Analysis Summary:

Analysis Date: 27.09.2006 21:02:15
Sandbox Version: Beta 1.81
Filename: 2759b3a4dcb3350d5e0ca7af7e2f6396.exe

Technical Details:

Analysis Number: 1
Parent ID: 0
Process ID: 1040
Filename: c:\analysis\binary\2759b3a4dcb3350d5e0ca7af7e2f6396.exe
Filesize: 13480 bytes
MD5: 2759b3a4dcb3350d5e0ca7af7e2f6396
Start Reason: AnalysisTarget
Termination Reason: NormalTermination
Start Time: 00:00.063
Stop Time: 00:12.641
Detection: OK (ClamAV)
           OK (BDC/Linux-Console)
           OK (AntiVir Workstation)
COM
COM Create Instance: %SystemRoot%\system32\shdocvw.dll, ProgID: (), Interface ID: ({000214E6-0000-0000-C000-000000000046})
COM Get Class Object: C:\WINDOWS\system32\urlmon.dll, Interface ID: ({00000001-0000-0000-C000-000000000046})
DLL-Handling
Loaded DLLs
c:\analysis\binary\2759b3a4dcb3350d5e0ca7af7e2f6396.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\GDI32.dll
C:\WINDOWS\system32\advapi32.dll
C:\WINDOWS\system32\RPCRT4.dll
C:\WINDOWS\system32\oleaut32.dll
C:\WINDOWS\system32\msvcrt.dll
C:\WINDOWS\system32\ole32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\Wship6.dll
C:\WINDOWS\system32\pstorec.dll
C:\WINDOWS\system32\ATL.DLL
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\system32\WLDAP32.dll
C:\WINDOWS\system32\Secur32.dll
comctl32.dll
urlmon.dll
WSOCK32.dll
KERNEL32.dll
USER32.dll
GDI32.dll
ADVAPI32.dll
SHELL32.dll
uxtheme.dll
mlang.dll
WININET.dll
WS2_32.dll
RASAPI32.DLL
RTUTILS.DLL
USERENV.dll
netapi32.dll
netapi32
appHelp.dll
ole32.dll
RichEd20.dll
VERSION.dll
Filesystem
New Files
\Device\RasAcd
a.exe
drsmartload1135a.exe
mny.exe
msgs.exe
Opened Files
\\.\PIPE\lsarpc
c:\autoexec.bat
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\A360B5YU\jackjohnson[1].mp3
\\.\PIPE\wkssvc
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\Registration\R000000000014.clb
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\VXZ0R7B8\drsmartload1135a[1].exe
C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\R4AWLO0I\mcsh[1].mp3
Chronological order
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Documents and Settings\foobar\Application Data\Microsoft\Network\Connections\Pbk\*.pbk
Open File: C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\A360B5YU\jackjohnson[1].mp3 (OPEN_EXISTING)
Create File: a.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\analysis\binary Flags: (SECURITY_ANONYMOUS)
Get File Attributes: a.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\shdocvw.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000014.clb (OPEN_EXISTING)
Get File Attributes: c:\analysis\binary\a.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\a.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\VXZ0R7B8\drsmartload1135a[1].exe (OPEN_EXISTING)
Create File: drsmartload1135a.exe
Get File Attributes: drsmartload1135a.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\drsmartload1135a.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\drsmartload1135a.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Get File Attributes: Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\System32\Wbem\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Program Files\Support Tools\Yinstall.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\Documents and Settings\foobar\Local Settings\Temporary Internet Files\Content.IE5\R4AWLO0I\mcsh[1].mp3 (OPEN_EXISTING)
Create File: mny.exe
Get File Attributes: mny.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\mny.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\analysis\binary\mny.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Copy File: msnmsgr.exe to msgs.exe
Mutexes
Creates Mutex: ZonesCounterMutex
Creates Mutex: ZonesCacheCounterMutex
Creates Mutex: ZonesLockedCacheCounterMutex
Creates Mutex: RasPbFile
Registry
Create or Open
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager
Reads
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings "DisableImprovedZoneCheck"
Software\Microsoft\Windows\CurrentVersion\ThemeManager "Compositing"
Control Panel\Desktop "LameButtonText"
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager "CacheOk"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "User Agent"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "IsTextPlainHonored"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\\Registry\Machine\Software\Classes\CLSID\{871c5380-42a0-1069-a2ea-08002b30309d}\InProcServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\MSNMSGR.EXE "Path"
Enums
HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
Process Management
Creates Process - Filename (a.exe) CommandLine: () As User: () Creation Flags: ()
Creates Process - Filename (drsmartload1135a.exe) CommandLine: () As User: () Creation Flags: ()
Creates Process - Filename (Yinstall.exe) CommandLine: () As User: () Creation Flags: ()
Creates Process - Filename (mny.exe) CommandLine: () As User: () Creation Flags: ()
Service Management
Open Service Manager - Name: "SCM"
Open Service - Name: "RASMAN"
System Info
Get System Directory
Get Windows Directory
Get Computer Name
User Management
Impersonate User - Domain: () User: (foobar)
Impersonate User - Domain: () User: (foobar)
Get User Name
Window
Enum Windows
Destroy Window - Class Name (URL Moniker Notification Window) Window Name ()
Network Activity
DNS Lookup
Host Name          IP Address
go.links4all.biz   69.25.27.172
UDP Connections
Download URLs
http://go.links4all.biz/
http://69.64.36.26/jackjohnson.mp3
http://69.64.36.26/mcsh.mp3
http://194.187.45.56/webmasterexe/drsmartload1135a.exe
http://69.64.36.26/Yinstall.mp3
Outgoing connection to remote server: go.links4all.biz TCP port 80
Outgoing connection to remote server: 69.64.38.140 port 80
Outgoing connection to remote server: 69.64.36.26 TCP port 80
Outgoing connection to remote server: 194.187.45.56 TCP port 80
Outgoing connection to remote server: 69.64.36.26 TCP port 80

Analysis Number: 2
Parent ID: 0
Process ID: 704
Filename: services.exe
Filesize: -1 bytes
MD5:
Start Reason: SCM
Termination Reason: Timeout
Start Time: 00:04.110
Stop Time: 00:13.703

Report generated at 27.09.2006 21:02:15 with CWSandbox Version Beta 1.81
This analysis was created by the CWSandbox Copyright © 2006 Carsten Willems
Copyright © 1996-2006 Sunbelt Software. All rights reserved.