7: Alters the correct functioning of the following system modules used for network communications to bypass firewalls and to perform network packet manipulations :

tcpip.sys
wanarp.ss
ndis.sys

The operations of the iframecash.biz gang has been covered in our blog before. Basically, they've been buying traffic from anybody who's been willing to sell it to them - then they use exploits to take over innocent surfer's computers and install trojans and spyware on them.

Now, the good news is that at least for the present, their main site www.iframecash.biz is offline. Hopefully it stays that way.

Removing a hidden data stream, especially one attached to a Windows system directory, is quite tricky.

Since the rootkit is also active in Safe Mode, the easiest solution is to reboot to Windows Recovery Console and write out the data stream from there.

You can do this by copying a suitable file on top of the stream ("copy c:\windows\SomeNonExecutableFile c:\windows\system32:18467"). The copy operation won't succeed, but it will clear out the stream.

--

CWSandbox Analysis report for file: 0e6eb631f6d0db70790b1b1246eab1ea.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\0e6eb631f6d0db70790b1b1246eab1ea.exe MD5: [0e6eb631f6d0db70790b1b1246eab1ea], PID 120, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (c:\temp\0e6eb631f6d0db70790b1b1246eab1ea.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (advapi32.dll)
Loaded DLL - DLL: (ntdll.dll)
Loaded DLL - DLL: (USER32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)

==============================================================================
Process Management
==============================================================================
Enum Processes

Open Process - Filename (C:\WINDOWS\Explorer.EXE) CommandLine: () Target PID: (1712) As User: () Creation Flags: ()

==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Create Service - Name: (pe386) Display Name: (Win23 lzx files loader) File Name: (C:\WINDOWS\System32:lzx32.sys) Control: () Start Type: (SERVICE_SYSTEM_START)
Start Service - Name: (pe386) Display Name: () File Name: () Control: () Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory

==============================================================================
Threads
==============================================================================
Create Remote Thread - Target PID (1712) Thread ID ($0510) Thread ID ($00BA0100) Parameter Address ($00123456) Creation Flags (CREATE_SUSPENDED)

==============================================================================
Virtual Memory
==============================================================================
VM Allocate - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: (MEM_COMMIT,MEM_RESERVE)
VM Allocate - Target: (1712) Address: ($00BD0000) Size: (65536) Protect: (PAGE_READWRITE) Allocation Type: (MEM_RESERVE)
VM Allocate - Target: (1712) Address: ($00BDE000) Size: (8192) Protect: (PAGE_READWRITE) Allocation Type: (MEM_COMMIT)
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_EXECUTE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BA0000) Size: (4096) Protect: (PAGE_READWRITE) Allocation Type: ()
VM Protect - Target: (1712) Address: ($00BDE000) Size: (4096) Protect: (PAGE_READWRITE,PAGE_GUARD) Allocation Type: ()
VM Write - Target: (1712) Address: ($00BA0000) Size: (256) Protect: () Allocation Type: ()
VM Write - Target: (1712) Address: ($00BA0100) Size: (2306) Protect: () Allocation Type: ()

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (services.exe MD5: [], PID 536, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
Service Management
==============================================================================
Load Driver - Name: (\Registry\Machine\System\CurrentControlSet\Services\pe386) File Name: ()

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (C:\WINDOWS\Explorer.EXE MD5: [a82b28bfc2e4455fe43022a498c0ef0a], PID 1712, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\Explorer.EXE)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\BROWSEUI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SHDOCVW.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\UxTheme.dll)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\appHelp.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CLBCATQ.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\COMRes.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\VERSION.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\cscui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CSCDLL.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\themeui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\MSIMG32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USERENV.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SAMLIB.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\LINKINFO.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntshrui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\SETUPAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\urlmon.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\NETSHELL.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\credui.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINSTA.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\webcheck.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\stobject.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\BatMeter.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\POWRPROF.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WTSAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\msi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WININET.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\CRYPT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSASN1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\printui.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINSPOOL.DRV)
Loaded DLL - DLL: (C:\WINDOWS\System32\ACTIVEDS.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\adsldpc.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\CFGMGR32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MPR.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WINMM.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\browselc.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\drprov.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntlanman.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETUI0.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETUI1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\NETRAP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\davclnt.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\hgfs1.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DUSER.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\MSGINA.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ODBC32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\comdlg32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\odbcint.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\shdoclc.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\SXS.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (RTUTILS.DLL)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (netapi32.dll)
Loaded DLL - DLL: (WININET.dll)

==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\analysis\cwsandbox.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: RasPbFile

==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (RASMAN) Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name
Get System Time

==============================================================================
User Management
==============================================================================
Impersonate User - Domain: () User: (Administrator) Host: () Handle: (2380)

==============================================================================
Window
==============================================================================
Enum Windows

==============================================================================
Winsock
==============================================================================


Report generated at 8/8/2006 3:10:40 PM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.

Troj/Manager-A is a backdoor Trojan.

The Trojan listens for backdoor commands on a random port number.

Troj/Manager-A copies itself to the Windows system folder as TASKMGN.EXE and sets the following registry entry to run itself on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
Windows Task Manager = "C:\windows\system32\taskmgn.exe"

Troj/Manager-A also creates registry entries in the following location:
HKCU\Software\Microsoft\DMSDOS\

Troj/Spammit-E
http://www.sophos.com/security/analyses/trojspammite.html

Trojan
Summary
Name Troj/Spammit-E
Type Trojan

Affected operating systems Windows

Side effects Uses its own emailing engine
Downloads code from the internet
Reduces system security
Installs itself in the Registry

Aliases SpamTool.Win32.Agent.h

Description
Troj/Spammit-E is an email spamming Trojan for the Windows platform.

Troj/Spammit-E includes functionality to access the internet and communicate with a remote server via HTTP.

When first run Troj/Spammit-E copies itself to <System>\rpcc.exe.

The following registry entry is created to run rpcc.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rpcc
rpcc.exe

Troj/Spammit-E also attempts to send commands to circumvent the Windows Firewall to allow the Trojan to spam.

The following registry entry is also set:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinOpts
Id
<number>

@echo off
:Repeat
del "c:\bgcg.exe">nul
ping 0.0.0.0>nul
if exist "c:\bgcg.exe" goto Repeat
del "%0"

Problems at iframecash.biz?

The operations of the iframecash.biz gang has been covered in our blog before. Basically, they've been buying traffic from anybody who's been willing to sell it to them - then they use exploits to take over innocent surfer's computers and install trojans and spyware on them.

Now, the good news is that at least for the present, their main site www.iframecash.biz is offline. Hopefully it stays that way.

http://www.f-secure.com/weblog/archives/ar...6.html#00000900

Domain Name: DKGATE.BIZ
Domain ID: D13747371-BIZ
Sponsoring Registrar: TLDS INC.
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited
Registrant ID: 6580705-SRSPLUS
Registrant Name: Ivan Soto
Registrant Organization: Private person
Registrant Address1: Paulison Avenue
Registrant City: Passaic
Registrant State/Province: NJ
Registrant Postal Code: 07055
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.9738828080
Registrant Email:
Administrative Contact ID: 6580706-SRSPLUS
Administrative Contact Name: Ivan Soto
Administrative Contact Organization: Private person
Administrative Contact Address1: Paulison Avenue
Administrative Contact City: Passaic
Administrative Contact State/Province: NJ
Administrative Contact Postal Code: 07055
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.9738828080
Administrative Contact Email:
Billing Contact ID: 6580706-SRSPLUS
Billing Contact Name: Ivan Soto
Billing Contact Organization: Private person
Billing Contact Address1: Paulison Avenue
Billing Contact City: Passaic
Billing Contact State/Province: NJ
Billing Contact Postal Code: 07055
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.9738828080
Billing Contact Email:
Technical Contact ID: 6580707-SRSPLUS
Technical Contact Name: Ivan Soto
Technical Contact Organization: Private person
Technical Contact Address1: Paulison Avenue
Technical Contact City: Passaic
Technical Contact State/Province: NJ
Technical Contact Postal Code: 07055
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.9738828080
Technical Contact Email:
Name Server: NS1.DKGATE.BIZ
Name Server: NS2.DKGATE.BIZ
Created by Registrar: TLDS INC.
Last Updated by Registrar: TLDS INC.
Domain Registration Date: Mon Jun 19 04:35:27 GMT 2006
Domain Expiration Date: Mon Jun 18 23:59:59 GMT 2007
Domain Last Updated Date: Wed Jun 21 08:31:21 GMT 2006

>>>> Whois database was last updated on: Mon Aug 07 22:58:38 GMT 2006 <<<<

Website Title: iframeCASH.biz
Record Type: Domain Name

Meta Description: Partnership program. We buy iframe traffic. $61/1000 unique installs or it's up to 15$ per 1000 unique visitors. Weekly payments. Payment by Fethard, Webmoney, E-Gold, Wire

Meta Keywords: traffic purchase iframe trafic traff traf adult webmaster partnership affiliate program afiliate exploit fethard fet webmoney wm i-frame money dollars purchase traffic trade buy toolbar dialer homepage unique visitors $ installs refferal system referral


Domain Name: IFRAMECASH.BIZ
Domain ID: D10183589-BIZ
Sponsoring Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Sponsoring Registrar IANA ID: 303
Domain Status: clientTransferProhibited
Registrant ID: DI_1876530
Registrant Name: Ezhi Brozkevitsh1
Registrant Organization: Hober Aus1
Registrant Address1: Al. Armii Ludowej 24
Registrant City: Warszawa
Registrant State/Province: Warazawa
Registrant Postal Code: 00-609
Registrant Country: Poland
Registrant Country Code: PL
Registrant Phone Number: +22.5798400
Registrant Email: webmaster@iframecash.biz
Administrative Contact ID: DI_1876530
Administrative Contact Name: Ezhi Brozkevitsh1
Administrative Contact Organization: Hober Aus1
Administrative Contact Address1: Al. Armii Ludowej 24
Administrative Contact City: Warszawa
Administrative Contact State/Province: Warazawa
Administrative Contact Postal Code: 00-609
Administrative Contact Country: Poland
Administrative Contact Country Code: PL
Administrative Contact Phone Number: +22.5798400
Billing Contact ID: DI_1876530
Billing Contact Name: Ezhi Brozkevitsh1
Billing Contact Organization: Hober Aus1
Billing Contact Address1: Al. Armii Ludowej 24
Billing Contact City: Warszawa
Billing Contact State/Province: Warazawa
Billing Contact Postal Code: 00-609
Billing Contact Country: Poland
Billing Contact Country Code: PL
Billing Contact Phone Number: +22.5798400
Email: webmaster@iframecash.biz
Technical Contact ID: DI_1876530
Technical Contact Name: Ezhi Brozkevitsh1
Technical Contact Organization: Hober Aus1
Technical Contact Address1: Al. Armii Ludowej 24
Technical Contact City: Warszawa
Technical Contact State/Province: Warazawa
Technical Contact Postal Code: 00-609
Technical Contact Country: Poland
Technical Contact Country Code: PL
Technical Contact Phone Number: +22.5798400
Technical Contact Email:
Name Server: NS1.IFRAMECASH.BIZ
Name Server: NS2.IFRAMECASH.BIZ
Created by Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Last Updated by Registrar: DIRECT INFORMATION PVT LTD DBA PUBLICDOMAINREGISTRY.COM
Domain Registration Date: Thu Jun 23 16:12:36 GMT 2005
Domain Expiration Date: Fri Jun 22 23:59:59 GMT 2007
Domain Last Updated Date: Fri Jul 28 06:49:26 GMT 2006

Domain Name: ZABYWJWZLR.BIZ
Domain ID: D13747367-BIZ
Sponsoring Registrar: TLDS INC.
Sponsoring Registrar IANA ID: 320
Domain Status: clientTransferProhibited
Registrant ID: 6580702-SRSPLUS
Registrant Name: Greg Roa
Registrant Organization: Private person
Registrant Address1: Zion rd Cleves
Registrant City: Cleves
Registrant State/Province: OH
Registrant Postal Code: 45002
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.5134676554
Registrant Email:
Administrative Contact ID: 6580703-SRSPLUS
Administrative Contact Name: Greg Roa
Administrative Contact Organization: Private person
Administrative Contact Address1: Zion rd Cleves
Administrative Contact City: Cleves
Administrative Contact State/Province: OH
Administrative Contact Postal Code: 45002
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +1.5134676554
Administrative Contact Email:
Billing Contact ID: 6580703-SRSPLUS
Billing Contact Name: Greg Roa
Billing Contact Organization: Private person
Billing Contact Address1: Zion rd Cleves
Billing Contact City: Cleves
Billing Contact State/Province: OH
Billing Contact Postal Code: 45002
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +1.5134676554
Billing Contact Email:
Technical Contact ID: 6580704-SRSPLUS
Technical Contact Name: Greg Roa
Technical Contact Organization: Private person
Technical Contact Address1: Zion rd Cleves
Technical Contact City: Cleves
Technical Contact State/Province: OH
Technical Contact Postal Code: 45002
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +1.5134676554
Technical Contact Email:
Name Server: NS1.ZABYWJWZLR.BIZ
Name Server: NS2.ZABYWJWZLR.BIZ
Created by Registrar: TLDS INC.
Last Updated by Registrar: TLDS INC.
Domain Registration Date: Mon Jun 19 04:34:55 GMT 2006
Domain Expiration Date: Mon Jun 18 23:59:59 GMT 2007
Domain Last Updated Date: Wed Jun 21 08:32:00 GMT 2006

Domain Name: ZHMBSCWDGK.BIZ
Domain ID: D13770072-BIZ
Sponsoring Registrar: ESTDOMAINS INC
Sponsoring Registrar IANA ID: 832
Domain Status: clientTransferProhibited
Registrant ID: DI_3206151
Registrant Name: Bill Passmore
Registrant Organization: N/A
Registrant Address1: Oak Creek Drive
Registrant City: Austin
Registrant State/Province: Texas
Registrant Postal Code: 78727
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +001.5122445985
Registrant Email:
Administrative Contact ID: DI_3206151
Administrative Contact Name: Bill Passmore
Administrative Contact Organization: N/A
Administrative Contact Address1: Oak Creek Drive
Administrative Contact City: Austin
Administrative Contact State/Province: Texas
Administrative Contact Postal Code: 78727
Administrative Contact Country: United States
Administrative Contact Country Code: US
Administrative Contact Phone Number: +001.5122445985
Administrative Contact Email:
Billing Contact ID: DI_3206151
Billing Contact Name: Bill Passmore
Billing Contact Organization: N/A
Billing Contact Address1: Oak Creek Drive
Billing Contact City: Austin
Billing Contact State/Province: Texas
Billing Contact Postal Code: 78727
Billing Contact Country: United States
Billing Contact Country Code: US
Billing Contact Phone Number: +001.5122445985
Billing Contact Email:
Technical Contact ID: DI_3206151
Technical Contact Name: Bill Passmore
Technical Contact Organization: N/A
Technical Contact Address1: Oak Creek Drive
Technical Contact City: Austin
Technical Contact State/Province: Texas
Technical Contact Postal Code: 78727
Technical Contact Country: United States
Technical Contact Country Code: US
Technical Contact Phone Number: +001.5122445985
Technical Contact Email:
Name Server: NS1.ZHMBSCWDGK.BIZ
Name Server: NS2.ZHMBSCWDGK.BIZ
Created by Registrar: ESTDOMAINS INC
Last Updated by Registrar: ESTDOMAINS INC
Domain Registration Date: Wed Jun 21 07:49:59 GMT 2006
Domain Expiration Date: Wed Jun 20 23:59:59 GMT 2007
Domain Last Updated Date: Wed Jul 26 11:49:00 GMT 2006

CWSandbox Analysis report for file: ce302aad98fb79e168e36dbe70484c3b.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\ce302aad98fb79e168e36dbe70484c3b.exe MD5: [ce302aad98fb79e168e36dbe70484c3b], PID 652, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


====================================================
COM
====================================================
COM Create Instance: %SystemRoot%\system32\SHELL32.dll, ProgID: (), Interface ID: ({F490EB00-1240-11D1-9888-006097DEACF9})

====================================================
DLL-Handling
====================================================
Loaded DLL - DLL: (c:\temp\ce302aad98fb79e168e36dbe70484c3b.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WSOCK32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\msvcrt.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHELL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\SHLWAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\COMCTL32.dll)
Loaded DLL - DLL: (C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1612_x-ww_7c379b08\)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (.\UxTheme.dll)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (ole32.dll)
====================================================
Filesystem Changes
====================================================
Copy File: c:\temp\ce302aad98fb79e168e36dbe70484c3b.exe to C:\winstall.exe
Create File: C:\Program Files\SpySheriff\base.avd
Create File: C:\Program Files\SpySheriff\base001.avd
Create File: C:\Program Files\SpySheriff\base002.avd
Create File: C:\Program Files\SpySheriff\found.wav
Create File: C:\Program Files\SpySheriff\heur000.dll
Create File: C:\Program Files\SpySheriff\heur001.dll
Create File: C:\Program Files\SpySheriff\heur002.dll
Create File: C:\Program Files\SpySheriff\heur003.dll
Create File: C:\Program Files\SpySheriff\notfound.wav
Create File: C:\Program Files\SpySheriff\removed.wav
Create File: C:\Program Files\SpySheriff\SpySheriff.exe
Create File: C:\Program Files\SpySheriff\Uninstall.exe
Create File: C:\Program Files\SpySheriff\SpySheriff.dvm
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\ntsvcs (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: C:\Program Files\SpySheriff\SpySheriff.exe (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Create/Open File: C:\Documents and Settings\Administrator\Application Data\Install.dat (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Application Data\desktop.ini Flags: (SECURITY_ANONYMOUS)

====================================================
INI Files
====================================================
Read from INI file: C:\Documents and Settings\Administrator\Application Data\desktop.ini [DeleteOnCopy] Owner =
Read from INI file: C:\Documents and Settings\Administrator\Application Data\desktop.ini [.ShellClassInfo] LocalizedResourceName =

====================================================
Registry Changes
====================================================
Create or Open:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders -
HKEY_CURRENT_USER\SOFTWARE\Install -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General -


Registry Changes:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "Windows installer" = (C:\winstall.exe)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoChangingWallpaper" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoComponents" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoAddingComponents" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoDeletingComponents" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoEditingComponents" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\ "NoHTMLWallPaper" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "NoActiveDesktop" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "ClassicShell" = ([REG_DWORD, value: 00000000])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ "ForceActiveDesktopOn" = ([REG_DWORD, value: 00000001])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "Wallpaper" = ()
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "WallpaperStyle" = (2)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "TileWallpaper" = (0)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "ComponentsPositioned" = ([REG_DWORD, value: 00000002])
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "WallpaperFileTime" = ([REG_BINARY, size: 8 bytes])
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "WallpaperLocalFileTime" = ([REG_BINARY, size: 8 bytes])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "WallpaperFileTime" = ([REG_BINARY, size: 8 bytes])
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ "WallpaperLocalFileTime" = ([REG_BINARY, size: 8 bytes])


Registry Reads:
Software\Microsoft\Windows\CurrentVersion\ThemeManager\ "Compositing"
Control Panel\Desktop\ "LameButtonText"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ "AppData"
HKEY_CURRENT_USER\SOFTWARE\Install\ "Version"


Registry Enums:

====================================================
System Info
====================================================
Get System Directory
Get Windows Directory

====================================================
Window
====================================================
Find Window - Class Name () Window Name (Windows Security Alert)
Find Window - Class Name () Window Name (Create rule for CE302AAD98FB79E168E36DBE70484C3B.EXE)
Find Window - Class Name () Window Name (Hidden Process Requests Network Access)
Find Window - Class Name () Window Name (Warning: Components Have Changed)
Find Window - Class Name () Window Name (PermissionDlg)

====================================================
Winsock
====================================================

Report generated at 8/8/2006 4:29:58 PM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.

CWSandbox Analysis report for file: 338411fe5f203486aa1a5b526d11f75e.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\338411fe5f203486aa1a5b526d11f75e.exe MD5: [338411fe5f203486aa1a5b526d11f75e], PID 652, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

NtVdmControl

====================================================
DLL-Handling
====================================================
Loaded DLL - DLL: (C:\WINDOWS\system32\ntvdm.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\Secur32.dll)
Loaded DLL - DLL: (WINMM.DLL)
Loaded DLL - DLL: (NTVDMD.DLL)
Loaded DLL - DLL: (Userenv.dll)
Loaded DLL - DLL: (.\UxTheme.dll)

====================================================
Filesystem Changes
====================================================
Find File: C:\MSDOS.SYS
Find File: C:\IO.SYS
Delete File: C:\WINDOWS\TEMP\scs5.tmp
Delete File: C:\WINDOWS\TEMP\scs6.tmp
Open File: \DosDevices\A: (), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \DosDevices\B: (), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\ntio.sys (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\ntdos.sys (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\CONFIG.NT (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\TEMP\SCS5.TMP (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\HIMEM.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\HIMEM.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COUNTRY.SYS (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \DosDevices\C: (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY,FILE_READ_A
TTRIBUTES), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COMMAND.COM (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\COMMAND.COM (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32 (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\AUTOEXEC.NT (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\TEMP\SCS6.TMP (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\MSCDEXNT.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\REDIR.??? (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\REDIR.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\DOSX.??? (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM32\DOSX.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\SYSTEM.INI (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ATTRIBUTES), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\TEMP\338411~1.EXE (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_DELETE,SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: C:\WINDOWS\TEMP\scs5.tmp (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_TEMPORARY,SECURITY_ANONYMOUS)
Create/Open File: C:\WINDOWS\TEMP\scs6.tmp (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_TEMPORARY,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\_default.pif Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM32\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM.INI Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\SYSTEM32\KRNL386.EXE Flags: (SECURITY_ANONYMOUS)

====================================================
Registry Changes
====================================================
Create or Open:


Registry Changes:


Registry Reads:
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\ "Identifier"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW\ "RomFontPointers"
\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\ "Configuration Data"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers\ "VDD"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\ "BootDir"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\ "RootDrive"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Software\Microsoft\Windows\CurrentVersion\ThemeManager\ "Compositing"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Control Panel\Desktop\ "LameButtonText"


Registry Enums:


====================================================
System Info
====================================================
Get System Directory
Get Windows Directory
Get System Time

====================================================
Window
====================================================
Find Window - Class Name (ConsoleWindowClass) Window Name (ntvdm-28c.2ac.320002)

Report generated at 8/8/2006 4:34:38 PM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.

CWSandbox Analysis report for file: 0f216f13d2a8a73f2bdde8120fb20c18.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe MD5: [0f216f13d2a8a73f2bdde8120fb20c18], PID 652, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (MSVCRT.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (WININET.dll)
Loaded DLL - DLL: (WS2_32.dll)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (RTUTILS.DLL)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (netapi32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: vdrvNQ[M.exe
Find File: TheMatrixHasYou.exe
Create File: C:\WINDOWS\System32\vdrvNQ[M.exe
Create File: C:\WINDOWS\System32\TheMatrixHasYou.exe
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE,FILE_ADD_SUBDIR
ECTORY,FILE_APPEND_DATA,FILE_CREATE_PIPE_INSTANCE,FILE_WRITE_EA,FILE_WRITE_ATTRIB
UTES), (), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\vdrvNQ[M.exe (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\TheMatrixHasYou.exe (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY,FILE_WRITE_
ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: RasPbFile
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

==============================================================================
Registry Changes
==============================================================================
Create or Open:


Registry Changes:


Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ "DisableImprovedZoneCheck"


Registry Enums:
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\ -


==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\vdrvNQ[M.exe) Target PID: (212) As User: () Creation Flags: (DETACHED_PROCESS)
Creates Process - Filename (C:\WINDOWS\System32\TheMatrixHasYou.exe) CommandLine: (/k c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe) Target PID: (288) As User: () Creation Flags: (DETACHED_PROCESS)

==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (RASMAN) Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name

==============================================================================
User Management
==============================================================================
Impersonate User - Domain: () User: (Administrator) Host: () Handle: (1416)
Get User Name


==============================================================================
Winsock
==============================================================================


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (services.exe MD5: [], PID 536, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (C:\WINDOWS\System32\vdrvNQ[M.exe MD5: [c05c5f92e4a86c99c6996de040a31b6d], PID 212, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\vdrvNQ[M.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (MSVCRT.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (WININET.dll)
Loaded DLL - DLL: (WS2_32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Copy File: c:\windows\system32\vdrvnq[m.exe to C:\WINDOWS\System32\truetype.exe
Find File: truetype.exe
Find File: TheMatrixHasYou.exe
Create File: C:\WINDOWS\System32\TheMatrixHasYou.exe
Delete File: C:\WINDOWS\System32\truetype.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE,FILE_ADD_SUBDIR
ECTORY,FILE_APPEND_DATA,FILE_CREATE_PIPE_INSTANCE,FILE_WRITE_EA,FILE_WRITE_ATTRIB
UTES), (), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\truetype.exe (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\TheMatrixHasYou.exe (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)

==============================================================================
Registry Changes
==============================================================================
Create or Open:
HKEY_LOCAL_MACHINE\Software\Microsoft\ -


Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\\ "ATI_VER" = ([REG_DWORD, value: 44D8F956])


Registry Reads:


Registry Enums:


==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\truetype.exe) Target PID: (200) As User: () Creation Flags: (DETACHED_PROCESS)
Creates Process - Filename (C:\WINDOWS\System32\TheMatrixHasYou.exe) CommandLine: (/k c:\windows\system32\vdrvnq[m.exe) Target PID: (460) As User: () Creation Flags: (DETACHED_PROCESS)

==============================================================================
System Info
==============================================================================
Get System Directory

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 4 (C:\WINDOWS\System32\TheMatrixHasYou.exe /k c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe MD5: [], PID 288, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\TheMatrixHasYou.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Delete File: c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe
Open File: c:\temp\0f216f13d2a8a73f2bdde8120fb20c18.exe (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 5 (C:\WINDOWS\System32\truetype.exe MD5: [c05c5f92e4a86c99c6996de040a31b6d], PID 200, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\truetype.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (MSVCRT.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (WININET.dll)
Loaded DLL - DLL: (WS2_32.dll)
Loaded DLL - DLL: (ICMP.DLL)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (RTUTILS.DLL)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (netapi32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: dxvwlvpo.exe
Create File: C:\WINDOWS\System32\win.ini.t00
Create File: C:\WINDOWS\System32\dxvwlvpo.exe
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING), (FILE_ANY_ACCESS,FILE_WRITE_ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE,FILE_ADD_SUBDIR
ECTORY,FILE_APPEND_DATA,FILE_CREATE_PIPE_INSTANCE,FILE_WRITE_EA,FILE_WRITE_ATTRIB
UTES), (), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\dxvwlvpo.exe (), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS), (FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY,FILE_WRITE_
ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\win.ini.t00 Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: 4457319-QdmJgU
Creates Mutex: RasPbFile
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex

==============================================================================
Registry Changes
==============================================================================
Create or Open:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run -
HKEY_LOCAL_MACHINE\Software\Microsoft\ -


Registry Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ "truetype" = (C:\WINDOWS\System32\truetype.exe)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "truetype" = (C:\WINDOWS\System32\truetype.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "truetype" = (C:\WINDOWS\System32\truetype.exe)


Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\\ "ATI_VER"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ "DisableImprovedZoneCheck"


Registry Enums:
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\ -


==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\dxvwlvpo.exe) Target PID: (896) As User: () Creation Flags: (DETACHED_PROCESS)

==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (RASMAN) Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name

==============================================================================
User Management
==============================================================================
Impersonate User - Domain: () User: (Administrator) Host: () Handle: (500)
Get User Name


==============================================================================
Winsock
==============================================================================

Opening Listening TCP Connection - Local Port: 43633 - Connection Established: 0 - Socket: 756

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 6 (C:\WINDOWS\System32\TheMatrixHasYou.exe /k c:\windows\system32\vdrvnq[m.exe MD5: [], PID 460, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\TheMatrixHasYou.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Delete File: c:\windows\system32\vdrvnq[m.exe
Open File: c:\windows\system32\vdrvnq[m.exe (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 7 (C:\WINDOWS\System32\dxvwlvpo.exe MD5: [3bbb65107d22226f6dfd9c762522d7ff], PID 896, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
COM
==============================================================================
COM Create Instance: C:\WINDOWS\System32\hnetcfg.dll, ProgID: (HNetCfg.HNetShare.1), Interface ID: ({C08956B7-1CD3-11D1-B1C5-00805FC1270E})
COM Create Instance: C:\WINDOWS\System32\hnetcfg.dll, ProgID: (), Interface ID: ({85D18B6C-3032-11D4-9348-00C04F8EEB71})
COM Create Instance: C:\WINDOWS\System32\wbem\wbemprox.dll, ProgID: (), Interface ID: ({DC12A687-737F-11CF-884D-00AA004B2E24})
COM Create Instance: C:\WINDOWS\System32\wbem\wbemprox.dll, ProgID: (), Interface ID: ({00000000-0000-0000-C000-000000000046})
COM Create Instance: , ProgID: (), Interface ID: ({C08956A2-1CD3-11D1-B1C5-00805FC1270E})
COM Create Instance: , ProgID: (), Interface ID: ({00000149-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\System32\wbem\wbemsvc.dll, Interface ID: ({D5F569D0-593B-101A-B569-08002B2DBF7A})

==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\dxvwlvpo.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ole32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\USER32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLEAUT32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.DLL)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (ole32.dll)
Loaded DLL - DLL: (OLEAUT32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (WS2_32.dll)
Loaded DLL - DLL: (.\UxTheme.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (OLE32)
Loaded DLL - DLL: (rpcrt4.dll)

==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: C:\WINDOWS\system32\WBEM
Find File: C:\WINDOWS\system32\WBEM\Logs
Create File: C:\WINDOWS\System32\drivers\etc\hosts
Open File: C:\WINDOWS\System32\drivers\etc\hosts (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\Documents and Settings\Administrator\Application Data\Microsoft\2238.dat (OPEN_EXISTING), (FILE_ANY_ACCESS), (), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS), (FILE_ANY_ACCESS), (SHARE_READ,SHARE_WRITE), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: hs5pdllv42238
Creates Mutex: RasPbFile

==============================================================================
Registry Changes
==============================================================================
Create or Open:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run -
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32 -
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM -
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM -


Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "Explorer 2238" = (C:\WINDOWS\System32\dxvwlvpo.exe)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32\ "" = (C:\WINDOWS\System32\dxvwlvpo.exe)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32\ "ThreadingModel" = (Apartment)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\ "{2C1CD3D7-86AC-4068-93BC-A02304BB2238}" = (DCOM Server 2238)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ "DCOM Server 2238" = ({2C1CD3D7-86AC-4068-93BC-A02304BB2238})


Registry Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2238}\InProcServer32\ ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\ "AppData"
Software\Microsoft\Windows\CurrentVersion\ThemeManager\ "Compositing"
Control Panel\Desktop\ "LameButtonText"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "Logging Directory"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "Logging"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "Log File Max Size"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "Repository Directory"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\TRANSPORTS\Network Transport Modules\ "Stack Order"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\TRANSPORTS\Network Transport Modules\{F7CE2E13-8C90-11D1-9E7B-00C04FC324A8}\ "Independent"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "EnablePrivateObjectHeap"
HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\ "EnableObjectValidation"


Registry Enums:


==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (SharedAccess) Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name
Get System Time

==============================================================================
Window
==============================================================================
Enum Windows

==============================================================================
Winsock
==============================================================================

Opening Listening TCP Connection - Local Port: 43633 - Connection Established: 0 - Socket: 512

Report generated at 8/8/2006 4:54:29 PM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.


.

download.lavasoftupdate.com = [ 85.255.114.149 ]
Registration Service Provided By: ESTDOMAINS
Contact: 1.3027224217
Website: http ://www.estdomains.com
Domain Name: LAVASOFTUPDATE.COM
Registrant:
Deloitte corp.
Andrzej Zborowski andrzboro@yahoo.com
Kielbasniza 16
Wroclaw
50127
PL
Tel. 48.223799110
Creation Date: 02-Jun-2005
Expiration Date: 02-Jun-2007
Domain servers in listed order:
ns1.lavasoftupdate.com
ns2.lavasoftupdate.com
Administrative Contact:
Deloitte corp.
Andrzej Zborowski andrzboro@yahoo.com
Kielbasniza 16
Wroclaw
50127
PL
Tel. 48.223799110
Status: ACTIVE

--------------------------------------------------------------------------------

Apache/2.0.53 (Fedora) Server at zdfttygzjm.biz Port 80

------------------------------------------------------------------------------

STATUS: FINISHED
Complete scanning result of "isksxj.exe",
received in VirusTotal at 08.14.2006, 16:54:49 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.14.2006 TR/Agent.TW.1
Authentium 4.93.8 08.13.2006 no virus found
Avast 4.7.844.0 08.14.2006 no virus found
AVG 386 08.14.2006 Clicker.CQU
BitDefender 7.2 08.14.2006 Trojan.Agent.TW
CAT-QuickHeal 8.00 08.14.2006 (Suspicious) - DNAScan
ClamAV devel-20060426 08.14.2006 no virus found
DrWeb 4.33 08.14.2006 Trojan.Spambot
eTrust-InoculateIT 23.72.94 08.14.2006 no virus found
eTrust-Vet 30.3.3019 08.14.2006 no virus found
Ewido 4.0 08.13.2006 no virus found
Fortinet 2.77.0.0 08.13.2006 suspicious
F-Prot 3.16f 08.13.2006 no virus found
F-Prot4 4.2.1.29 08.13.2006 no virus found
Ikarus 0.2.65.0 08.14.2006 no virus found
Kaspersky 4.0.2.24 08.14.2006 Trojan-Clicker.Win32.Costrat.k
McAfee 4828 08.13.2006 no virus found
Microsoft 1.1560 08.14.2006 no virus found
NOD32v2 1.1705 08.14.2006 probably unknown NewHeur_PE virus
Norman 5.90.23 08.14.2006 no virus found
Panda 9.0.0.4 08.14.2006 no virus found
Sophos 4.08.0 08.14.2006 no virus found
Symantec 8.0 08.14.2006 no virus found
TheHacker 5.9.8.192 08.14.2006 no virus found
UNA 1.83 08.11.2006 no virus found
VBA32 3.11.0 08.13.2006 no virus found

Aditional Information
File size: 73216 bytes
MD5: 444a499c5413999a8a21f6d4c4e5608b
SHA1: 46f5cd4e1cf912e37339eac5157288e7f5bf64cd
packers: embedded

STATUS: FINISHED
Complete scanning result of "lzx32.sys",
received in VirusTotal at 08.14.2006, 18:27:24 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.14.2006 no virus found
Authentium 4.93.8 08.14.2006 no virus found
Avast 4.7.844.0 08.14.2006 no virus found
AVG 386 08.14.2006 no virus found
BitDefender 7.2 08.14.2006 no virus found
CAT-QuickHeal 8.00 08.14.2006 no virus found
ClamAV devel-20060426 08.14.2006 no virus found
DrWeb 4.33 08.14.2006 Trojan.Spambot
eTrust-InoculateIT 23.72.94 08.14.2006 no virus found
eTrust-Vet 30.3.3019 08.14.2006 no virus found
Ewido 4.0 08.14.2006 no virus found
Fortinet 2.77.0.0 08.13.2006 suspicious
F-Prot 3.16f 08.14.2006 no virus found
F-Prot4 4.2.1.29 08.14.2006 no virus found
Ikarus 0.2.65.0 08.14.2006 no virus found
Kaspersky 4.0.2.24 08.14.2006 Trojan-Clicker.Win32.Costrat.j
McAfee 4829 08.14.2006 no virus found
Microsoft 1.1560 08.14.2006 no virus found
NOD32v2 1.1706 08.14.2006 no virus found
Norman 5.90.23 08.14.2006 no virus found
Panda 9.0.0.4 08.14.2006 no virus found
Sophos 4.08.0 08.14.2006 no virus found
Symantec 8.0 08.14.2006 no virus found
TheHacker 5.9.8.192 08.14.2006 no virus found
UNA 1.83 08.11.2006 no virus found
VBA32 3.11.0 08.13.2006 no virus found
VirusBuster 4.3.7:9 08.14.2006 no virus found

File Size: 68120 bytes
MD5: b948ddcc9d665f3cf668f65bb4deb4d9
SHA1: 287c789473b516ce3b49e643ba382707274ab09a

vdrvVAR^.exe : [SANDBOX] contains a security risk - W32/Malware (Signature: NO_VIRUS)
[ General information ]
* File might be compressed.
* Decompressing FSG.
* File length: 14864 bytes.
* MD5 hash: 016fab21854de4881f261a5b2e55fdb7.

[ Changes to filesystem ]
* Deletes file C:\WINDOWS\SYSTEM32\pigglett.exe.
* Creates file C:\WINDOWS\SYSTEM32\pigglett.exe.

[ Changes to registry ]
* Sets value "ATI_VER"="Cs7?" in key "HKLM\Software\Microsoft".
* Creates value "pigglett"="c:\windows\system32\pigglett.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "pigglett"="c:\windows\system32\pigglett.exe" in key
"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "pigglett"="c:\windows\system32\pigglett.exe" in key
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Opens URL: http:///pukaka/access.php.

[ Security issues ]
* Possible backdoor functionality [UNKNOWN] port 5899.

[ Process/window information ]
* Creates a mutex 4457319-QdmJgU.
* Will automatically restart after boot (I'll be back...).

[ Signature Scanning ]
* C:\WINDOWS\SYSTEM32\pigglett.exe (14864 bytes) : no signature detection.

CWSandbox Analysis report for file: 016fab21854de4881f261a5b2e55fdb7.exe

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 1 (c:\temp\016fab21854de4881f261a5b2e55fdb7.exe MD5:
[016fab21854de4881f261a5b2e55fdb7], PID 652, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (c:\temp\016fab21854de4881f261a5b2e55fdb7.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (MSVCRT.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (WININET.dll)
Loaded DLL - DLL: (WS2_32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Copy File: c:\temp\016fab21854de4881f261a5b2e55fdb7.exe to
C:\WINDOWS\System32\pigglett.exe
Find File: pigglett.exe
Delete File: C:\WINDOWS\System32\pigglett.exe
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING),
(FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ),
(FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING),
(FILE_ANY_ACCESS,FILE_READ_ATTRIBUTES), (SHARE_READ),
(FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING),
(FILE_ANY_ACCESS,FILE_WRITE_ACCESS,FILE_WRITE_DATA,FILE_ADD_FILE,FILE_ADD_SUBDIR
ECTORY,FILE_APPEND_DATA,FILE_CREATE_PIPE_INSTANCE,FILE_WRITE_EA,FILE_WRITE_ATTRIB
UTES),
(), (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\System32\pigglett.exe (),
(FILE_ANY_ACCESS,FILE_READ_ACCESS,FILE_READ_DATA,FILE_LIST_DIRECTORY),
(SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)

==============================================================================
Registry Changes
==============================================================================
Create or Open:
HKEY_LOCAL_MACHINE\Software\Microsoft\ -


Registry Changes:
HKEY_LOCAL_MACHINE\Software\Microsoft\\ "ATI_VER" = ([REG_DWORD, value: 44E0891C])


Registry Reads:


Registry Enums:


==============================================================================
Process Management
==============================================================================
Creates Process - Filename () CommandLine: (C:\WINDOWS\System32\pigglett.exe)
Target PID: (1664) As User: () Creation Flags: (DETACHED_PROCESS)

==============================================================================
System Info
==============================================================================
Get System Directory

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 2 (C:\WINDOWS\System32\pigglett.exe MD5:
[016fab21854de4881f261a5b2e55fdb7], PID 1664, User: Administrator)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


==============================================================================
DLL-Handling
==============================================================================
Loaded DLL - DLL: (C:\WINDOWS\System32\pigglett.exe)
Loaded DLL - DLL: (C:\WINDOWS\System32\ntdll.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\kernel32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\user32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\GDI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\ADVAPI32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\RPCRT4.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\oleaut32.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\MSVCRT.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\OLE32.DLL)
Loaded DLL - DLL: (C:\WINDOWS\system32\comctl32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\wsock32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2_32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\WS2HELP.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Wship6.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\iphlpapi.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\pstorec.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\ATL.DLL)
Loaded DLL - DLL: (C:\WINDOWS\System32\mswsock.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\DNSAPI.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\winrnr.dll)
Loaded DLL - DLL: (C:\WINDOWS\system32\WLDAP32.dll)
Loaded DLL - DLL: (C:\WINDOWS\System32\Secur32.dll)
Loaded DLL - DLL: (KERNEL32.dll)
Loaded DLL - DLL: (USER32.dll)
Loaded DLL - DLL: (ADVAPI32.dll)
Loaded DLL - DLL: (MSVCRT.dll)
Loaded DLL - DLL: (comctl32.dll)
Loaded DLL - DLL: (WININET.dll)
Loaded DLL - DLL: (WS2_32.dll)
Loaded DLL - DLL: (ICMP.DLL)
Loaded DLL - DLL: (RASAPI32.DLL)
Loaded DLL - DLL: (RTUTILS.DLL)
Loaded DLL - DLL: (SHELL32.dll)
Loaded DLL - DLL: (netapi32.dll)

==============================================================================
Filesystem Changes
==============================================================================
Find File: C:\Documents and Settings\All Users\Application
Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\System32\Ras\*.pbk
Find File: C:\Documents and Settings\Administrator\Application
Data\Microsoft\Network\Connections\Pbk\*.pbk
Create File: C:\WINDOWS\System32\popspig
Open File: \\.\PIPE\svcctl (OPEN_EXISTING), (FILE_ANY_ACCESS),
(SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING), (FILE_ANY_ACCESS),
(SHARE_READ,SHARE_WRITE), (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING), (FILE_ANY_ACCESS), (SHARE_READ),
(FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\popspig Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)

==============================================================================
Mutex Changes
==============================================================================
Creates Mutex: 4457319-QdmJgU
Creates Mutex: RasPbFile

==============================================================================
Registry Changes
==============================================================================
Create or Open:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices -
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run -
HKEY_LOCAL_MACHINE\Software\Microsoft\ -


Registry Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
"pigglett" = (c:\windows\system32\pigglett.exe)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ "pigglett" =
(c:\windows\system32\pigglett.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "pigglett" =
(c:\windows\system32\pigglett.exe)


Registry Reads:
HKEY_LOCAL_MACHINE\Software\Microsoft\\ "ATI_VER"


Registry Enums:


==============================================================================
Service Management
==============================================================================
Open Service Manager - Name: (SCM) Start Type: ()
Open Service - Name: (RASMAN) Start Type: ()

==============================================================================
System Info
==============================================================================
Get System Directory
Get Computer Name

==============================================================================
User Management
==============================================================================
Impersonate User - Domain: () User: (Administrator) Host: () Handle: (532)

==============================================================================
Winsock
==============================================================================

Opening Listening TCP Connection - Local Port: 43633 - Connection Established: 0 -
Socket: 744

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Processes 3 (services.exe MD5: [], PID 536, User: SYSTEM)
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


Report generated at 8/14/2006 10:33:52 AM with CWSandbox Version Beta 1.80
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.