Analysis Summary:

Analysis Date: 13.08.2006 23:36:56
Sandbox Version: Beta 1.73
Filename: 9bc2f9e15a4802fe5be55a0510f2f0e3.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 1468
Filename: c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe
Filesize: 25185 bytes
MD5: 9bc2f9e15a4802fe5be55a0510f2f0e3
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.078
Stop Time: 00:04.171
Detection: Trojan.Proxy.Ranky-29 (ClamAV)
Backdoor.Proxy.Piky.B (BDC/Linux-Console)
Trojan/Dldr.Bary.FL.2 (AntiVir Workstation)
DLL-Handling
Loaded DLLs
c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
ADVAPI32.dll
PSAPI.DLL
WSOCK32.dll
KERNEL32.dll
Filesystem
New Files
C:\WINDOWS\NT\nrcs.exe
Opened Files
\SystemRoot\AppPatch\sysmain.sdb
\SystemRoot\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\NT\nrcs.exe
Chronological order
Copy File: c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe to C:\WINDOWS\NT\nrcs.exe
Set File Attributes: C:\WINDOWS\NT Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\NT\nrcs.exe Flags: (FILE_ATTRIBUTE_HIDDEN,FILE_ATTRIBUTE_NOT_CONTENT_INDEXED,SECURITY_ANONYMOUS)
Open File: \SystemRoot\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: \SystemRoot\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\NT\nrcs.exe ()
Find File: nrcs.exe
Registry
Create or Open
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "SFCDisable" = [REG_DWORD, value: 00000004]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer "NoFolderOptions" = [REG_DWORD, value: 00000001]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "Hidden" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "HideFileExt" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp "Path" = c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp\Registry\Machine\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers "C:\WINDOWS\NT\nrcs.exe"
Process Management
Creates Process - Filename (C:\WINDOWS\NT\nrcs.exe) CommandLine: () As User: () Creation Flags: (DETACHED_PROCESS)
System Info
Get Windows Directory

The following process was started by process: 1
Analysis Number: 2
Parent ID: 1
Process ID: 1908
Filename: C:\WINDOWS\NT\nrcs.exe
Filesize: 25185 bytes
MD5: 9bc2f9e15a4802fe5be55a0510f2f0e3
Start Reason: CreateProcess
Termination Reason: NormalTermination
Start Time: 00:03.671
Stop Time: 00:12.500
Detection: Trojan.Proxy.Ranky-29 (ClamAV)
Backdoor.Proxy.Piky.B (BDC/Linux-Console)
Trojan/Dldr.Bary.FL.2 (AntiVir Workstation)
DLL-Handling
Loaded DLLs
C:\WINDOWS\NT\nrcs.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
ADVAPI32.dll
PSAPI.DLL
WSOCK32.dll
KERNEL32.dll
Filesystem
Deleted Files
c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe
Chronological order
Delete File: c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe
Registry
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp "Path"
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "ntrcs"
Create Service - Name: (ntrcs) Display Name: (Windows Vista/NT Runtime Compatibility Service) File Name: (C:\WINDOWS\NT\nrcs.exe) Control: () Start Type: (SERVICE_AUTO_START)
Start Service - Name: (ntrcs) Display Name: () File Name: () Control: () Start Type: ()
Change Service Configuration - Name: (ntrcs) Display Name: () File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
Change Service Configuration - Name: (ntrcs) Display Name: (Provides automated runtime support for Windows Vista applications. Stopping or disabling this service will result in system instability.) File Name: () Control: () Start Type: (SERVICE_NO_CHANGE)
System Info
Get Windows Directory

Analysis Number: 3
Parent ID: 0
Process ID: 528
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:05.140
Stop Time: 02:00.203
Process Management
Creates Process - Filename () CommandLine: (C:\WINDOWS\NT\nrcs.exe) As User: () Creation Flags: (CREATE_SUSPENDED,CREATE_UNICODE_ENVIRONMENT,DETACHED_PROCESS)

The following process was started by process: 3
Analysis Number: 4
Parent ID: 3
Process ID: 416
Filename: C:\WINDOWS\NT\nrcs.exe
Filesize: 25185 bytes
MD5: 9bc2f9e15a4802fe5be55a0510f2f0e3
Start Reason: CreateProcess
Termination Reason: Timeout
Start Time: 00:07.468
Stop Time: 02:00.484
Detection: Trojan.Proxy.Ranky-29 (ClamAV)
Backdoor.Proxy.Piky.B (BDC/Linux-Console)
Trojan/Dldr.Bary.FL.2 (AntiVir Workstation)
DLL-Handling
Loaded DLLs
C:\WINDOWS\NT\nrcs.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
ADVAPI32.dll
PSAPI.DLL
WSOCK32.dll
KERNEL32.dll
WS2_32.dll
Filesystem
New Files
\Device\RasAcd
Opened Files
\\.\PIPE\lsarpc
Deleted Files
C:\WINDOWS\winsock\services.exe
Chronological order
Delete File: C:\WINDOWS\winsock\services.exe
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Mutexes
Creates Mutex: WVNRCS32_Class_
Registry
Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft (R) Windows Vista/NT Runtime Compatibility Service" = C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\NT\nrcs.exe" = C:\WINDOWS\NT\nrcs.exe:*:Enabled:Microsoft (R) Windows Vista/NT Runtime Compatibility Service
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Tmp "Path"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Process Management
Enum Processes
Open Process - Filename () Target PID: (4)
Open Process - Filename (\SystemRoot\System32\smss.exe) Target PID: (360)
Open Process - Filename (C:\WINDOWS\system32\csrss.exe) Target PID: (448)
Open Process - Filename (C:\WINDOWS\system32\winlogon.exe) Target PID: (472)
Open Process - Filename (C:\WINDOWS\system32\services.exe) Target PID: (528)
Open Process - Filename (C:\WINDOWS\system32\lsass.exe) Target PID: (540)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (724)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (944)
Open Process - Filename (C:\WINDOWS\System32\svchost.exe) Target PID: (1028)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1072)
Open Process - Filename (C:\WINDOWS\system32\svchost.exe) Target PID: (1116)
Open Process - Filename (C:\WINDOWS\system32\spoolsv.exe) Target PID: (1364)
Open Process - Filename (C:\WINDOWS\Explorer.EXE) Target PID: (1584)
Open Process - Filename (C:\WINDOWS\system32\inetsrv\inetinfo.exe) Target PID: (1728)
Open Process - Filename (C:\WINDOWS\System32\alg.exe) Target PID: (924)
Open Process - Filename (C:\WINDOWS\system32\wscntfy.exe) Target PID: (1516)
Open Process - Filename (C:\WINDOWS\NT\nrcs.exe) Target PID: (1908)
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "ntrcs"
Open Service - Name: "VistaRuntimeSvc"
Open Service - Name: "LocalSecurityService"
Open Service - Name: "ProtectedContentSvc"
Open Service - Name: "winsck"
Open Service - Name: "winsock"
Open Service - Name: "DeviceSynchronization"
Open Service - Name: "netagent"
Open Service - Name: "netshare"
Open Service - Name: "cmapsvc"
Open Service - Name: "CfgBackupSvc"
Open Service - Name: "NetServ"
Open Service - Name: "DllService"
Open Service - Name: "dllsvc"
Open Service - Name: "fps"
Open Service - Name: "NetAuth"
Open Service - Name: "NetManager"
Open Service - Name: "csrss"
Open Service - Name: "NetMap"
Open Service - Name: "lsass"
Open Service - Name: "ConfigMgr"
Open Service - Name: "RunDll32"
Open Service - Name: "UpdateSvc"
Open Service - Name: "ServiceMgr"
Open Service - Name: "AutoUpdateMgr"
Open Service - Name: "UpdateMgr"
Open Service - Name: "SharedAccess"
Open Service - Name: "Alerter"
Open Service - Name: "ALG"
Open Service - Name: "ERSvc"
Open Service - Name: "helpsvc"
Open Service - Name: "Messenger"
Open Service - Name: "wscsvc"
Open Service - Name: "srservice"
Open Service - Name: "SamSs"
Open Service - Name: "RemoteRegistry"
Open Service - Name: "SENS"
Control Service - Name: (SharedAccess) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (Alerter) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (ALG) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (ERSvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (helpsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (Messenger) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (srservice) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (SamSs) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (RemoteRegistry) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Control Service - Name: (SENS) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Change Service Configuration - Name: (SharedAccess) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (Alerter) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (ALG) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (ERSvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (helpsvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (Messenger) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (wscsvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (srservice) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (SamSs) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (RemoteRegistry) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Change Service Configuration - Name: (SENS) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
System Info
Get System Directory
Get Windows Directory
Get System Time
Virtual Memory
VM Read - Target: (4) Address: ($00000008) Size: (4)
VM Read - Target: (360) Address: ($7FFDB008) Size: (4)
VM Read - Target: (360) Address: ($7FFDB00C) Size: (4)
VM Read - Target: (360) Address: ($00261EA4) Size: (4)
VM Read - Target: (360) Address: ($00261EC0) Size: (80)
VM Read - Target: (360) Address: ($001106A0) Size: (60)
VM Read - Target: (448) Address: ($7FFDF008) Size: (4)
VM Read - Target: (448) Address: ($7FFDF00C) Size: (4)
VM Read - Target: (448) Address: ($00261EA4) Size: (4)
VM Read - Target: (448) Address: ($00261EC0) Size: (80)
VM Read - Target: (448) Address: ($00110534) Size: (68)
VM Read - Target: (472) Address: ($7FFDD008) Size: (4)
VM Read - Target: (472) Address: ($7FFDD00C) Size: (4)
VM Read - Target: (472) Address: ($00171EA4) Size: (4)
VM Read - Target: (472) Address: ($00171EC0) Size: (80)
VM Read - Target: (472) Address: ($00020534) Size: (74)
VM Read - Target: (528) Address: ($7FFDF008) Size: (4)
VM Read - Target: (528) Address: ($7FFDF00C) Size: (4)
VM Read - Target: (528) Address: ($00191EA4) Size: (4)
VM Read - Target: (528) Address: ($00191EC0) Size: (80)
VM Read - Target: (528) Address: ($00020598) Size: (66)
VM Read - Target: (540) Address: ($7FFDE008) Size: (4)
VM Read - Target: (540) Address: ($7FFDE00C) Size: (4)
VM Read - Target: (540) Address: ($00191EA4) Size: (4)
VM Read - Target: (540) Address: ($00191EC0) Size: (80)
VM Read - Target: (540) Address: ($00020598) Size: (60)
VM Read - Target: (724) Address: ($7FFD6008) Size: (4)
VM Read - Target: (724) Address: ($7FFD600C) Size: (4)
VM Read - Target: (724) Address: ($00191EA4) Size: (4)
VM Read - Target: (724) Address: ($00191EC0) Size: (80)
VM Read - Target: (724) Address: ($00020598) Size: (64)
VM Read - Target: (944) Address: ($7FFD8008) Size: (4)
VM Read - Target: (944) Address: ($7FFD800C) Size: (4)
VM Read - Target: (944) Address: ($00191EA4) Size: (4)
VM Read - Target: (944) Address: ($00191EC0) Size: (80)
VM Read - Target: (944) Address: ($00020598) Size: (64)
VM Read - Target: (1028) Address: ($7FFDF008) Size: (4)
VM Read - Target: (1028) Address: ($7FFDF00C) Size: (4)
VM Read - Target: (1028) Address: ($00191EA4) Size: (4)
VM Read - Target: (1028) Address: ($00191EC0) Size: (80)
VM Read - Target: (1028) Address: ($00020598) Size: (64)
VM Read - Target: (1072) Address: ($7FFDC008) Size: (4)
VM Read - Target: (1072) Address: ($7FFDC00C) Size: (4)
VM Read - Target: (1072) Address: ($00191EA4) Size: (4)
VM Read - Target: (1072) Address: ($00191EC0) Size: (80)
VM Read - Target: (1072) Address: ($00020598) Size: (64)
VM Read - Target: (1116) Address: ($7FFD7008) Size: (4)
VM Read - Target: (1116) Address: ($7FFD700C) Size: (4)
VM Read - Target: (1116) Address: ($00191EA4) Size: (4)
VM Read - Target: (1116) Address: ($00191EC0) Size: (80)
VM Read - Target: (1116) Address: ($00020598) Size: (64)
VM Read - Target: (1364) Address: ($7FFDB008) Size: (4)
VM Read - Target: (1364) Address: ($7FFDB00C) Size: (4)
VM Read - Target: (1364) Address: ($00191EA4) Size: (4)
VM Read - Target: (1364) Address: ($00191EC0) Size: (80)
VM Read - Target: (1364) Address: ($00020598) Size: (64)
VM Read - Target: (1584) Address: ($7FFD5008) Size: (4)
VM Read - Target: (1584) Address: ($7FFD500C) Size: (4)
VM Read - Target: (1584) Address: ($00191EA4) Size: (4)
VM Read - Target: (1584) Address: ($00191EC0) Size: (80)
VM Read - Target: (1584) Address: ($00020584) Size: (48)
VM Read - Target: (1728) Address: ($7FFDE008) Size: (4)
VM Read - Target: (1728) Address: ($7FFDE00C) Size: (4)
VM Read - Target: (1728) Address: ($00181EA4) Size: (4)
VM Read - Target: (1728) Address: ($00181EC0) Size: (80)
VM Read - Target: (1728) Address: ($000205A8) Size: (82)
VM Read - Target: (924) Address: ($7FFD4008) Size: (4)
VM Read - Target: (924) Address: ($7FFD400C) Size: (4)
VM Read - Target: (924) Address: ($00191EA4) Size: (4)
VM Read - Target: (924) Address: ($00191EC0) Size: (80)
VM Read - Target: (924) Address: ($00020598) Size: (56)
VM Read - Target: (1516) Address: ($7FFD7008) Size: (4)
VM Read - Target: (1516) Address: ($7FFD700C) Size: (4)
VM Read - Target: (1516) Address: ($00191EA4) Size: (4)
VM Read - Target: (1516) Address: ($00191EC0) Size: (80)
VM Read - Target: (1516) Address: ($00020598) Size: (64)
VM Read - Target: (1908) Address: ($7FFD7008) Size: (4)
VM Read - Target: (1908) Address: ($7FFD700C) Size: (4)
VM Read - Target: (1908) Address: ($00241EA4) Size: (4)
VM Read - Target: (1908) Address: ($00241EC0) Size: (80)
VM Read - Target: (1908) Address: ($000205CC) Size: (46)
Network Activity
DNS Lookup
Host Name      IP Address
yu.haxx.biz    66.185.126.44
UDP Connections
Remote IP Address: 66.185.126.44 Port: 3023
Send Datagram: packet(s) of size 4 (content: fndp)
Opened listening TCP connection on port: 3728

Report generated at 13.08.2006 23:36:56 with CWSandbox Version Beta 1.73
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.
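The registry writes, service operations, dropped file, mutex and network entries above are the evidence an analyst turns into detection content. The script below is an added triage helper, not part of the CWSandbox report or of Sunbelt's tooling: it parses behaviour lines in the report's own line format, tags each registry and SCM operation as persistence or defence evasion, and collects host and network IOCs. The SAMPLE block is constructed from lines copied out of the report above; the category labels, the EXPLORER_HIDE and SECURITY_SERVICES tables (XP service names mapped to their roles) and all function names are this example's own assumptions, not anything the sandbox emits.

```python
"""Added triage helper for CWSandbox-style behaviour lines: tag registry and
SCM operations as persistence or defence evasion and collect IOCs. SAMPLE is
constructed from lines copied out of the report above."""
import re

REG_RE = re.compile(r'^(HKEY_[A-Z_]+\\.+?) "([^"]+)" = (.*)$')
SVC_RE = re.compile(
    r'^(Create Service|Control Service|Change Service Configuration) - '
    r'Name: \((.*?)\) Display Name: \((.*?)\) File Name: \((.*?)\) '
    r'Control: \((.*?)\) Start Type: \((.*?)\)$')
COPY_RE = re.compile(r'^Copy File: (.+?) to (.+)$')
MUTEX_RE = re.compile(r'^Creates Mutex: (\S+)$')
REMOTE_RE = re.compile(r'^Remote IP Address: (\S+) Port: (\d+)$')
LISTEN_RE = re.compile(r'^Opened listening TCP connection on port: (\d+)$')

# Explorer values that hide files/extensions or lock the Folder Options dialog.
EXPLORER_HIDE = {"Hidden", "ShowSuperHidden", "HideFileExt", "NoFolderOptions"}
# XP service names (assumed mapping) whose stop/disable weakens host defences.
SECURITY_SERVICES = {"SharedAccess": "Windows Firewall/ICS", "wscsvc": "Security Center",
                     "srservice": "System Restore", "ERSvc": "Error Reporting"}

# Constructed input: lines copied from the report above.
SAMPLE = r"""
Copy File: c:\analysis\binary\9bc2f9e15a4802fe5be55a0510f2f0e3.exe to C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "SFCDisable" = [REG_DWORD, value: 00000004]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced "ShowSuperHidden" = [REG_DWORD, value: 00000000]
Create Service - Name: (ntrcs) Display Name: (Windows Vista/NT Runtime Compatibility Service) File Name: (C:\WINDOWS\NT\nrcs.exe) Control: () Start Type: (SERVICE_AUTO_START)
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows "load" = C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Microsoft (R) Windows Vista/NT Runtime Compatibility Service" = C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Userinit" = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = Explorer.exe C:\WINDOWS\NT\nrcs.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\NT\nrcs.exe" = C:\WINDOWS\NT\nrcs.exe:*:Enabled:Microsoft (R) Windows Vista/NT Runtime Compatibility Service
Control Service - Name: (wscsvc) Display Name: () File Name: () Control: (SERVICE_CONTROL_STOP) Start Type: ()
Change Service Configuration - Name: (wscsvc) Display Name: () File Name: () Control: () Start Type: (SERVICE_DISABLED)
Creates Mutex: WVNRCS32_Class_
Remote IP Address: 66.185.126.44 Port: 3023
Opened listening TCP connection on port: 3728
"""


def classify_registry(key, name, data):
    """Map one registry write to (category, technique, evidence), or None."""
    k = key.lower()
    if k.endswith("\\currentversion\\run"):
        return ("persistence", "Run key", f"{name} -> {data}")
    if k.endswith("\\winlogon") and name in ("Userinit", "Shell"):
        return ("persistence", f"Winlogon {name} hijack", data)
    if k.endswith("\\currentversion\\windows") and name.lower() == "load":
        return ("persistence", "Windows 'load' value", data)
    if k.endswith("\\winlogon") and name == "SFCDisable":
        return ("defense-evasion", "Windows File Protection setting changed", data)
    if "\\firewallpolicy\\" in k and k.endswith("\\authorizedapplications\\list"):
        return ("defense-evasion", "Firewall exception added", data)
    if "\\explorer" in k and name in EXPLORER_HIDE:
        return ("defense-evasion", "Explorer file-hiding setting", f"{name}={data}")
    return None


def classify_service(action, name, display, path, control, start):
    """Map one SCM operation to a finding, or None."""
    if action == "Create Service":
        return ("persistence", "Service installed", f"{name} ({display}) -> {path} [{start}]")
    if name in SECURITY_SERVICES:
        if control == "SERVICE_CONTROL_STOP":
            return ("defense-evasion", f"{SECURITY_SERVICES[name]} stopped", name)
        if start == "SERVICE_DISABLED":
            return ("defense-evasion", f"{SECURITY_SERVICES[name]} disabled", name)
    return None


def triage(text):
    """Return (findings, iocs) for a block of behaviour lines."""
    findings = []
    iocs = {"files": set(), "services": set(), "mutexes": set(),
            "remote": set(), "listen_ports": set()}
    for line in text.splitlines():
        line = line.strip()
        if m := COPY_RE.match(line):
            iocs["files"].add(m.group(2))
        elif m := MUTEX_RE.match(line):
            iocs["mutexes"].add(m.group(1))
        elif m := REMOTE_RE.match(line):
            iocs["remote"].add(f"{m.group(1)}:{m.group(2)}")
        elif m := LISTEN_RE.match(line):
            iocs["listen_ports"].add(int(m.group(1)))
        elif m := SVC_RE.match(line):
            if m.group(1) == "Create Service":
                iocs["services"].add(m.group(2))
                iocs["files"].add(m.group(4))
            if f := classify_service(*m.groups()):
                findings.append(f)
        elif m := REG_RE.match(line):
            if f := classify_registry(*m.groups()):
                findings.append(f)
    return findings, iocs


if __name__ == "__main__":
    found, indicators = triage(SAMPLE)
    for category, technique, evidence in found:
        print(f"[{category}] {technique}: {evidence}")
    print(indicators)
```

Running the script on SAMPLE prints five persistence findings (Run key, Winlogon Userinit and Shell, the Windows "load" value, and the auto-start service ntrcs) and five defence-evasion findings (the SFCDisable change, the ShowSuperHidden change, the firewall exception, and the stop and disable of wscsvc), plus the dropped file, service name, mutex, remote endpoint and listening port as IOCs. Note that SFCDisable is reported as a change rather than as "disabled": on XP the value 4 keeps Windows File Protection active but suppresses its prompts, so the classifier does not claim more than the registry write shows.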