Apr 10 CVE-2010-0188 PDF Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

• CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download  Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa as a password protected archive (please contact me if you need the password)

Details Research Paper on Nuclear Posture Review 2010.PDF 8ae20aabfb207f5bb4e3918b043d37fa

Ok, let's see - the Nuclear Summit starts in DC on Monday

From: [Redacted]@yahoo.com;

Date: Sat, Apr 10, 2010 at 10:02 AM

Subject: [Redacted] Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit

To: [Redacted]

Dear Sir/Madam,

The 2010 Nuclear Posture Review (NPR) outlines the Administration’s approach to promoting the President’s agenda for reducing nuclear dangers and pursuing the goal of a world without nuclear weapons, while simultaneously advancing broader U.S. security interests.

According to the White House, the end goal of the upcoming Nuclear Security Summit 2010 will be “a communiqué pledging efforts to attain the highest levels of nuclear security, which is essential for international security as well as the development and expansion of peaceful nuclear energy worldwide.”

Accompanying this letter is the [Redacted]Research Paper on Nuclear Posture Review 2010 and the upcoming Nuclear Security Summit. Please let us know whether you find it useful, and whether there is additional information you would like to see included in future editions. We very much value your support and assistance.

[Redacted address and signature]

Header info

Sender  174.139.92.6

Received: (qmail 32240 invoked by uid 60001); 10 Apr 2010 08:02:01 -0000

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1270886521; bh=2tVtzPiN2q8LTxw5hs/fzwRo62bOjhWpm4283Sg9FiU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type; b=GBBCANmJTi+Vd8WPrPdg0A60ZhZ+z8bKVPaAgKB1nn2/7TI7otWMCtpRvecxwfjEzyMZ6Ex5NwDczw90m8XRq5Qedcxdhw2Oqmyx+2fUUc8ECPGejQAPhbFIdxAO3byGQolXILXw4NGNviJ9YkABWcXOEp0jz8gZG4MjZiMz9G8=
DomainKey-Signature:a=rsa-sha1; q=dns; c=nofws;
  s=s1024; d=yahoo.com;
  h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:MIME-Version:Content-Type;
  b=QrLDUXjtUu5Y65+czVR6Fwmw/5PB8qfi3rdwZYHFGKlTgfrbcNkZSCJvZ/LqbW62vT3rqbpkXuh+mDo3MDYW4W0WYvJ1iYHr2No4W1f+SgpDE26A+50ECRxrsI0nVmqO9w9mSwNshfms64QlRhLFQcewz63LMdr/MjoqHF5XenI=;
Message-ID: <197929.29181.qm@web113108.mail.gq1.yahoo.com>
X-YMail-OSG: CFQsBtgVM1lXpDCBIaFH3fawifbGkB4yrT4AuuGLJQkt_xt
YYzj9YZ7fg4zcPi4axvKpLIBB93mP3E2QmjFJok0Ci7G1FBJsyjjEh4tINno
MCSYNdXDqJlfKIkQYjWUoGKWPIUyJMOAf.BYtYh5e_qOHXMCplW7t84cIkVO
57SiyqE2kEZnP4Q4yNRXn41WL9l2sjAQ7iRpVUQiighLiDdrMlNPd.JrS4qZ
nTbeLCUhFeb6RED8pSoX8Ah8xdVWLHP4yOjLlpTUq2vJ009J_63PxOOGucuD
B_jfI
Received: from [174.139.92.6] by web113108.mail.gq1.yahoo.com via HTTP; Sat, 10 Apr 2010 01:02:01 PDT
X-Mailer: YahooMailClassic/10.0.8 YahooMailWebService/0.8.100.260964
Date: Sat, 10 Apr 2010 01:02:01 -0700 (PDT)

Malware binaries generate traffic to the same IP

File Research_Paper_on_Nuclear_Posture  received on 2010.04.10 14:12:49 (UTC)
http://www.virustotal.com/analisis/5e29cf69389e3b1d15dcf50df1c0e28ec53382ec7ece4451f29ac28acf94876e-1270908769
Result: 5/39 (12.83%)
Avast    4.8.1351.0    2010.04.10    PDF:CVE-2010-0188
Avast5    5.0.332.0    2010.04.10    PDF:CVE-2010-0188
GData    19    2010.04.10    PDF:CVE-2010-0188
Kaspersky    7.0.0.125    2010.04.10    Exploit.JS.Pdfka.bzh
Sophos    4.52.0    2010.04.10    Troj/PDFJs-II
File size: 80065 bytes
MD5...: 8ae20aabfb207f5bb4e3918b043d37fa

Malicious PDF results

CVE-2010-0188

Created files

1. %Temp%\AcrRd32.EXE     MD5 5a67c2a64e17a2e3e5efd0ae94db715c
   
   AcrRd32.EXE creates and opens

•      %Temp%\11111111.pdf   MD5 6b4162954594a6c6e4287773fced7e5f
•       %Temp%\wuweb.exe   MD5  8ae20aabfb207f5bb4e3918b043d37fa

 AcrRd32.EXE
http://www.virustotal.com/analisis/4ee80dcbba4142f4207345c684c6a6802ad356dc16f07d21b5828b62deb5f75d-1270912091
  File AcrRd32.EXE received on 2010.04.10 15:08:11 (UTC)
Result: 15/39 (38.47%)
a-squared    4.5.0.50    2010.04.10    Trojan-Dropper.Win32.Bewbeu!IK
AhnLab-V3    5.0.0.2    2010.04.10    Win-Trojan/Pincav.167936
AntiVir    7.10.6.55    2010.04.09    TR/Crypt.ZPACK.Gen
Antiy-AVL    2.0.3.7    2010.04.09    Trojan/Win32.Pincav.gen
Avast    4.8.1351.0    2010.04.10    Win32:Malware-gen
Avast5    5.0.332.0    2010.04.10    Win32:Malware-gen
AVG    9.0.0.787    2010.04.10    Agent2.AMXA
GData    19    2010.04.10    Win32:Malware-gen
Ikarus    T3.1.1.80.0    2010.04.10    Trojan-Dropper.Win32.Bewbeu
Jiangmin    13.0.900    2010.04.10    Trojan/PSW.Small.lz
McAfee-GW-Edition    6.8.5    2010.04.09    Trojan.Crypt.ZPACK.Gen
Microsoft    1.5605    2010.04.10    TrojanDropper:Win32/Bewbeu.A
Sophos    4.52.0    2010.04.10    Mal/PdfExDr-A
Symantec    20091.2.0.41    2010.04.10    Trojan.Dropper
VBA32    3.12.12.4    2010.04.09    Trojan-PSW.Win32.Small.ma
File size: 76800 bytes
MD5...: 5a67c2a64e17a2e3e5efd0ae94db715c

http://anubis.iseclab.org/?action=result&task_id=12e29997f49bc0484690d863b50580e46


[#############################################################################] Anubis Analysis Report for AcrRd32.EXE MD5: 5a67c2a64e17a2e3e5efd0ae94db715c [#############################################################################] Summary: - Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Spawns Processes: The executable produces processes during the execution. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - AcrRd32.EXE a) Registry Activities b) File Activities c) Process Activities d) Other Activities - wuweb.exe a) Registry Activities b) File Activities c) Network Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 241 s Report created: 04/10/10, 15:12:01 UTC Termination reason: Timeout Program version: 1.74.2681 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ sinmail.byinter.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ] Name: [ 88521.kwik.to ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ] [#############################################################################] 2. AcrRd32.EXE [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: AcrRd32.EXE MD5: 5a67c2a64e17a2e3e5efd0ae94db715c SHA-1: 4a798ee87fd2788bd14b6c16c2b2f020c635e3a8 File Size: 76800 Bytes Command Line: "C:\AcrRd32.EXE" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\MFC42.DLL ], Base Address: [0x73DD0000 ], Size: [0x000FE000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\netapi32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ], Base Address: [0x76FD0000 ], Size: [0x0007F000 ] Module Name: [ C:\WINDOWS\system32\COMRes.dll ], Base Address: [0x77050000 ], Size: [0x000C5000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ], Base Address: [0x77920000 ], Size: [0x000F3000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\shell32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\urlmon.dll ], Base Address: [0x7E1E0000 ], Size: [0x000A2000 ] [=============================================================================] Ikarus Virus Scanner [=============================================================================] Trojan-Dropper.Win32.Bewbeu (Sig-Id: 1360748) [=============================================================================] 2.a) AcrRd32.EXE - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common Desktop ], New Value: [ C:\Documents and Settings\All Users\Desktop ] Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common Documents ], New Value: [ C:\Documents and Settings\All Users\Documents ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ BaseClass ], New Value: [ Drive ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ BaseClass ], New Value: [ Drive ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Desktop ], New Value: [ C:\Documents and Settings\Administrator\Desktop ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Personal ], New Value: [ C:\Documents and Settings\Administrator\My Documents ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ IntranetName ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ ProxyBypass ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ ], Value Name: [ UNCAsIntranet ], New Value: [ 1 ] Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ ], Value Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ], New Value: [ Adobe Acrobat Internet Update ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\CLASSES\.ASP ], Value Name: [ ], Value: [ aspfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.BAT ], Value Name: [ ], Value: [ batfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CER ], Value Name: [ ], Value: [ CERFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CHM ], Value Name: [ ], Value: [ chm.file ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CMD ], Value Name: [ ], Value: [ cmdfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.COM ], Value Name: [ ], Value: [ comfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CPL ], Value Name: [ ], Value: [ cplfile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.CRT ], Value Name: [ ], Value: [ CERFile ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\.EXE ], Value Name: [ ], Value: [ exefile ], 3 times Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ], Value Name: [ ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 ], Value Name: [ ], Value: [ C:\WINDOWS\system32\urlmon.dll ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 ], Value Name: [ ThreadingModel ], Value: [ Both ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32 ], Value Name: [ ], Value: [ shell32.dll ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\DIRECTORY ], Value Name: [ AlwaysShowExt ], Value: [ ], 1 time Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ], Value Name: [ DriveMask ], Value: [ 32 ], 2 times Key: [ HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND ], Value Name: [ ], Value: [ "%1" %* ], 2 times Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\Setup ], Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Value Name: [ REGDBVersion ], Value: [ 0x0700000000000000 ], 2 times Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], Value Name: [ * ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation ], Value Name: [ CutList ], Value: [ 0x4100700070006c00690063006100740069006f006e002000460069006c00 ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ], Value Name: [ {AEB6717E-7E19-11d0-97EE-00C04FD91972} ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common Desktop ], Value: [ %ALLUSERSPROFILE%\Desktop ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common Documents ], Value: [ %ALLUSERSPROFILE%\Documents ], 1 time Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ LogLevel ], Value: [ 0 ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], Value Name: [ SourcePath ], Value: [ D:\ ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ AuthenticodeEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ DefaultLevel ], Value: [ 262144 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ ExecutableTypes ], Value: [ 0x410044004500000041004400500000004200410053000000420041005400 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ PolicyScope ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 4 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemData ], Value: [ 0x5eab304f957a49896a006c1c31154015 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ ItemSize ], Value: [ 779 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemData ], Value: [ 0x67b0d48b343a3fd3bce9dc646704f394 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ ItemSize ], Value: [ 517 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemData ], Value: [ 0x327802dcfef8c893dc8ab006dd847d1d ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ ItemSize ], Value: [ 918 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemData ], Value: [ 0xbd9a2adb42ebd8560e250e4df8162f67 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ ItemSize ], Value: [ 229 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ HashAlg ], Value: [ 32771 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemData ], Value: [ 0x386b085f84ecf669d36b956a22c01e80 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ ItemSize ], Value: [ 370 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ ItemData ], Value: [ %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* ], 1 time Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33} ], Value Name: [ SaferFlags ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 2 times Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times Key: [ HKLM\System\WPA\PnP ], Value Name: [ seed ], Value: [ 1274198464 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ], Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ Filter ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ Hidden ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ HideFileExt ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ HideIcons ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], Value Name: [ WebView ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Generation ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], Value Name: [ Generation ], Value: [ 1 ], 5 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Desktop ], Value: [ %USERPROFILE%\Desktop ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], Value Name: [ 1806 ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 ], Value Name: [ Flags ], Value: [ 33 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 ], Value Name: [ Flags ], Value: [ 219 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 ], Value Name: [ Flags ], Value: [ 71 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 ], Value Name: [ Flags ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 ], Value Name: [ Flags ], Value: [ 3 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache ], Value Name: [ LangID ], Value: [ 0x0904 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Classes ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times Key: [ HKLM\Software\Classes\CLSID ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times Key: [ HKLM\Software\Microsoft\COM3 ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times Key: [ HKU ], Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times [=============================================================================] 2.b) AcrRd32.EXE - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11111111.pdf ] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] File Name: [ C:\Documents and Settings\Administrator\My Documents\desktop.ini ] File Name: [ C:\Documents and Settings\All Users\Documents\desktop.ini ] File Name: [ C:\WINDOWS\Registration\R000000000007.clb ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\wkssvc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\11111111.pdf ] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] File Name: [ MountPointManager ] File Name: [ PIPE\lsarpc ] File Name: [ PIPE\wkssvc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ PIPE\wkssvc ], Control Code: [ 0x0011C017 ], 1 time File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 2 times File: [ STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time File: [ MountPointManager ], Control Code: [ 0x006D0034 ], 4 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\Apphelp.dll ] File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ] File Name: [ C:\WINDOWS\system32\COMRes.dll ] File Name: [ C:\WINDOWS\system32\MFC42.DLL ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\MSVCP60.dll ] File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\WINDOWS\system32\rpcss.dll ] File Name: [ C:\WINDOWS\system32\shell32.dll ] File Name: [ C:\WINDOWS\system32\urlmon.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) AcrRd32.EXE - Process Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Processes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ], Command Line: [ ] Executable: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ], Command Line: [ "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe" ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Remote Threads Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Affected Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Foreign Memory Regions Written: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Process: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] [=============================================================================] 2.d) AcrRd32.EXE - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ DBWinMutex ] Mutex: [ ZonesCacheCounterMutex ] Mutex: [ ZonesCounterMutex ] Mutex: [ ZonesLockedCacheCounterMutex ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0x40010006 at 0x7c812aeb ], 1 time [#############################################################################] 3. wuweb.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Started by AcrRd32.EXE Filename: wuweb.exe MD5: 4c7ef8790f9be0adf666f39b468a8ca0 SHA-1: 7b62a2488414fbf5128e08b4fc4ae503b281fc23 File Size: 29696 Bytes Command Line: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] [=============================================================================] 3.a) wuweb.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ HelperDllName ], Value: [ %SystemRoot%\System32\wshtcpip.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MaxSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MinSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ UseDelayedAcceptance ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time [=============================================================================] 3.b) wuweb.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wuweb.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ \Device\Afd\Endpoint ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_INFO (0x0001207B) ], 2 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_CONTEXT (0x00012047) ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\System32\wshtcpip.dll ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\hnetcfg.dll ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] [=============================================================================] 3.c) wuweb.exe - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ corepiper.sexidude.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ NO ], Protocol: [ ] Name: [ sinmail.ByInter.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ NO ], Protocol: [ ] Name: [ corepiper.sexidude.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ NO ], Protocol: [ udp ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

DNS Queries:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
        Name: [ sinmail.byinter.net ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]
        Name: [ 88521.kwik.to ], Query Type: [ DNS_TYPE_A ],
            Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ]

wuweb.exe

File wuweb.exe received on 2010.04.10 14:56:49 (UTC)

http://www.virustotal.com/analisis/38c3fb2100b2e8f7c5b821ac3716c791628e89a761cf24f18e18800fc9e6f109-1270911409
Result: 2/37 (5.41%)
AntiVir  7.10.6.55  2010.04.09  TR/Crypt.ZPACK.Gen
McAfee-GW-Edition  6.8.5  2010.04.09  Heuristic.BehavesLike.Win32.Worm.B
File size: 29696 bytes
sdsdMD5   : 4c7ef8790f9be0adf666f39b468a8ca0

http://anubis.iseclab.org/?action=result&task_id=1bc2f09c6536ef9d4d93363c76394b70a [#############################################################################] Anubis Analysis Report for wuweb.exe MD5: 4c7ef8790f9be0adf666f39b468a8ca0 [#############################################################################] Summary: - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - wuweb.exe a) Registry Activities b) File Activities c) Network Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 240 s Report created: 04/10/10, 15:11:16 UTC Termination reason: Timeout Program version: 1.74.2681 [=============================================================================] Global Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ sinmail.byinter.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ] Name: [ 88521.kwik.to ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ 0 ], Protocol: [ udp ] [#############################################################################] 2. wuweb.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: wuweb.exe MD5: 4c7ef8790f9be0adf666f39b468a8ca0 SHA-1: 7b62a2488414fbf5128e08b4fc4ae503b281fc23 File Size: 29696 Bytes Command Line: "C:\wuweb.exe" Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\hnetcfg.dll ], Base Address: [0x662B0000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ] Module Name: [ C:\WINDOWS\System32\wshtcpip.dll ], Base Address: [0x71A90000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ] Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ] Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ] [=============================================================================] 2.a) wuweb.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters ], Value Name: [ Transports ], Value: [ 0x5400630070006900700000004e0065007400420049004f00530000000000 ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ HelperDllName ], Value: [ %SystemRoot%\System32\wshtcpip.dll ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ Mapping ], Value: [ 0x0b0000000300000002000000010000000600000002000000010000000000 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MaxSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ MinSockaddrLength ], Value: [ 16 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock ], Value Name: [ UseDelayedAcceptance ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1012 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 11 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time [=============================================================================] 2.b) wuweb.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\wuweb.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ \Device\Afd\Endpoint ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_GET_INFO (0x0001207B) ], 2 times File: [ \Device\Afd\Endpoint ], Control Code: [ AFD_SET_CONTEXT (0x00012047) ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\System32\wshtcpip.dll ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\hnetcfg.dll ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] [=============================================================================] 2.c) wuweb.exe - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ corepiper.sexidude.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ NO ], Protocol: [ ] Name: [ sinmail.ByInter.net ], Query Type: [ DNS_TYPE_A ], Query Result: [ ], Successful: [ NO ], Protocol: [ ] Name: [ corepiper.sexidude.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 0 ], Successful: [ NO ], Protocol: [ udp ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org =================================================================

Domain names used (Robtex.com)

SINMAIL.BYINTER.NET
sinmail.byinter.net has one IP number , but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. byinter.net is a domain controlled by five nameservers at sitelutions.com. Two of them are on the same IP network. byinter.net has one IP number. It is blacklisted in one list.

not whoisable

 And this is the traffic produced on the test machine

 Information about the IP  174.139.92.6 - The malware traffic and the sender share the same IP address this time.


http://www.robtex.com/ip/174.139.92.6.html#whois
      Hostname:    yum6.pinewoodchips.com
      ISP:    VPLS Inc. d/b/a Krypt Technologies
      Organization:    VPLS Inc. d/b/a Krypt Technologies
      Proxy:    None detected
      Type:    Corporate
      Assignment:    Static IP
      Country:    United States
      State/Region:    California
      City:    Orange

 The ip address belongs to Krypt - a hosting company  in CA

 =====================================================

SEXIDUDE.COM

Summary sexidude.com ("Dynamic Dns >> Sexidude.com > How-to") is a domain controlled by three nameservers at changeip.org. Two of them are on the same IP network. Incoming mail for sexidude.com is handled by one mailserver at changeip.com. sexidude.com has one IP number , but the reverse is vanity.changeip.com. 3-a.net, 25u.com, ddns.us, 4pu.com, ns01.us and at least 35 other hosts point to the same IP and also shares both nameservers and mailservers. ns02.biz, ns01.biz, ocry.com, myz.info, toh.info and at least 30 other hosts point to the same IP and also shares nameservers. wha.la, ns02.us, ddns.ms, epac.to, dns2.us and at least 93 other hosts point to the same IP and also shares mailservers. dns1.us, zyns.com, ns3.name, my03.com, jkub.com and at least 97 other hosts point to the same IP. h1x.com, ns1.name, dhcp.biz, ns02.info, dumb1.com and at least 26 other hosts share both nameservers and mailservers with this domain. sixth.biz, jetos.com, ddns.info, ns01.info, mrface.com and at least 21 other hosts share nameservers with this domain. dns1.us, 4dq.com, ns02.biz, zyns.com, ns3.name and at least 100 other hosts share mailservers with this domain. a.sexidude.com, http://www.blogger.com/www.sexidude.com.html, is-a.sexidude.com, info.sexidude.com, tel-mag.sexidude.com and at least three other hosts are subdomains to this hostname. sexidude.com is ranked #6264971 world wide and is hosted on a server in United States. Child safety of this site is very poor. (more on reputation).It is blacklisted in three lists. It has 4 organic keywords. It has been online for nine years.  Domain Name: SEXIDUDE.COM Registrar: NETWORK SOLUTIONS, LLC. Whois Server: whois.networksolutions.com Referral URL: http://www.networksolutions.com Name Server: NS1.CHANGEIP.ORG Name Server: NS2.CHANGEIP.ORG Name Server: NS3.CHANGEIP.ORG Status: clientTransferProhibited Updated Date: 04-jan-2010 Creation Date: 14-jan-2001 Expiration Date: 14-jan-2011  ======================================================================== 88521.KWIK.TO 88521.kwik.to has one IP number , but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. kwik.to is delegated to three nameservers, however two extra nameservers are listed in the zone. kwik.to has one IP number. It is blacklisted in one list. not whoisable  =======================================================================  COREPIPER.SEXIDUDE.COM Incoming mail for corepiper.sexidude.com is handled by one mailserver at sexidude.com. corepiper.sexidude.com has one IP number , but the reverse is localhost. ns4.de, sunx.org, cabi.net, celox.nl, jcaa.com and at least 100 other hosts point to the same IP. corepiper.sexidude.com use this as a mailserver. www.corepiper.sexidude.com and ftp.corepiper.sexidude.com are subdomains to this hostname. sexidude.com is a domain controlled by three nameservers at changeip.org. Two of them are on the same IP network. Incoming mail for sexidude.com is handled by one mailserver at changeip.com. sexidude.com has one IP number. It is blacklisted in two lists. ======================================================================