Pay-Per-Install Analysis – Part Four

Posted by on Monday, July 26th, 2010 | 10,915 views

GoldInstall

Next we have a company called GoldInstall.

This is how much they pay for 1000 installs per country.

Country  	Price
OTH 	13$
US 	150$
GB 	110$
CA 	110$
DE 	30$
BE 	20$
IT 	65$
CH 	20$
CZ 	20$
DK 	20$
ES 	30$
AU 	55$
FR 	30$
NL 	20$
NO 	20$
PT 	30$
LB 	6$
AL 	6$
LA 	6$
AF 	6$
KZ 	6$
AE 	6$
LU 	6$
AZ 	6$
BD 	6$
BH 	6$
MN 	6$
MO 	6$
BN 	6$
MV 	6$
BT 	6$
MY 	6$
NP 	6$
CN 	6$
OM 	6$
PH 	6$
PK 	6$
CY 	6$
QA 	6$
SA 	6$
SG 	6$
SY 	6$
TW 	6$
TH 	6$
FJ 	6$
TM 	6$
HK 	6$
ID 	6$
IL 	6$
IN 	6$
UZ 	6$
IQ 	6$
IR 	6$
VN 	6$
YE 	6$
JO 	6$
JP 	6$
KH 	6$
KP 	6$
KR 	6$
KW 	6$

One thing I found quiet funny, was these 2 entries in their FAQ.

Is your software a virus?

Definitely not! We don’t do anything against computer owner. If they choose to use an Goldinstall-supported service, it is identical to accepting the mechanisms we bring (such as popup advertisements). It’s just as simple as that.

So why does my antivirus classify you as trojan/worm/virus?

AV companies have a good interest in convincing you that the Internet is an insecure place full of danger, and that almost nothing is worth of any trust (unless you use their products). We don’t share such views.

So let me get this right. AV’s are wrong to detect an application that silently downloads and executes other malware? One being a rootkit in my tests, which incidentally had “botnet” in its internal PDB path.

List of strings from the dropper, which was only packed with UPX, and compiled with Visual Basic 6.0.

0x000001B0	0x00000005	.text
0x000001D7	0x00000006	`.data
0x00000200	0x00000005	.rsrc
0x0000127C	0x0000000C	AutoDownload
0x0000128D	0x00000007	  =   3
0x000012D4	0x0000000E	lientWidSocket
0x00001368	0x00000005	Form1
0x00001372	0x00000005	Form1
0x00001589	0x0000000A	DDDDDDDDD@
0x0000168B	0x00000005	Form1
0x000016AD	0x00000006	Timer3
0x000016CE	0x00000008	dpsocket
0x000016DA	0x00000013	AutoDownload.Socket
0x00001752	0x00000005	Text1
0x00001773	0x00000006	Timer2
0x00001795	0x0000000B	WebBrowser1
0x000017A4	0x00000015	SHDocVwCtl.WebBrowser
0x00001874	0x00000006	Timer1
0x00001896	0x0000000A	vb6chs.dll
0x00001911	0x0000000C	AutoDownload
0x000022B8	0x0000004A	*\AS:\Worker\tempvbp\AutoDownload.vbp
0x000025C9	0x00000013	AutoDownload.Socket
0x000025DD	0x00000006	Socket
0x00002760	0x0000000A	ReadyState
0x0000276B	0x0000000B	shdocvw.dll
0x00002777	0x00000015	SHDocVwCtl.WebBrowser
0x0000278D	0x0000000A	WebBrowser
0x00004700	0x00000009	moduleAPI
0x0000470C	0x0000000E	moduleRegister
0x0000471C	0x0000000D	moduleWinInet
0x0000472C	0x00000005	Form1
0x00004734	0x00000013	classApplicationLog
0x00004748	0x00000007	Module1
0x00004750	0x00000007	Module2
0x00004758	0x0000000F	modSocketMaster
0x00004768	0x0000000D	CSocketMaster
0x00004778	0x00000006	Socket
0x00004780	0x0000000C	AutoDownload
0x00004794	0x00000014	USER32.DLL
0x000047B0	0x00000018	KERNEL32.DLL
0x000047D0	0x00000018	ADVAPI32.DLL
0x000047F0	0x00000016	WININET.DLL
0x0000482C	0x00000008	kernel32
0x0000483C	0x0000000C	GetLastError
0x0000484C	0x0000000B	WebBrowser1
0x00004890	0x0000000C	LoadLibraryA
0x000048D8	0x0000000E	GetProcAddress
0x00004920	0x00000006	user32
0x0000492C	0x0000000F	CallWindowProcA
0x00004974	0x0000000B	FreeLibrary
0x000049B8	0x0000000D	RtlMoveMemory
0x00004A18	0x00000006	Timer3
0x00004A64	0x00000008	VBA6.DLL
0x00004A74	0x0000000D	InternetOpenA
0x00004AB0	0x0000001A	RegOpenKeyExA
0x00004AD0	0x00000007	wininet
0x00004B20	0x00000013	InternetCloseHandle
0x00004B6C	0x00000010	InternetOpenUrlA
0x00004BB8	0x0000000B	wininet.dll
0x00004BC8	0x0000000E	HttpQueryInfoA
0x00004C10	0x00000010	InternetReadFile
0x00004C5C	0x00000012	InternetSetOptionA
0x00004D1C	0x00000035	C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
0x00004D8C	0x00000005	Text1
0x00004DB4	0x0000001F	C:\WINDOWS\system32\shdocvw.oca
0x00004DD4	0x0000000A	SHDocVwCtl
0x00004E18	0x00000009	udpsocket
0x00004E24	0x00000006	Timer1
0x00004E2C	0x00000006	Timer2
0x00004E38	0x0000000C	advapi32.dll
0x00004E4C	0x0000000D	RegCreateKeyA
0x00004E94	0x0000000E	RegSetValueExA
0x00004EDC	0x0000000B	RegCloseKey
0x00004F20	0x0000000B	RegOpenKeyA
0x00004F64	0x00000005	Sleep
0x00004FA4	0x0000000B	shell32.dll
0x00004FB4	0x00000010	SHGetFolderPathA
0x00004FFC	0x0000000D	kjgfrtxdgqe63
0x00005014	0x00000007	udpstop
0x0000501C	0x0000000A	Decryption
0x00005028	0x00000007	GetItem
0x00005030	0x00000007	SetItem
0x00005038	0x0000000C	SaveFileText
0x00005048	0x0000000C	ReadFileText
0x00005058	0x0000000E	IsWowInstalled
0x00005068	0x0000000C	firstfucktag
0x00005078	0x00000007	SConfig
0x000050E4	0x0000000B	GlobalAlloc
0x000050F0	0x0000000C	SocketHandle
0x00005100	0x00000007	connect
0x00005140	0x0000000A	GlobalFree
0x00005184	0x0000000A	ws2_32.dll
0x00005194	0x0000000A	WSAStartup
0x000051D8	0x0000000A	WSACleanup
0x0000521C	0x00000015	WSAAsyncGetHostByName
0x0000526C	0x0000000E	WSAAsyncSelect
0x000052B4	0x0000000F	CreateWindowExA
0x000052C4	0x00000008	CloseSck
0x00005308	0x0000000D	DestroyWindow
0x00005350	0x00000008	lstrlenA
0x00005394	0x00000008	lstrcpyA
0x000053D8	0x00000008	SetTimer
0x0000541C	0x00000009	KillTimer
0x00005460	0x00000008	IsWindow
0x0000547C	0x0000000D	BytesReceived
0x000054CC	0x0000000E	GetWindowLongA
0x00005514	0x0000000E	SetWindowLongA
0x0000555C	0x00000010	GetModuleHandleA
0x00005640	0x00000005	Class
0x00005648	0x00000008	Protocol
0x00005654	0x00000022	C:\WINDOWS\system32\msvbvm60.dll\3
0x00005678	0x00000005	VBRUN
0x000056AC	0x00000006	socket
0x000056EC	0x0000000A	GlobalLock
0x00005730	0x0000000C	GlobalUnlock
0x00005778	0x00000005	htons
0x000057B8	0x00000005	ntohs
0x000057F8	0x00000007	connect
0x00005844	0x0000000B	gethostname
0x00005888	0x0000000D	gethostbyname
0x00005910	0x0000000B	getsockname
0x00005954	0x0000000B	getpeername
0x00005998	0x00000009	inet_addr
0x00005A10	0x00000006	sendto
0x00005A50	0x0000000A	getsockopt
0x00005A94	0x0000000A	setsockopt
0x00005B18	0x00000008	recvfrom
0x00005B5C	0x00000015	WSACancelAsyncRequest
0x00005B74	0x00000005	State
0x00005B7C	0x0000000D	LocalHostName
0x00005B8C	0x00000007	LocalIP
0x00005BD0	0x00000006	listen
0x00005C10	0x00000006	accept
0x00005C50	0x00000009	inet_ntoa
0x00005C94	0x0000000B	ioctlsocket
0x00005CD8	0x0000000B	closesocket
0x00005D18	0x00000007	WndProc
0x00005D20	0x0000000A	RemotePort
0x00005D2C	0x0000000A	RemoteHost
0x00005D38	0x0000000C	RemoteHostIP
0x00005D48	0x00000009	LocalPort
0x00005D58	0x00000008	SendData
0x00005D64	0x00000007	GetData
0x00005D6C	0x00000008	PeekData
0x00005D78	0x00000006	Listen
0x00005D80	0x00000006	Accept
0x00005D88	0x00000011	ConnectionRequest
0x00005D9C	0x0000000B	DataArrival
0x00005DA8	0x00000005	Error
0x00005DB0	0x0000000C	SendComplete
0x00005DC0	0x0000000C	SendProgress
0x00005F00	0x0000000C	netapi32.dll
0x00005F18	0x00000007	Netbios
0x00005F58	0x0000000E	GetProcessHeap
0x00005FA0	0x00000009	HeapAlloc
0x00005FE4	0x00000008	HeapFree
0x00006094	0x0000000D	GetVersionExA
0x00006100	0x0000000B	CreateFileA
0x00006144	0x0000000F	DeviceIoControl
0x0000618C	0x0000000B	CloseHandle
0x000061D0	0x00000015	GetVolumeInformationA
0x00006284	0x00000012	GetModuleFileNameA
0x000062D0	0x00000013	GetCurrentProcessId
0x00006320	0x00000008	FlushLog
0x00006358	0x00000015	cmSocket_SendProgress
0x0000638C	0x0000001C	CreateShortcut
0x000063AC	0x00000014	TargetPath
0x000063D8	0x00000020	WorkingDirectory
0x00006434	0x00000012	ExecQuery
0x00006448	0x00000014	MACAddress
0x000064B8	0x0000000C	EbMode
0x000064CC	0x0000001C	SetWindowLongA
0x000064F0	0x0000001E	CallWindowProcA
0x00006514	0x00000014	WSACleanup
0x00006530	0x00000012	KillTimer
0x00006568	0x0000000C	user32
0x0000657C	0x0000000C	ws2_32
0x0000658C	0x0000000E	cmSocket_Error
0x0000659C	0x00000015	cmSocket_SendComplete
0x00006628	0x0000000B	UserControl
0x00006634	0x00000008	cmSocket
0x00006640	0x00000011	cmSocket_CloseSck
0x00006654	0x00000010	cmSocket_Connect
0x00006668	0x0000001A	cmSocket_ConnectionRequest
0x00006684	0x00000014	cmSocket_DataArrival
0x000066A0	0x00000012	LocalPort
0x000066C8	0x00000010	Protocol
0x000066E0	0x00000014	RemoteHost
0x000066FC	0x00000014	RemotePort
0x00006784	0x00000006	Socket
0x0001B39C	0x00000025	SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli
0x0001B3C4	0x00000025	SAFE_wXfFU0GiYdAvUQ86skySPaU80AmMHnmw
0x0001B3EC	0x00000025	SAFE_4fDBPXBwTcNF4WpeuDSuwqcW3psMwB0f
0x0001B414	0x00000025	SAFE_CU5ZIkuee8iXHaYeF0XH07I12WnVk4NM
0x0001B43C	0x00000025	SAFE_Ukw8ASw6d514KXPxkGUCxCJ89lOobEip
0x0001B464	0x00000006	iSplit
0x0001B46C	0x00000025	SAFE_TzIyaWLC083eHor12AAAXyzARroaoCl7
0x0001B494	0x00000025	SAFE_lF9XRDNe05MAKliKXQ75U40IY6PsfM6a
0x0001B4BC	0x00000025	SAFE_n5qnjCxOP7ZeVOOX2TLLvDCogYRVYSUI
0x0001B4E4	0x00000025	SAFE_Uj0uzUEwwlL7B4YJJgs45Rdz2oEQLD8U
0x0001B50C	0x00000025	SAFE_mzrUqCGPviedE1Pcoxpz2We782pjCNUw
0x0001B534	0x00000025	SAFE_X8QUuSJSJc12iEyzfDnXJgOweBRL5Bts
0x0001B55C	0x00000025	SAFE_8mGmoaasaLRD5fHYjqVi04xGvoTiqark
0x0001B590	0x00000025	SAFE_eTgd1MK7Yy2XtTCJ2xKTBn5ayGXzlGi9
0x0001B5B8	0x00000025	SAFE_wjXCs4MaYvL4wQ3cWDHO8t6i5V8HcQ3c
0x0001B5E0	0x00000025	SAFE_xaESA2wJxxZY73kp2GVdZ2HFDxAuVWSL
0x0001B608	0x00000025	SAFE_Fp521kylwus4A0b8WWSYV7IMKClDLhno
0x0001B630	0x00000025	SAFE_WYQHz1fvKVyxUS2HORFM9RioUYC8UsUi
0x0001B658	0x00000025	SAFE_p7w6cFENZMIBQFccDq7StOvuDjNVqpIL
0x0001B680	0x00000025	SAFE_xjzfjrRvFgBPyI9Ly7RSulUXFJRDsgm5
0x0001B6A8	0x00000025	SAFE_9S0STCtgN17H8PFHBODi0juoUEuZBReV
0x0001B6D0	0x00000025	SAFE_sYcsc0R6Dngoyzvsj9HSEAwZjIvmvX46
0x0001B6F8	0x00000025	SAFE_mOf9lycdfUgnHchmTmCVrEGKeNU0qLFx
0x0001B720	0x00000025	SAFE_fnIuiVsEdGGHBupQQDw8R6lV8rCKRlEH
0x0001B748	0x00000025	SAFE_T571D8NHgN0hn6pJqX9ssVAJPflUAka5
0x0001B770	0x00000025	SAFE_lLyb4qPjfKJEq4gcKn6npaBRVuMn1uvY
0x0001B798	0x00000025	SAFE_RdiVDGLIzkh9zIdkFamXWBxLKNsKF985
0x0001B7C0	0x00000025	SAFE_OX7ybJucwnBnYa0uh44S3EAdOoyyUW3F
0x0001B7E8	0x00000025	SAFE_POnEsHULLpOHjDh7D7JhUOMAWG0aNcSx
0x0001B810	0x00000025	SAFE_heeojzWnKmhomAYQhNGcQTNIdVbtEnnQ
0x0001B838	0x00000025	SAFE_mZH4O1J1aXfWesOSmxySseAFZeDEShAK
0x0001B860	0x00000025	SAFE_oQxKf0tkzZt0pV5gH0CiJnMmh6GrLnZ2
0x0001B888	0x00000025	SAFE_pGeaxyUTOa6Uz8mtm2QxkxYIqZJTEuxl
0x0001B8B0	0x00000025	SAFE_GqZAWhIKHz2Tu42yAKSO68W8O0uBp8PG
0x0001B8D8	0x00000009	requestID
0x0001B8E4	0x0000000A	bytesTotal
0x0001B8F0	0x00000006	Number
0x0001B8F8	0x0000000B	Description
0x0001B904	0x00000005	sCode
0x0001B90C	0x00000006	Source
0x0001B914	0x00000008	HelpFile
0x0001B920	0x0000000B	HelpContext
0x0001B92C	0x0000000D	CancelDisplay
0x0001B93C	0x00000009	bytesSent
0x0001B948	0x0000000E	bytesRemaining
0x0001B958	0x00000025	SAFE_YoiwczIxR2qYF6Prg6qac9HgIRnEY8PX
0x0001B994	0x0000003F	Returns/Sets the port to be connected to on the remote computer
0x0001B9D4	0x00000007	lngPort
0x0001B9DC	0x00000020	Returns/Sets the socket protocol
0x0001BA00	0x0000000B	enmProtocol
0x0001BA0C	0x0000003A	Returns/Sets the name used to identify the remote computer
0x0001BA48	0x00000007	strHost
0x0001BA50	0x00000022	Returns the remote host IP address
0x0001BA74	0x00000030	Returns/Sets the port used on the local computer
0x0001BAA8	0x0000002A	Returns the state of the socket connection
0x0001BAD4	0x0000001E	Returns the local machine name
0x0001BAF4	0x00000024	Returns the local machine IP address
0x0001BB1C	0x00000037	Returns the number of bytes received on this connection
0x0001BB54	0x00000019	Returns the socket handle
0x0001BB70	0x00000050	Returns or sets an expression that stores any extra data needed for your program
0x0001BBC4	0x00000006	strTag
0x0001BBCC	0x00000025	Accept an incoming connection request
0x0001BBF4	0x00000009	LocalPort
0x0001BC00	0x00000007	LocalIP
0x0001BC08	0x00000029	Binds socket to specific port and adapter
0x0001BC34	0x00000018	Close current connection
0x0001BC50	0x0000000A	RemoteHost
0x0001BC5C	0x0000000A	RemotePort
0x0001BC68	0x0000001E	Connect to the remote computer
0x0001BC90	0x00000007	varType
0x0001BC98	0x00000006	maxLen
0x0001BCA0	0x00000029	Retrieve data sent by the remote computer
0x0001BCCC	0x00000027	Listen for incoming connection requests
0x0001BCF4	0x00000039	Look at incoming data without removing it from the buffer
0x0001BD30	0x0000001C	Send data to remote computer
0x0001BD50	0x00000034	Occurs when a remote client is attempting to connect
0x0001BD8C	0x0000003B	Occurs when data has been received from the remote computer
0x0001BDC8	0x0000000E	Error occurred
0x0001BDD8	0x0000002B	Occurs after a send operation has completed
0x0001BE04	0x00000025	Occurs during process of sending data
0x000536A0	0x0000000C	MSVBVM60.DLL
0x000536B0	0x00000018	EVENT_SINK_GetIDsOfNames
0x000536CA	0x0000000E	MethCallEngine
0x000536DA	0x00000011	EVENT_SINK_Invoke
0x000536EE	0x00000012	Zombie_GetTypeInfo
0x00053702	0x00000011	EVENT_SINK_AddRef
0x00053716	0x0000000F	DllFunctionCall
0x00053728	0x00000017	Zombie_GetTypeInfoCount
0x00053742	0x00000012	EVENT_SINK_Release
0x00053756	0x00000019	EVENT_SINK_QueryInterface
0x00053772	0x00000012	__vbaExceptHandler
0x00053786	0x0000000E	ProcCallEngine
0x0005413E	0x0000000C	CONFIG
0x00054339	0x0000000A	DDDDDDDDD@
0x00054452	0x0000001E	VS_VERSION_INFO
0x000544AE	0x00000016	VarFileInfo
0x000544CE	0x00000016	Translation
0x000544F2	0x0000001C	StringFileInfo
0x00054516	0x00000010	080404B0
0x0005452E	0x00000016	CompanyName
0x00054552	0x00000016	ProductName
0x0005457A	0x00000016	FileVersion
0x000545A6	0x0000001C	ProductVersion
0x000545D6	0x00000018	InternalName
0x00054602	0x00000020	OriginalFilename
0x00054624	0x00000010	dick.exe

0x000001B0 0x00000005 .text 0x000001D7 0x00000006 `.data 0x00000200 0x00000005 .rsrc 0x0000127C 0x0000000C AutoDownload 0x0000128D 0x00000007 = 3 0x000012D4 0x0000000E lientWidSocket 0x00001368 0x00000005 Form1 0x00001372 0x00000005 Form1 0x00001589 0x0000000A DDDDDDDDD@ 0x0000168B 0x00000005 Form1 0x000016AD 0x00000006 Timer3 0x000016CE 0x00000008 dpsocket 0x000016DA 0x00000013 AutoDownload.Socket 0x00001752 0x00000005 Text1 0x00001773 0x00000006 Timer2 0x00001795 0x0000000B WebBrowser1 0x000017A4 0x00000015 SHDocVwCtl.WebBrowser 0x00001874 0x00000006 Timer1 0x00001896 0x0000000A vb6chs.dll 0x00001911 0x0000000C AutoDownload 0x000022B8 0x0000004A *\AS:\Worker\tempvbp\AutoDownload.vbp 0x000025C9 0x00000013 AutoDownload.Socket 0x000025DD 0x00000006 Socket 0x00002760 0x0000000A ReadyState 0x0000276B 0x0000000B shdocvw.dll 0x00002777 0x00000015 SHDocVwCtl.WebBrowser 0x0000278D 0x0000000A WebBrowser 0x00004700 0x00000009 moduleAPI 0x0000470C 0x0000000E moduleRegister 0x0000471C 0x0000000D moduleWinInet 0x0000472C 0x00000005 Form1 0x00004734 0x00000013 classApplicationLog 0x00004748 0x00000007 Module1 0x00004750 0x00000007 Module2 0x00004758 0x0000000F modSocketMaster 0x00004768 0x0000000D CSocketMaster 0x00004778 0x00000006 Socket 0x00004780 0x0000000C AutoDownload 0x00004794 0x00000014 USER32.DLL 0x000047B0 0x00000018 KERNEL32.DLL 0x000047D0 0x00000018 ADVAPI32.DLL 0x000047F0 0x00000016 WININET.DLL 0x0000482C 0x00000008 kernel32 0x0000483C 0x0000000C GetLastError 0x0000484C 0x0000000B WebBrowser1 0x00004890 0x0000000C LoadLibraryA 0x000048D8 0x0000000E GetProcAddress 0x00004920 0x00000006 user32 0x0000492C 0x0000000F CallWindowProcA 0x00004974 0x0000000B FreeLibrary 0x000049B8 0x0000000D RtlMoveMemory 0x00004A18 0x00000006 Timer3 0x00004A64 0x00000008 VBA6.DLL 0x00004A74 0x0000000D InternetOpenA 0x00004AB0 0x0000001A RegOpenKeyExA 0x00004AD0 0x00000007 wininet 0x00004B20 0x00000013 InternetCloseHandle 0x00004B6C 0x00000010 InternetOpenUrlA 0x00004BB8 0x0000000B wininet.dll 0x00004BC8 0x0000000E HttpQueryInfoA 0x00004C10 0x00000010 InternetReadFile 0x00004C5C 0x00000012 InternetSetOptionA 0x00004D1C 0x00000035 C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB 0x00004D8C 0x00000005 Text1 0x00004DB4 0x0000001F C:\WINDOWS\system32\shdocvw.oca 0x00004DD4 0x0000000A SHDocVwCtl 0x00004E18 0x00000009 udpsocket 0x00004E24 0x00000006 Timer1 0x00004E2C 0x00000006 Timer2 0x00004E38 0x0000000C advapi32.dll 0x00004E4C 0x0000000D RegCreateKeyA 0x00004E94 0x0000000E RegSetValueExA 0x00004EDC 0x0000000B RegCloseKey 0x00004F20 0x0000000B RegOpenKeyA 0x00004F64 0x00000005 Sleep 0x00004FA4 0x0000000B shell32.dll 0x00004FB4 0x00000010 SHGetFolderPathA 0x00004FFC 0x0000000D kjgfrtxdgqe63 0x00005014 0x00000007 udpstop 0x0000501C 0x0000000A Decryption 0x00005028 0x00000007 GetItem 0x00005030 0x00000007 SetItem 0x00005038 0x0000000C SaveFileText 0x00005048 0x0000000C ReadFileText 0x00005058 0x0000000E IsWowInstalled 0x00005068 0x0000000C firstfucktag 0x00005078 0x00000007 SConfig 0x000050E4 0x0000000B GlobalAlloc 0x000050F0 0x0000000C SocketHandle 0x00005100 0x00000007 connect 0x00005140 0x0000000A GlobalFree 0x00005184 0x0000000A ws2_32.dll 0x00005194 0x0000000A WSAStartup 0x000051D8 0x0000000A WSACleanup 0x0000521C 0x00000015 WSAAsyncGetHostByName 0x0000526C 0x0000000E WSAAsyncSelect 0x000052B4 0x0000000F CreateWindowExA 0x000052C4 0x00000008 CloseSck 0x00005308 0x0000000D DestroyWindow 0x00005350 0x00000008 lstrlenA 0x00005394 0x00000008 lstrcpyA 0x000053D8 0x00000008 SetTimer 0x0000541C 0x00000009 KillTimer 0x00005460 0x00000008 IsWindow 0x0000547C 0x0000000D BytesReceived 0x000054CC 0x0000000E GetWindowLongA 0x00005514 0x0000000E SetWindowLongA 0x0000555C 0x00000010 GetModuleHandleA 0x00005640 0x00000005 Class 0x00005648 0x00000008 Protocol 0x00005654 0x00000022 C:\WINDOWS\system32\msvbvm60.dll\3 0x00005678 0x00000005 VBRUN 0x000056AC 0x00000006 socket 0x000056EC 0x0000000A GlobalLock 0x00005730 0x0000000C GlobalUnlock 0x00005778 0x00000005 htons 0x000057B8 0x00000005 ntohs 0x000057F8 0x00000007 connect 0x00005844 0x0000000B gethostname 0x00005888 0x0000000D gethostbyname 0x00005910 0x0000000B getsockname 0x00005954 0x0000000B getpeername 0x00005998 0x00000009 inet_addr 0x00005A10 0x00000006 sendto 0x00005A50 0x0000000A getsockopt 0x00005A94 0x0000000A setsockopt 0x00005B18 0x00000008 recvfrom 0x00005B5C 0x00000015 WSACancelAsyncRequest 0x00005B74 0x00000005 State 0x00005B7C 0x0000000D LocalHostName 0x00005B8C 0x00000007 LocalIP 0x00005BD0 0x00000006 listen 0x00005C10 0x00000006 accept 0x00005C50 0x00000009 inet_ntoa 0x00005C94 0x0000000B ioctlsocket 0x00005CD8 0x0000000B closesocket 0x00005D18 0x00000007 WndProc 0x00005D20 0x0000000A RemotePort 0x00005D2C 0x0000000A RemoteHost 0x00005D38 0x0000000C RemoteHostIP 0x00005D48 0x00000009 LocalPort 0x00005D58 0x00000008 SendData 0x00005D64 0x00000007 GetData 0x00005D6C 0x00000008 PeekData 0x00005D78 0x00000006 Listen 0x00005D80 0x00000006 Accept 0x00005D88 0x00000011 ConnectionRequest 0x00005D9C 0x0000000B DataArrival 0x00005DA8 0x00000005 Error 0x00005DB0 0x0000000C SendComplete 0x00005DC0 0x0000000C SendProgress 0x00005F00 0x0000000C netapi32.dll 0x00005F18 0x00000007 Netbios 0x00005F58 0x0000000E GetProcessHeap 0x00005FA0 0x00000009 HeapAlloc 0x00005FE4 0x00000008 HeapFree 0x00006094 0x0000000D GetVersionExA 0x00006100 0x0000000B CreateFileA 0x00006144 0x0000000F DeviceIoControl 0x0000618C 0x0000000B CloseHandle 0x000061D0 0x00000015 GetVolumeInformationA 0x00006284 0x00000012 GetModuleFileNameA 0x000062D0 0x00000013 GetCurrentProcessId 0x00006320 0x00000008 FlushLog 0x00006358 0x00000015 cmSocket_SendProgress 0x0000638C 0x0000001C CreateShortcut 0x000063AC 0x00000014 TargetPath 0x000063D8 0x00000020 WorkingDirectory 0x00006434 0x00000012 ExecQuery 0x00006448 0x00000014 MACAddress 0x000064B8 0x0000000C EbMode 0x000064CC 0x0000001C SetWindowLongA 0x000064F0 0x0000001E CallWindowProcA 0x00006514 0x00000014 WSACleanup 0x00006530 0x00000012 KillTimer 0x00006568 0x0000000C user32 0x0000657C 0x0000000C ws2_32 0x0000658C 0x0000000E cmSocket_Error 0x0000659C 0x00000015 cmSocket_SendComplete 0x00006628 0x0000000B UserControl 0x00006634 0x00000008 cmSocket 0x00006640 0x00000011 cmSocket_CloseSck 0x00006654 0x00000010 cmSocket_Connect 0x00006668 0x0000001A cmSocket_ConnectionRequest 0x00006684 0x00000014 cmSocket_DataArrival 0x000066A0 0x00000012 LocalPort 0x000066C8 0x00000010 Protocol 0x000066E0 0x00000014 RemoteHost 0x000066FC 0x00000014 RemotePort 0x00006784 0x00000006 Socket 0x0001B39C 0x00000025 SAFE_rGX8EhiOOnz7qnE0cOpCKcNDUhe57Sli 0x0001B3C4 0x00000025 SAFE_wXfFU0GiYdAvUQ86skySPaU80AmMHnmw 0x0001B3EC 0x00000025 SAFE_4fDBPXBwTcNF4WpeuDSuwqcW3psMwB0f 0x0001B414 0x00000025 SAFE_CU5ZIkuee8iXHaYeF0XH07I12WnVk4NM 0x0001B43C 0x00000025 SAFE_Ukw8ASw6d514KXPxkGUCxCJ89lOobEip 0x0001B464 0x00000006 iSplit 0x0001B46C 0x00000025 SAFE_TzIyaWLC083eHor12AAAXyzARroaoCl7 0x0001B494 0x00000025 SAFE_lF9XRDNe05MAKliKXQ75U40IY6PsfM6a 0x0001B4BC 0x00000025 SAFE_n5qnjCxOP7ZeVOOX2TLLvDCogYRVYSUI 0x0001B4E4 0x00000025 SAFE_Uj0uzUEwwlL7B4YJJgs45Rdz2oEQLD8U 0x0001B50C 0x00000025 SAFE_mzrUqCGPviedE1Pcoxpz2We782pjCNUw 0x0001B534 0x00000025 SAFE_X8QUuSJSJc12iEyzfDnXJgOweBRL5Bts 0x0001B55C 0x00000025 SAFE_8mGmoaasaLRD5fHYjqVi04xGvoTiqark 0x0001B590 0x00000025 SAFE_eTgd1MK7Yy2XtTCJ2xKTBn5ayGXzlGi9 0x0001B5B8 0x00000025 SAFE_wjXCs4MaYvL4wQ3cWDHO8t6i5V8HcQ3c 0x0001B5E0 0x00000025 SAFE_xaESA2wJxxZY73kp2GVdZ2HFDxAuVWSL 0x0001B608 0x00000025 SAFE_Fp521kylwus4A0b8WWSYV7IMKClDLhno 0x0001B630 0x00000025 SAFE_WYQHz1fvKVyxUS2HORFM9RioUYC8UsUi 0x0001B658 0x00000025 SAFE_p7w6cFENZMIBQFccDq7StOvuDjNVqpIL 0x0001B680 0x00000025 SAFE_xjzfjrRvFgBPyI9Ly7RSulUXFJRDsgm5 0x0001B6A8 0x00000025 SAFE_9S0STCtgN17H8PFHBODi0juoUEuZBReV 0x0001B6D0 0x00000025 SAFE_sYcsc0R6Dngoyzvsj9HSEAwZjIvmvX46 0x0001B6F8 0x00000025 SAFE_mOf9lycdfUgnHchmTmCVrEGKeNU0qLFx 0x0001B720 0x00000025 SAFE_fnIuiVsEdGGHBupQQDw8R6lV8rCKRlEH 0x0001B748 0x00000025 SAFE_T571D8NHgN0hn6pJqX9ssVAJPflUAka5 0x0001B770 0x00000025 SAFE_lLyb4qPjfKJEq4gcKn6npaBRVuMn1uvY 0x0001B798 0x00000025 SAFE_RdiVDGLIzkh9zIdkFamXWBxLKNsKF985 0x0001B7C0 0x00000025 SAFE_OX7ybJucwnBnYa0uh44S3EAdOoyyUW3F 0x0001B7E8 0x00000025 SAFE_POnEsHULLpOHjDh7D7JhUOMAWG0aNcSx 0x0001B810 0x00000025 SAFE_heeojzWnKmhomAYQhNGcQTNIdVbtEnnQ 0x0001B838 0x00000025 SAFE_mZH4O1J1aXfWesOSmxySseAFZeDEShAK 0x0001B860 0x00000025 SAFE_oQxKf0tkzZt0pV5gH0CiJnMmh6GrLnZ2 0x0001B888 0x00000025 SAFE_pGeaxyUTOa6Uz8mtm2QxkxYIqZJTEuxl 0x0001B8B0 0x00000025 SAFE_GqZAWhIKHz2Tu42yAKSO68W8O0uBp8PG 0x0001B8D8 0x00000009 requestID 0x0001B8E4 0x0000000A bytesTotal 0x0001B8F0 0x00000006 Number 0x0001B8F8 0x0000000B Description 0x0001B904 0x00000005 sCode 0x0001B90C 0x00000006 Source 0x0001B914 0x00000008 HelpFile 0x0001B920 0x0000000B HelpContext 0x0001B92C 0x0000000D CancelDisplay 0x0001B93C 0x00000009 bytesSent 0x0001B948 0x0000000E bytesRemaining 0x0001B958 0x00000025 SAFE_YoiwczIxR2qYF6Prg6qac9HgIRnEY8PX 0x0001B994 0x0000003F Returns/Sets the port to be connected to on the remote computer 0x0001B9D4 0x00000007 lngPort 0x0001B9DC 0x00000020 Returns/Sets the socket protocol 0x0001BA00 0x0000000B enmProtocol 0x0001BA0C 0x0000003A Returns/Sets the name used to identify the remote computer 0x0001BA48 0x00000007 strHost 0x0001BA50 0x00000022 Returns the remote host IP address 0x0001BA74 0x00000030 Returns/Sets the port used on the local computer 0x0001BAA8 0x0000002A Returns the state of the socket connection 0x0001BAD4 0x0000001E Returns the local machine name 0x0001BAF4 0x00000024 Returns the local machine IP address 0x0001BB1C 0x00000037 Returns the number of bytes received on this connection 0x0001BB54 0x00000019 Returns the socket handle 0x0001BB70 0x00000050 Returns or sets an expression that stores any extra data needed for your program 0x0001BBC4 0x00000006 strTag 0x0001BBCC 0x00000025 Accept an incoming connection request 0x0001BBF4 0x00000009 LocalPort 0x0001BC00 0x00000007 LocalIP 0x0001BC08 0x00000029 Binds socket to specific port and adapter 0x0001BC34 0x00000018 Close current connection 0x0001BC50 0x0000000A RemoteHost 0x0001BC5C 0x0000000A RemotePort 0x0001BC68 0x0000001E Connect to the remote computer 0x0001BC90 0x00000007 varType 0x0001BC98 0x00000006 maxLen 0x0001BCA0 0x00000029 Retrieve data sent by the remote computer 0x0001BCCC 0x00000027 Listen for incoming connection requests 0x0001BCF4 0x00000039 Look at incoming data without removing it from the buffer 0x0001BD30 0x0000001C Send data to remote computer 0x0001BD50 0x00000034 Occurs when a remote client is attempting to connect 0x0001BD8C 0x0000003B Occurs when data has been received from the remote computer 0x0001BDC8 0x0000000E Error occurred 0x0001BDD8 0x0000002B Occurs after a send operation has completed 0x0001BE04 0x00000025 Occurs during process of sending data 0x000536A0 0x0000000C MSVBVM60.DLL 0x000536B0 0x00000018 EVENT_SINK_GetIDsOfNames 0x000536CA 0x0000000E MethCallEngine 0x000536DA 0x00000011 EVENT_SINK_Invoke 0x000536EE 0x00000012 Zombie_GetTypeInfo 0x00053702 0x00000011 EVENT_SINK_AddRef 0x00053716 0x0000000F DllFunctionCall 0x00053728 0x00000017 Zombie_GetTypeInfoCount 0x00053742 0x00000012 EVENT_SINK_Release 0x00053756 0x00000019 EVENT_SINK_QueryInterface 0x00053772 0x00000012 __vbaExceptHandler 0x00053786 0x0000000E ProcCallEngine 0x0005413E 0x0000000C CONFIG 0x00054339 0x0000000A DDDDDDDDD@ 0x00054452 0x0000001E VS_VERSION_INFO 0x000544AE 0x00000016 VarFileInfo 0x000544CE 0x00000016 Translation 0x000544F2 0x0000001C StringFileInfo 0x00054516 0x00000010 080404B0 0x0005452E 0x00000016 CompanyName 0x00054552 0x00000016 ProductName 0x0005457A 0x00000016 FileVersion 0x000545A6 0x0000001C ProductVersion 0x000545D6 0x00000018 InternalName 0x00054602 0x00000020 OriginalFilename 0x00054624 0x00000010 dick.exe

Sandbox report of the dropper.

Detailed report of suspicious malware actions:
 
Created file on defined folder: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFE274.tmp
Defined file type copied to Windows folder: C:\WINDOWS\system32\drivers\zgiejqbqy7.sys
Defined file type created: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\software\microsoft\Windows\CurrentVersion\Run\ewrgetuj = C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\geurge.exe
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\DisplayName = zgiejqbqy7
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\ImagePath = system32\drivers\zgiejqbqy7.sys
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Start = 01000000
Defined registry AutoStart location added or modified: machine\system\CurrentControlSet\Services\zgiejqbqy7\Type = 01000000
Internet connection: C:\Documents and Settings\Administrator\Local Settings\Temp\geurge.exe Connects to "122.224.6.48" on port 88 (TCP).
Internet connection: C:\Documents and Settings\Administrator\current\Local Settings\Temp\geurge.exe Connects to "93.174.92.220" on port 80 (TCP - HTTP).
Query DNS: config.perfectexe.com
Query DNS: ghucom.com
 
Risk evaluation result: High

Strings from the rootkit driver I spoke of earlier.

0x00000377	0x00000006	h.text
0x0000039F	0x00000006	h.data
0x000003C8	0x00000006	.cdata
0x00000418	0x00000006	.reloc
0x00001EA9	0x00000005	8SVWh
0x000024AD	0x00000005	VVVVh
0x00002564	0x00000005	WWWWh
0x0000C0EC	0x0000001A	\Driver\NTICE
0x0000C108	0x00000016	\Driver\npf
0x0000C120	0x00000016	\SystemRoot
0x0000C142	0x00000006	.cdata
0x0000C14A	0x0000000A	hwldi
0x0000C156	0x0000000A	hwsht
0x0000C170	0x00000010	TransportAddress
0x0000C182	0x00000011	ConnectionContext
0x0000C19E	0x00000006	      
0x0000C1A6	0x0000000A	hwbcr
0x0000C39C	0x00000009	opera.exe
0x0000C3A8	0x0000000A	thebat.exe
0x0000C3B4	0x0000000F	thunderbird.exe
0x0000C3C4	0x00000009	msimn.exe
0x0000C3D0	0x0000000A	telnet.exe
0x0000C708	0x0000002D	e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb
0x000103AE	0x00000008	hfisa@Pj
0x00010920	0x00000019	%08x %ws+0x%x (%08x:%08x)
0x0001093A	0x0000001D	%08x unknown+0x%x (%08x:%08x)
0x00010958	0x00000012	 (0x%08X--&gt;0x%08X)
0x00010978	0x0000000A	hwbcr
0x00010984	0x00000012	IofCompleteRequest
0x00010998	0x0000000D	IofCallDriver
0x00010A6E	0x0000001E	FILE: unknown+0x%x (%08x:%08x)
0x00010A94	0x0000000C	 (%08x:%08x)
0x00010AA2	0x00000005	+0x%x
0x00010AA8	0x00000009	FILE: %ws
0x00010ADA	0x00000025	BugCheck %X, {%08x, %08x, %08x, %08x}
0x00010B00	0x00000006	.cdata
0x00011610	0x0000000C	CreateModule
0x00011620	0x0000000C	DeleteModule
0x00012CF6	0x00000014	ObfDereferenceObject
0x00012D0E	0x00000017	ObReferenceObjectByName
0x00012D28	0x00000012	IoDriverObjectType
0x00012D3E	0x00000014	RtlInitUnicodeString
0x00012D57	0x00000014	xAllocatePoolWithTag
0x00012D6E	0x00000006	memset
0x00012D78	0x00000012	IofCompleteRequest
0x00012D8E	0x0000000C	PoCallDriver
0x00012D9E	0x00000013	PoStartNextPowerIrp
0x00012DB4	0x0000000E	IoDeleteDevice
0x00012DC6	0x0000001B	IoAttachDeviceToDeviceStack
0x00012DE4	0x0000000E	IoCreateDevice
0x00012DF6	0x00000012	ObfReferenceObject
0x00012E0C	0x00000018	IoGetRelatedDeviceObject
0x00012E28	0x00000019	ObReferenceObjectByHandle
0x00012E44	0x0000000C	IoCreateFile
0x00012E54	0x00000006	memcpy
0x00012E5E	0x0000000D	IofCallDriver
0x00012E6E	0x0000000E	IoAttachDevice
0x00012E80	0x00000009	_purecall
0x00012E8C	0x00000013	IoGetCurrentProcess
0x00012EA3	0x00000010	xFreePoolWithTag
0x00012EB6	0x00000008	_stricmp
0x00012EC2	0x00000012	KeGetCurrentThread
0x00012ED8	0x00000015	KeWaitForSingleObject
0x00012EF0	0x0000000D	IoAllocateIrp
0x00012F00	0x0000000C	KeClearEvent
0x00012F10	0x00000010	IoFileObjectType
0x00012F24	0x00000006	strcmp
0x00012F2E	0x00000007	strncat
0x00012F38	0x00000018	NtQuerySystemInformation
0x00012F54	0x00000007	ZwClose
0x00012F5E	0x00000018	KeServiceDescriptorTable
0x00012F7A	0x00000010	MmIsAddressValid
0x00012F8E	0x00000007	sprintf
0x00012F98	0x0000000C	KeBugCheckEx
0x00012FA8	0x0000000C	PsGetVersion
0x00012FB8	0x0000001D	IoBuildDeviceIoControlRequest
0x00012FD8	0x00000011	KeInitializeEvent
0x00012FEC	0x0000000A	KeSetEvent
0x00012FFA	0x00000014	RtlFreeUnicodeString
0x00013012	0x00000017	RtlCompareUnicodeString
0x0001302C	0x00000014	RtlCopyUnicodeString
0x00013044	0x00000019	MmGetSystemRoutineAddress
0x00013060	0x00000011	RtlFreeAnsiString
0x00013074	0x0000001C	RtlUnicodeStringToAnsiString
0x00013094	0x00000016	RtlQueryRegistryValues
0x000130AE	0x0000001E	IoRegisterShutdownNotification
0x000130D0	0x00000013	KeSetPriorityThread
0x000130E6	0x00000014	PsCreateSystemThread
0x000130FE	0x00000019	RtlUnicodeStringToInteger
0x0001311A	0x00000013	RtlTimeToTimeFields
0x00013130	0x00000007	_allmul
0x0001313A	0x00000015	RtlWriteRegistryValue
0x00013152	0x00000014	RtlCreateRegistryKey
0x0001316A	0x00000008	swprintf
0x00013176	0x00000016	RtlDeleteRegistryValue
0x00013190	0x00000011	ObQueryNameString
0x000131A4	0x00000009	IoFreeIrp
0x000131B0	0x0000000E	ObInsertObject
0x000131C2	0x0000001E	SeSetAccessStateGenericMapping
0x000131E4	0x00000011	RtlMapGenericMask
0x000131F8	0x00000013	SeCreateAccessState
0x0001320E	0x0000000E	ObCreateObject
0x00013220	0x00000009	IoFreeMdl
0x0001322C	0x0000000D	MmUnlockPages
0x0001323C	0x0000000B	IoCancelIrp
0x0001324A	0x00000013	MmProbeAndLockPages
0x00013260	0x0000000D	IoAllocateMdl
0x00013270	0x00000018	KeWaitForMultipleObjects
0x0001328C	0x0000000C	KeResetEvent
0x0001329C	0x00000012	KeNumberProcessors
0x000132B2	0x00000008	_aulldiv
0x000132BE	0x0000001C	RtlAnsiStringToUnicodeString
0x000132DE	0x00000011	RtlInitAnsiString
0x000132F2	0x0000000B	KeTickCount
0x000132FE	0x0000000C	ntoskrnl.exe
0x0001330F	0x0000000F	eGetCurrentIrql
0x00013323	0x0000000A	fRaiseIrql
0x00013331	0x0000000A	fLowerIrql
0x0001333F	0x00000010	fReleaseSpinLock
0x00013353	0x00000010	fAcquireSpinLock
0x00013364	0x00000007	HAL.dll
0x0001336E	0x00000007	strncpy
0x00013378	0x00000007	wcsncpy
0x00013382	0x00000006	strlen
0x0001338C	0x00000010	RtlCompareMemory
0x000133A0	0x0000000A	ZwReadFile
0x000133AE	0x0000000B	ZwWriteFile
0x000133BC	0x00000011	KeQuerySystemTime
0x000133D0	0x00000006	strchr
0x000133DA	0x00000006	wcschr
0x000133E4	0x00000009	RtlUnwind
0x00013C39	0x00000009	;$;);2;9;

0x00000377 0x00000006 h.text 0x0000039F 0x00000006 h.data 0x000003C8 0x00000006 .cdata 0x00000418 0x00000006 .reloc 0x00001EA9 0x00000005 8SVWh 0x000024AD 0x00000005 VVVVh 0x00002564 0x00000005 WWWWh 0x0000C0EC 0x0000001A \Driver\NTICE 0x0000C108 0x00000016 \Driver\npf 0x0000C120 0x00000016 \SystemRoot 0x0000C142 0x00000006 .cdata 0x0000C14A 0x0000000A hwldi 0x0000C156 0x0000000A hwsht 0x0000C170 0x00000010 TransportAddress 0x0000C182 0x00000011 ConnectionContext 0x0000C19E 0x00000006 0x0000C1A6 0x0000000A hwbcr 0x0000C39C 0x00000009 opera.exe 0x0000C3A8 0x0000000A thebat.exe 0x0000C3B4 0x0000000F thunderbird.exe 0x0000C3C4 0x00000009 msimn.exe 0x0000C3D0 0x0000000A telnet.exe 0x0000C708 0x0000002D e:\eclipse\botnet\drivers\Bin\i386\kernel.pdb 0x000103AE 0x00000008 hfisa@Pj 0x00010920 0x00000019 %08x %ws+0x%x (%08x:%08x) 0x0001093A 0x0000001D %08x unknown+0x%x (%08x:%08x) 0x00010958 0x00000012 (0x%08X-->0x%08X) 0x00010978 0x0000000A hwbcr 0x00010984 0x00000012 IofCompleteRequest 0x00010998 0x0000000D IofCallDriver 0x00010A6E 0x0000001E FILE: unknown+0x%x (%08x:%08x) 0x00010A94 0x0000000C (%08x:%08x) 0x00010AA2 0x00000005 +0x%x 0x00010AA8 0x00000009 FILE: %ws 0x00010ADA 0x00000025 BugCheck %X, {%08x, %08x, %08x, %08x} 0x00010B00 0x00000006 .cdata 0x00011610 0x0000000C CreateModule 0x00011620 0x0000000C DeleteModule 0x00012CF6 0x00000014 ObfDereferenceObject 0x00012D0E 0x00000017 ObReferenceObjectByName 0x00012D28 0x00000012 IoDriverObjectType 0x00012D3E 0x00000014 RtlInitUnicodeString 0x00012D57 0x00000014 xAllocatePoolWithTag 0x00012D6E 0x00000006 memset 0x00012D78 0x00000012 IofCompleteRequest 0x00012D8E 0x0000000C PoCallDriver 0x00012D9E 0x00000013 PoStartNextPowerIrp 0x00012DB4 0x0000000E IoDeleteDevice 0x00012DC6 0x0000001B IoAttachDeviceToDeviceStack 0x00012DE4 0x0000000E IoCreateDevice 0x00012DF6 0x00000012 ObfReferenceObject 0x00012E0C 0x00000018 IoGetRelatedDeviceObject 0x00012E28 0x00000019 ObReferenceObjectByHandle 0x00012E44 0x0000000C IoCreateFile 0x00012E54 0x00000006 memcpy 0x00012E5E 0x0000000D IofCallDriver 0x00012E6E 0x0000000E IoAttachDevice 0x00012E80 0x00000009 _purecall 0x00012E8C 0x00000013 IoGetCurrentProcess 0x00012EA3 0x00000010 xFreePoolWithTag 0x00012EB6 0x00000008 _stricmp 0x00012EC2 0x00000012 KeGetCurrentThread 0x00012ED8 0x00000015 KeWaitForSingleObject 0x00012EF0 0x0000000D IoAllocateIrp 0x00012F00 0x0000000C KeClearEvent 0x00012F10 0x00000010 IoFileObjectType 0x00012F24 0x00000006 strcmp 0x00012F2E 0x00000007 strncat 0x00012F38 0x00000018 NtQuerySystemInformation 0x00012F54 0x00000007 ZwClose 0x00012F5E 0x00000018 KeServiceDescriptorTable 0x00012F7A 0x00000010 MmIsAddressValid 0x00012F8E 0x00000007 sprintf 0x00012F98 0x0000000C KeBugCheckEx 0x00012FA8 0x0000000C PsGetVersion 0x00012FB8 0x0000001D IoBuildDeviceIoControlRequest 0x00012FD8 0x00000011 KeInitializeEvent 0x00012FEC 0x0000000A KeSetEvent 0x00012FFA 0x00000014 RtlFreeUnicodeString 0x00013012 0x00000017 RtlCompareUnicodeString 0x0001302C 0x00000014 RtlCopyUnicodeString 0x00013044 0x00000019 MmGetSystemRoutineAddress 0x00013060 0x00000011 RtlFreeAnsiString 0x00013074 0x0000001C RtlUnicodeStringToAnsiString 0x00013094 0x00000016 RtlQueryRegistryValues 0x000130AE 0x0000001E IoRegisterShutdownNotification 0x000130D0 0x00000013 KeSetPriorityThread 0x000130E6 0x00000014 PsCreateSystemThread 0x000130FE 0x00000019 RtlUnicodeStringToInteger 0x0001311A 0x00000013 RtlTimeToTimeFields 0x00013130 0x00000007 _allmul 0x0001313A 0x00000015 RtlWriteRegistryValue 0x00013152 0x00000014 RtlCreateRegistryKey 0x0001316A 0x00000008 swprintf 0x00013176 0x00000016 RtlDeleteRegistryValue 0x00013190 0x00000011 ObQueryNameString 0x000131A4 0x00000009 IoFreeIrp 0x000131B0 0x0000000E ObInsertObject 0x000131C2 0x0000001E SeSetAccessStateGenericMapping 0x000131E4 0x00000011 RtlMapGenericMask 0x000131F8 0x00000013 SeCreateAccessState 0x0001320E 0x0000000E ObCreateObject 0x00013220 0x00000009 IoFreeMdl 0x0001322C 0x0000000D MmUnlockPages 0x0001323C 0x0000000B IoCancelIrp 0x0001324A 0x00000013 MmProbeAndLockPages 0x00013260 0x0000000D IoAllocateMdl 0x00013270 0x00000018 KeWaitForMultipleObjects 0x0001328C 0x0000000C KeResetEvent 0x0001329C 0x00000012 KeNumberProcessors 0x000132B2 0x00000008 _aulldiv 0x000132BE 0x0000001C RtlAnsiStringToUnicodeString 0x000132DE 0x00000011 RtlInitAnsiString 0x000132F2 0x0000000B KeTickCount 0x000132FE 0x0000000C ntoskrnl.exe 0x0001330F 0x0000000F eGetCurrentIrql 0x00013323 0x0000000A fRaiseIrql 0x00013331 0x0000000A fLowerIrql 0x0001333F 0x00000010 fReleaseSpinLock 0x00013353 0x00000010 fAcquireSpinLock 0x00013364 0x00000007 HAL.dll 0x0001336E 0x00000007 strncpy 0x00013378 0x00000007 wcsncpy 0x00013382 0x00000006 strlen 0x0001338C 0x00000010 RtlCompareMemory 0x000133A0 0x0000000A ZwReadFile 0x000133AE 0x0000000B ZwWriteFile 0x000133BC 0x00000011 KeQuerySystemTime 0x000133D0 0x00000006 strchr 0x000133DA 0x00000006 wcschr 0x000133E4 0x00000009 RtlUnwind 0x00013C39 0x00000009 ;$;);2;9;

There you can see the “botnet” string, nothing good about that file. That also looks to see if kernel mode debugger is running.

To be continued…

Posted by on Monday, July 26th, 2010 at 4:38 pm and filed under Malware Analysis with tags . You can skip to the end and leave a response. Pinging is currently not allowed.

Pay-Per-Install Analysis – Part Four

Random Posts

Previous Posts

Leave a Reply

Search

Categories

Recent

Products