Apr 5 CVE-2010-0188 PDF with Bifrose- nov varianty evro SPO SHA from lukin@mail.ru

• CVE-2010-0188 Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors

Download nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211 as a password protected archive (please contact me if you need the password)

Details nov varianty evro SPO SHA  176fa5b6dbc10b78a6f21c18f2e4d211

-----Original Message-----
From: Lukin Aleksandr [mailto:lukin@mail.ru]
Sent: Monday, April 05, 2010 4:59 AM
To: XXXXXXXXXX
 Subject: nov varianty evro SPO SHA


 




Virustotal
http://www.virustotal.com/analisis/12112cd97c7fb05f8b4719ce70f49e9ebab815cc11fab4263255c93e3455a659-1270562041
 File nov_varianty_evro_SPO_SHA.pdf received on 2010.04.06 13:54:01 (UTC)
Result: 2/39 (5.13%)
Sophos    4.52.0    2010.04.06    Troj/PDFJs-II
Symantec    20091.2.0.41    2010.04.06    Trojan.Pidief.I
File size: 220944 bytes
MD5...: 176fa5b6dbc10b78a6f21c18f2e4d211

CVE-2010-0188 PDF

Новый варианты европейской СПО США
В четверг высокопоставленный сотрудник министерства обороны США заявил, что Америка
помимо планов, предполагающих размещение системы европейской противоракетной обороны
в Польше и в Чехии, рассматривает и альтернативные варианты.
В ходе посвященных отношениям с Россией слушаний в Палате представителей заместитель
министра обороны Александр Вершбоу (Alexander Vershbow) сообщил конгрессменам, что
администрация Обамы ведет пересмотр планов по ПРО и анализирует различные
конфигурации.
'Рассматриваются все варианты, которые могут выполнить задачу, в том числе вариант с базой
в Польше и радаром в Чехии', - заявил Вершбоу.
Администрация Обамы стремится улучшить отношения с Россией, твердо выступающей
против планов предыдущей администрации разместить 10 ракет-перехватчиков в Польше и
радарную систему в Чехии. Как утверждает Россия, дальнейшее осуществление этих планов
может сорвать начатые американским и российским президентами переговоры о
возобновлении сотрудничества.
Несмотря на то, что администрация Обамы решила пересмотреть планы, она продолжает
утверждать, что в задачи ПРО входит отражение угрозы со стороны иранских ракет и что
России система не угрожает. Кроме того, администрация учитывает, что отказ развернуть ПРО
в Польше и Чехии повредит отношениям с этими двумя союзниками.
Вершбоу отметил, что администрация рассмотрит разные варианты, но не будет принимать во
внимание возражения России.
'Пересмотр программы - наше внутренне дело; на этой стадии мы не собираемся дискутировать
с русскими об альтернативах, - утверждает он. - Наши выводы будут основываться только на
оценке иранской угрозы, а также эффективности и стоимости системы'.
 See machine translation in the end of the post


Dropped malware information

Files added
%Temp%\686953_Res.tmp
%Temp%\688031_Res.tmp
%Temp%\nov varianty evro SPO SHA.pdf
%Temp%\svchost.exe

Registry changes
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control\*NewlyCreated*: 0x00000000 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Control\ActiveService: "6to4" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Service: "6to4" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Legacy: 0x00000001 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\ConfigFlags: 0x00000000 HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\Class: "LegacyDriver" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\0000\DeviceDesc: "TCP/IP Protocol Service" HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_6TO4\NextInstance: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\RasMan\Parameters\NbfOutLowWatermark: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\RasMan\Parameters\NbfOutHighWatermark: 0x00000005 HKLM\SYSTEM\ControlSet001\Services\RasMan\Parameters\NbfInLowWatermark: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\RasMan\Parameters\NbfInHighWatermark: 0x00000005 HKLM\SYSTEM\ControlSet001\Services\6to4\Enum\0: "Root\LEGACY_6TO4\0000" HKLM\SYSTEM\ControlSet001\Services\6to4\Enum\Count: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\6to4\Enum\NextInstance: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\6to4\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 HKLM\SYSTEM\ControlSet001\Services\6to4\Parameters\ServiceDll: "C:\WINDOWS\system32\config\6to4nt.dll" HKLM\SYSTEM\ControlSet001\Services\6to4\Type: 0x00000004 HKLM\SYSTEM\ControlSet001\Services\6to4\Start: 0x00000002 HKLM\SYSTEM\ControlSet001\Services\6to4\ErrorControl: 0x00000001 HKLM\SYSTEM\ControlSet001\Services\6to4\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs" HKLM\SYSTEM\ControlSet001\Services\6to4\DisplayName: "TCP/IP Protocol Service" HKLM\SYSTEM\ControlSet001\Services\6to4\ObjectName: "LocalSystem" HKLM\SYSTEM\ControlSet001\Services\6to4\Description: "Resolves TCP/IP Protocol for this computer. If this service is stopped, this computer will not be able to resolve TCP/IP Protocol. If this service is disabled, any services that explicitly depend on it will fail to start." HKLM\SYSTEM\ControlSet001\Services\6to4\InstallModule: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RASMAN\0000\Control\ActiveService: "RasMan" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TAPISRV\0000\Control\ActiveService: "TapiSrv" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control\*NewlyCreated*: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control\ActiveService: "6to4" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Service: "6to4" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Legacy: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\ConfigFlags: 0x00000000 HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Class: "LegacyDriver" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\ClassGUID: "{8ECC055D-047F-11D1-A537-0000F8753ED1}" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\DeviceDesc: "TCP/IP Protocol Service" HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_6TO4\NextInstance: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NbfOutLowWatermark: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NbfOutHighWatermark: 0x00000005 HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NbfInLowWatermark: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\NbfInHighWatermark: 0x00000005 HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum\0: "Root\LEGACY_6TO4\0000" HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum\Count: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\6to4\Enum\NextInstance: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\6to4\Security\Security: 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00 HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters\ServiceDll: "C:\WINDOWS\system32\config\6to4nt.dll" HKLM\SYSTEM\CurrentControlSet\Services\6to4\Type: 0x00000004 HKLM\SYSTEM\CurrentControlSet\Services\6to4\Start: 0x00000002 HKLM\SYSTEM\CurrentControlSet\Services\6to4\ErrorControl: 0x00000001 HKLM\SYSTEM\CurrentControlSet\Services\6to4\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs" HKLM\SYSTEM\CurrentControlSet\Services\6to4\DisplayName: "TCP/IP Protocol Service" HKLM\SYSTEM\CurrentControlSet\Services\6to4\ObjectName: "LocalSystem" HKLM\SYSTEM\CurrentControlSet\Services\6to4\Description: "Resolves TCP/IP Protocol for this computer. If this service is stopped, this computer will not be able to resolve TCP/IP Protocol. If this service is disabled, any services that explicitly depend on it will fail to start." HKLM\SYSTEM\CurrentControlSet\Services\6to4\InstallModule: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchost.exe"

http://www.virustotal.com/analisis/1cd77175e3b1ecf366409ff362ef05180a4e8a21b08089e09e17341d2acbe478-1270563466
File 686953_Res.tmp received on 2010.04.06 14:17:46 (UTC)
Result: 12/39 (30.77%)
AntiVir 7.10.6.30 2010.04.06 HEUR/Malware
Authentium 5.2.0.5 2010.04.06 W32/OnlineGames.BX.gen!Eldorado
BitDefender 7.2 2010.04.06 Gen:Trojan.Heur.dy8@dJ799sjb
F-Prot 4.5.1.85 2010.04.05 W32/OnlineGames.BX.gen!Eldorado
F-Secure 9.0.15370.0 2010.04.06 Gen:Trojan.Heur.dy8@dJ799sjb
Fortinet 4.0.14.0 2010.04.06 W32/Bifrose.CBQE!tr.bdr
GData 19 2010.04.06 Gen:Trojan.Heur.dy8@dJ799sjb
Jiangmin 13.0.900 2010.04.06 Trojan/Agent.desr
McAfee-GW-Edition 6.8.5 2010.04.06 Heuristic.Malware
Panda 10.0.2.2 2010.04.05 Suspicious file
Rising 22.42.01.04 2010.04.06 Trojan.Win32.AvKiller.nq
Symantec 20091.2.0.41 2010.04.06 Suspicious.Insight
Additional information
File size: 63488 bytes
MD5...: 296ef9ae32909633c09320765bf2582f

http://www.virustotal.com/analisis/13245d160694fd94275d35fb3978aa44544cee7f3df98b4b45b18b4b6287e0a9-1270563441
File 688031_Res.tmp received on 2010.04.06 14:17:21 (UTC)
Result: 11/39 (28.21%)
AntiVir 7.10.6.30 2010.04.06 HEUR/Malware
Authentium 5.2.0.5 2010.04.06 W32/OnlineGames.BX.gen!Eldorado
BitDefender 7.2 2010.04.06 Gen:Trojan.Heur.dy9@dJ799sjb
F-Prot 4.5.1.85 2010.04.05 W32/OnlineGames.BX.gen!Eldorado
F-Secure 9.0.15370.0 2010.04.06 Gen:Trojan.Heur.dy9@dJ799sjb
Fortinet 4.0.14.0 2010.04.06 W32/Bifrose.CBQE!tr.bdr
GData 19 2010.04.06 Gen:Trojan.Heur.dy9@dJ799sjb
Jiangmin 13.0.900 2010.04.06 Trojan/Agent.desr
McAfee-GW-Edition 6.8.5 2010.04.06 Heuristic.Malware
Rising 22.42.01.04 2010.04.06 Trojan.Win32.AvKiller.nq
Symantec 20091.2.0.41 2010.04.06 Suspicious.Insight
File size: 63541 bytes
MD5...: 2f881cd6f1a98bc8d7c9b67e15216a0b


http://www.virustotal.com/analisis/3f6791d73f773dded5616a52fedba36606b0fbb198b80e9dd0c67dd553f90a6e-1270563456
File svchost.exe received on 2010.04.06 14:17:36 (UTC)
Result: 10/39 (25.65%)
Antiy-AVL 2.0.3.7 2010.04.06 Backdoor/Win32.Bifrose.gen
Authentium 5.2.0.5 2010.04.06 W32/OnlineGames.BX.gen!Eldorado
F-Prot 4.5.1.85 2010.04.05 W32/OnlineGames.BX.gen!Eldorado
Fortinet 4.0.14.0 2010.04.06 W32/Bifrose.CBQE!tr.bdr
Jiangmin 13.0.900 2010.04.06 Backdoor/Bifrose.slb
Kaspersky 7.0.0.125 2010.04.06 -
McAfee-GW-Edition 6.8.5 2010.04.06 Heuristic.BehavesLike.Win32.Downloader.L
Sunbelt 6143 2010.04.06 Backdoor.Win32.Farfli.A (v)
Symantec 20091.2.0.41 2010.04.06 Suspicious.Insight
TheHacker 6.5.2.0.256 2010.04.06 Backdoor/Bifrose.cbqe
VBA32 3.12.12.4 2010.04.05 BScope.Dropper.Gen.7
File size: 75008 bytes
MD5...: d4dc2d1b658b480973f9bebde0c33e3d


Anubis report svchost.exe
http://anubis.iseclab.org/?action=result&task_id=130e1cf65a2892404f14172e28e865cf4

[#############################################################################] Anubis Analysis Report for svchost.exe MD5: d4dc2d1b658b480973f9bebde0c33e3d [#############################################################################] Summary: - Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions to be performed automatically. - Performs File Modification and Destruction: The executable modifiesand destructs files which are not temporary. - Performs Registry Activities: The executable reads and modifies registry values. It also creates and monitors registry keys. [=============================================================================] Table of Contents [=============================================================================] - General information - svchost.exe a) Registry Activities b) File Activities c) Windows Service Activities d) Other Activities - services.exe a) Registry Activities b) File Activities [#############################################################################] 1. General Information [#############################################################################] [=============================================================================] Information about Anubis' invocation [=============================================================================] Time needed: 31 s Report created: 04/06/10, 14:38:57 UTC Termination reason: All tracked processes have exited Program version: 1.74.2681 [#############################################################################] 2. svchost.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: Primary Analysis Subject Filename: svchost.exe MD5: d4dc2d1b658b480973f9bebde0c33e3d SHA-1: 44a1592ce93faca111f1d8d22586b531ebf6e243 File Size: 75008 Bytes Command Line: "C:\svchost.exe" Process-status at analysis end: dead Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\MSVCRT.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ], Base Address: [0x6F880000 ], Size: [0x001CA000 ] Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ] Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ] Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ] Module Name: [ C:\WINDOWS\system32\MSACM32.dll ], Base Address: [0x77BE0000 ], Size: [0x00015000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\SHELL32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ] Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\UxTheme.dll ], Base Address: [0x5AD70000 ], Size: [0x00038000 ] Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ] Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ] [=============================================================================] Run-time Dlls [=============================================================================] Module Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_ex.tmp ], Base Address: [0x10000000 ], Size: [0x00014000 ] Module Name: [ C:\WINDOWS\system32\MSCTF.dll ], Base Address: [0x74720000 ], Size: [0x0004C000 ] Module Name: [ C:\WINDOWS\system32\IMM32.dll ], Base Address: [0x76390000 ], Size: [0x0001D000 ] [=============================================================================] 2.a) svchost.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\6to4 ], Value Name: [ Description ], New Value: [ Resolves TCP/IP Protocol for this computer. If this service is stopped, this computer will not be able to resolve TCP/IP Protocol. If this service is disabled, any services that explicitly depend on it will fail to start. ] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\6to4 ], Value Name: [ InstallModule ], New Value: [ C:\svchost.exe ] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\6to4 ], Value Name: [ Type ], New Value: [ 4 ] Key: [ HKLM\SYSTEM\CurrentControlSet\Services\6to4\Parameters ], Value Name: [ ServiceDll ], New Value: [ C:\WINDOWS\system32\config\6to4nt.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], Value Name: [ CUAS ], Value: [ 0 ], 1 time Key: [ HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost ], Value Name: [ netsvcs ], Value: [ 0x360074006f00340000004100700070004d0067006d007400000041007500 ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time Key: [ HKLM\SYSTEM\CurrentControlSet\Services\AppMgmt ], Value Name: [ DisplayName ], Value: [ Application Management ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\AudioSrv ], Value Name: [ DisplayName ], Value: [ Windows Audio ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\BITS ], Value Name: [ DisplayName ], Value: [ Background Intelligent Transfer Service ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Browser ], Value Name: [ DisplayName ], Value: [ Computer Browser ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\CryptSvc ], Value Name: [ DisplayName ], Value: [ Cryptographic Services ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\DHCP ], Value Name: [ DisplayName ], Value: [ DHCP Client ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\DMServer ], Value Name: [ DisplayName ], Value: [ Logical Disk Manager ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\ERSvc ], Value Name: [ DisplayName ], Value: [ Error Reporting Service ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\EventSystem ], Value Name: [ DisplayName ], Value: [ COM+ Event System ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\FastUserSwitchingCompatibility ], Value Name: [ DisplayName ], Value: [ Fast User Switching Compatibility ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\HidServ ], Value Name: [ DisplayName ], Value: [ Human Interface Device Access ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer ], Value Name: [ DisplayName ], Value: [ Server ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation ], Value Name: [ DisplayName ], Value: [ Workstation ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Messenger ], Value Name: [ DisplayName ], Value: [ Messenger ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Netman ], Value Name: [ DisplayName ], Value: [ Network Connections ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Nla ], Value Name: [ DisplayName ], Value: [ Network Location Awareness (NLA) ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Ntmssvc ], Value Name: [ DisplayName ], Value: [ Removable Storage ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Rasauto ], Value Name: [ DisplayName ], Value: [ Remote Access Auto Connection Manager ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Rasman ], Value Name: [ DisplayName ], Value: [ Remote Access Connection Manager ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Remoteaccess ], Value Name: [ DisplayName ], Value: [ Routing and Remote Access ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SENS ], Value Name: [ DisplayName ], Value: [ System Event Notification ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\SRService ], Value Name: [ DisplayName ], Value: [ System Restore Service ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Schedule ], Value Name: [ DisplayName ], Value: [ Task Scheduler ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Seclogon ], Value Name: [ DisplayName ], Value: [ Secondary Logon ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Sharedaccess ], Value Name: [ DisplayName ], Value: [ Windows Firewall/Internet Connection Sharing (ICS) ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\ShellHWDetection ], Value Name: [ DisplayName ], Value: [ Shell Hardware Detection ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Tapisrv ], Value Name: [ DisplayName ], Value: [ Telephony ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Themes ], Value Name: [ DisplayName ], Value: [ Themes ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\TrkWks ], Value Name: [ DisplayName ], Value: [ Distributed Link Tracking Client ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\W32Time ], Value Name: [ DisplayName ], Value: [ Windows Time ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\WZCSVC ], Value Name: [ DisplayName ], Value: [ Wireless Zero Configuration ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\WmdmPmSN ], Value Name: [ DisplayName ], Value: [ Portable Media Serial Number Service ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\Wmi ], Value Name: [ DisplayName ], Value: [ Windows Management Instrumentation Driver Extensions ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\helpsvc ], Value Name: [ DisplayName ], Value: [ Help and Support ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\hkmsvc ], Value Name: [ DisplayName ], Value: [ Health Key and Certificate Management Service ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\napagent ], Value Name: [ DisplayName ], Value: [ Network Access Protection Agent ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\winmgmt ], Value Name: [ DisplayName ], Value: [ Windows Management Instrumentation ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\wscsvc ], Value Name: [ DisplayName ], Value: [ Security Center ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\wuauserv ], Value Name: [ DisplayName ], Value: [ Automatic Updates ], 2 times Key: [ HKLM\SYSTEM\CurrentControlSet\Services\xmlprov ], Value Name: [ DisplayName ], Value: [ Network Provisioning Service ], 2 times Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time Key: [ HKLM\SYSTEM\WPA\MediaCenter ], Value Name: [ Installed ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000204000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.iac2 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000001100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.imaadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000550000001e000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.l3acm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000000200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msadpcm ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000120000006001000016000000610100001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msaudio1 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ aFormatTagCache ], Value: [ 0x010000001000000006000000120000000700000012000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ cFormatTags ], Value: [ 3 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg711 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ aFormatTagCache ], Value: [ 0x0100000010000000420000001c000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msg723 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003100000014000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.msgsm610 ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000003001000016000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.sl_anet ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ aFormatTagCache ], Value: [ 0x01000000100000002200000032000000 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFilterTags ], Value: [ 0 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ cFormatTags ], Value: [ 2 ], 1 time Key: [ HKLM\Software\Microsoft\AudioCompressionManager\DriverCache\msacm.trspch ], Value Name: [ fdwSupport ], Value: [ 1 ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ midimapper ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.iac2 ], Value: [ C:\WINDOWS\system32\iac25_32.ax ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.imaadpcm ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.l3acm ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msadpcm ], Value: [ msadp32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msaudio1 ], Value: [ msaud32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg711 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msg723 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.msgsm610 ], Value: [ ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.sl_anet ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ msacm.trspch ], Value: [ tssoft32.acm ], 3 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.I420 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M261 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.M263 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.cvid ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv31 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv32 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv41 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iv50 ], Value: [ ], 1 time Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.iyuv ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.mrle ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.msvc ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.uyvy ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yuy2 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvu9 ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ vidc.yvyu ], Value: [ ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32 ], Value Name: [ wavemapper ], Value: [ ], 2 times Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Language Hotkey ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], Value Name: [ Layout Hotkey ], Value: [ 2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Multimedia\Audio ], Value Name: [ SystemFormats ], Value: [ CD Quality,Radio Quality,Telephone Quality ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time [=============================================================================] 2.b) svchost.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_ex.tmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_Res.tmp ] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\501781_Res.tmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\svchost.exe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_Res.tmp ] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\501781_Res.tmp ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Renamed: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Old File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_Res.tmp ], New File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_ex.tmp ] Old File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\501781_Res.tmp ], New File Name: [ C:\WINDOWS\system32\config\6to4nt.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\500531_ex.tmp ] File Name: [ C:\WINDOWS\AppPatch\AcGenral.DLL ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\IMM32.dll ] File Name: [ C:\WINDOWS\system32\MSACM32.dll ] File Name: [ C:\WINDOWS\system32\MSCTF.dll ] File Name: [ C:\WINDOWS\system32\SHELL32.dll ] File Name: [ C:\WINDOWS\system32\ShimEng.dll ] File Name: [ C:\WINDOWS\system32\UxTheme.dll ] File Name: [ C:\WINDOWS\system32\WINMM.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\imm32.dll ] File Name: [ C:\Windows\AppPatch\sysmain.sdb ] [=============================================================================] 2.c) svchost.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ 6to4 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ 6to4 ], Type: [ SERVICE_AUTO_START ], Path: [ %SystemRoot%\System32\svchost.exe -k netsvcs ] [=============================================================================] 2.d) svchost.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutexes Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Mutex: [ AgMmR1BYfVYGGzdZRHdgBVlZJVIZA2ABWVkxWUUeP1YNEiEYBBImRwsEIRkLBCIMAAAoNQA* ] Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ] Mutex: [ SHIMLIB_LOG_MUTEX ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Windows SEH exceptions: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Description: [ Exception 0xe06d7363 at 0x7c812aeb ], 1 time Description: [ Exception 0x6 at 0x7c812aeb ], 2 times [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_6TO4\0000\Control ], Value Name: [ ActiveService ], New Value: [ 6to4 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\6to4\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_6TO4\0000 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\6to4\Enum ], Value Name: [ Count ], Value: [ 1 ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\6to4 ], Value Name: [ ImagePath ], Value: [ %SystemRoot%\System32\svchost.exe -k netsvcs ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\6to4 ], Value Name: [ ObjectName ], Value: [ LocalSystem ], 2 times [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\net\NtControlPipe4, Flags: Named pipe ], Control Code: [ 0x0011C017 ], 1 time [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org

Traffic to

      Hostname:    61.139.126.23
      ISP:    CHINANET Sichuan province network
      Organization:    CHINANET Sichuan province network
      Country:    China
      City:    Chengdu

Robtex.com:

Summary

Summary

z-mgo.com, e-yzr.com, 7cxsp.com, szeol.net, star138.com and at least two other hosts point to 61.139.126.23. It is blacklisted in three lists.

inetnum: 61.139.126.0 - 61.139.126.63
netname: SC-MY-XIWEISHUMA-LYD
descr: SC-MY-XIWEISHUMA-LYD
descr: Sichuan China
country: CN
admin-c: CS408-AP
tech-c: CS408-AP
status: ASSIGNED NON-PORTABLE
mnt-by: MAINT-CHINANET-SC
changed: ipadmin@my-public.sc.cninfo.net 20050425
source: APNIC

role: CHINANET SICHUAN
address: No.72,Wen Miao Qian Str Chengdu SiChuan PR China
country: CN
phone: +86-28-86190657
fax-no: +86-25-86190641
e-mail: ipadmin@my-public.sc.cninfo.net
trouble: send anti-spam reports to anti-spam@mail.sc.cninfo.net
trouble: send abuse reports to security@mail.sc.cninfo.net
trouble: times in GMT+8
admin-c: YZ43-AP
tech-c: RL357-AP
tech-c: XS16-AP
nic-hdl: CS408-AP
remarks: noc.cd.sc.cn
notify: ipadmin@my-public.sc.cninfo.net
mnt-by: MAINT-CHINANET-SC
changed: zhangys@mail.sc.cninfo.net 20030318
source: APNIC

Machine translation of the pdf doc

New variants of the American ABM in Europe.On Thursday, a senior U.S. Defense Department said that America in addition to plans involving the deployment of European missile defense in Poland and the Czech Republic, and considering alternatives. In dealing with relations with Russia hearings in the House of Representatives Deputy Defense Minister Alexander Vershbow (Alexander Vershbow) told the congressmen that Obama's administration has reviewed plans for missile defense and examines the various configuration. 'We consider all options that can accomplish the task, including the option to base in Poland and radar in the Czech Republic ', - said Vershbow. Obama Administration seeks to improve relations with Russia, firmly supports against plans by the previous administration to place 10 missile interceptors in Poland and radar system in the Czech Republic. According to Russia, the further implementation of these plans could disrupt started American and Russian presidents negotiated resumption of cooperation. Despite the fact that the Obama administration has decided to reconsider its plans, it continues to argue that the ABM problem is a reflection of the threat posed by Iranian missiles, and that Russia does not threaten the system. In addition, the Administration considers that the refusal to deploy missile defense in Poland and the Czech Republic will damage relations with these two allies. Vershbow noted that the Administration will consider various options, but will not take into account Russian objections. 'Revision of the program - our internal affair, at this stage we are not going to debate with the Russian on alternatives - he says. - Our conclusions are based only on assessing the Iranian threat, as well as the effectiveness and cost of the system '.