Malware Analysis email: rajdeep.chakraborty@gmail.com

Detailed analysis of the continuously evolving threat of Malwares

Author: Rajdeep Chakraborty
rajdeep.chakraborty@gmail.com
http://www.malwareinfo.org

Page 1
Malware Analysis email: rajdeep.chakraborty@gmail.com

Malware Analysis
A detailed analysis of the continuously evolving threat of Malwares
Author: Rajdeep Chakraborty
Email: rajdeep@malwareinfo.org

The purpose of this article is to help users analyze and determine whether an executable, process or binary running on their system is
harmful Malware. We will analyze it in a controlled environment without the use of antivirus software, debuggers, code
disassembly or any other sophisticated tools or applications. However, we will take the help of certain freely available tools
and utilities to fulfill our requirements.

The steps for Malware Analysis followed here in this article have been taken from the article "Malware Analysis for
Administrators" posted by S.G. Masood of F-Secure (http://www.securityfocus.com/infocus/1780). The basic methodologies
proposed by him in the document have been kept the same but I have tried to explain those methodologies in a much more
detailed fashion.

Introduction

Traditionally, Malware analysis has been considered very complicated, and in fact some of the techniques or methodologies
involved are very complicated and well beyond a normal user's reach or understanding. However, in today's context, there is a
clear need for people to learn how to analyze Malware themselves. The most important factor is that the analysis techniques
should be simplified enough that even the average computer user can understand them. Unfortunately, information on Malware
analysis techniques is either too complicated for average users to understand or is scattered across many places, beyond the
reach of normal users. With this tutorial, I will try to fill that gap and make the techniques easy and simple enough for average
users to understand and try hands-on themselves.

Basics

Malware has evolved into the most dangerous, damaging and menacing threat of the cyber era. It is not an exaggeration to say
that if you are connected to the Internet, there is every chance of being affected by this nuisance. So it is very important that
we possess at least a basic understanding of this threat. We will look into some basic details of this thing called Malware.

What is Malware?

Malware is malicious software, designed specifically to damage your system or interrupt the normal computing environment. A
Trojan horse, worm, virus or spyware could be classified as Malware. Some advertising software can be malicious by trying to
re-install itself after you have removed it. A binary is considered Malware on the basis of certain features.

Types of Malware

Malware can be a virus, worm, Trojan horse, rootkit, spyware, dishonest adware or other malicious and unwanted rogue
software. Hence Malware is something that usually contaminates the system and carries out malicious activities. The best-known
types of Malware are viruses and worms. They are known for the manner in which they spread, rather than for any other
particular behavior.

Virus: A computer virus is a computer program that can copy itself and infect a computer without permission or
knowledge of the user. A virus can only spread from one computer to another when its host is taken to the uninfected
computer, for instance by a user sending it over a network or the Internet, or by carrying it on a removable medium such
as a floppy disk, CD, or USB drive.

Worm: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes
(computer terminals on the network) and it may do so without any user intervention. Unlike a virus, it does not need to
attach itself to an existing program.

Trojan horse: A piece of software which appears to perform a certain action but in fact performs another such as a
computer Virus. Trojan horses are notorious for their use in the installation of backdoor programs in the system that can
be exploited by the author of such programs. These systems now become zombies and they can be completely controlled
by the attacker.

Spyware: Computer software that is installed surreptitiously on a personal computer to intercept or take partial control over
the user's interaction with the computer, without the user's informed consent. Spyware suggests software that secretly
monitors the user's behavior, collects various types of personal information, and interferes with user control of the computer
in other ways, such as installing additional software, redirecting Web browser activity, blindly accessing websites that lead to
more harmful viruses, or diverting advertising revenue to a third party.

Adware: Computer software that comes with advertising functions integrated into or bundled with a program. It is
usually seen by the programmer as a way to recover programming development costs. Some types of Adware are also
Spyware and can be classified as privacy-invasive software. They automatically play, display, or download advertising
material to a computer after the software is installed on it or while the application is being used.

There can be many more categories of Malware depending on their characteristics and malicious activities. However, detailed
description of those is not within the scope of this article.

Background of Malware Analysis

The threat of malicious software can easily be considered the greatest threat to Internet security these days. Earlier, Viruses
were, more or less, the only form of Malware. Nowadays, however, the threat has grown to include a vast range of highly
sophisticated applications, viz. network-aware worms, Trojans, DDoS agents, IRC-controlled bots, Spyware, Rootkits and many
more. The infection vectors have also changed and grown drastically, as malicious agents now use mechanisms like email
harvesting, browser exploits, operating system vulnerabilities, P2P networks and many more unknown, unheard-of and
technologically advanced techniques of replication.

A relatively large percentage of the software that a normal internet user encounters in his/her online activities is or can be
malicious in some form or other. Most of this Malware is detected by Antivirus software, Spyware removal applications and
other similar tools. However, this protection is not always enough, and there are times when a small, benign-looking binary
sneaks through all these levels of protection and compromises the system and the user's data. The reasons for this breach can
be:

- Users not updating their Antivirus signatures regularly
- Users not keeping their systems well patched
- Failure of the Antivirus software's heuristics engine
- New or low-profile Malware that has not yet been discovered by Antivirus vendors
- Custom coded Malware which cannot be detected by Antivirus
- Firewall not installed or not properly configured

Malware is continuously evolving, and Antivirus vendors are finding it difficult to keep up with this ever-increasing threat list.
In some cases, the vendors may opt not to include a signature for a particular piece of Malware. However, this should not
prevent knowledge seekers from using freeware tools and techniques to analyze the files and develop their own prevention
and detection mechanisms. Though Antivirus software is continually getting better and more sophisticated, a small but very
significant percentage of Malware escapes this predefined screening process and manages to enter and compromise both the
system and the network itself. Unfortunately, the percentage of Malware escaping this predefined screening process is also
growing every day.

It is essential for users and absolutely essential for administrators to be able to determine if a binary is harmful by examining
it manually and without relying on the automated scanning engines. The level of information required after an analysis is done
differs according to the user's needs. For instance, a normal user might only want to know if a binary is malicious or not, while
an administrator might want to know more like the registry values the binary injects, the copies of infected files it creates, the
types of files the binary infects and also the actual payload information and what it does. That means, he may want to
completely reverse engineer the binary for his purposes.

Techniques for Malware Analysis

There are basically two techniques that are used for analyzing a Malware:

- Code analysis
- Behavior analysis

In most cases, a combination of both these techniques is used. However, we will consider code analysis first.

Code Analysis

Code analysis is one of the primary techniques used for examining Malware. The best way of understanding the way a program
works is, of course, to study the source code of the program. However, the source code for most Malware is not available.
Malicious software is more often distributed in the form of binaries, and binary code can still be examined using debuggers and
disassemblers. However, the use of these tools is often beyond the ability of all but a small minority because of the
specialized knowledge that is required. Given sufficient time, any binary, however large or complicated, can be reversed
completely by using code analysis techniques. We will deal with some aspects of code analysis and the reverse engineering
process later.

Behavior Analysis

Behavior analysis is concerned with the behavioral aspects of the malicious software. Like a beast kept under observation in a
zoo, a binary can be kept in a tightly controlled environment and have its behavior scrutinized. It is mainly done in a virtual
OS environment so that the effects of the Malware can be kept under control. Its activities or the changes it makes to the
environment (file system, registry, network, etc.), its communication with the rest of the network, its communication with
remote devices, and so on are closely monitored and information is collected. The collected data is properly documented and
analyzed, and the complete picture is reconstructed from these different bits of information.

The best thing about behavior analysis is that it is within the scope of an average administrator or even a normal user. Though
reverse engineering using behavior analysis does not recover the binary's code, it is sufficient for most users' needs. For
instance, it is not sufficient for an antivirus researcher, but for most other users or Administrators, behavior analysis can
fulfill all their needs. In this article, we will deal mainly with the behavioral analysis of Malware and the ways and tools with
which we can do that.

Goals of the Analysis

The goal of this article is to provide a set of behavior analysis techniques for reverse engineering a Malware's activities in a
controlled environment. We also have to keep in mind that the learning curve should be gentle enough that it is within the
scope of the average user's understanding. Using these methods, people should be able to analyze an unknown binary and
determine whether it is Malware or not. Those who require more in-depth knowledge can further reverse engineer the binary
and document its workings completely.

Assumptions

This paper makes a few assumptions for the sake of convenience and clarity. These are:

- We assume that the Malware is a Win32 binary on the Intel x86 platform
- We sometimes will refer to the Malware as "Binary". However, a Malware can be a collection of one or more Binaries
- The host machine on which the Binary is executed is referred to as the "Sandbox" or the "Victim Computer"
- The other machine on the test network is referred to as the "Sniffer Computer"

Tools used in Malware Analysis

Since the goal of this article is to propose a generic set of techniques, the tools mentioned in this paper are just "proposed"
tools and are readily available as freeware. Any other tool that has the same or similar functionality can be used in place of
the proposed ones, however it would be recommended to use the ones suggested here, though the versions may vary. The
tools or applications we would be using for our analysis part are:

- Microsoft Virtual PC 2007: Virtual PC 2007 is a powerful software virtualization solution that allows you to run multiple
  PC-based operating systems simultaneously on one workstation. We will be using it to create the "Sandbox" or the
  "Victim Computer".
- SysInternals Process Explorer: To find out what files, registry keys and other objects the running processes have
  opened, which DLLs they have loaded, and more.
- SysInternals AutoRuns: To see what programs are configured to start up automatically when your system boots and
  you log in. AutoRuns also shows you the full list of Registry and file locations where applications can configure
  auto-start settings.
- SysInternals FileMon: This monitoring tool lets us see all file system activity in real time.
- SysInternals RegMon: This monitoring tool lets you see all Registry activity in real time.
- SysInternals Process Monitor: This is an advanced monitoring tool for Windows that shows real-time file system,
  Registry and process/thread activity.
- 7th Sphere Port Scan: This is probably the best Windows port scanner I've used. It's fast and accurate. Fport is also
  a good choice as it will map the owning process to the open port.
- FileAlyzer: This is a file analysis tool that can be used as a standalone utility or with SpyBot S&D.
- Trend Micro HijackThis v2.0.0: This program will scan the system and generate a log file containing the registry, file
  and BHO settings which are commonly manipulated by Malware.
- ESUG Loadpoint Diagnostic: This is a tool that I received from the Symantec Support guys and I don't think it can be
  downloaded; however, I will try to upload it so that people can benefit from it. This command line tool scans the
  system and generates a zip file that contains a detailed HTML summary of the entire system.
- Network Active PIAFCTM: This is a packet Sniffer. You can use any other good packet Sniffer if you wish to.
- InstallWatch: A utility that tracks changes made to your system during the installation or removal of software or
  hardware. It tracks deletions or modifications to files and directories, INI files, and the Registry.
- Resource Hacker: A freeware utility to view, modify, add, delete and extract resources from 32-bit Windows
  executables.

There can be more tools that can be used to streamline the approach or methodologies for this analysis. However, for now we
will work with the above mentioned tools. A detailed description of each individual tool used for our analysis will be provided at
the end of this article.

Methodology

The proposed methodology to go ahead with this behavioral analysis of a Malware will be broadly divided into six stages. They
are:

- Creating a controlled environment
- Baseline the environment
- Information collection
- Information analysis
- Reconstructing the bigger picture
- Documenting the results

Creating a controlled environment

The setting up of a controlled environment is absolutely essential for analyzing Malwares. A "test environment" is created for
this purpose. Some essential features of this test environment will be:

- At least two systems should be used. One system is for hosting the malicious binary (Sandbox) and the other is to
  baseline and sniff the network traffic (Sniffer Computer). They should be networked in such a way that the Sniffer
  Computer can sniff the Sandbox's network traffic. We will use Microsoft Virtual PC to create the Sandbox and we will
  use the host OS as the Sniffer Computer.

- These two systems should be isolated from the rest of the network, but it is recommended that we have Internet
  access from the Host/Sniffer Computer.

- Fresh copies of Operating Systems should be installed on each of the two machines. On both systems, we will be
  installing Windows XP Professional SP2; however, we will not be installing any further updates or hotfixes. This is
  done so that the Malware, in case it exploits any vulnerability in the XP SP2 system, can take full advantage of
  those vulnerabilities. This gives us a better insight into the activities of the Malware.

- The above mentioned tools should be transferred to the relevant systems. Later on we will make a note/list of which
  tool has to be kept on which system.

- The binary that is to be examined should be transferred to the Sandbox.

- It is highly preferable not to install any other application on the Sandbox apart from the tools required for analysis.

- This is the most basic setup for a Malware Analysis environment. Apart from this, and depending on the situation,
  more modifications can be made. For instance, if the malicious binary tries to communicate with a remote server
  xyz.com, then specific hosts file entries can be made or a fake xyz.com can be set up in the Host OS and the requests
  to the host's port 80 can be redirected for trapping the packets sent. An excellent paper that discusses the creation of
  a Malware Analysis environment is "An Environment for Controlled Worm Replication and Analysis".

- We may have to return to this "creating a controlled environment" stage many times during the analysis process.
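
The "fake xyz.com" idea above can be realised with a small HTTP sinkhole on the Host/Sniffer machine. The Python below is an added example and not tooling from the article: it assumes you have already pointed the Sandbox at the host (a hosts file entry for the domain, or a redirect of port 80), answers every request with an empty 200 so the binary believes it reached its server, and records the request line and headers for the analysis notes. demo() drives it with a constructed request from the same process; on the real Sniffer machine you would bind port 80 and let the Sandbox make the requests.

```python
"""Minimal HTTP sinkhole for trapping a binary's call-home traffic.
Added example, not part of the article. Request in demo() is constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answers every request with an empty 200 and logs what was asked for."""

    server_version = "Sinkhole/0.1"

    def _record(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        self.server.captured.append({
            "client": self.client_address[0],
            "method": self.command,
            "path": self.path,
            "host": self.headers.get("Host", ""),
            "user_agent": self.headers.get("User-Agent", ""),
            "body": body,
        })
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_GET = _record
    do_POST = _record
    do_HEAD = _record

    def log_message(self, fmt, *args):
        # The captured list is the single record; keep stderr quiet.
        pass


class SinkholeServer(HTTPServer):
    def __init__(self, address):
        super().__init__(address, SinkholeHandler)
        self.captured = []  # one dict per request, in arrival order


def start_sinkhole(host="127.0.0.1", port=0):
    """Start the sinkhole in a background thread; port=0 picks a free port.
    On the Sniffer machine you would bind ("0.0.0.0", 80) instead."""
    server = SinkholeServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def stop_sinkhole(server):
    server.shutdown()
    server.server_close()
    return server.captured


def demo():
    """Constructed client request standing in for the binary's call-home."""
    server = start_sinkhole()
    port = server.server_address[1]
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/update.php?id=1",
                 headers={"Host": "xyz.com", "User-Agent": "ConstructedAgent/1.0"})
    conn.getresponse().read()
    conn.close()
    captured = stop_sinkhole(server)
    for entry in captured:
        print(f"{entry['client']} {entry['method']} {entry['host']}{entry['path']} "
              f"UA={entry['user_agent']!r} body={len(entry['body'])} bytes")
    return captured


if __name__ == "__main__":
    demo()
```

The Host header and request path are usually the most useful part of the capture: they name the server the binary expected to reach and the resource it asked for, which feed directly into the Internet search step later in the analysis.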

Baseline the environment

Baselining the environment created for carrying out the Malware Analysis process is the next most important step in any
Malware Analysis process. To "Baseline" means taking a snapshot of the current environment. We will use this snapshot or
state of the two existing systems, especially the Sandbox, as the benchmark for comparison. Our goal will be to determine the
differences in the configuration and state of the Sandbox.

This will be the most vital stage in our analysis. If baselining is not done properly, it will have a serious effect on the
information gathering stage, which in turn seriously affects our understanding of the binary and the activities that the binary
will carry out once executed in the Sandbox. If baselining is done efficiently, the information gathered during the next stage
will become very accurate and depending on this behavioral analysis we can get a clear picture of the Malware that we would
be analyzing.

To accomplish our goals, the binary which has to be analyzed is executed in a controlled environment and the changes it
makes to that environment are captured. Before executing the binary, a snapshot of the environment is created (baseline) and
then after execution another snapshot is created. In theory, the difference between the baseline and the final snapshot shows
the changes made by the binary.

Baselining the Sandbox

The elements of the Sandbox environment that have to be baselined are:

- File System & Installed Applications: The file system on the victim host has to be baselined. There are many
  programs that can create a snapshot of the file system and, after a few changes occur, point out the modifications.
  Some of the programs we can use are InstallWatch, Loadpoint Diagnostic, AutoRuns etc.

- Registry: The registry is the next component that is to be baselined. Most Malware applications rely on registry
  entries. Therefore it is crucial to capture registry modifications. InstallWatch and Loadpoint Diagnostic, as mentioned
  above, can be used for registry baselining.

- Running processes: A snapshot of the running processes can be created using a number of programs. Some of
  them are available from SysInternals.

- Open Ports: A snapshot of the open ports can be created using the 'netstat' utility. However, it does not list the
  name of the process that is tied to the port. We can also use 7th Sphere Port Scan to scan the Sandbox. Fport is also
  a good choice as it will map the owning process to the open port.

- Network traffic: The next element that has to be baselined is the network traffic. Even when there is no application
  running on either of the test machines, there will still be some network traffic. This traffic has to be recorded and the
  "normal traffic" in our test network has to be defined. This is because when deviations occur in the "normal traffic"
  pattern, we can assume they are generated by the binary and perform further testing on them. Sniffing software that is
  installed on our "Sniffer Computer" is used for this purpose. Any sniffing software running in verbose mode is
  sufficient for our purposes. However, to make our task easier, it is preferable to use a protocol analyzer like Network
  Active PIAFCTM or Ethereal.

- External view: Although we have created a snapshot of the open ports in the Sandbox, it is always better to create
  one more snapshot from an external machine. A port scanner running on our "Sniffer System" can achieve this task
  for us. 7th Sphere Port Scan will be the port scanner we will use here.

Users, Groups, Network Shares and Services are some of the other elements that should be baselined as well.

Information collection

Now that the preparations are over, we can go ahead with our activities. This is the only stage where we have an actual
interaction with the Malware. A lot of raw information about the binary is collected during this stage which is analyzed in the
next stage. Therefore, it is very important to carefully record all the information generated in this stage. The steps in the
information collection stage are:

Static analysis

During the static analysis stage, we collect as much information about the binary as possible, without executing it. This
involves many techniques and tools. Static analysis reveals the scripts, HTML, GUI, passwords, commands, control
channels, and so on. Simple things like the file name, size and version string are recorded. Human-readable strings are
extracted from the Malware and these strings are recorded. A program like Binary Text Scan can be used for this purpose.
These strings reveal a lot of information about the function of the binary.

Resources that are embedded in the binary are extracted and recorded. A program like Resource Hacker can be used for
this purpose. The resources that can be discovered through this process include GUI elements, scripts, HTML, graphics,
icons, and more.

Dynamic analysis

During this stage, we actually execute the binary and observe its interaction with the environment. All monitoring tools,
including the sniffing software, are activated. Different experiments are done to test the response of the running Malware
process to our tools. Attempts to communicate with other machines are recorded. In this analysis phase a new snapshot
of the environment is created, as in the "Baseline the environment" stage.

After taking a snapshot of all the changes the Malware performs in the system, the Malware process is terminated. Now,
the differences between the new snapshot and the baseline snapshot are determined. The dynamic analysis step is very
similar to the "Baseline the environment" stage; therefore, the same tools are reused here. Loadpoint Diagnostic and
InstallWatch can be used for this purpose. Apart from these tools, AutoRuns, FileMon and RegMon from SysInternals can
be used for monitoring the file system and the registry dynamically. These tools are used for observing the changes to the
file system and the registry of the Sandbox.

The information recorded forms the input for the next stage of our analysis. The information generated here can be new files,
registry entries, open ports, etc. Sometimes, the static analysis has to be repeated once more after doing a dynamic analysis.
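
The snapshot-and-diff idea that both the "Baseline the environment" stage and the dynamic analysis step rest on can be shown in a few dozen lines. The Python below is an added example and not the article's tooling (InstallWatch and Loadpoint Diagnostic do this job in the article): snapshot_tree() hashes every file under a directory, and diff_snapshots() compares any two name-to-value maps, so the same function serves file systems, registry values, process lists and open ports. demo_file_diff() runs against a throwaway directory it creates itself; the registry and port snapshots in demo_constructed() are constructed sample data, not captured from a system.

```python
"""Baseline and compare: snapshot before the binary runs, snapshot again
afterwards, diff the two. Added example; registry/port data is constructed."""
import hashlib
import tempfile
from pathlib import Path


def snapshot_tree(root):
    """Map every file under root (relative POSIX path) to (sha256, size).
    Hashing, rather than trusting timestamps, catches in-place edits."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (hashlib.sha256(data).hexdigest(), len(data))
    return snap


def diff_snapshots(baseline, after):
    """Generic comparison of two name -> value maps."""
    added = {k: after[k] for k in after.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - after.keys()}
    modified = {k: (baseline[k], after[k])
                for k in baseline.keys() & after.keys() if baseline[k] != after[k]}
    return {"added": added, "removed": removed, "modified": modified}


def format_report(label, delta):
    """Render a delta as lines suitable for the analysis notes."""
    lines = [f"== {label} =="]
    for kind in ("added", "removed", "modified"):
        for key in sorted(delta[kind]):
            lines.append(f"{kind:>8}: {key} -> {delta[kind][key]}")
    if len(lines) == 1:
        lines.append("  (no change)")
    return lines


def demo_file_diff():
    """Create a throwaway tree, baseline it, simulate what a run of the binary
    might do (one file dropped, one modified, one deleted), then diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        (root / "readme.txt").write_bytes(b"baseline\n")
        baseline = snapshot_tree(root)

        (root / "system32" / "hosts").write_bytes(b"127.0.0.1 localhost\n127.0.0.1 example.invalid\n")
        (root / "system32" / "dropped.dll").write_bytes(b"constructed payload bytes")
        (root / "readme.txt").unlink()
        after = snapshot_tree(root)
    return diff_snapshots(baseline, after)


# Constructed samples of two other snapshot kinds the article baselines.
REGISTRY_BASELINE = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "about:blank",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleTool": r"C:\Program Files\Example\tool.exe",
}
REGISTRY_AFTER = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "http://search.example.invalid/",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ExampleTool": r"C:\Program Files\Example\tool.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AntiSpy": r"C:\Program Files\AntiSpy\antispy.exe",
}
PORTS_BASELINE = {"TCP/135": "svchost.exe", "TCP/445": "System"}
PORTS_AFTER = {"TCP/135": "svchost.exe", "TCP/445": "System", "TCP/8080": "antispy.exe"}


def demo_constructed():
    return {
        "registry": diff_snapshots(REGISTRY_BASELINE, REGISTRY_AFTER),
        "ports": diff_snapshots(PORTS_BASELINE, PORTS_AFTER),
    }


if __name__ == "__main__":
    for line in format_report("file system", demo_file_diff()):
        print(line)
    for label, delta in demo_constructed().items():
        for line in format_report(label, delta):
            print(line)
```

Taking the baseline from an otherwise idle Sandbox matters here as much as in the article: anything the system changes on its own between the two snapshots (log files, prefetch data) shows up in the diff and has to be recognised as noise before the remainder is attributed to the binary.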

Information analysis

This is the stage where we can finally reverse engineer the binary based on all the information collected during the previous
stages. Each part of the information is analyzed over and over until the "jigsaw puzzle" is complete. Then the bigger picture
begins to appear and the reverse engineering process is finished. However, before this is achieved, we may have to repeat the
previous stages several times. We will look into the process of 'Reverse Engineering a Malware' in another article dedicated to
Reverse Analysis.

The goals of the individual or organization evaluating the Malware determine the type of analysis, and because the goals differ,
no standard methodology is provided for this stage. For instance, when looking for deviations from an organization's stated
security policy, the goals and the information to be collected may differ. Although a complete methodology for information
analysis is beyond the scope of this paper, a few techniques are presented here. In many cases, these techniques are
sufficient for analysis.

Internet searches

A search engine can be used for searching for more information on the Malware. Keywords for the search engine can be drawn
from the information generated during the "Static Analysis" step. Things like filenames, registry entries, commands, etc. often
reveal a lot of information about the Malware. Some good sources of information on the internet include Online Virus
Databases (mostly maintained by Antivirus Vendors), News Groups and Mailing Lists. Many times, internet searches reveal
almost all the information about a Malware and no further research is needed.

One very interesting and important site that I personally refer to before carrying out any Malware Analysis process is:
http://www.virustotal.com

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of Viruses, Worms, Trojans and all
kinds of Malware detected by antivirus engines.

Features:
- Free, independent service
- Use of multiple antivirus engines
- Real-time automatic updates of virus signatures
- Detailed results from each antivirus engine
- Real-time global statistics

Personally, I also submit any suspicious binary to the Microsoft Malware Protection Center (MMPC), and even if the Malware is
not detected by any of the Antivirus scanners, MMPC responds within 10-12 hours of submission.
The Virus Submission URL of MMPC is: https://www.microsoft.com/security/portal/submit.aspx

Startup methods

Every Malware needs a way to ensure that it is executed when a system reboots. This is the most vulnerable aspect of the
Malware. There are a number of ways in all operating systems that a program can use to restart automatically when a system
reboots. The information collected during the static and dynamic analysis stages can be analyzed to identify the startup methods
the Malware uses to get activated at system reboot.

A special section to inform users about the various startup methods used by Malware will be added at the end of this
article. A tool from SysInternals called AutoRuns does the trick for us during the Malware Analysis process. AutoRuns monitors
more startup areas than any other startup application available today, giving us the opportunity to check the ways by which a
Malware can actually come alive again.
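
To connect this section with the diff produced in the dynamic analysis step, the Python below classifies changed registry keys and file paths against a short list of the auto-start locations that AutoRuns also inspects (Run/RunOnce keys, Winlogon Shell/Userinit, services, Browser Helper Objects, Active Setup, AppInit_DLLs, the Startup folder and scheduled tasks). It is an added example, not part of the article or of AutoRuns; the location list is a well-known subset, not a complete catalogue, and the CHANGES list is constructed sample input of the kind a baseline diff produces, with invented names.

```python
"""Flag which entries of a baseline diff give a binary a way to run again
after reboot. Added example; location list is a subset, CHANGES is constructed."""
import re

# (category, pattern) in priority order; matched case-insensitively against
# the backslash-separated path of a registry value or a file.
AUTOSTART_LOCATIONS = [
    ("Run key",            r"\\CurrentVersion\\Run(Once|OnceEx|Services)?\\"),
    ("Policy Run key",     r"\\Policies\\Explorer\\Run\\"),
    ("Winlogon",           r"\\Winlogon\\(Shell|Userinit|Notify)"),
    ("AppInit_DLLs",       r"\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs"),
    ("Service",            r"\\CurrentControlSet\\Services\\"),
    ("Browser Helper Obj", r"\\Explorer\\Browser Helper Objects\\"),
    ("Active Setup",       r"\\Active Setup\\Installed Components\\"),
    ("Startup folder",     r"\\Start Menu\\Programs\\Startup\\"),
    ("Scheduled task",     r"\\Windows\\Tasks\\.*\.job$"),
]
_COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in AUTOSTART_LOCATIONS]


def classify_autostart(path):
    """Return the auto-start category a path belongs to, or None."""
    for name, rx in _COMPILED:
        if rx.search(path):
            return name
    return None


def find_autostart_changes(changes):
    """changes: iterable of (kind, path), kind being 'added' or 'modified'.
    Returns [(category, kind, path)] for the entries that act as a startup
    method; everything else (data files, ordinary settings) is filtered out."""
    hits = []
    for kind, path in changes:
        category = classify_autostart(path)
        if category is not None:
            hits.append((category, kind, path))
    return hits


# Constructed sample: the 'added'/'modified' entries a baseline diff might list
# after running an unknown binary. All names are invented for the example.
CHANGES = [
    ("added",    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AntiSpy"),
    ("modified", r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"),
    ("added",    r"HKLM\SYSTEM\CurrentControlSet\Services\AntiSpySvc\ImagePath"),
    ("added",    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\antispy.lnk"),
    ("added",    r"C:\WINDOWS\Tasks\AntiSpy Update.job"),
    ("modified", r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page"),
    ("added",    r"C:\Program Files\AntiSpy\antispy.exe"),
]

if __name__ == "__main__":
    for category, kind, path in find_autostart_changes(CHANGES):
        print(f"{category:<20} {kind:<8} {path}")
```

A hit here tells you where to look during removal: each flagged key or file is one place the binary relies on to survive a reboot, and the AutoRuns output for the same location should agree with it.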

Spreading mechanism

If the Malware under observation is a self-spreading worm or a virus, the collected network traffic data will easily reveal its
spreading mechanism. In most cases, a brief analysis of the network traffic is enough; else, a study of the file system activity
and registry activity is carried out to find out the activities of the payload of the Malware.

Documenting the results

Documenting the results of the Malware analysis process is essential. One of the main advantages is that the knowledge
incorporated into the documentation can be used for later analysis activity. The documentation will differ from individual to
individual and organization to organization, depending on the requirement and purpose.

Conclusion

From this article we have seen that a basic behavioral analysis of a Malware can be easily performed by an administrator, or
indeed by a power user. While this approach does not give the same level of detail as code analysis or reverse engineering
would, it is still sufficient for most people's needs when figuring out what a potentially malicious binary is capable of and also
how to go ahead with the removal and disinfection process.

Case Study: A known rogue application

Analysis of a real Malware

Introduction

Before I go further into analyzing a real life Malware, let me take you through some symptoms of infection. It is really hard
to detect the symptoms of infection as they often appear to be normal Web or computer operations, so you may not
recognize them as symptoms. However, a sudden change in how your computer is behaving could be a sign of a possible
infection. Below are some of the symptoms that may reveal that your system is possibly infested with Malware.

Virus Symptoms
- Unusual messages or displays on your monitor
- System shutting down or logging off suddenly
- System has less available memory than it should
- A disk or volume name has been changed or is inaccessible
- Programs or files are suddenly inaccessible (e.g. Task Manager, Registry Editor, Folder Options)
- Unknown programs or files have been created
- Known files or folders changing to files with .exe or .vbs extensions
- Sudden increase in network activity

Trojan Symptoms
- Your computer screen flips upside down or inverts
- Your wallpaper or background settings change by themselves
- Documents or messages print on your printer by themselves
- Your Windows color settings change by themselves
- Your screen saver settings change by themselves
- Your right and left mouse buttons reverse their functions
- Your mouse pointer disappears
- Your mouse moves by itself
- Your mouse starts leaving trails
- Your Windows Start button disappears
- Your computer starts reading the contents of your clipboard
- Your Task bar disappears
- Your computer shuts down and powers off by itself

Spyware Symptoms
- One of the oldest and most common Spyware tricks is to automatically change your Web browser's default or start-up
  homepage - the page that first appears when you start your browser or click the "home" button.
- You end up at the same strange site whenever you perform a search.
- Your firewall and antivirus programs are frequently turned off automatically.
- Your network connection's activity lights blink a lot when you are not actively doing anything on the internet.
- You are unable to stop the excessive popup windows that appear from nowhere.
- Strange icons and new shortcuts lurk in your taskbar, system tray or on your desktop.
- You find new programs in the Add/Remove Programs list of your Control Panel which you don't remember installing.
- You are redirected to a strange site instead of a 404 error page when a web page isn't found.
- You get frequent alerts from your firewall about an unknown program or process trying to access the internet.
- You get a lot of bounced mail and see evidence of e-mails being sent without your knowledge.
- Your browsing speed becomes very slow since you installed the "ultimate search companion".
- Strange and unexpected toolbars appear in your web browser and you don't know how they got there.

There can be more symptoms, but that is again outside the scope of this article. These lists of symptoms can be read in detail
on a lot of security related sites on the internet. For further reading, I would recommend that you take active part in security
forums or blogs.

THE MALWARE

Getting back to the topic of analyzing the actual binary executable that falls under the genre of Malware, let me bring you face
to face with the actual Malware itself.

We will be working with a ‘rogue application’ that poses as an Antispyware but is in reality a Malware. To know a little
about this application, it is better that I first make clear what a ‘rogue application’ is.

Rogue Application: In the broader sense, a rogue application could be any software for which an Organization does not
have an appropriate license. This could include unauthorized or non-business-critical programs like Kazaa, LimeWire and other
peer-to-peer applications; iTunes or other media players; or public instant messaging clients like those from AOL or Yahoo!
However, I will focus on the maliciousness of the application concerned instead of the 'Compliance' aspect of an
Organization's audit policies. In general, the term rogue application brings to mind Rootkits, Keyloggers, Backdoor TELNET
servers and other Trojan-horse-type exploit programs that pose as legitimate applications. So to sum up:

Any application that poses as software intended to be useful, but in the background carries out malicious or illegitimate
activities, can be classified as a rogue application. Some well-known examples of rogue applications that pretended to be
Antispyware applications are SpyShredder, MalwareMonitor etc.

In our case, we are going to deal with an application that also poses as an Antispyware. After it was analyzed by MMPC,
this is what they had to say about this program:

“This threat is classified as a Trojan - Downloader. A downloader Trojan accesses remote websites in an attempt to download
and install malicious or potentially unwanted software. This threat is detected by the Microsoft antivirus engine. Technical
details are not currently available.” – MMPC (March 08 2008)
http://www.microsoft.com/security/portal/Entry.aspx?ThreatId=-2147364773

The Malware was being downloaded from the website http://xpantivirus2008.com (refer to the screenshot of the site).

The site looked pretty impressive. All the links, viz. “Try Free”, “Buy Now” and “Start Scan”, were pointing to the URL:
http://xpantivirus2008.com/download.php?id=

On clicking the link, the application executable named “XPantivirus2008_v880011.exe” was downloaded. This is the actual
Malware that we will be analyzing. After the application is downloaded and installed, it reports elevated security risks and
then prompts the user to purchase a registered version of the software in order to remove the reported threats.

To analyze the said application, we would be referring back to the Malware Analysis article and follow the steps mentioned.

Methodology

The proposed methodology (already mentioned in the article above) to go ahead with this behavioral analysis of a Malware will
be broadly divided into six stages. They are:

 Creating a controlled environment
 Baseline the environment
 Information collection
 Information analysis
 Documenting & Reconstructing the bigger picture

Creating a controlled environment

We will be creating the test environment for analyzing the above mentioned Malware. We will be using Microsoft VPC 2007 to
create the victim system or the Sandbox and the host system will serve the purpose of the Sniffer Computer.

We have installed Windows XP SP2 using Microsoft VPC and named it as SandBox.

For optimizing the performance of the Sandbox, we have done a certain amount of tweaking. Complete details of tweaking
Windows XP SP2 can easily be found on the internet; it is suggested that the Sandbox’s OS be configured so that it
doesn’t eat up much memory. The reason is that the analysis process will need certain tools and applications that might
end up consuming the resources, and eventually the Sandbox might crash.

One more essential feature of VPC is the option to compress the virtual hard disk that we created during installation of the
Sandbox. Also, it is recommended that we ‘Enable’ the ‘Undo Disk’ feature. This will help us to discard all the changes made
by the Malware after we purposefully infect the Sandbox.

We will transfer all the tools (mentioned above in the article) required for Malware analysis to the Sandbox. We have installed
in the Sandbox only those applications that would help us in our activities. Specifically, I have installed Mozilla Firefox, InstallWatch
and NetworkActiv PIAFCTM. However, the complete list of these will be jotted down during the baselining phase.

Having made the Sandbox environment ready for carrying out the analysis, we do the same for the Sniffer computer. We
have installed NetworkActiv PIAFCTM in this system as well for sniffing the network traffic that might get generated from
the Sandbox. Also, we have kept all the tools for Malware Analysis in this Sniffer (host) system as well.

Details of the Sandbox and the Sniffer computer are as follows:

Sandbox details:

Host Name . . . . . . . . . . . . : Sandbox
Physical Address. . . . . . . . . : 00-03-FF-5E-2B-52
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 202.54.9.1/202.54.29.145
Operating System. . . . . . . . : Windows XP v2002 SP2

Sniffer details:

Host Name . . . . . . . . . . . . : Sniffer
Physical Address. . . . . . . . . : 00-03-FF-5E-2B-52
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 202.54.9.1/202.54.29.145
Operating System. . . . . . . . : Windows XP v2002 SP2

Connectivity between the Sandbox and the Sniffer has to be configured so that from the Sniffer you can ping, sniff and
transfer files to the Sandbox.

Ping response from the Sniffer to the Sandbox:

Pinging 192.168.1.3 with 32 bytes of data.

Reply from 192.168.1.3: bytes=32 time=52ms TTL=128
Reply from 192.168.1.3: bytes=32 time=481ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128
Reply from 192.168.1.3: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.1.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 481ms, Average = 133ms

File transfer from the Sniffer to the Sandbox: Microsoft Virtual Machine Additions are installed in the Sandbox. This
ensures that the copy-paste and drag-and-drop features are enabled between the Sniffer and the Sandbox and vice versa.

Baselining the Sandbox

The elements of the Sandbox environment that have to be baselined are:

File System & Installed Applications: The file system on the victim host has to be baselined. There are many programs
that can create a snapshot of the file system and, after changes occur, point out the modifications. Some of the programs
we can use are InstallWatch, Loadpoint Diagnostic, AutoRuns, HijackThis etc.

Installed Applications: We have just 3 applications installed.

 Mozilla Firefox for browsing the internet (Mozilla is used in case the Malware infects Internet Explorer)
 InstallWatch for monitoring the changes in the registry and file system after the Malware is executed.
 NetworkActiv PIAFCTM for monitoring the network traffic in the Sandbox.

Add or Remove Program snapshot

This Add or Remove Programs snapshot is important as some Malware, especially Spyware, has a tendency to download other
malicious rogue applications or Adware without the knowledge of the user. This baseline snapshot will help to identify whether
there are any deviations after the Malware infects the Sandbox.

InstallWatch snapshot – InstallWatch will create the baseline snapshot.

Loadpoint Diagnostic snapshot

HijackThis Logs - The log generated by HijackThis is also saved as Sandbox’s baseline snapshots.

Registry: The registry is the next component that is to be baselined. Most Malware applications rely on registry entries.
Therefore it is crucial to capture registry modifications. InstallWatch, Loadpoint Diagnostic, AutoRuns as mentioned above can
be used for registry baselining.

AutoRuns screenshot – We will take a registry snapshot with AutoRuns and save the view state as the baseline.

Apart from this we already have the Loadpoint Diagnostic log and the HijackThis log. These logs will help us to compare the
state of the Sandbox once the Malware infects it.

We could have taken the backup of the entire registry, but I try to avoid this method because it would generate a .reg file that
would be around 20-30 MB and it becomes really problematic to get our file compare utilities to work on it. Since we don’t
save the state of the Sandbox (Undo Disk -> Enabled) during shutdown we need not worry about the integrity of the
Sandbox’s OS as well.

Running processes: A snapshot of the running processes can be created using a number of programs. Some of them are
available from SysInternals.

Process Explorer snapshot – snapshot and log of the running processes can be created using SysInternals Process Explorer

Apart from Process Explorer log, we also have the logs of HijackThis and Loadpoint Diagnostic tools. These logs will help us to
identify any new process that gets created after the Malware is executed in the Sandbox.

Open Ports: A snapshot of the open ports can be created using the 'netstat' utility. However, it does not list the name of the
process that is tied to the port. We can also use 7th Sphere Port Scan to scan the Sandbox. Fport is also a good choice as it
will map the owning process to the open port.

7th Sphere Port Scan

After scanning for open ports we found the below results:

SCANNING HOST: Sandbox
IP ADDRESS: 192.168.1.3
SCAN BEGUN ON PORT: 1
SCAN HALTED ON PORT: 65536
RESULTS OF SCAN FOLLOW
TCP 135: Open
TCP 139: Open
TCP 445: Open
TCP 2869: Open

We would also like to get the names of the processes or services that are using these ports. Also, we are interested in seeing
whether there are any UDP ports open in the system. We will use Fport for this. After scanning the system with Fport (a good
command-line port-to-process mapping utility) we get the below results:

E:\Malware Analysis\Fport>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
764                  ->  135   TCP
4     System         ->  139   TCP
4     System         ->  445   TCP
940                  ->  2869  TCP
0     System         ->  137   UDP
0     System         ->  138   UDP
764                  ->  445   UDP
4     System         ->  500   UDP
940                  ->  1037  UDP
4     System         ->  1038  UDP
0     System         ->  1039  UDP
0     System         ->  1040  UDP
0     System         ->  1041  UDP
0     System         ->  1900  UDP
0     System         ->  4500  UDP

Network traffic: The next element that has to be baselined is the network traffic. Even when there is no application running
on the Sandbox, there will still be some network traffic. However, to make our task easier, it is preferable to use a protocol
analyzer like Network Active PIAFCTM or Ethereal.

Network Active PIAFCTM Snapshot

The traffic displayed here is generated by the Sniffer system. This is normal traffic that shows the interaction of the Host OS
(Sniffer) with the Guest OS (Sandbox) in a Microsoft VPC environment.

External view: Although we have created a snapshot of the open ports in the Sandbox, it is always better to create one more
snapshot from an external machine. A port scanner running on our "Sniffer System" can achieve this task for us. 7th Sphere
Port Scan will be the port scanner we will use here.

After scanning for open ports we found the below results:

SCANNING HOST: Sandbox
IP ADDRESS: 192.168.1.3
SCAN BEGUN ON PORT: 1
SCAN HALTED ON PORT: 65536
RESULTS OF SCAN FOLLOW
TCP 135: Open
TCP 139: Open
TCP 445: Open
TCP 2869: Open

This result is in sync with the scan result that we had received after initiating the scan inside the Sandbox.

Information collection

Now that the preparations are over, we can go ahead with our actual analysis part. This is the only stage where we have an
actual interaction with the Malware. A lot of raw information about the binary is collected during this stage which is analyzed
in the next stage. Therefore, it is very important to carefully record all the information generated in this stage. The steps in
the information collection stage are:

 Static analysis

During the static analysis stage, we collect as much information about the binary as possible, without executing it. This
involves many techniques and tools.

 Details of the binary: During static analysis, simple things like the file name, size and version string are recorded.
 Human-readable strings are extracted from the Malware and these strings are recorded. Tools like Binary Text Scan,
 FileAlyzer and Resource Hacker can be used for this purpose. This simple information can reveal a lot of details about the
 binary.

 FileAlyzer Logs: This tool will generate a lot of important information about the Malware binary. It records the binary's
 CRC-32 checksum, MD5 hash, version information, file attributes and even the PE header information. Though all
 the information gathered by this tool is important, since we are not focusing on reverse engineering now I will
 leave out the PE header information part.

 File Name: XPantivirus2008_v880011.exe
 Date Analyzed: 3/9/2008 7:00:06 AM
 Location: E:\Infected Files\
 Size: 41.472 KB
 Version: n/a
 CRC-32: 2E741646
 MD5: 4EDF998086A9A3327256BC9CA1581228
 Read only: No
 Hidden: No
 System file: No
 Directory: No
 Archive: Yes

 Embedded Resources
 Bitmap: BITBTN1_BITMAP
 RCData: DVCLAL / PACKAGEINFO

 Import/Export Table
 Import table: (libraries: 1) kernel32.dll (imports: 1) DeleteFileA

 PE Sections
 Section  VirtSize  VirtAddr  PhysSize  PhysAddr  Flags
 UPX0     00010000  00001000  00000000  00000400  E0000080
 UPX1     00009000  00011000  00008E00  00000400  E0000040
 .rsrc    00001000  0001A000  00001000  00009200  C0000040

There are a few things that I would like to explain here, especially about the Embedded Resources, Import/Export Table
and the PE Section.

 RCData: Raw data resources permit the inclusion of binary data directly in the executable file. The presence of this
tag in the log means that a binary has been included as a resource while creating this Malware. Now this would raise
some suspicion.
 DVCLAL: This stands for "Delphi Visual Component Library Access License". It shows the compiler version for Borland
products. It shows that the Malware was compiled using Delphi Compiler.
 PACKAGEINFO: It shows all units used during compiling an executable.
 Import table: It shows that the Malware is dependent on the Kernel32.dll library and from this library it uses the
function DeleteFileA.
 UPX0/UPX1: UPX stands for ‘Ultimate Packer for eXecutables’. It shows that the Malware binary has been packed
 using UPX. Later on we will try to unpack it.
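The section-table observations above (the UPX0/UPX1 names, a section with zero PhysSize but a large VirtSize, and the E0000080/E0000040 flags that mark a section both writable and executable) can be checked mechanically. The script below is an added example, not the author's code or FileAlyzer's: it parses a PE section table and reports packer indicators. It runs on a constructed minimal PE header that carries exactly the three section rows from the log, not on the real sample; the import count is passed in by hand since the import directory is not parsed here.

```python
import struct

# Section characteristic bits from the PE/COFF specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names that well-known packers leave behind (UPX is the one seen in the log)
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "MPRESS1", "MPRESS2"}

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        fields = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": fields[1], "virtual_address": fields[2],
            "raw_size": fields[3], "raw_address": fields[4], "flags": fields[9],
        })
    return sections


def packer_indicators(sections, import_count=None):
    """Score the packing indicators that the FileAlyzer section table exposed."""
    by_section, kinds = {}, set()
    for s in sections:
        reasons = []
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
            kinds.add("name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("no bytes on disk but %#x bytes reserved in memory (unpack target)" % s["virtual_size"])
            kinds.add("empty-on-disk")
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            reasons.append("writable and executable section (code is written at runtime)")
            kinds.add("w+x")
        if reasons:
            by_section[s["name"]] = reasons
    general = []
    if import_count is not None and import_count <= 2:
        general.append("only %d import(s): the real imports are resolved by the unpacking stub" % import_count)
        kinds.add("imports")
    # one indicator alone can be benign; two independent kinds make packing likely
    return {"packed_likely": len(kinds) >= 2, "by_section": by_section, "general": general}


def build_sample_pe():
    """Constructed minimal PE header (not the real sample) whose section table
    carries exactly the three rows FileAlyzer reported."""
    rows = [  # name, VirtSize, VirtAddr, PhysSize, PhysAddr, Flags
        ("UPX0", 0x00010000, 0x00001000, 0x00000000, 0x00000400, 0xE0000080),
        ("UPX1", 0x00009000, 0x00011000, 0x00008E00, 0x00000400, 0xE0000040),
        (".rsrc", 0x00001000, 0x0001A000, 0x00001000, 0x00009200, 0xC0000040),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0                                    # size of a PE32 optional header (left zeroed)
    coff = struct.pack("<HHIIIHH", 0x014C, len(rows), 0, 0, 0, opt_size, 0x010F)
    table = b"".join(SECTION_HEADER.pack(n.encode().ljust(8, b"\0"), vs, va, rs, ra, 0, 0, 0, 0, fl)
                     for n, vs, va, rs, ra, fl in rows)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print("%-6s VirtSize=%08X PhysSize=%08X Flags=%08X" % (s["name"], s["virtual_size"], s["raw_size"], s["flags"]))
    report = packer_indicators(secs, import_count=1)   # 1 import (DeleteFileA), as in the FileAlyzer log
    print("packed likely:", report["packed_likely"])
    for name, reasons in report["by_section"].items():
        print(name, "->", "; ".join(reasons))
    for line in report["general"]:
        print(line)
```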

Since we saw that this Malware has some embedded resources in it, I would like to dig deeper and try to view these
resources with the help of the tool called Resource Hacker.

Resource Hacker: Resource Hacker is a freeware utility to view, modify, rename, add, delete and extract resources in
32bit Windows executables and resource files (*.res). Resources can be saved as image files (*.ico, *.bmp etc), as script
files (*.rc), as binary resource files (*.res), or as untyped binary files (*.bin). Resources can be modified by replacing the
resource with a resource located in another file (*.ico, *.bmp, *.res etc) or by using the internal resource script compiler
(for menus, dialogs etc).

After opening the Malware binary with Resource Hacker and trying to view the bitmap resource in it, it gave an error that
confirms that the binary has been packaged with UPX.

While trying to unpack the Malware binary we received the following error:

 We will leave this here because it is not the resources that we are focusing on, nor even the packing and unpacking aspects
 of the Malware binary. Instead we will go ahead with the behavioral analysis of the Malware. So this takes us to the
 dynamic analysis part of our Malware analysis process.

 Dynamic analysis

During this stage, we actually execute the binary and observe its interaction with the environment. All monitoring tools
including the sniffing software are activated. Different experiments are done to test the response of the running Malware
process to our tools. Attempts to communicate with other machines are recorded. In this analysis phase a new snapshot of
the environment is created like in the baselining the environment stage.

The first thing we would do here is make a checklist of what tools we would be using and in what sequence to analyze the
Malware and its activities in the controlled or test environment. Refer below for the sequence in which we will use the tools
and save snapshots.

 Information to be collected from VirusTotal (if available) about the Malware
 Using InstallWatch to execute the Malware and take a snapshot of the activities
 Record the activities of the Malware after it has been executed
 Run HijackThis and Loadpoint Diagnostic utilities to save a snapshot of the infected system
 Take a snapshot of the running processes with Process Explorer
 Take a snapshot of the registry startups with AutoRuns
 Check the Add or Remove Programs console to see changes
 Take a snapshot of Network Activity
 Scan the Sandbox for open ports
 Monitor Registry & File System Activities with RegMon & FileMon
 Record the activities of the Malware after it has been executed

 After taking a snapshot of all the changes the Malware performs in the system, the Malware process is terminated. Now,
 the differences between the new snapshot and the baseline snapshot are determined. The dynamic analysis step is very
 similar to the baselining the environment stage. Therefore, the tools are reused for this stage. Loadpoint Diagnostic,
 InstallWatch and all other tools mentioned above can be used for this purpose. Apart from these tools, AutoRuns, FileMon
 and RegMon from SysInternals can be used for monitoring the file system and the registry dynamically. These tools are
 used for observing the changes to the file system and the registry of the Sandbox. Now we will go ahead with the actual
 dynamic analysis checklist and carry on the steps with utmost care and precision.

Information to be collected from VirusTotal (if available) about the Malware (http://www.virustotal.com)

VirusTotal is a service that analyzes suspicious files and facilitates the quick detection of all kinds of Malware.

 File: XPantivirus2008_v880011.exe
 Received on 03.08.2008 13:33:31 (CET)
 Result: 14/32 (43.75%)

 Antivirus  Version  Last Update  Result
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 TR/Crypt.ULPM.Gen
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.07 -
AVG 7.5.0.516 2008.03.07 Win32/PolyCrypt
BitDefender 7.2 2008.03.08 MemScan:Trojan.FakeAlert.PT
CAT-QuickHeal 9.50 2008.03.08 -
ClamAV 0.92.1 2008.03.08 -
DrWeb 4.44.0.09170 2008.03.08 Trojan.Fakealert.446
eSafe 7.0.15.0 2008.03.06 suspicious Trojan/Worm
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.08 -
FileAdvisor 1 2008.03.08 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.08 -
F-Secure 6.70.13260.0 2008.03.07 W32/Smalltroj.CYTS
Ikarus T3.1.1.20 2008.03.08 Trojan.Crypt.ULPM
Kaspersky 7.0.0.125 2008.03.08 Trojan-Downloader.Win32.FraudLoad.aa
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 TrojanDownloader:Win32/Renos.CT
NOD32v2 2931 2008.03.08 -
Norman 5.80.02 2008.03.07 W32/Smalltroj.CYTS
Panda 9.0.0.4 2008.03.08 Adware/Xpantivirus2008
Prevx1 V2 2008.03.08 Heuristic: Suspicious Self Modifying EXE
Rising 20.34.52.00 2008.03.08 -
Sophos 4.27.0 2008.03.08 Mal/HckPk-A
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.08 -
TheHacker 6.2.92.237 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.07 -
Webwasher-Gateway 6.6.2 2008.03.07 Trojan.Crypt.ULPM.Gen

 Additional information
File size: 41472 bytes
MD5: 4edf998086a9a3327256bc9ca1581228
SHA1: ffe4489828e7bce26f7125f73c2c99b5ccc48959
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CDB50E2B002DEBA0A22300F15DBBFB00EA9EFD40

 Now that we have enough proof and information that the binary is Malware in the truest sense, we will focus
 on finding out the behavior it displays in the test environment.

 Using InstallWatch to execute the Malware and take a snapshot of the activities

 InstallWatch will help us capture a snapshot of the system before we initiate the execution of the Malware through InstallWatch.
 It is recommended that before executing the Malware you create a fresh snapshot, so that whatever changes have occurred
 since you created the last snapshot are overwritten and this fresh snapshot becomes your baseline.

 Opening InstallWatch and clicking the Install option brings up a Wizard.

 Once you click Next, InstallWatch will create the baseline snapshot again because the snapshot you created earlier is
 much older.

 Once you click Yes, it will start creating a fresh snapshot.

 After the snapshot creation is complete, it will ask you to select the Malware binary that you want to execute. Once
 selected, click Next. This will straight away launch the Malware binary, and now you can see the Malware's (which in reality
 is a rogue application) installation wizard.

 At this moment, before clicking Continue, we have to start the Network Traffic analyzer by clicking the Start button of the
 NetworkActiv PIAFCTM window. Once done, click Continue and keep a watch on the Network Traffic as well.

 The moment you do so, you will see the Network Traffic getting captured by the Network Traffic Analyzer.

 After the installation is complete, you will see the Malware's window open, and it will initiate a fake scan with elevated
 high-risk alerts displayed as detections. At this time ignore the Malware's window, come back to the InstallWatch wizard and
 click Next. Doing so will again bring up the snapshot creation window and InstallWatch will take another snapshot. It will then
 ask you for the name of the application you just installed. Type in Malware in the text box and click OK. The InstallWatch
 wizard will then take you to its end. Click Finish to get out of the InstallWatch wizard.

Record the activities of the Malware after it has been executed

 Now that InstallWatch has done its job, our next task is to save the report generated by InstallWatch. InstallWatch will
 show a summary of the snapshot comparison:

 The installation performed the following activity:

 8 files / folders added
 15 files deleted
 7 files updated
 76 registry entries added
 0 registry entries deleted
 32 registry entries updated

 Installed 3/9/2008 12:50:34 PM

 You can now see the name Malware in the right panel of the InstallWatch window. Expand all the All Files & Registry
 sub-entries. This will help us know what changes the Malware has made in the system's File System and Registry.

We will make a note of all the activities under their respective heads.

Added Files / folders: 8 Files / Folders were added by the Malware.

Path  Size  Attr  Last Modified
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk  1KB  A  3/9/2008 12:46:52 PM
C:\Documents and Settings\Administrator\Desktop\XP Antivirus 2008.lnk  1KB  A  3/9/2008 12:46:52 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\firstrun[1].htm  1KB  A  3/9/2008 12:46:53 PM
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008  1KB  D  1/1/1601 5:30:00 AM
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk  1KB  A  3/9/2008 12:46:52 PM
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk  1KB  A  3/9/2008 12:46:52 PM
C:\Program Files\XP Antivirus  1KB  D  1/1/1601 5:30:00 AM
C:\Program Files\XP Antivirus\xpa2008.exe  529KB  A  3/9/2008 12:46:50 PM

Deleted Files: 15 Files were deleted by the Malware.

Path  Size  Attr  Last Modified
C:\Documents and Settings\Administrator\Cookies\administrator@google.co[1].txt  1KB  A  3/3/2008 7:14:22 PM
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt  1KB  A  3/3/2008 7:14:22 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\nav_logo3[1].png  7KB  A  3/3/2008 7:14:23 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\new_002[1].png  1KB  A  3/9/2008 10:03:14 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\upx12[1].png  23KB  A  3/9/2008 10:03:15 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\google.co[1].htm  7KB  A  3/3/2008 7:14:22 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\lclsrch[1].xml  2KB  A  3/3/2008 7:57:24 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\valid-xhtml10[1].png  3KB  A  3/9/2008 10:03:15 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\fader201[1].png  1KB  A  3/9/2008 10:03:13 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\upx.sourceforge[1].htm  28KB  A  3/9/2008 10:03:13 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX\balloon[1].xml  35KB  A  3/3/2008 7:57:28 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX\logo_plain[1].png  9KB  A  3/3/2008 7:14:23 PM
C:\System Volume Information  1KB  D  1/1/1601 5:30:00 AM
E:\Infected Files\XPantivirus2008_v880011.exe  42KB  A  3/6/2008 12:54:00 AM
E:\System Volume Information  1KB  D  1/1/1601 5:30:00 AM

Modified Files: 7 Files were modified by the Malware.

Path  Old Size  New Size  Old Attr  New Attr  Old Modified  New Modified
C:\Documents and Settings\Administrator\Cookies\index.dat  33KB  33KB  A  A  3/9/2008 10:01:59 AM  3/9/2008 12:46:50 PM
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat  33KB  33KB  A  A  3/9/2008 10:01:59 AM  3/9/2008 12:46:50 PM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat  66KB  66KB  A  A  3/9/2008 10:01:59 AM  3/9/2008 12:46:50 PM
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP  1KB  1KB  A  A  3/9/2008 11:44:10 AM  3/9/2008 12:36:44 PM
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER  1KB  1KB  A  A  3/9/2008 11:44:10 AM  3/9/2008 12:36:45 PM
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP  4KB  4KB  A  A  3/9/2008 11:40:17 AM  3/9/2008 12:36:45 PM
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP  3KB  3KB  A  A  3/9/2008 11:44:10 AM  3/9/2008 12:36:45 PM
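The compare step of the methodology, applied to lists like the ones above: an added Python example (not InstallWatch's or the author's code) that diffs a baseline and a post-execution snapshot, tags the additions an analyst would look at first, and decodes the ROT13-obfuscated UserAssist value names that InstallWatch also reports. The snapshots are constructed from a subset of the entries in these lists; the rule wording and the "self-removal" finding (the sample path turning up in the deleted list, consistent with the DeleteFileA import seen during static analysis) are my interpretation.

```python
import codecs
import re

# Constructed snapshots modelled on the InstallWatch lists: path -> (size in KB, last write).
# Only a subset of the real entries is reproduced; the baseline is what existed before the run.
SAMPLE_PATH = r"E:\Infected Files\XPantivirus2008_v880011.exe"
BASELINE_FILES = {
    SAMPLE_PATH: (42, "3/6/2008 12:54:00 AM"),
    r"C:\Documents and Settings\Administrator\Cookies\index.dat": (33, "3/9/2008 10:01:59 AM"),
    r"C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP": (1, "3/9/2008 11:44:10 AM"),
}
INFECTED_FILES = {
    r"C:\Documents and Settings\Administrator\Cookies\index.dat": (33, "3/9/2008 12:46:50 PM"),
    r"C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP": (1, "3/9/2008 12:36:44 PM"),
    r"C:\Program Files\XP Antivirus\xpa2008.exe": (529, "3/9/2008 12:46:50 PM"),
    r"C:\Documents and Settings\Administrator\Desktop\XP Antivirus 2008.lnk": (1, "3/9/2008 12:46:52 PM"),
    r"C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk":
        (1, "3/9/2008 12:46:52 PM"),
}
# Constructed registry snapshots: "key\value name" -> data. None of these keys existed at baseline.
USERASSIST_COUNT = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
                    r"\{75048700-EF1F-11D0-9888-006097DEACF9}\Count")
BASELINE_REG = {}
INFECTED_REG = {
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\XP Antivirus":
        r"C:\Program Files\XP Antivirus\xpa2008.exe",
    r"HKEY_CURRENT_USER\Software\XP antivirus\Options\FirstRunUrl":
        "http://xpantivirus2008.com/firstrun.php?product=%product%&aff=%aff%&update=%update%",
    USERASSIST_COUNT + (r"\HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah"
                        r"\KC Nagvivehf 2008\KC Nagvivehf 2008.yax"): "07,00,00,00,02,00,00,00",
}


def diff_snapshots(before, after):
    """Baseline vs post-execution comparison: the added / deleted / updated
    split that the InstallWatch summary reports."""
    added = sorted(k for k in after if k not in before)
    deleted = sorted(k for k in before if k not in after)
    updated = sorted(k for k in after if k in before and after[k] != before[k])
    return added, deleted, updated


# (pattern over a path or registry key, what a hit means for the analyst); order matters, first hit wins
TRIAGE_RULES = [
    (re.compile(r"\\CurrentVersion\\Run\\", re.I), "autorun value: relaunched at every logon"),
    (re.compile(r"\\(Start Menu|Desktop|Quick Launch)\\.*\.lnk$", re.I), "shortcut placed where the user will click it"),
    (re.compile(r"^[A-Z]:\\Program Files\\.*\.exe$", re.I), "new executable dropped under Program Files"),
    (re.compile(r"\\UserAssist\\.*\\Count\\", re.I), "UserAssist entry (ROT13 record of a program launch)"),
    (re.compile(r"\\Software\\XP antivirus\\Options\\\w*Url$", re.I), "callback/billing URL kept in the registry"),
]


def triage(added, deleted=(), sample_path=None):
    """Attach a meaning to each interesting addition; also report when the
    sample that was run is no longer on disk (compare the DeleteFileA import)."""
    findings = []
    for key in added:
        for rule, meaning in TRIAGE_RULES:
            if rule.search(key):
                findings.append((key, meaning))
                break
    if sample_path is not None and sample_path in deleted:
        findings.append((sample_path, "the dropper removed its own file after installing"))
    return findings


def decode_userassist(value_name):
    """UserAssist\\Count value names are ROT13-obfuscated; decode the name part."""
    name = value_name.rsplit("\\Count\\", 1)[-1]
    return codecs.decode(name, "rot_13")


def analyse():
    """Run the comparison on the constructed snapshots and return a report."""
    f_added, f_deleted, f_updated = diff_snapshots(BASELINE_FILES, INFECTED_FILES)
    r_added, r_deleted, r_updated = diff_snapshots(BASELINE_REG, INFECTED_REG)
    findings = triage(f_added, f_deleted, SAMPLE_PATH) + triage(r_added)
    launches = [decode_userassist(k) for k in r_added if "\\UserAssist\\" in k]
    return {
        "files": {"added": len(f_added), "deleted": len(f_deleted), "updated": len(f_updated)},
        "registry": {"added": len(r_added), "deleted": len(r_deleted), "updated": len(r_updated)},
        "findings": findings,
        "launches": launches,
    }


if __name__ == "__main__":
    report = analyse()
    for scope in ("files", "registry"):
        print(scope, report[scope])
    for path, meaning in report["findings"]:
        print("  [!] %s\n      %s" % (meaning, path))
    for launch in report["launches"]:
        print("  UserAssist decoded:", launch)
```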

Added Registry Entry: 76 Registry Entries were added by the Malware.

HKEY_CURRENT_USER\Software\XP antivirus
HKEY_CURRENT_USER\Software\XP antivirus\Options
HKEY_CURRENT_USER\Software\XP antivirus\Options Aff "880011"
HKEY_CURRENT_USER\Software\XP antivirus\Options FirstRunUrl
"http://xpantivirus2008.com/firstrun.php?product=%product%&aff=%aff%&update=%update%"
HKEY_CURRENT_USER\Software\XP antivirus\Options AfterRegisterUrl
"http://xpantivirus2008.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update
%&cookie_type=%cookie_type%&cookie=%cookie%"
HKEY_CURRENT_USER\Software\XP antivirus\Options LabelUrl ""
HKEY_CURRENT_USER\Software\XP antivirus\Options TermsUrl "http://www.xpantivirus2008.com/eula.php"
HKEY_CURRENT_USER\Software\XP antivirus\Options HelpURL "http://xpantivirus2008.com/help.php"
HKEY_CURRENT_USER\Software\XP antivirus\Options BillingURL
"http://xpantivirus2008.com/license.php?Email=%email%&AffiliateID=%aff%"
HKEY_CURRENT_USER\Software\XP antivirus\Options BillingUrlApproved
"http://xpantiviruspro.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&
cookie_type=%cookie_type%&cookie=%cookie%"
HKEY_CURRENT_USER\Software\XP antivirus\Options TransactionKey "XsHrUGEutblgVFNM"
HKEY_CURRENT_USER\Software\XP antivirus\Options BillingRegURL
"http://xpantivirus2008.com/order_xp.php?ver=%aff%"
HKEY_CURRENT_USER\Software\XP antivirus\Options BillingURL2
"https://secure.filesdepot.us/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%
&AffiliateID=%aff%"
HKEY_CURRENT_USER\Software\XP antivirus\Options BillingUrlApproved2
"https://secure.filesdepot.us/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%
&AffiliateID=%aff%&RegistrationCompleted=1"
HKEY_CURRENT_USER\Software\XP antivirus\Options LastRun "3/9/2008"
HKEY_CURRENT_USER\Software\XP antivirus\Options SecurityVector "0000000000000000000000000"
HKEY_CURRENT_USER\Software\XP antivirus\Options Scans "1"
HKEY_CURRENT_USER\Software\XP antivirus\Options LastScan "09.03.2008 12:46:54"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU j
hex:49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,2e,00,65,00,78,00,65,00,00,00,45,00,3a,
00,5c,00,49,00,6e,00,66,00,65,00,63,00,74,00,65,00,64,00,20,00,46,00,69,00,6c,00,65,00,73,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-
DFA8C500BA84}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-
DFA8C500BA84} BaseClass "Drive"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-
DFA8C500BA84} _CommentFromDesktopINI ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-
DFA8C500BA84} _LabelFromDesktopINI ""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-
006097DEACF9}\Count HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah\KC Nagvivehf 2008\KC
Nagvivehf 2008.yax hex:07,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-
006097DEACF9}\Count HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah\KC Nagvivehf
2008\Havafgnyy KC Nagvivehf 2008.yax hex:07,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus "C:\Program Files\XP
Antivirus\xpa2008.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2 1
hex:4e,00,31,00,00,00,00,00,68,38,4d,74,10,00,45,50,53,49,4c,4f,7e,31,00,00,36,00,03,00,04,00,ef,be,68,38,4d,74,68,3
8,4d,74,14,00,00,00,45,00,70,00,73,00,69,00,6c,00,6f,00,6e,00,20,00,53,00,71,00,75,00,61,00,72,00,65,00,64,00,00,00
,18,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1 0

hex:50,00,31,00,00,00,00,00,68,38,4e,74,10,00,49,4e,53,54,41,4c,7e,31,00,00,38,00,03,00,04,00,ef,be,68,38,4d,74,68,
38,4e,74,14,00,00,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,20,00,50,00,72,00,6f,0
0,00,00,18,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1 MRUListEx
hex:00,00,00,00,ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0 NodeSlot
dword:00000045
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0 MRUListEx hex:ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\69
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\69\Shell
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\69\Shell FolderType "Documents"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\Infected
Files\XPantivirus2008_v880011.exe "XPantivirus2008_v880011"
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\XP Antivirus\xpa2008.exe
"xpa2008"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options Aff
"880011"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options FirstRunUrl
"http://xpantivirus2008.com/firstrun.php?product=%product%&aff=%aff%&update=%update%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options AfterRegisterUrl
"http://xpantivirus2008.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update
%&cookie_type=%cookie_type%&cookie=%cookie%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options LabelUrl ""
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options TermsUrl
"http://www.xpantivirus2008.com/eula.php"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options HelpURL
"http://xpantivirus2008.com/help.php"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options BillingURL
"http://xpantivirus2008.com/license.php?Email=%email%&AffiliateID=%aff%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options
BillingUrlApproved
"http://xpantiviruspro.com/confirm.php?product=%product%&aff=%aff%&email=%email%&update=%update%&
cookie_type=%cookie_type%&cookie=%cookie%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options TransactionKey
"XsHrUGEutblgVFNM"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options BillingRegURL
"http://xpantivirus2008.com/order_xp.php?ver=%aff%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options BillingURL2
"https://secure.filesdepot.us/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%
&AffiliateID=%aff%"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options
BillingUrlApproved2
"https://secure.filesdepot.us/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%
&AffiliateID=%aff%&RegistrationCompleted=1"

HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options LastRun


"3/9/2008"

HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options SecurityVector "0000000000000000000000000"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options Scans "1"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus\Options LastScan "09.03.2008 12:46:54"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU j
hex:49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,2e,00,65,00,78,00,65,00,00,00,45,00,3a,00,5c,00,49,00,6e,00,66,00,65,00,63,00,74,00,65,00,64,00,20,00,46,00,69,00,6c,00,65,00,73,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-DFA8C500BA84}
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-DFA8C500BA84} BaseClass "Drive"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-DFA8C500BA84} _CommentFromDesktopINI ""
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{981A5169-8153-46D5-AE05-DFA8C500BA84} _LabelFromDesktopINI ""
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah\KC Nagvivehf 2008\KC Nagvivehf 2008.yax hex:07,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah\KC Nagvivehf 2008\Havafgnyy KC Nagvivehf 2008.yax hex:07,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus "C:\Program Files\XP Antivirus\xpa2008.exe"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2 1
hex:4e,00,31,00,00,00,00,00,68,38,4d,74,10,00,45,50,53,49,4c,4f,7e,31,00,00,36,00,03,00,04,00,ef,be,68,38,4d,74,68,38,4d,74,14,00,00,00,45,00,70,00,73,00,69,00,6c,00,6f,00,6e,00,20,00,53,00,71,00,75,00,61,00,72,00,65,00,64,00,00,00,18,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1 0
hex:50,00,31,00,00,00,00,00,68,38,4e,74,10,00,49,4e,53,54,41,4c,7e,31,00,00,38,00,03,00,04,00,ef,be,68,38,4d,74,68,38,4e,74,14,00,00,00,49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,20,00,50,00,72,00,6f,00,00,00,18,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1 MRUListEx hex:00,00,00,00,ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0 NodeSlot dword:00000045
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2\1\0 MRUListEx hex:ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\Bags\69
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\Bags\69\Shell
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\Bags\69\Shell FolderType "Documents"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\MUICache E:\Infected Files\XPantivirus2008_v880011.exe "XPantivirus2008_v880011"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\MUICache C:\Program Files\XP Antivirus\xpa2008.exe "xpa2008"

Modified Registry Entry: 32 Registry Entries were modified by the Malware.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU MRUList "baihgfedc" "jbaihgfedc"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu Order
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU hex:07,00,00,00,99,00,00,00,b0,ea,5e,39,b3,81,c8,01, hex:07,00,00,00,9a,00,00,00,a0,cc,5b,0e,b5,81,c8,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY hex:07,00,00,00,19,00,00,00,50,3c,54,39,b3,81,c8,01, hex:07,00,00,00,1a,00,00,00,e0,a4,52,0e,b5,81,c8,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\ArgjbexNpgvi CVNSPGZ 1.5.yax hex:07,00,00,00,07,00,00,00,50,0c,6e,80,7d,81,c8,01, hex:07,00,00,00,08,00,00,00,e0,a4,52,0e,b5,81,c8,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\ArgjbexNpgvi CVNSPGZ 1.5\ArgjbexNpgviCVNSPGZi1.5.rkr hex:07,00,00,00,07,00,00,00,90,19,71,80,7d,81,c8,01, hex:07,00,00,00,08,00,00,00,a0,cc,5b,0e,b5,81,c8,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings
hex:3c,00,00,00,32,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,b0,4d,b5,27,cb,7b,c8,01,01,00,00,00,c0,a8,01,03,00,00,00,00,00,00,00,00,
hex:3c,00,00,00,34,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,b0,4d,b5,27,cb,7b,c8,01,01,00,00,00,c0,a8,01,03,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU NodeSlots

hex:02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02
,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,

hex:02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02
,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3 MRUListEx
hex:01,00,00,00,00,00,00,00,02,00,00,00,ff,ff,ff,ff, hex:02,00,00,00,01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2 MRUListEx
hex:00,00,00,00,ff,ff,ff,ff, hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_CURRENT_USER\SessionInformation ProgramCount dword:00000001 dword:00000003
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG Seed
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths Directory "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5" "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 CacheLimit dword:0000daa8 dword:0000da00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1 CachePath "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache1" "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 CacheLimit dword:0000daa8 dword:0000da00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2 CachePath "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache2" "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 CacheLimit dword:0000daa8 dword:0000da00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3 CachePath "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache3" "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 CacheLimit dword:0000daa8 dword:0000da00
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4 CachePath "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\Cache4" "C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU MRUList "baihgfedc" "jbaihgfedc"
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu Order
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU hex:07,00,00,00,99,00,00,00,b0,ea,5e,39,b3,81,c8,01, hex:07,00,00,00,9a,00,00,00,a0,cc,5b,0e,b5,81,c8,01,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY hex:07,00,00,00,19,00,00,00,50,3c,54,39,b3,81,c8,01, hex:07,00,00,00,1a,00,00,00,e0,a4,52,0e,b5,81,c8,01,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:%pfvqy2%\ArgjbexNpgvi CVNSPGZ 1.5.yax hex:07,00,00,00,07,00,00,00,50,0c,6e,80,7d,81,c8,01, hex:07,00,00,00,08,00,00,00,e0,a4,52,0e,b5,81,c8,01,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU:P:\Cebtenz Svyrf\ArgjbexNpgvi CVNSPGZ 1.5\ArgjbexNpgviCVNSPGZi1.5.rkr hex:07,00,00,00,07,00,00,00,90,19,71,80,7d,81,c8,01, hex:07,00,00,00,08,00,00,00,a0,cc,5b,0e,b5,81,c8,01,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections SavedLegacySettings
hex:3c,00,00,00,32,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,b0,4d,b5,27,cb,7b,c8,01,01,00,00,00,c0,a8,01,03,00,00,00,00,00,00,00,00,
hex:3c,00,00,00,34,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,04,00,00,00,00,00,00,00,b0,4d,b5,27,cb,7b,c8,01,01,00,00,00,c0,a8,01,03,00,00,00,00,00,00,00,00,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU NodeSlots

hex:02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02
,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,

hex:02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02
,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,02,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3 MRUListEx
hex:01,00,00,00,00,00,00,00,02,00,00,00,ff,ff,ff,ff, hex:02,00,00,00,01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\0\3\2 MRUListEx
hex:00,00,00,00,ff,ff,ff,ff, hex:01,00,00,00,00,00,00,00,ff,ff,ff,ff,
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\SessionInformation ProgramCount dword:00000001 dword:00000003
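The raw InstallWatch log above is hard to read as it stands: UserAssist value names are ROT13-encoded, their data is a packed binary record, and some REG_BINARY values are UTF-16 strings. The following Python helper is an added example, not part of the article or of InstallWatch; it decodes a constructed four-line excerpt of the log above (wrapped lines rejoined) and flags the Run-key autostart entry. The key/value-name split is a heuristic for this log format, stated in the comments.

```python
"""Decode an InstallWatch registry log excerpt into readable findings.

Added example, not part of the original article or of InstallWatch. It handles
the three things that make the raw log hard to read:
  * UserAssist value names are ROT13-encoded (HRZR_EHACVQY -> UEME_RUNPIDL);
  * UserAssist data is a 16-byte XP record: session id, run counter, FILETIME;
  * some REG_BINARY values (LastVisitedMRU) are NUL-separated UTF-16LE strings;
and it flags autostart (...\\CurrentVersion\\Run) entries, the persistence point
the article later confirms with HijackThis and AutoRuns.
"""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed excerpt: four lines from the article's log with wrapped lines rejoined.
SAMPLE_LOG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU j hex:49,00,6e,00,73,00,74,00,61,00,6c,00,6c,00,57,00,61,00,74,00,63,00,68,00,2e,00,65,00,78,00,65,00,00,00,45,00,3a,00,5c,00,49,00,6e,00,66,00,65,00,63,00,74,00,65,00,64,00,20,00,46,00,69,00,6c,00,65,00,73,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACVQY:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Fgneg Zrah\KC Nagvivehf 2008\KC Nagvivehf 2008.yax hex:07,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count HRZR_EHACNGU hex:07,00,00,00,99,00,00,00,b0,ea,5e,39,b3,81,c8,01,
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus "C:\Program Files\XP Antivirus\xpa2008.exe"
"""

DATA_RE = re.compile(r'hex:[0-9a-fA-F,]*|dword:[0-9a-fA-F]{8}|"[^"]*"')
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
USERASSIST = "\\Explorer\\UserAssist\\"
RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_data(token):
    """One InstallWatch data token -> bytes (hex:), int (dword:) or str ("...")."""
    if token.startswith("hex:"):
        return bytes.fromhex(token[4:].replace(",", ""))
    if token.startswith("dword:"):
        return int(token[6:], 16)
    return token.strip('"')


def parse_line(line):
    """Split 'KEY VALUENAME DATA [DATA]' into (key, value_name, [data, ...]).

    Key paths contain spaces, so the key grows token by token until a token that
    cannot belong to a key: one without a backslash, one starting with a drive
    letter (MUICache value names) or a ROT13 UserAssist name (HRZR_...). A
    key-only line whose last component contains a space is ambiguous here.
    """
    m = DATA_RE.search(line)
    head = line[: m.start()] if m else line
    data = [parse_data(t) for t in DATA_RE.findall(line)]
    tokens = head.split()
    key, rest = [tokens[0]], tokens[1:]
    while (rest and "\\" in rest[0] and not rest[0].startswith("HRZR_")
           and not DRIVE_RE.match(rest[0])):
        key.append(rest.pop(0))
    return " ".join(key), " ".join(rest), data


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist(name, raw):
    """ROT13 the value name and unpack the XP-era record: session, count, FILETIME."""
    session, count, ft = struct.unpack("<IIQ", raw[:16])
    return {"name": codecs.decode(name, "rot_13"), "session": session,
            "count": count, "last_run": filetime_to_datetime(ft)}


def decode_utf16_strings(raw):
    """NUL-separated UTF-16LE strings, as stored in the LastVisitedMRU values."""
    return [s for s in raw.decode("utf-16-le", errors="replace").split("\x00") if s]


def analyze(log_text):
    """Classify each log line; the last data token is the current (new) value."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        key, name, data = parse_line(line)
        raw = data[-1] if data else None
        if USERASSIST in key and name.startswith("HRZR_") and isinstance(raw, bytes):
            findings.append({"kind": "userassist", "key": key, **decode_userassist(name, raw)})
        elif key.endswith(RUN_KEYS):
            findings.append({"kind": "autostart", "key": key, "name": name,
                             "command": raw if isinstance(raw, str) else ""})
        elif "LastVisitedMRU" in key and isinstance(raw, bytes):
            findings.append({"kind": "mru", "key": key, "name": name,
                             "strings": decode_utf16_strings(raw)})
        else:
            findings.append({"kind": "other", "key": key, "name": name, "data": data})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The decoded MRU entry (InstallWatch.exe, E:\Infected Files) is the analyst's own file dialog, a reminder that the diff also records the activity of the analysis tooling and must be read with that noise in mind.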

Run the HijackThis and Loadpoint Diagnostic utilities to save a snapshot of the infected system

We will save the HijackThis log and the Loadpoint Diagnostic log from the infected Sandbox, so that we can compare the
logs saved during the baselining stage with the logs saved now. This comparison will help us identify the changes that
have happened in the Sandbox after the Malware was run on the system. We will use a freeware file comparison utility
called ExamDiff.

HijackThis Log Comparison: After comparing the HijackThis log saved during the baseline phase with the HijackThis log
saved now we find the below mentioned changes in the Sandbox’s settings:

C:\Program Files\XP Antivirus\xpa2008.exe
O4 - HKCU\..\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa2008.exe

These two entries, which clearly belong to the Malware, have been added.

Loadpoint Diagnostic Comparison: After comparing the Loadpoint Diagnostic log saved during the baseline phase with
the Loadpoint Diagnostic log saved now we find the below mentioned changes in the Sandbox’s settings:

XP Antivirus c:\Program Files\XP Antivirus\xpa2008.exe
sxs.dll c:\windows\system32\sxs.dll
Apphelp.dll c:\windows\system32\Apphelp.dll
seclogon.dll c:\windows\system32\seclogon.dll
srsvc.dll c:\windows\system32\srsvc.dll
POWRPROF.dll c:\windows\system32\POWRPROF.dll
trkwks.dll c:\windows\system32\trkwks.dll
wmisvc.dll c:\windows\system32\wbem\wmisvc.dll
VSSAPI.DLL c:\windows\system32\VSSAPI.DLL
browser.dll c:\windows\system32\browser.dll
comsvcs.dll c:\windows\system32\comsvcs.dll
MTXCLU.DLL c:\windows\system32\MTXCLU.DLL
WSOCK32.dll c:\windows\system32\WSOCK32.dll
colbact.DLL c:\windows\system32\colbact.DLL
CLUSAPI.DLL c:\windows\system32\CLUSAPI.DLL
RESUTILS.DLL c:\windows\system32\RESUTILS.DLL
mswsock.dll c:\windows\system32\mswsock.dll
hnetcfg.dll c:\windows\system32\hnetcfg.dll
wshtcpip.dll c:\windows\system32\wshtcpip.dll
actxprxy.dll c:\windows\system32\actxprxy.dll
MPR.dll c:\windows\system32\MPR.dll
mrxvpcnp.dll c:\Program Files\Virtual Machine Additions\mrxvpcnp.dll
vmsrvc.dll c:\windows\system32\vmsrvc.dll
drprov.dll c:\windows\system32\drprov.dll
ntlanman.dll c:\windows\system32\ntlanman.dll
NETUI0.dll c:\windows\system32\NETUI0.dll
NETUI1.dll c:\windows\system32\NETUI1.dll
NETRAP.dll c:\windows\system32\NETRAP.dll
SAMLIB.dll c:\windows\system32\SAMLIB.dll
davclnt.dll c:\windows\system32\davclnt.dll

Many of these DLL files belong to Microsoft and are legitimate system DLLs. The entry at the top belongs to the Malware;
the rest of the DLL files, however, have to be analyzed to check their authenticity.

To check the authenticity, open Process Explorer in the Sandbox and go to Find > Handle or DLL. Type the name of the DLL
in the text box and click Search. Once the process with which the DLL is associated is shown, select that process name.
Doing so activates the lower pane of Process Explorer, where you can see the Company Name. Strike off the DLLs that
belong to Microsoft. After analyzing the DLLs it was found that all of them were from Microsoft except these 3 entries,
which are not legitimate:

XP Antivirus c:\Program Files\XP Antivirus\xpa2008.exe
seclogon.dll c:\windows\system32\seclogon.dll
RESUTILS.DLL c:\windows\system32\RESUTILS.

Take snapshot of the running processes with Process Explorer

We will take a snapshot of the running processes with Process Explorer; however, we have to compare the snapshot taken
during the baseline of the Sandbox with this fresh copy manually. The reason is that the PIDs of the running processes
would be different (in case you have restarted the Sandbox). After comparing both snapshots, I find the below process,
which clearly belongs to the Malware.

xpa2008.exe---832  this process is running with the PID 832. One more thing to notice is that this process does not
carry the signature of its author. This is a very important marker for a majority of Malwares; however, there may be
Malwares that also spoof the signature of Microsoft.

Take snapshot of the registry startups with AutoRuns

We will take a snapshot of the startups with AutoRuns and compare the snapshot taken during the baseline of the Sandbox
with this fresh snapshot. After comparing both snapshots, I find the below entry, which again clearly belongs to the
Malware.

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ XP Antivirus c:\program files\xp antivirus\xpa2008.exe

Check the Add or Remove Programs console to see changes

There were no changes detected in the Add or Remove Programs console. So it becomes evident that the Malware, which is
in reality a rogue application, doesn’t create any entry in the Add or Remove Programs console.

Take snapshot of Network Activity

If you remember, while we were launching the Malware with the help of InstallWatch we were also capturing the network
traffic. For reference see the screenshot below.

We have even saved a log of the network traffic while baselining the Sandbox. We will take a look at excerpts from both
the logs and try to figure out the network activity of the Malware.

Log before the Malware was executed:

NetworkActiv PIAFCTM saved information:

Type Size Source IP Destination IP sPort dPort Date/Time
-----------------------------------------------------------------------------------------------
UDP 202 192.168.1.2 192.168.1.255 138 138 [2008.03.09 - 06:05:50.229]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:50.229]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:50.970]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:51.731]
UDP 202 192.168.1.2 192.168.1.255 138 138 [2008.03.09 - 06:05:54.485]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:54.495]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:55.226]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:55.967]

Log after the Malware was executed:

Type Size Source IP Destination IP sPort dPort Date/Time
-----------------------------------------------------------------------------------------------
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.348]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.358]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.458]
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.468]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.668]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.668]
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.679]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.799]

After comparing the logs, it is pretty obvious that before the Malware was executed almost all of the network traffic
was being generated by the Sniffer system (192.168.1.2) and sent to the local broadcast address. However, after the
Malware was executed there was communication between the Sandbox (192.168.1.3) and an unknown IP address, 69.50.173.10,
from port 1038 on the Sandbox to port 80 on that address, and a good number of packets were transmitted. Whenever the
Sandbox sent a packet to the above-mentioned unknown IP address it was 40 bytes in size, and every time there was a
reply back with a packet size of 1500. (If the Size column is the IP packet length, 40 bytes is exactly an IPv4 header
plus a TCP header, so those outgoing packets carried no data and were acknowledgements, while the 1500-byte replies were
full data segments flowing towards the Sandbox.) I had tried to view the content of those packets but the content
appeared as junk characters most of the time, and at times it looked like the Malware was getting information in the
form of XML files.
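The comparison just described, as an added Python example that is not part of the article or of NetworkActiv PIAFCTM: it parses the two log excerpts above, works out the remote endpoint of every packet, and reports endpoints that appear only after the Malware ran, with bytes per direction and a count of header-only 40-byte TCP packets. The 192.168.1.0/24 lab subnet comes from the logs; treating the Size column as the IP packet length is an assumption.

```python
"""Triage NetworkActiv PIAFCTM logs: baseline vs. after the Malware was run.

Added example, not part of the original article or of the PIAFCTM tool.
A TCP packet of 40 bytes is taken to be an IPv4 header (20) plus a TCP
header (20) with no payload, i.e. an acknowledgement; this assumes the
Size column is the IP packet length.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<size>\d+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+)"
    r"\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+\[(?P<when>[^\]]+)\]\s*$"
)

# Constructed excerpts, copied from the two logs in the article.
BASELINE_LOG = """\
Type Size Source IP Destination IP sPort dPort Date/Time
-----------------------------------------------------------------------------------------------
UDP 202 192.168.1.2 192.168.1.255 138 138 [2008.03.09 - 06:05:50.229]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:50.229]
UDP 78 192.168.1.2 192.168.1.255 137 137 [2008.03.09 - 06:05:50.970]
"""

AFTER_LOG = """\
Type Size Source IP Destination IP sPort dPort Date/Time
-----------------------------------------------------------------------------------------------
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.348]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.358]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.458]
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.468]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.668]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.668]
TCP 40 192.168.1.3 69.50.173.10 1038 80 [2008.03.09 - 15:08:56.679]
TCP 1500 69.50.173.10 192.168.1.3 80 1038 [2008.03.09 - 15:08:56.799]
"""

LOCAL_PREFIX = "192.168.1."   # the lab subnet seen in the article's logs
HEADER_ONLY_TCP = 40          # IPv4 header + TCP header, no payload (assumption above)


def parse_log(text):
    """Return one dict per packet row; the header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for k in ("size", "sport", "dport"):
                d[k] = int(d[k])
            rows.append(d)
    return rows


def remote_endpoint(row):
    """((proto, ip, port) of the non-lab side, outbound?) for one packet row."""
    if row["src"].startswith(LOCAL_PREFIX):
        return (row["proto"], row["dst"], row["dport"]), True
    return (row["proto"], row["src"], row["sport"]), False


def summarize(rows):
    """Per remote endpoint: packets and bytes in each direction, header-only packets out."""
    stats = defaultdict(lambda: {"out_pkts": 0, "out_bytes": 0, "in_pkts": 0,
                                 "in_bytes": 0, "out_header_only": 0})
    for row in rows:
        ep, outbound = remote_endpoint(row)
        s = stats[ep]
        if outbound:
            s["out_pkts"] += 1
            s["out_bytes"] += row["size"]
            if row["proto"] == "TCP" and row["size"] == HEADER_ONLY_TCP:
                s["out_header_only"] += 1
        else:
            s["in_pkts"] += 1
            s["in_bytes"] += row["size"]
    return dict(stats)


def new_endpoints(baseline_text, after_text):
    """Endpoints that appear only after execution, with their traffic summary."""
    before = set(summarize(parse_log(baseline_text)))
    after = summarize(parse_log(after_text))
    return {ep: s for ep, s in after.items() if ep not in before}


if __name__ == "__main__":
    for (proto, ip, port), s in new_endpoints(BASELINE_LOG, AFTER_LOG).items():
        print(f"new {proto} peer {ip}:{port}: {s['out_pkts']} packets out "
              f"({s['out_header_only']} header-only), {s['in_bytes']} bytes in")
```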

Packet Data:

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
type="win32"
name="DelphiApplication"
version="1.0.0.0"
processorArchitecture="*"/>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
language="*"
processorArchitecture="*"/>
</dependentAssembly>
</dependency>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel
level="asInvoker"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
°ìDì½ì`ìÊìhì×ìpìäìxìîì€ìøìˆìíìí˜ìí ì(í¨ì4íBíRíbípí~íŒíšíªí¼íÄíÎíÜíìíôíîKERNEL32.DLLadvapi32.dllcomctl32.dllcomdlg32.dllgdi32.dl
lole32.dlloleaut32.dllshell32.dlluser32.dllversion.dllwininet.dllLoadLibraryAGetProcAddressVirtualProtectVirtualA

It seems that the list of threats which the Malware displayed as elevated high-risk alerts was being fetched from that
unknown IP address. There is no way to be absolutely sure, because the data of almost all the packets appears encrypted.
The readable fragment shown above is a Windows application manifest (the <assembly> element with its
requestedExecutionLevel) followed by import names such as LoadLibraryA, GetProcAddress and VirtualProtect, which is what
the embedded resources and import table of an executable look like, so at least part of what was transferred appears to
be executable content rather than a plain XML document. However, the list of the 24 high-severity alerts is given below:

XP Antivirus 2008 system scan report.
Report generated 09.03.2008 18:03:56

Type Run type Name Details
Spyware C://windows/system32/iesetup.dll Spyware.IEMonster.d "Steals passwords from Internet Explorer, Mozilla
Firefox, Outlook and other programs."
Adware autorun Zlob.PornAdvertiser.ba Adware that displays pop-up/pop-under advertisements of pornographic or
online gambling Web sites.
Spyware autorun Spyware.IMMonitor program that can be used to monitor and record conversations in popular
instant messaging applications.
Backdoor C://windows/system32/svchost.exe Win32.Rbot.fm An IRC controlled backdoor that can be
used to gain unauthorized access to a victim's machine.
Trojan autorun Infostealer.Banker.E Steals sensitive information from the infected computer (e.g. logins and
passwords from online banking sessions)
Trojan autorun Trojan.Tooso Trojan.Tooso is a trojan which attempts to terminate and delete security related
applications.
Trojan C://windows/system32/explorer.exe Trojan.MailGrabber.s Trojan horse that gets access to e-mail
accounts on the infected computer.
Trojan C://windows/system32/alg.exe Trojan.Alg.t Trojan program that can compromise your private
information stored on the hard drive.
Rogue C://Program Files/TrustedAntivirus TrustedAntivirus A corrupt and misleading anti-virus program that may be
usually installed with the help of malcous Trojans and other malware
Rogue C://Program Files/SecurePCCleanerSecurePCCleaner Rogue Security Software: fake Security software that uses
deceptive means for installation and purpose.
Dialer C://windows/system32/cmdial32.dll Dialer.Xpehbam.biz_dialer A Dialer that loads pornographic material.
The url information shows Hardcore Pornographic pages.
Spyware autorun Spyware.KnownBadSites Uses the Windows hosts file to redirect your browser to a malicious site when
you try to access a valid site.
Rogue C://Program Files/AVSystemCare AVSystemCare Rogue Security Software: fake Security software that uses
deceptive means for installation and purpose.
Rogue C://Program Files/Advanced Cleaner AdvancedCleaner "A rogue anti-spyware program that uses altered
desktop backgrounds, fake security alerts, and other malware to advertise and install itself."
Trojan C://windows/system32/ Trojan.BAT.Adduser.t This Trojan has a malicious payload. It is a BAT file. It is
1129 bytes in size.
Spyware C://windows/system32/ Spyware.007SpySoftware Program designed to monitor user activity. May be used with
or without consent.
Trojan C://windows/hidden/ Trojan.Clicker.EC Trojan.Clicker.EC is an information stealing Trojan that masquerades
as a legitimate system file so as to avoid detection and subsequent removal.
Dialer C://windows/hidden/ Dialer.Trafficjam.a Dialer.Trafficjam.a is a premium-rate phone dialer that
automatically invokes paid access to various porn-related Web sites.
Trojan hidden autorun Trojan.Poison.J Trojan.Poison.J is a key-logging Trojan for the Windows platform.
Adware Registry Adware.eXact.BargainBuddy A browser helper object that monitors internet browsing sessions in
an attempt to redirect search queries and distribute unsolicited advertisements.
Worm C://windows/system32/ Win32.Delbot.AI Win32.Delbot.AI is a worm and IRC backdoor that exploits system
and software vulnerabilities in order to provide unmitigated remote access to the host machine.
Worm C://windows/temp/ Win32.Sdbot.ADN A worm and IRC backdoor that exploits system and software
vulnerabilities in order to provide unmitigated remote access to the host machine.
Trojan C://windows/ Trojan-Dropper.Win32.Agent.bot This Trojan is designed to install and launch other malicious
programs on the victim machine without the knowledge or consent of the user. It is a Windows PE EXE file. It is 70656
bytes in size.
Worm C://windows/temp/ Win32.Rbot.CBX A worm and IRC backdoor that exploits system and software
vulnerabilities in order to provide unmitigated remote access to the host machine.

Opening the IP address 69.50.173.10 in the browser brings up the site http://xpantivirus2008.com, the source from which we had initially downloaded this rogue application.

Scan the Sandbox for open ports

While scanning the open ports with Fport, we see the result below (the Process column is blank where Fport could not resolve the owning image name):

E:\Malware Analysis\Fport>Fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc. http://www.foundstone.com

Pid   Process   Port  Proto  Path
764             135   TCP
4     System    139   TCP
4     System    445   TCP
1104  xpa2008   1039  TCP    C:\Program Files\XP Antivirus\xpa2008.exe
904             2869  TCP
0     System    137   UDP
0     System    138   UDP
764             445   UDP
4     System    500   UDP
904             1037  UDP
0     System    1900  UDP
1104  xpa2008   1900  UDP    C:\Program Files\XP Antivirus\xpa2008.exe
4     System    4500  UDP

Running netstat reveals further information:

E:\Malware Analysis\Fport>netstat -n

Active Connections

  Proto  Local Address      Foreign Address    State
  TCP    192.168.1.3:1039   69.50.173.10:80    CLOSE_WAIT

Two sockets belong to the malware process: TCP 1039 and UDP 1900. They should not both be read as "ports the malware opened". Taken together with the netstat output, TCP 1039 is the local, ephemeral end of an HTTP connection that xpa2008.exe made out to 69.50.173.10 on port 80, not a listening port; CLOSE_WAIT means the server has already closed its side and the process has not yet closed the socket. UDP 1900 is the SSDP (UPnP discovery) port, which the System process on this machine also has bound; nothing in the logs shows what xpa2008.exe does with it, so record it as a lead to follow up with netstat -an and a packet capture rather than as evidence of a backdoor listener.
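The reasoning just applied, reading the Fport socket list against the netstat connection table to tell an outbound client socket from a listener, is easy to do by hand for two sockets and tedious for twenty. The script below is an added example written for this article, not a tool from the original page; it parses the two outputs above (retyped inline as constructed sample input) and explains every socket attributed to a given process. The port annotations and the verdict wording are my own choices.

```python
import re
from typing import Dict, List

# Constructed sample input: the Fport and "netstat -n" output captured from the
# sandbox above, retyped here so the script runs offline.
FPORT_OUTPUT = r"""
Pid   Process            Port  Proto Path
764                      135   TCP
4     System             139   TCP
4     System             445   TCP
1104  xpa2008            1039  TCP   C:\Program Files\XP Antivirus\xpa2008.exe
904                      2869  TCP
0     System             137   UDP
0     System             138   UDP
0     System             1900  UDP
1104  xpa2008            1900  UDP   C:\Program Files\XP Antivirus\xpa2008.exe
"""

NETSTAT_OUTPUT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.3:1039       69.50.173.10:80        CLOSE_WAIT
"""

# One Fport row: pid, optional process name, port, protocol, optional path.
FPORT_ROW = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")
# One "netstat -n" row: proto, local addr:port, foreign addr:port, optional state.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)")

# Well-known UDP ports used only to annotate a finding, never to dismiss it.
KNOWN_UDP = {1900: "SSDP/UPnP discovery", 137: "NetBIOS name", 138: "NetBIOS datagram"}


def parse_fport(text: str) -> List[Dict]:
    rows = []
    for line in text.splitlines():
        m = FPORT_ROW.match(line)
        if m:
            pid, proc, port, proto, path = m.groups()
            rows.append({"pid": int(pid), "process": proc or "", "port": int(port),
                         "proto": proto, "path": path})
    return rows


def parse_netstat(text: str) -> List[Dict]:
    conns = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, laddr, lport, faddr, fport, state = m.groups()
            conns.append({"proto": proto, "lport": int(lport),
                          "peer": f"{faddr}:{fport}", "state": state})
    return conns


def correlate(fport_text: str, netstat_text: str, process: str) -> List[Dict]:
    """Explain every socket Fport attributes to `process` using netstat -n.

    A TCP port that also appears as the *local* end of a netstat connection is
    an outbound client socket (an ephemeral port), not a listener.  "netstat -n"
    omits LISTENING sockets, so a TCP port with no matching connection is
    reported as unresolved rather than asserted to be a listener.
    """
    conns = {(c["proto"], c["lport"]): c for c in parse_netstat(netstat_text)}
    findings = []
    for row in parse_fport(fport_text):
        if row["process"].lower() != process.lower():
            continue
        key = (row["proto"], row["port"])
        if key in conns:
            c = conns[key]
            kind = "client"
            verdict = f"outbound client connection to {c['peer']} ({c['state']})"
        elif row["proto"] == "UDP":
            kind = "udp"
            note = KNOWN_UDP.get(row["port"], "unassigned")
            verdict = f"bound UDP port ({note}); capture traffic to learn its purpose"
        else:
            kind = "unresolved"
            verdict = "no active connection in netstat -n; re-run netstat -an to check for LISTENING"
        findings.append({"port": row["port"], "proto": row["proto"], "kind": kind,
                         "verdict": verdict, "path": row["path"]})
    return findings


if __name__ == "__main__":
    for f in correlate(FPORT_OUTPUT, NETSTAT_OUTPUT, "xpa2008"):
        print(f"{f['proto']} {f['port']}: {f['verdict']}")
```

Run it against the two outputs saved from the sandbox (Fport > fport.txt, netstat -n > netstat.txt) and it reports TCP 1039 as the client end of the connection to 69.50.173.10:80 and UDP 1900 as a bound SSDP port still to be explained. Feed it netstat -an instead and the "unresolved" branch becomes unnecessary, because listeners then appear in the connection table with state LISTENING.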

Monitor Registry & File System Activities with RegMon & FileMon

There was no runtime file system or registry activity by the malware once it was installed: FileMon and RegMon showed no entries generated by the malware's presence on the computer. (The installation-time changes were captured separately by the InstallWrite snapshots discussed below.)

Record the activities of the Malware after it has been executed

There were some definite signs of the malware's presence on the computer. Below are the details:

 A shortcut entry was added to the system's Start Menu

 A desktop icon was created by the malware

 A System Tray icon was created

 A popup window was displayed automatically at intervals, listing fake, inflated risks

 Clicking "Continue Unprotected" dismisses it, whereas clicking "Remove all threats now" opens the Registration and Activation window


Information analysis

To sum up the findings of the dynamic analysis phase, we first go through the logs that were retrieved. From the logs and the changes to the system's configuration we build the bigger picture and note down the technical information about this malware.

From the first interaction of the malware with the sandbox, we noted that when it was executed it performed the following activities:

8 files / folders added
15 files deleted
8 files updated
76 registry entries added
32 registry entries updated

The 8 files or folders created after the malware was executed were:

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
C:\Documents and Settings\Administrator\Desktop\XP Antivirus 2008.lnk
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\firstrun[1].htm
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa2008.exe

The first file created is a .LNK shortcut placed in the Quick Launch bar, and it points to:
C:\Program Files\XP Antivirus\xpa2008.exe

The second is again a .LNK shortcut, this time the Desktop icon, pointing to the same file:
C:\Program Files\XP Antivirus\xpa2008.exe

So the installation directory and executable of the malware are:
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa2008.exe

In the Start Menu the malware created a folder with 2 items in it, one to launch the malware and the other for its uninstall feature:
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\Administrator\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk

Here
Uninstall XP Antivirus 2008.lnk points to C:\Program Files\XP Antivirus\xpa2008.exe –uninstall
XP Antivirus 2008.lnk points to C:\Program Files\XP Antivirus\xpa2008.exe

Resolving each shortcut's target is worth the effort: a .LNK file can point anywhere, and its target path, command-line arguments and working directory are what tell you where the binary really lives and how it is launched.

The malware also kept a copy of its web page inside the Temporary Internet Files:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\firstrun[1].htm

firstrun[1].htm is an HTML page that redirects the browser to the malware's website (http://xpantivirus2008.com).

The 15 files or folders that were deleted after the malware was executed:

C:\Documents and Settings\Administrator\Cookies\administrator@google.co[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\nav_logo3[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\new_002[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\upx12[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\google.co[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\lclsrch[1].xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\valid-xhtml10[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\fader201[1].png
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GRYNOTA7\upx.sourceforge[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX\balloon[1].xml
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\I5WZAXEX\logo_plain[1].png
C:\System Volume Information
E:\Infected Files\XPantivirus2008_v880011.exe
E:\System Volume Information

Of these deletions, the first twelve entries (the two Google cookies and the ten cached page elements under Temporary Internet Files) are browser cache and cookie files removed by the malware.

Why the malware deleted them is not known from the logs. The most likely explanation is that, since it poses as an antispyware product, it clears the browser cache and cookies so that the user sees it "cleaning junk" from the system. The remaining three deletions are harder to explain away:

C:\System Volume Information
E:\System Volume Information

System Volume Information is the folder where Windows XP's System Restore keeps its restore points and the index that makes them accessible; it is the part of the system that lets you roll the computer back to an earlier point in time. Removing it on every drive without telling the user takes away the user's ability to undo the changes the rogue has just made, and that by itself is malware behaviour. One caveat before putting it in a report: Windows restricts this folder to the SYSTEM account, so snapshot tools do not always see it consistently. Confirm the deletion directly, for example with dir /a "C:\System Volume Information" from a command prompt, or by checking whether System Restore still lists any restore points, rather than relying on the snapshot diff alone.

E:\Infected Files\XPantivirus2008_v880011.exe

XPantivirus2008_v880011.exe is the file we executed to install the malware in the sandbox. A legitimate installer has no reason to delete the original it was launched from; a dropper does, because removing the original sample hides the source of the infection from the user who clicked it and denies a copy to whoever investigates the machine later. This is another definite sign of malware, and a reason to take a hash of every sample before executing it (the MD5 and SHA1 of this one are recorded in the documentation section below).

7 files were modified by the malware:

C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

The four files under wbem\Repository\FS belong to the WMI repository, the store for the Common Information Model (CIM) classes and instances that WMI manages (if you write your own WMI classes, you inherit from the CIM schema classes held here). On Windows XP the repository lives in %SystemRoot%\system32\wbem\Repository\FS\ and consists of:

index.btr: binary-tree (btree) index file
objects.data: the repository proper, where managed-resource definitions are stored
index.map, objects.map, mapping1.map, mapping2.map, mapping.ver: transaction-control files that track which blocks of the two files above are current

The transaction-control files are rewritten whenever any process performs WMI operations, and plenty of legitimate software does so, system services and administration tools included. Their modification therefore cannot be attributed to the malware on this evidence, and we leave the four entries below out of the analysis:

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP

As for the remaining 3 entries:

C:\Documents and Settings\Administrator\Cookies\index.dat
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat

An index.dat file is the index of one WinInet container in the user profile; the URL content cache, the cookies, the history, RSS feeds and visited links each have their own. The malware fetched firstrun[1].htm from 69.50.173.10 over port 80 through the Internet Explorer cache (that is where the file landed), and that fetch updated these indexes. They record the malware's network activity rather than any tampering with the system, so we do not analyze them further, although the History and cache indexes are worth preserving as evidence of which URL was requested.
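The three passages above sort the snapshot diff into noise (WMI repository and index.dat changes), expected rogue behaviour (cache wiping, shortcuts, the drop under Program Files) and the two findings that matter most (System Volume Information removed, installer deleted). The script below is an added example written for this article, not part of the original page or of any tool it uses: it applies that triage as an ordered rule list to (action, path) pairs. The sample changes are a constructed subset of the InstallWrite log quoted above, and the severity labels and rule order are my own choices.

```python
import re
from typing import List, Tuple

# Constructed sample input: a subset of the InstallWrite file-change log above
# as (action, path) pairs.  SAMPLE_PATH is the file we executed in the sandbox.
SAMPLE_PATH = r"E:\Infected Files\XPantivirus2008_v880011.exe"
SAMPLE_CHANGES = [
    ("added",    r"C:\Documents and Settings\Administrator\Desktop\XP Antivirus 2008.lnk"),
    ("added",    r"C:\Program Files\XP Antivirus\xpa2008.exe"),
    ("added",    r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0XYJCXIB\firstrun[1].htm"),
    ("deleted",  r"C:\Documents and Settings\Administrator\Cookies\administrator@google[1].txt"),
    ("deleted",  r"C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0X05Q5EL\upx12[1].png"),
    ("deleted",  r"C:\System Volume Information"),
    ("deleted",  r"E:\System Volume Information"),
    ("deleted",  SAMPLE_PATH),
    ("modified", r"C:\Documents and Settings\Administrator\Cookies\index.dat"),
    ("modified", r"C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP"),
]

Finding = Tuple[str, str, str, str]  # (action, path, severity, explanation)

# Rules are tried in order; the first match wins.  Each rule is
# (actions it applies to, case-insensitive regex on the path, severity, explanation).
RULES = [
    ({"modified"}, r"\\wbem\\Repository\\FS\\", "noise",
     "WMI repository transaction file; rewritten by any WMI activity"),
    ({"modified"}, r"\\index\.dat$", "noise",
     "WinInet cache/history/cookie index; updated by the HTTP fetch"),
    ({"deleted"}, r"\\System Volume Information$", "high",
     "System Restore store removed; verify directly, then treat as restore-point tampering"),
    ({"deleted"}, r"\\(Temporary Internet Files|Cookies)\\", "medium",
     "browser cache/cookie wiped; consistent with a rogue 'cleaning' the system"),
    ({"added"}, r"\\Temporary Internet Files\\", "info",
     "file fetched through the IE cache; examine its content"),
    ({"added"}, r"\.lnk$", "medium",
     "shortcut created; resolve and record its target"),
    ({"added"}, r"^[A-Za-z]:\\Program Files\\", "high",
     "binary dropped under Program Files; candidate installation directory"),
]


def triage(changes: List[Tuple[str, str]], sample_path: str) -> List[Finding]:
    """Label each (action, path) change so the attributable ones stand out."""
    findings: List[Finding] = []
    for action, path in changes:
        # Self-deletion of the original sample is checked before the rules:
        # it is anti-forensics, not cache cleaning.
        if action == "deleted" and path.lower() == sample_path.lower():
            findings.append((action, path, "high", "original sample deleted itself (anti-forensics)"))
            continue
        for actions, pattern, severity, why in RULES:
            if action in actions and re.search(pattern, path, re.IGNORECASE):
                findings.append((action, path, severity, why))
                break
        else:
            findings.append((action, path, "review", "no rule matched; inspect manually"))
    return findings


def attributable(findings: List[Finding]) -> List[Finding]:
    """Everything that is not filed as tool or background noise."""
    return [f for f in findings if f[2] != "noise"]


if __name__ == "__main__":
    for action, path, severity, why in triage(SAMPLE_CHANGES, SAMPLE_PATH):
        print(f"[{severity:6}] {action:8} {path}\n         {why}")
```

The point of an ordered rule list is that the decisions made in the text (index.dat is noise, a deleted cache file is behaviour, a deleted System Volume Information folder is serious) become explicit and repeatable for the next sample, and anything no rule covers is surfaced for review instead of silently dropped.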

Registry changes made by the Malware

The rest of the changes the malware made in the sandbox are registry entries. Editing the registry by hand can leave a system unbootable, so I will not walk through every key the malware created or modified. I will, however, cover the handful of locations that malware habitually uses to place the path of its executable so that it runs at every reboot or logon; entries there can be removed safely once the binary behind them has been identified. Refer below for further details:

Entry recorded by InstallWrite

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus "C:\Program Files\XP Antivirus\xpa2008.exe"

Entry recorded by AutoRuns

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+ XP Antivirus c:\program files\xp antivirus\xpa2008.exe

Entry recorded by HijackThis

O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa2008.exe

All three utilities are reporting the same thing: a value named XP Antivirus under the current user's Run key whose data is the path of the malware binary, so that Windows starts xpa2008.exe at every logon of this user. You can disable it temporarily (AutoRuns lets you untick an entry) or remove it permanently by deleting the value with Regedit or AutoRuns. Note that this is an HKCU entry: it persists only for the account that ran the installer, not for every user on the machine.

The other keys commonly used for the same purpose are:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

RunServices and RunServicesOnce are honoured only by Windows 95/98/Me; Windows NT, 2000 and XP ignore them, so an entry there does nothing on XP. HKLM entries apply to every user and need administrative rights to write. AutoRuns also covers the many other autostart locations (services, Winlogon, browser helper objects and so on), which is why it is a better check than reading the Run keys alone.

Apart from the Run value, the malware created its own key, XP antivirus, under HKEY_CURRENT_USER\Software. This key holds a number of subkeys with the malware's settings.

HKEY_CURRENT_USER\Software\XP antivirus
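Three tools reported the one Run entry in three different notations (full hive name with quoted data, AutoRuns' two-line key-plus-item form, and HijackThis' O4 line), and on a real investigation you will have all three in front of you for dozens of entries. The script below is an added example written for this article, not code from the page or from any of the tools named: it parses the three formats into a canonical (key, value name, image path) triple, collapses duplicates, and flags entries sitting in keys that NT-based Windows does not evaluate. The sample lines are the three entries quoted above, retyped; the format regexes are my reading of those lines and may need adjusting for other versions of the tools.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: the same Run entry as reported by InstallWrite,
# AutoRuns and HijackThis in the analysis above, retyped for this script.
SAMPLE_LINES = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run XP Antivirus "C:\Program Files\XP Antivirus\xpa2008.exe"',
    r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run',
    r'+ XP Antivirus c:\program files\xp antivirus\xpa2008.exe',
    r'O4 - HKCU\Software\Microsoft\Windows\CurrentVersion\Run: [XP Antivirus] C:\Program Files\XP Antivirus\xpa2008.exe',
]

HIVE_ALIASES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM", "HKEY_USERS": "HKU"}

# Run keys that Windows NT/2000/XP evaluate.  RunServices and RunServicesOnce
# exist only on Windows 9x/Me, so an entry there does not persist on XP.
NT_AUTOSTART_KEYS = {
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
}

# InstallWrite: <key> <value name> "<image path>"
RE_INSTALLWRITE = re.compile(r'^(HK\S+)\s+(.+?)\s+"(.+)"$')
# HijackThis:   O4 - <key>: [<value name>] <image path>
RE_HIJACKTHIS = re.compile(r"^O4 - (\S+?): \[(.+?)\] (.+)$")
# AutoRuns:     a bare key line, then "+ <value name> <image path>" lines under it
RE_AUTORUNS_KEY = re.compile(r"^(HK\S+)$")
RE_AUTORUNS_ITEM = re.compile(r"^\+\s+(.+?)\s+([A-Za-z]:\\.+)$")

Entry = Tuple[str, str, str]  # (normalised key, value name, normalised image path)


def normalise_key(key: str) -> str:
    """Map HKEY_CURRENT_USER / HKCU and friends onto one short hive name."""
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.upper(), hive.upper()) + "\\" + rest


def normalise_image(path: str) -> str:
    """Strip surrounding quotes and fold case; NTFS paths are case-insensitive."""
    return path.strip().strip('"').lower()


def parse_autostart_lines(lines: List[str]) -> List[Entry]:
    """Parse the three report formats into (key, value, image) triples, in order."""
    entries: List[Entry] = []
    pending_key: Optional[str] = None  # key line seen in AutoRuns output
    for raw in lines:
        line = raw.strip()
        if m := RE_HIJACKTHIS.match(line):
            entries.append((normalise_key(m[1]), m[2], normalise_image(m[3])))
        elif m := RE_INSTALLWRITE.match(line):
            entries.append((normalise_key(m[1]), m[2], normalise_image(m[3])))
        elif m := RE_AUTORUNS_KEY.match(line):
            pending_key = normalise_key(m[1])
        elif (m := RE_AUTORUNS_ITEM.match(line)) and pending_key:
            entries.append((pending_key, m[1], normalise_image(m[2])))
    return entries


def unique_entries(lines: List[str]) -> List[Entry]:
    """Collapse the reports of several tools into one de-duplicated list."""
    seen: List[Entry] = []
    for e in parse_autostart_lines(lines):
        if e not in seen:
            seen.append(e)
    return seen


def persists_on_nt(entry: Entry) -> bool:
    """True if the entry's key is one that NT-based Windows actually runs at logon."""
    return entry[0] in NT_AUTOSTART_KEYS


if __name__ == "__main__":
    for key, name, image in unique_entries(SAMPLE_LINES):
        flag = "" if persists_on_nt((key, name, image)) else "  (ignored on NT/2000/XP)"
        print(f"{key} [{name}] -> {image}{flag}")
```

Once the entries are in one canonical form, the image path is the field to pivot on: every autostart entry whose target is the same binary, or sits in the same directory, belongs to the same infection, and that is the list you hand to whoever does the removal.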

Change recorded by Loadpoint Diagnostic Utility

XP Antivirus c:\Program Files\XP Antivirus\xpa2008.exe
seclogon.dll c:\windows\system32\seclogon.dll
RESUTILS.DLL c:\windows\system32\RESUTILS.

Checking the file details of seclogon.dll and RESUTILS.DLL shows that both are Microsoft files (seclogon.dll is the Secondary Logon service DLL and RESUTILS.DLL the cluster resource utility library). Make this check from the version information and, better, the digital signature (the Version tab of the file's Properties, or a tool such as Sysinternals sigcheck) rather than from the file name alone, since malware routinely borrows system file names. We remove these two entries from our analysis as well; the remaining file, xpa2008.exe, is the malware executable itself.


Change recorded by Process Explorer

After execution of the malware, Process Explorer showed one new process in the list: xpa2008.exe (PID 832). Fport reports the same binary as PID 1104 because each observation comes from a separate run; PIDs, like ephemeral port numbers, are not stable across executions.


Change recorded by NetworkActiv PIAFCTM

Type  Size  Source IP     Destination IP  sPort  dPort  Date/Time
TCP   40    192.168.1.3   69.50.173.10    1038   80     [2008.03.09 - 15:08:56.348]
TCP   1500  69.50.173.10  192.168.1.3     80     1038   [2008.03.09 - 15:08:56.358]

The network traffic analyzer NetworkActiv PIAFCTM captured a packet exchange between the sandbox and the IP address 69.50.173.10: an outbound segment from local port 1038 to remote port 80, and a 1500-byte response back. (Local port 1038 here versus 1039 in the Fport and netstat output is most likely just the ephemeral port chosen on a different run.) A capture of the full HTTP request and response, rather than packet headers alone, would show the exact URL fetched and what came back.

This IP address 69.50.173.10 was hosting the malware site (http://xpantivirus2008.com).

A WHOIS lookup gave the following details:

IP address: 69.50.173.10
Reverse DNS: [Timeout]
Reverse DNS authenticity: [Unknown]
ASN: 27595
ASN Name: INTERCAGE
IP range connectivity: 0
Registrar (per ASN): ARIN
Country (per IP registrar): US [United States]
Country Currency: USD [United States Dollars]
Country IP Range: 69.50.128.0 to 69.50.255.255
Country fraud profile: Normal
City (per outside source): Ottawa, Ontario
Country (per outside source): CA [Canada]
Private (internal) IP? No
IP address registrar: whois.arin.net
Known Proxy? No

Note that the registry data (ARIN, US) and the geolocation data (Ottawa, Canada) disagree. The WHOIS country reflects the registrant of the address block, IP geolocation is a third-party estimate, and neither says where the operator is; record both and build no conclusion on either alone.

Resolving the hostname xpantivirus2008.com also gives 69.50.173.10. Here we used ping, which sends ICMP echo requests to the malware host; when you do not want to touch the operator's server, use a plain DNS lookup instead (nslookup xpantivirus2008.com):

C:\>ping xpantivirus2008.com

Pinging xpantivirus2008.com [69.50.173.10] with 32 bytes of data:

Reply from 69.50.173.10: bytes=32 time=339ms TTL=48
Reply from 69.50.173.10: bytes=32 time=321ms TTL=48
Reply from 69.50.173.10: bytes=32 time=318ms TTL=48
Reply from 69.50.173.10: bytes=32 time=321ms TTL=48

Ping statistics for 69.50.173.10:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 318ms, Maximum = 339ms, Average = 324ms

Open port recorded by Fport

Scanning the open ports with Fport, the rows that matter are:

E:\Malware Analysis\Fport>Fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc. http://www.foundstone.com

Pid   Process   Port  Proto  Path
4     System    445   TCP
1104  xpa2008   1039  TCP    C:\Program Files\XP Antivirus\xpa2008.exe
1104  xpa2008   1900  UDP    C:\Program Files\XP Antivirus\xpa2008.exe

So the malware was running on the sandbox with two sockets bound: TCP 1039, the local end of its outbound connection to 69.50.173.10:80, and UDP 1900, the SSDP port, whose purpose the logs do not establish.

We now have logs and records from several tools and utilities that let us reconstruct the bigger picture of the malware's behaviour in the sandbox. On the basis of this analysis we can describe what the malware did in the test environment. All of the information, technical and non-technical, goes into the documentation part.


Documenting & reconstructing the bigger picture

Malware: XP Antivirus 2008

File Name: XPantivirus2008_v880011.exe
File size: 41472 bytes
MD5: 4edf998086a9a3327256bc9ca1581228
SHA1: ffe4489828e7bce26f7125f73c2c99b5ccc48959
Download URL: http://xpantivirus2008.com
Also Known As: TR/Crypt.ULPM.Gen, Win32/PolyCrypt, MemScan:Trojan.FakeAlert.PT, Trojan.Fakealert.446, W32/Smalltroj.CYTS, Trojan.Crypt.ULPM, Trojan-Downloader.Win32.FraudLoad.aa, TrojanDownloader:Win32/Renos.CT, Adware/Xpantivirus2008, Mal/HckPk-A, Trojan.Crypt.ULPM.Gen
Systems Affected: Windows 98, Windows 95, Windows XP, Windows Me, Windows NT, Windows 2000

Technical Details:

XP Antivirus 2008 poses as an antispyware application. Below is the author's own description:

Make the switch to XP antivirus Protection and enjoy your system work without any
influence of Spyware and Viruses.

Once executed, the malware makes an outbound HTTP connection from an ephemeral local port (1038 in one run, 1039 in another) to the IP address 69.50.173.10 on remote port 80 and retrieves the page firstrun.htm from that server. It installs the rogue application in the folder C:\Program Files\XP Antivirus and drops the binary xpa2008.exe in that installation directory.

C:\Program Files\XP Antivirus\xpa2008.exe

The malware runs the process:

xpa2008.exe

It creates a Start Menu folder named XP Antivirus 2008 with 2 links in it pointing to the malware's binary.

Creates a desktop icon with the name XP Antivirus 2008

Creates a System Tray icon that works as a quick access option

It also places a shortcut icon in the Quick Launch tray

It shows fake, inflated risks with fabricated descriptions. A brief excerpt of the risk log it saves is given below:

XP Antivirus 2008 system scan report.

Report generated 09.03.2008 18:03:56

Type | Run type | Name | Details
Spyware | C://windows/system32/iesetup.dll | Spyware.IEMonster.d | "Steals passwords from Internet Explorer, Mozilla Firefox, Outlook and other programs."
Adware | autorun | Zlob.PornAdvertiser.ba | Adware that displays pop-up/pop-under advertisements of pornographic or online gambling Web sites.
Spyware | autorun | Spyware.IMMonitor | program that can be used to monitor and record conversations in popular instant messaging applications.

Apart from this, it displays popup windows, which appear automatically at intervals.

Added Files / Folders: files and folders added by the malware.

C:\Documents and Settings\<user profile>\Application Data\Microsoft\Internet Explorer\Quick Launch\XP Antivirus 2008.lnk
C:\Documents and Settings\<user profile>\Desktop\XP Antivirus 2008.lnk
C:\Documents and Settings\<user profile>\Start Menu\XP Antivirus 2008
C:\Documents and Settings\<user profile>\Start Menu\XP Antivirus 2008\Uninstall XP Antivirus 2008.lnk
C:\Documents and Settings\<user profile>\Start Menu\XP Antivirus 2008\XP Antivirus 2008.lnk
C:\Program Files\XP Antivirus
C:\Program Files\XP Antivirus\xpa2008.exe

Deleted Files / Folders:

Deletes the Temporary Internet Files and cookies present at the time of installation, and deletes the System Volume Information folder (the System Restore store) from every drive:

[Drive Letter]:\System Volume Information

Deletes its own installation file from the system.

Registry Entries Added:

HKEY_CURRENT_USER\Software\XP antivirus
HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus (the same key seen through the user's SID; HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>, and the SID shown is the sandbox Administrator's)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, value XP Antivirus = "C:\Program Files\XP Antivirus\xpa2008.exe"

Removal Instruction:

Stop the process xpa2008.exe with Process Explorer or with Task Manager; do this first, so that none of the files below are in use when you delete them

Delete the folder XP Antivirus that has been created inside C:\Program Files

Delete the folder XP Antivirus 2008 that has been created inside C:\Documents and Settings\<user profile>\Start Menu

Delete XP Antivirus 2008.lnk from C:\Documents and Settings\<user profile>\Desktop

Delete XP Antivirus 2008.lnk from C:\Documents and Settings\<user profile>\Application Data\Microsoft\Internet Explorer\Quick Launch

Before deleting the registry entries, back up the registry completely (File > Export in Regedit). Once done, follow the steps below:

Click Start > Run

Type Regedit

Click OK

Then navigate to and delete the following entries:

HKEY_CURRENT_USER\Software\XP antivirus (the whole key, with everything under it)

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: delete only the value named XP Antivirus, whose data is "C:\Program Files\XP Antivirus\xpa2008.exe". Do not delete the Run key itself; legitimate programs register their startup entries there too.

HKEY_USERS\S-1-5-21-1417001333-1343024091-1957994488-500\Software\XP antivirus is the same key as HKEY_CURRENT_USER\Software\XP antivirus viewed through the user's SID (HKEY_CURRENT_USER is a link to HKEY_USERS\<SID>), so it disappears with the first deletion; look there afterwards only to confirm. The SID above is the sandbox Administrator's and will differ on any other machine.

Exit the Registry Editor

Written By:
Rajdeep Chakraborty
Aka. MaliciousBrains
Site : http://www.malwareinfo.org
Blog : http://blog.malwareinfo.org
Forum: http://forum.malwareinfo.org
Email: maliciousbrains@malwareinfo.org
-------------------------------------------------
There are no patches or service packs for ignorance!
