Analysis Summary:

Analysis Date: 23.11.2006 13:12:12
Sandbox Version: Beta 1.83
Filename: 508ffdec653b5e75cdd7d7312d9648c1.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 1540
Filename: c:\508ffdec653b5e75cdd7d7312d9648c1.exe
Filesize: 21879 bytes
MD5: 508ffdec653b5e75cdd7d7312d9648c1
Start Reason: AnalysisTarget
Termination Reason: Timeout
Start Time: 00:00.047
Stop Time: 02:00.187
COM
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
DLL-Handling
Loaded DLLs
c:\508ffdec653b5e75cdd7d7312d9648c1.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\MSVBVM60.DLL
C:\WINDOWS\system32\USER32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\ADVAPI32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\OLEAUT32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
C:\WINDOWS\system32\VB6DE.DLL
uxtheme.dll
OLEAUT32.DLL
comctl32.dll
urlmon
mlang.dll
advapi32.dll
kernel32.dll
WININET.dll
RASAPI32.DLL
RTUTILS.DLL
WS2_32.dll
SHELL32.dll
USERENV.dll
netapi32.dll
netapi32
ole32.dll
VERSION.dll
Filesystem
New Files
\Device\RasAcd
c:\loaders.exe
Opened Files
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\A360B5YU\loader[1].exe
\\.\PIPE\wkssvc
C:\WINDOWS\Registration\R000000000014.clb
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\loaders.exe
Chronological order
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\foobar\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\A360B5YU\loader[1].exe (OPEN_EXISTING)
Create File: c:\loaders.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\loaders.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\foobar\My Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\All Users\Documents\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000014.clb (OPEN_EXISTING)
Get File Attributes: c:\loaders.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\loaders.exe ()
Find File: loaders.exe
INI Files
Read INI File
C:\Documents and Settings\foobar\My Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\foobar\My Documents\desktop.ini [DeleteOnCopy.A] Owner =
C:\Documents and Settings\foobar\My Documents\desktop.ini [DeleteOnCopy] PersonalizedName =
C:\Documents and Settings\foobar\My Documents\desktop.ini [DeleteOnCopy.A] PersonalizedName =
C:\Documents and Settings\All Users\Documents\desktop.ini [DeleteOnCopy] Owner =
C:\Documents and Settings\All Users\Documents\desktop.ini [.ShellClassInfo] LocalizedResourceName =
Mutexes
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: RasPbFile
Registry
Create or Open
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager
Reads
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager "CacheOk"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "User Agent"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IsTextPlainHonored"
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\\Registry\Machine\SYSTEM\WPA\MediaCenter "Installed"
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "c:\loaders.exe"
Enums
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
Process Management
Creates Process - Filename (c:\loaders.exe) CommandLine: () As User: () Creation Flags: ()
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Computer Name
User Management
Impersonate User - Domain: () User: (foobar)
Get User Name
Network Activity
UDP Connections
Download URLs
http://68.142.212.124/loader.exe
Outgoing connection to remote server: 68.142.212.124 TCP port 80

Analysis Number: 2
Parent ID: 0
Process ID: 704
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:05.828
Stop Time: 02:00.422
Process Management
Creates Process - Filename () CommandLine: ("C:\WINDOWS\system32\lxsys.exe") As User: () Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)

The following process was started by process: 1
Analysis Number: 3
Parent ID: 1
Process ID: 1416
Filename: c:\loaders.exe c:\loaders.exe
Filesize: -1 bytes
MD5:
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:13.953
Stop Time: 00:25.812
DLL-Handling
Loaded DLLs
c:\loaders.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
KERNEL32.DLL
MSVCRT.dll
user32.dll
advapi32.dll
ws2_32.dll
comctl32.dll
wininet.dll
icmp.dll
netapi32.dll
dnsapi.dll
iphlpapi.dll
mpr.dll
shell32.dll
C:\WINDOWS\system32\odbcint.dll
odbc32.dll
psapi.dll
shlwapi.dll
Filesystem
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\system32\lxsys.exe
Opened Files
\\.\Ip
C:\WINDOWSExplorer.exe
Chronological order
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\lxsys.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\loaders.exe to C:\WINDOWS\system32\lxsys.exe
Open File: C:\WINDOWSExplorer.exe (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\system32\lxsys.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_READONLY,FILE_ATTRIBUTE_SYSTEM,SECURITY_ANONYMOUS)
Registry
Create or Open
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions "jda30" = c:\loaders.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"
Process Management
Kill Process - Filename () CommandLine: () Target PID: (1416) As User: () Creation Flags: ()
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "Window LFX Services"
Create Service - Name: (Window LFX Services) Display Name: (Window LFX Services) File Name: ("C:\WINDOWS\system32\lxsys.exe") Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (Window LFX Services) Display Name: () File Name: () Control: () Start Type: ()
Change Service Configuration - Name: (Window LFX Services) Display Name: () File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
Change Service Configuration - Name: (Window LFX Services) Display Name: (Window LFX Services) File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
System Info
Get Windows Directory
Network Activity

The following process was started by process: 2
Analysis Number: 4
Parent ID: 2
Process ID: 1484
Filename: C:\WINDOWS\system32\lxsys.exe
Filesize: 46372 bytes
MD5: ad09bf5997fc4a30012eb73e553c6830
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:20.734
Stop Time: 02:00.250
DLL-Handling
Loaded DLLs
C:\WINDOWS\system32\lxsys.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
KERNEL32.DLL
MSVCRT.dll
user32.dll
advapi32.dll
ws2_32.dll
comctl32.dll
wininet.dll
icmp.dll
netapi32.dll
dnsapi.dll
iphlpapi.dll
mpr.dll
shell32.dll
C:\WINDOWS\system32\odbcint.dll
odbc32.dll
psapi.dll
shlwapi.dll
RASAPI32.DLL
RTUTILS.DLL
Filesystem
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files
\\.\Ip
\\.\PIPE\lsarpc
\\.\PIPE\srvsvc
Deleted Files
c:\loaders.exe
Chronological order
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Set File Attributes: c:\loaders.exe Flags: (FILE_ATTRIBUTE_NORMAL,SECURITY_ANONYMOUS)
Get File Attributes: c:\loaders.exe Flags: (SECURITY_ANONYMOUS)
Delete File: c:\loaders.exe
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\srvsvc (OPEN_EXISTING)
Mutexes
Creates Mutex: NC�I_CHAR(0x08)_�
Creates Mutex: RasPbFile
Network Shares
Delete Share - Host: () Network Resource: (IPC$) Filename: () As User: ()
Delete Share - Host: () Network Resource: (ADMIN$) Filename: () As User: ()
Delete Share - Host: () Network Resource: (C$) Filename: () As User: ()
Enum Network Shares - Network Resource: () Host: ()
Registry
Create or Open
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE
Changes
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control "WaitToKillServiceTimeout" = 7000
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "UpdatesDisableNotify" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusDisableNotify" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallDisableNotify" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile "EnableFirewall" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile "EnableFirewall" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update "AUOptions" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa "restrictanonymous" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareWks" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters "AutoShareServer" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters "AutoShareWks" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters "AutoShareServer" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate "DoNotAllowXPSP2" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE "EnableDCOM" = N
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions "jda30"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "TaskMon"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "PandaAVEngine"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysinfo.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "System MScvb"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "windows auto update"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Inet Xp.."
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "d3dupdate.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "ssate.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "rate.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "Tlntsvr"
Open Service - Name: "RemoteRegistry"
Open Service - Name: "RASMAN"
Open Service - Name: "Messenger"
Open Service - Name: "SharedAccess"
Open Service - Name: "wscsvc"
Control Service - Name: (Tlntsvr) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (RemoteRegistry) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (Messenger) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (SharedAccess) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
System Info
Get Computer Name
Window
Find Window - Class Name (mIRC) Window Name ()
Find Window - Class Name (AIM_CSignOnWnd) Window Name ()
Network Activity
DNS Lookup
Host Name        IP Address
hi.ircstyle.net  85.17.40.94
  • C&C Server: 85.17.40.94:8080
  • Server Password: nadjoe
  • Username: XP-2940 * 0 :FOO
  • Nickname: [00|DEU|459044]
  • Channel: ##d.r
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080
Outgoing connection to remote server: hi.ircstyle.net port 8080

Report generated at 23.11.2006 13:12:12 with CWSandbox Version Beta 1.83
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.