000
Size of stack reserve: 00100000
Size of stack commit: 00001000
Size of heap reserve: 00100000
Size of heap commit: 00001000
Loader flags: 00000000
Number of RVA: 00000010

PE Sections

Section   VirtSize   VirtAddr   PhysSize   PhysAddr   Flags
.text     00001845   00001000   00002000   00001000   60000020
.rdata    000005F0   00003000   00001000   00003000   40000040
.data     00002480   00004000   00001000   00004000   C0000040
.rsrc     0000B060   00007000   0000C000   00005000   40000040

Import table (libraries: 4)

KERNEL32.dll (imports: 16)
FlushFileBuffers, ReadFile, SetFilePointer, WriteFile, CreateFileA, CloseHandle, GetModuleHandleA, DeleteFileA, SetFileAttributesA, GetCurrentProcess, GetSystemInfo, GetLastError, LoadLibraryA, GetProcAddress, SizeofResource, GetStartupInfoA

ADVAPI32.dll (imports: 8)
OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegCloseKey, RegOpenKeyExA

WINMM.dll (imports: 6)
mixerOpen, mixerGetLineInfoA, mixerGetLineControlsA, mixerGetControlDetailsA, mixerSetControlDetails, mixerClose

MSVCRT.dll (imports: 15)
_controlfp, _except_handler3, __set_app_type, __p__fmode, __p__commode, ??3@YAXPAX@Z, __CxxFrameHandler, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv

When executed, drops the file: C:\WINDOWS\system32\donb32drv.dll

File Name: donb32drv.dll
File size: 45056 bytes
MD5...: f661d5dadc0c0b128d7590454fa7425a
SHA1..: 5405addeae410afc90a2bb038f64bfdd2d784746
SHA256: 95ffbe489032f948d5a9000f077bae37e54760063435fafa211727af563b1ce5
SHA512: 945b76d3b94d92557b80f28bafbfe86d1a82e0f7289938f259426a4a21e5317a4f761cf0f6a9e4fdddf2932df5629a0961b4b95875323dceccc9f5d45bcacd15
PEiD..: Armadillo v1.xx - v2.xx

Exported Functions:

Function Name          ID Number
DllCanUnloadNow        14050144
DllGetClassObject      14050128
DllRegisterServer      14050144
DllUnregisterServer    14050144

VirusTotal Result: 4/32 (12.5%)

F-Prot      4.4.2.54    2008.04.05    W32/Heuristic-166!Eldorado
Ikarus      T3.1.1.20   2008.04.05    Trojan-PWS.Win32.OnLineGames.ssu
Microsoft   1.3408      2008.04.05    PWS:Win32/Lineage.WI.dll
Sophos      4.28.0      2008.04.05    Mal/Emogen-R

Load Time DLL:

Module Name                            Base Address   Size
C:\WINDOWS\system32\ntdll.dll          0x7C900000     0x000B0000
C:\WINDOWS\system32\kernel32.dll       0x7C800000     0x000F5000
C:\WINDOWS\system32\ADVAPI32.dll       0x77DD0000     0x0009B000
C:\WINDOWS\system32\RPCRT4.dll         0x77E70000     0x00092000
C:\WINDOWS\system32\Secur32.dll        0x77FE0000     0x00011000
C:\WINDOWS\system32\WINMM.dll          0x76B40000     0x0002D000
C:\WINDOWS\system32\USER32.dll         0x7E410000     0x00090000
C:\WINDOWS\system32\GDI32.dll          0x77F10000     0x00047000
C:\WINDOWS\system32\MSVCRT.dll         0x77C10000     0x00058000
C:\WINDOWS\system32\IMM32.DLL          0x76390000     0x0001D000

Run Time DLL:

Module Name                            Base Address   Size
C:\WINDOWS\system32\donb32drv.dll      0x10000000     0x00028000
C:\WINDOWS\system32\WS2HELP.dll        0x71AA0000     0x00008000
C:\WINDOWS\system32\WS2_32.dll         0x71AB0000     0x00017000
C:\WINDOWS\system32\OLEAUT32.dll       0x77120000     0x0008B000
C:\WINDOWS\system32\ole32.dll          0x774E0000     0x0013D000
C:\WINDOWS\system32\Apphelp.dll        0x77B40000     0x00022000

Registry Modified:

Key Name | New Value
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {D60A0B68-EF3A-A1D2-FD09-3A81AE26D2BA}

Registry Reads:

Key Name | Value | Times
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {AEB6717E-7E19-11d0-97EE-00C04FD91972} | 4
HKLM\SYSTEM\WPA\MediaCenter | Installed 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | AuthenticodeEnabled 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | DefaultLevel 262144 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | PolicyScope 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers | TransparentEnabled 1 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | HashAlg 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemData 0x5eab304f957a49896a006c1c31154015 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | ItemSize 779 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} | SaferFlags 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | HashAlg 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemData 0x67b0d48b343a3fd3bce9dc646704f394 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | ItemSize 517 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} | SaferFlags 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | HashAlg 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemData 0x327802dcfef8c893dc8ab006dd847d1d | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | ItemSize 918 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} | SaferFlags 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | HashAlg 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemData 0xbd9a2adb42ebd8560e250e4df8162f67 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | ItemSize 229 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} | SaferFlags 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | HashAlg 32771 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemData 0x386b085f84ecf669d36b956a22c01e80 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | ItemSize 370 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} | SaferFlags 0 | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | ItemData %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* | 1
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} | SaferFlags 0 | 1
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName | ComputerName USER | 1
HKU\S-1-5-21-1229272821-1004336348-527237240-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache C:\Documents and Settings\user\Local Settings\Temporary Internet Files | 1

Files Created:
C:\WINDOWS\system32\donb32drv.dll
C:\das.bat

Files Read:
C:\WINDOWS\system32\donb32drv.dll
PIPE\lsarpc

Files Modified:
PIPE\lsarpc

Memory Mapped Files:

File Name
C:\WINDOWS\system32\cmd.exe
C:\Windows\AppPatch\sysmain.sdb
C:\das.bat