Sep 21, 2009 CVE-2009-3957 PDF w Trojan Scar - 2009 Defense Seminar Invitation from randinfodesk@gmail.com Sep 21, 2009

• CVE-2009-3957 Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, might allow attackers to cause a denial of service (NULL pointer dereference) via unspecified vectors.

Link updated: Jan 18, 2023

Download the files below as a password protected archive (please contact me if you need the password)


Original
E42F8E662D39A31B596D86504B9DC287 RandInfo.pdf  104165 bytes

Embedded / Dropped Files
590a6e6c811e41505bebd4a976b9e7f3 msapt.exe 41472 bytes
590a6e6c811e41505bebd4a976b9e7f3 update.exe 41472 bytes  230040293ED381E32FAA081B76634FCB wshipa.dll 32768 bytes 74180904D2F9DF2553C478F7AC480527 tpdefense.dat 103 bytes E73C3121EE1ED30643E1D1982393F978 RANDInfo.pdf 37822 bytes

Details E42F8E662D39A31B596D86504B9DC287 RandInfo.pdf

From: RAND Corporation [mailto:randinfodesk@gmail.com]
Sent: Monday, September 21, 2009 8:04 AM
Subject: 2009 Defense Seminar Invitation

       
RAND  Defense Security Seminar

October 19-23, 2009
1200 South Hayes Street
Arlington, VA 22202-5050

RAND Coporation will hold 2009 Defense Seminar at RAND’s Washington office at Pentagon City, Arlington, VA. Sessions will be held from 9:00 to 5:00 with an hour lunch break on Monday through Thursday, October 19–22, and from 9:00 to 1:00 on Friday, October 23, 2009.

Topics covered will include the following:
- The evolution of alliance and coalition partnerships
- The major issues and challenges in East Asia
- Gaming techniques for strategists and planners
- Missile defense technology and policy
- Transforming intelligence agencies to be better prepared to deal with today's threats
For more information, you can see attached file.
  

______________________________

Contact:

RAND Corporation
1200 South Hayes Street

Arlington, VA 22202

Phone: 703/412-1100 x5409

Fax: 703/413-8181

Attached file

 File RANDInfo.pdf received on 2010.02.01 21:24:53 (UTC)

http://www.virustotal.com/analisis/8978a152ebf292dea755309fd179e0d68df4c7fbcca796cc51dbf63a7da3e430-1265059493
Result: 19/41 (46.34%)
Antiy-AVL     2.0.3.7     2010.02.01     Exploit/Win32.Pidief
Authentium     5.2.0.5     2010.01.31     PDF/Pidief.AB
Avast     4.8.1351.0     2010.02.01     JS:Pdfka-gen
AVG     9.0.0.730     2010.02.01     Script/Exploit
BitDefender     7.2     2010.02.01     Exploit.PDF-JS.Gen
eTrust-Vet     35.2.7274     2010.02.01     PDF/Pidief.LH
F-Secure     9.0.15370.0     2010.02.01     Trojan.Script.213454
GData     19     2010.02.01     Trojan.Script.213454
Kaspersky     7.0.0.125     2010.02.01     Exploit.Win32.Pidief.cln
McAfee     5879     2010.02.01     Exploit-PDF.w
McAfee+Artemis     5879     2010.02.01     Exploit-PDF.w
McAfee-GW-Edition     6.8.5     2010.02.01     Heuristic.BehavesLike.PDF.Suspicious.Z
Microsoft     1.5406     2010.02.01     Exploit:Win32/Pdfjsc.CA
NOD32     4824     2010.02.01     JS/Exploit.Pdfka.NNB
PCTools     7.0.3.5     2010.02.01     Trojan.Pidief
Rising     22.33.00.04     2010.02.01     Hack.Exploit.Win32.PDF.jxr
Sunbelt     3.2.1858.2     2010.01.31     Exploit.PDF.Pidief.am (v)
Symantec     20091.2.0.41     2010.02.01     Trojan.Pidief.G
File size: 104165 bytes
MD5   : e42f8e662d39a31b596d86504b9dc287

 Vicheck.ca

https://www.vicheck.ca/md5query.php?hash=e42f8e662d39a31b596d86504b9dc287

  Detected entities:
PDF Exploit suspicious use of Colors tag CVE-2009-3957
Javascript obfuscation using unescape

Key Length: 256 bytes
Key Location: @52222 bytes
File XOR Offset: @254 bytes
XOR Key Length: 256 bytes
XOR Key:
0x[9f9e9d9c9b9a999897969594939291908f8e8d8c8b8a898887868584838281807f7e7d7c7b7a797877767574737271706f6e6d6c6b6a696867666564636261605f5e5d5c5b5a595857565554535251504f4e4d4c4b4a494847464544434241403f3e3d3c3b3a393837363534333231302f2e2d2c2b2a292827262524232221201f1e1d1c1b1a191817161514131211100f0e0d0c0b0a09080706050403020100fffefdfcfbfaf9f8f7f6f5f4f3f2f1f0efeeedecebeae9e8e7e6e5e4e3e2e1e0dfdedddcdbdad9d8d7d6d5d4d3d2d1d0cfcecdcccbcac9c8c7c6c5c4c3c2c1c0bfbebdbcbbbab9b8b7b6b5b4b3b2b1b0afaeadacabaaa9a8a7a6a5a4a3a2a1a0]

Files dropped in the user %TEMP% directory

590a6e6c811e41505bebd4a976b9e7f3 msapt.exe 41472 bytes 
590a6e6c811e41505bebd4a976b9e7f3 update.exe 41472 bytes 
230040293ED381E32FAA081B76634FCB wshipa.dll 32768 bytes
74180904D2F9DF2553C478F7AC480527 tpdefense.dat 103 bytes
E73C3121EE1ED30643E1D1982393F978 RANDInfo.pdf 37822 bytes

 Registry change to start msapt.exe every time Windows starts 
HKU\S-1-5-21-839522115-725345543-2147116355-500\Software\Microsoft\Windows\CurrentVersion\Run\msapt: "C:\Documents and Settings\Administrator\Local Settings\Temp\msapt.exe -installkys"


Virustotal Trojan.Win32.Scar

590a6e6c811e41505bebd4a976b9e7f3 msapt.exe 41472 bytes 
590a6e6c811e41505bebd4a976b9e7f3 update.exe 41472 bytes 

other known names for that MD5 hash is serverw.exe

http://www.virustotal.com/analisis/d11bbf55e7473d1293616cf1ba67127600795abc6d9c62288bdc00d15933e154-1254124740

  File update.exe received on 2010.03.06 18:54:16 (UTC)
Result: 31/40 (77.50%)
a-squared     4.5.0.50     2010.03.06     Trojan.Win32.Scar!IK
AntiVir     8.2.1.180     2010.03.05     TR/Dropper.Gen
Authentium     5.2.0.5     2010.03.06     W32/Sisron.A!Generic
Avast     4.8.1351.0     2010.03.06     Win32:Malware-gen
Avast5     5.0.332.0     2010.03.06     Win32:Malware-gen
AVG     9.0.0.787     2010.03.06     Generic14.NGD
BitDefender     7.2     2010.03.06     Gen:Trojan.Heur.PT.cqW@a0Tsc7nb
CAT-QuickHeal     10.00     2010.03.06     Trojan.Scar.yia
ClamAV     0.96.0.0-git     2010.03.06     Trojan.Agent-126367
Comodo     4091     2010.02.28     TrojWare.Win32.Scar.yia
DrWeb     5.0.1.12222     2010.03.06     BACKDOOR.Trojan
F-Prot     4.5.1.85     2010.03.06     W32/Sisron.A!Generic
F-Secure     9.0.15370.0     2010.03.06     Gen:Trojan.Heur.PT.cqW@a0Tsc7nb
Fortinet     4.0.14.0     2010.03.06     W32/Dropper.P!tr
GData     19     2010.03.06     Gen:Trojan.Heur.PT.cqW@a0Tsc7nb
Ikarus     T3.1.1.80.0     2010.03.06     Trojan.Win32.Scar
Jiangmin     13.0.900     2010.03.06     Trojan/Scar.bbv
K7AntiVirus     7.10.990     2010.03.04     Trojan.Win32.Malware.1
Kaspersky     7.0.0.125     2010.03.06     Trojan.Win32.Scar.yia
McAfee     5912     2010.03.06     Generic.dx!fmd
McAfee+Artemis     5912     2010.03.06     Generic.dx!fmd
Microsoft     1.5502     2010.03.06     Trojan:Win32/Orsam!rts
NOD32     4921     2010.03.06     probably unknown NewHeur_PE
nProtect     2009.1.8.0     2010.03.06     Trojan/W32.Scar.41472.B
Panda     10.0.2.2     2010.03.06     Generic Trojan
PCTools     7.0.3.5     2010.03.04     Trojan.Generic
Sophos     4.51.0     2010.03.06     Mal/Dropper-P
Sunbelt     5771     2010.03.06     BehavesLike.Win32.Malware (v)
Symantec     20091.2.0.41     2010.03.06     Trojan Horse
TheHacker     6.5.1.9.222     2010.03.06     Trojan/Scar.yia
VBA32     3.12.12.2     2010.03.05     Trojan.Win32.Inject.2
Additional information
File size: 41472 bytes
MD5   : 590a6e6c811e41505bebd4a976b9e7f3

Threatexpert report on 590a6e6c811e41505bebd4a976b9e7f3 

http://www.threatexpert.com/report.aspx?md5=590a6e6c811e41505bebd4a976b9e7f3
Analysis of the file resources indicate the following possible country of origin:

	China

Anubis report of 590a6e6c811e41505bebd4a976b9e7f3

http://anubis.iseclab.org/?action=result&task_id=1e8b897ab4b985f74052edcbfd91752a2

Files Created:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wshipa.dll

[#############################################################################] Anubis Analysis Report for update.exe MD5: 590a6e6c811e41505bebd4a976b9e7f3 [#############################################################################] Summary: - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - update.exe a) Registry Activities b) File Activities c) Process Activities - update.exe a) Registry Activities b) File Activities c) Process Activities - cmd.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 241 s Report created: 03/06/10, 19:17:39 UTC Termination reason: Timeout Program version: 1.74.2603 [#############################################################################] 2. update.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: update.exe MD5: 590a6e6c811e41505bebd4a976b9e7f3 SHA-1: b9bd45207b3e28f725b982372d04723ffffabdc3 File Size: 41472 Bytes Command Line: "C:\update.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] [=============================================================================] Ikarus Virus Scanner [=============================================================================] Trojan.Win32.Scar (Sig-Id: 32891426) [=============================================================================] 2.a) update.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ], Value Name: [ msapt ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temp\msapt.exe -installkys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time [=============================================================================] 2.b) update.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\msapt.exe ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\msapt.exe ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] File Name: [ C:\WINDOWS\system32\cmd.exe ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] File Name: [ C:\update.exe ] [=============================================================================] 2.c) update.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ], Command Line: [ ] Executable: [ C:\WINDOWS\system32\cmd.exe ], Command Line: [ ] Executable: [ ], Command Line: [ C:\WINDOWS\system32\cmd.exe /c del C:\update.exe > nul ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] Affected Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] Process: [ C:\WINDOWS\system32\cmd.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] Process: [ C:\WINDOWS\system32\cmd.exe ] [#############################################################################] 3. update.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by update.exe Filename: update.exe Command Line: "C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] [=============================================================================] 3.a) update.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time [=============================================================================] 3.b) update.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wshipa.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wshipa.dll ] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\msapt.exe ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] File Name: [ C:\WINDOWS\system32\PSAPI.DLL ] [=============================================================================] 3.c) update.exe - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\Documents and Settings\Administrator\Local Settings\Temp\update.exe ] Process: [ C:\Program Files\Messenger\msmsgs.exe ] Process: [ C:\WINDOWS\explorer.exe ] Process: [ C:\WINDOWS\system32\alg.exe ] Process: [ C:\WINDOWS\system32\cmd.exe ] Process: [ C:\WINDOWS\system32\csrss.exe ] Process: [ C:\WINDOWS\system32\ctfmon.exe ] Process: [ C:\WINDOWS\system32\lsass.exe ] Process: [ C:\WINDOWS\system32\services.exe ] Process: [ C:\WINDOWS\system32\smss.exe ] Process: [ C:\WINDOWS\system32\spoolsv.exe ] Process: [ C:\WINDOWS\system32\svchost.exe ] Process: [ C:\WINDOWS\system32\wbem\wmiprvse.exe ] Process: [ C:\WINDOWS\system32\winlogon.exe ] Process: [ C:\WINDOWS\system32\wscntfy.exe ] Process: [ C:\WINDOWS\system32\wuauclt.exe ] Process: [ C:\nwor.exeor.exe ] Process: [ C:\rjher.exeer.exe ] Process: [ C:\update.exe ] [#############################################################################] 4. cmd.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by update.exe Filename: cmd.exe MD5: 6d778e0f95447e6546553eeea709d03c SHA-1: 811a005cf787c6ccbe0d9f1c36c1d49a9cb71fd1 File Size: 389120 Bytes Command Line: C:\WINDOWS\system32\cmd.exe /c del C:\update.exe > nul Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] [=============================================================================] 4.a) cmd.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ AutoRun ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Command Processor ], Value Name: [ PathCompletionChar ], Value: [ 64 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ imaadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ msg723.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ msgsm32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], Value Name: [ 1 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], Value Name: [ 00000C07 ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ CompletionChar ], Value: [ 9 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ DefaultColor ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Command Processor ], Value Name: [ EnableExtensions ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time [=============================================================================] 4.b) cmd.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\update.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ nul ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\MSACM32.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\ShimEng.dll ] File Name: [ C:\WINDOWS\system32\UxTheme.dll ] File Name: [ C:\WINDOWS\system32\WINMM.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ]  
 Virustotal  wshipa.dll 
 http://www.virustotal.com/analisis/5d6ebaee77424e035d1d34473818d00bf4760ad2cdd38195b0ce865c2897977c-1267901791
File wshipa.dll received on 2010.03.06 18:56:31 (UTC)
Result: 3/42 (7.14%)
Antivirus     Version     Last Update     Result
Prevx     3.0     2010.03.06     Medium Risk Malware
Symantec     20091.2.0.41     2010.03.06     Suspicious.Insight
VBA32     3.12.12.2     2010.03.05     suspected of Win32.Trojan-Downloader
File size: 32768 bytes
MD5   : 230040293ed381e32faa081b76634fcb
 
Randinfo.pdf e73c3121ee1ed30643e1d1982393f978- as expected, this embedded PDF is clean


The trojan contains reference to
hxxps://music.defense-association.com/asp/kys_allow_get.asp?name=getkys.kys, which is not reachable at the time of this writing

 

Robtex information for music.defense-association.com

Sorry, we have no information about music.defense-association.com

defense-association.com is a domain controlled by two nameservers having a total of four IP numbers. All of them are on different IP networks. ctt.hk, 8jy.cn, ghcn.cn, 33cc.cn, jhcp.cn and at least 56 other hosts share nameservers with this domain. Reputation is not yet known.It is not listed in any blacklists.  

defense-association.com 

http://www.robtex.com/dns/defense-association.com.html 

 Domain Name: DEFENSE-ASSOCIATION.COM
Registrar: BIZCN.COM, INC.
Whois Server: whois.bizcn.com
Referral URL: http://www.bizcn.com
Name Server: NS1.ORAY.NET
Name Server: NS2.ORAY.NET
Status: clientDeleteProhibited
Status: clientTransferProhibited
Updated Date: 25-oct-2009
Creation Date: 21-dec-2007
Expiration Date: 21-dec-2010

Domain name: defense-association.com

Registrant Contact:
jieqing
iang li lavinmondo@yahoo.com
0371-52140322 fax: 0371-25104796
jinshui,zhengzhou,henan
washingtondc washingtondc 450000
us

Administrative Contact:
qi zhang lavinmondo@yahoo.com
0371-45210368 fax: 0371-45210398
jinshui,zhengzhou,henan
washingtondc washingtondc 450000
us

Technical Contact:
iang li lavinmondo@yahoo.com
0371-52140322 fax: 0371-25104796
jinshui,zhengzhou,henan
washingtondc washingtondc 450000
us

Billing Contact:
iang li lavinmondo@yahoo.com
0371-52140322 fax: 0371-25104796
jinshui,zhengzhou,henan
washingtondc washingtondc 450000
us

DNS:
ns1.oray.net
ns2.oray.net