Trj/CI.A
File Name : b.exe
File Type : MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
MD5 : 484e0bad5a6275ca0c6b5d249531bd09
PEiD : Nothing Found
Panda Says : Trj/CI.A
As usual, it hides files in Windows\Fonts.
Let's see what is in Windows\Fonts:
08/31/2009 06:17 AM 31,944 alg.exe
08/31/2009 06:19 AM 234 bp.ini
08/31/2009 06:17 AM 244 isfb.ini
08/31/2009 06:20 AM 11,776 tencent.exe
08/31/2009 06:18 AM 1,750 usMywhxbgf5N8e9u6.Ttf
Let's check out the contents of
C:\Sandbox\NoAB\DefaultBox\drive\C\WINDOWS\fonts\isfb.ini
http://76.73.AA.AA/c/getin.exe
http://76.73.AA.AA/c/3.exe
http://76.73.AA.AA/c/7.exe
http://76.73.AA.AA/c/dn.exe
http://76.73.AA.AA/c/tl.exe
http://76.73.AA.AA/c/cz.exe
http://76.73.AA.AA/c/9.exe
http://76.73.AA.AA/c/apxp.exe
Checking out WINDOWS\system32:
08/31/2009 06:18 AM 13,531 360trav.exe
08/31/2009 06:18 AM 11,776 comres.dll
08/31/2009 06:18 AM -DIR- dllcache
08/31/2009 06:18 AM -DIR- drivers
08/31/2009 06:18 AM 256 Jmansza.dat
04/14/2008 05:42 AM 33,280 myInsDll.exe
08/31/2009 06:18 AM 49,152 npptools.dll
08/31/2009 06:18 AM 88,952 Packet.dll
08/31/2009 06:18 AM 11,776 Processa.dll
04/14/2008 05:42 AM 140,288 sfc32.dll
04/14/2008 05:41 AM 792,064 SysCom.dll
04/14/2008 05:42 AM 0 verclsid.exe
08/31/2009 06:18 AM 68,480 WanPacket.dll
08/31/2009 06:17 AM -DIR- WBEM
08/31/2009 06:18 AM 240,496 wpcap.dll
Well, wpcap.dll. Stealing passwords?
After letting it run for 30 minutes, b.exe continued to download a few more pieces of software.
One of them, I believe, is an IE plug-in called IETimber.dll.
Another file that lands in “Program Files” is cpush.dll.
Running Processes:
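The two indicators this report leans on are (1) non-font files dropped into Windows\Fonts and (2) an ini file full of download URLs, plus the WinPcap packet-capture components (wpcap.dll, Packet.dll, WanPacket.dll) showing up in system32. The script below is an added triage example, not part of the original report, that parses the dir-style listings and the ini contents exactly as they appear above and flags those three things. The size threshold for "suspiciously small font file" is a heuristic assumption of mine, and the URL octets masked as AA on the page are kept masked; output URLs are defanged for safe reporting.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows\Fonts listing as shown in the report (dir-style output copied from the page).
FONTS_LISTING = """\
08/31/2009 06:17 AM 31,944 alg.exe
08/31/2009 06:19 AM 234 bp.ini
08/31/2009 06:17 AM 244 isfb.ini
08/31/2009 06:20 AM 11,776 tencent.exe
08/31/2009 06:18 AM 1,750 usMywhxbgf5N8e9u6.Ttf
"""

# WINDOWS\system32 listing as shown in the report.
SYSTEM32_LISTING = """\
08/31/2009 06:18 AM 13,531 360trav.exe
08/31/2009 06:18 AM 11,776 comres.dll
08/31/2009 06:18 AM -DIR- dllcache
08/31/2009 06:18 AM -DIR- drivers
08/31/2009 06:18 AM 256 Jmansza.dat
04/14/2008 05:42 AM 33,280 myInsDll.exe
08/31/2009 06:18 AM 49,152 npptools.dll
08/31/2009 06:18 AM 88,952 Packet.dll
08/31/2009 06:18 AM 11,776 Processa.dll
04/14/2008 05:42 AM 140,288 sfc32.dll
04/14/2008 05:41 AM 792,064 SysCom.dll
04/14/2008 05:42 AM 0 verclsid.exe
08/31/2009 06:18 AM 68,480 WanPacket.dll
08/31/2009 06:17 AM -DIR- WBEM
08/31/2009 06:18 AM 240,496 wpcap.dll
"""

# isfb.ini contents as shown in the report; the AA octets are the page's own masking.
ISFB_INI = """\
http://76.73.AA.AA/c/getin.exe
http://76.73.AA.AA/c/3.exe
http://76.73.AA.AA/c/7.exe
http://76.73.AA.AA/c/dn.exe
http://76.73.AA.AA/c/tl.exe
http://76.73.AA.AA/c/cz.exe
http://76.73.AA.AA/c/9.exe
http://76.73.AA.AA/c/apxp.exe
"""


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]  # None for directories
    name: str


# "MM/DD/YYYY HH:MM AM  <size or -DIR->  <name>"
LISTING_RE = re.compile(r"^(\S+)\s+(\S+ [AP]M)\s+(-DIR-|[\d,]+)\s+(.+?)\s*$")


def parse_dir_listing(text: str) -> List[Entry]:
    """Parse dir-style output into Entry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        date, time, size, name = m.groups()
        entries.append(Entry(date, time, None if size == "-DIR-" else int(size.replace(",", "")), name))
    return entries


FONT_EXTENSIONS = {".ttf", ".ttc", ".otf", ".fon", ".pfb", ".pfm"}
MIN_PLAUSIBLE_FONT_SIZE = 4096  # assumption: real font files are rarely this small


def flag_fonts_dir(entries: List[Entry]) -> Tuple[List[str], List[str]]:
    """Return (non-font files, font-named files too small to be real fonts) found in a Fonts listing."""
    non_font, tiny_font = [], []
    for e in entries:
        if e.size is None:  # directories are not interesting here
            continue
        ext = os.path.splitext(e.name)[1].lower()
        if ext not in FONT_EXTENSIONS:
            non_font.append(e.name)
        elif e.size < MIN_PLAUSIBLE_FONT_SIZE:
            tiny_font.append(e.name)
    return non_font, tiny_font


# WinPcap user-mode components; their presence in system32 means a packet-capture stack is installed.
CAPTURE_COMPONENTS = {"wpcap.dll", "packet.dll", "wanpacket.dll"}


def find_capture_components(entries: List[Entry]) -> List[str]:
    """Return names of packet-capture libraries present in a system32 listing, in listing order."""
    return [e.name for e in entries if e.name.lower() in CAPTURE_COMPONENTS]


URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def defang(url: str) -> str:
    """Make a URL non-clickable for reports: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_download_urls(text: str) -> List[str]:
    """Pull every URL out of a config/ini blob and return it defanged."""
    return [defang(u) for u in URL_RE.findall(text)]


if __name__ == "__main__":
    non_font, tiny = flag_fonts_dir(parse_dir_listing(FONTS_LISTING))
    print("non-font files in Fonts:", non_font)
    print("suspiciously small fonts:", tiny)
    print("capture libs in system32:", find_capture_components(parse_dir_listing(SYSTEM32_LISTING)))
    for u in extract_download_urls(ISFB_INI):
        print("download URL:", u)
```

Run against the listings above this flags alg.exe, bp.ini, isfb.ini and tencent.exe as non-font files, the 1,750-byte .Ttf as too small to be a real font, the three WinPcap libraries in system32, and the eight defanged download URLs from isfb.ini. The same parser works on any `dir` output you paste from a sandbox, so the Fonts check can be pointed at other drop locations by swapping the extension whitelist.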
b.exe
alg.exe
tencent.exe
Additional feature: killing AV, as usual. :)
End of Report.