Architecture | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 1992-Jun-19 22:22:17 |

Suspicious | The PE is possibly packed. | Section CODE is both writable and executable. |
---|---|---|
Info | The PE contains common functions which appear in legitimate applications. | [!] The program may be hiding some of its imports: |
Info | The PE's resources present abnormal characteristics. | Resource SETTINGS is possibly compressed or encrypted. |
Malicious | VirusTotal score: 39/40 (Scanned on 2009-04-18 20:49:30) | |

McAfee+Artemis | MultiDropper-RY |
---|---|
nProtect | Backdoor/W32.Bifrose.61179 |
CAT-QuickHeal | Backdoor.Bifrose.ahih |
McAfee | MultiDropper-RY |
K7AntiVirus | Trojan.Win32.Buzus.ajt |
VirusBuster | Trojan.PWS.LdPinch.LEL |
NOD32 | a variant of Win32/Injector.BT |
F-Prot | W32/TrojanX.AYAZ |
Symantec | Backdoor.IRC.Bot |
Norman | W32/Smalldoor.dam |
Avast | Win32:Ldpinch-CWA |
eSafe | Win32.TRPSW.LdPinch |
ClamAV | Trojan.Agent-16172 |
Kaspersky | Backdoor.Win32.Bifrose.aer |
BitDefender | Trojan.PSW.LdPinch.AKY |
Comodo | Backdoor.Win32.Bifrose.~AV |
F-Secure | Backdoor.Win32.Bifrose.aer |
DrWeb | BackDoor.Bifrost.750 |
NOD32Beta | a variant of Win32/Injector.BT |
AntiVir | TR/PSW.LdPinch.fbq |
TrendMicro | BKDR_AGENT.XQB |
McAfee-GW-Edition | Trojan.PSW.LdPinch.fbq |
Sophos | Troj/LdPinch-RT |
eTrust-Vet | Win32/AMalum.DNSA |
Authentium | W32/TrojanX.AYAZ |
Prevx1 | High Risk System Back Door |
Antiy-AVL | Trojan/Win32.LdPinch |
Microsoft | VirTool:Win32/DelfInject.gen!N |
ViRobot | Trojan.Win32.Buzus.67126.B |
GData | Trojan.PSW.LdPinch.AKY |
AhnLab-V3 | Win-Trojan/Bifrose.61440.G |
VBA32 | Trojan-PSW.Win32.LdPinch.fbq |
Sunbelt | Backdoor.Win32.Bifrose.aer |
PCTools | Trojan.Buzus.KG |
Rising | Backdoor.Win32.Bifrose.fdc |
Ikarus | Trojan.Crypt |
Fortinet | W32/LdPinch.RT!tr |
AVG | Dropper.Delf.AYP |
Panda | Bck/SdBot.LWZ |
e_magic | MZ |
---|---|
e_cblp | 0x50 |
e_cp | 0x2 |
e_crlc | 0 |
e_cparhdr | 0x4 |
e_minalloc | 0xf |
e_maxalloc | 0xffff |
e_ss | 0 |
e_sp | 0xb8 |
e_csum | 0 |
e_ip | 0 |
e_cs | 0 |
e_ovno | 0x1a |
e_oemid | 0 |
e_oeminfo | 0 |
e_lfanew | 0x100 |
Signature | PE |
---|---|
Machine | IMAGE_FILE_MACHINE_I386 |
NumberofSections | 8 |
TimeDateStamp | 1992-Jun-19 22:22:17 |
PointerToSymbolTable | 0 |
NumberOfSymbols | 0 |
SizeOfOptionalHeader | 0xe0 |
Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_BYTES_REVERSED_HI, IMAGE_FILE_BYTES_REVERSED_LO, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED |
Magic | PE32 |
---|---|
LinkerVersion | 2.0 |
SizeOfCode | 0x1800 |
SizeOfInitializedData | 0x7400 |
SizeOfUninitializedData | 0 |
AddressOfEntryPoint | 0x000026E4 (Section: CODE) |
BaseOfCode | 0x1000 |
BaseOfData | 0x3000 |
ImageBase | 0x10000000 |
SectionAlignment | 0x1000 |
FileAlignment | 0x200 |
OperatingSystemVersion | 4.0 |
ImageVersion | 0.0 |
SubsystemVersion | 4.0 |
Win32VersionValue | 0 |
SizeOfImage | 0x10000 |
SizeOfHeaders | 0x400 |
Checksum | 0x58ff |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
SizeofStackReserve | 0x100000 |
SizeofStackCommit | 0x4000 |
SizeofHeapReserve | 0x100000 |
SizeofHeapCommit | 0x1000 |
LoaderFlags | 0 |
NumberOfRvaAndSizes | 16 |
kernel32.dll | GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap |
---|---|
user32.dll | CharNextA |
kernel32.dll (#2) | GetCurrentThreadId, ExitProcess, RtlUnwind, RaiseException, GetCommandLineA, TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA, GetModuleFileNameA, FreeLibrary, HeapFree, HeapReAlloc, HeapAlloc, GetProcessHeap |
ntdll.dll | RtlDecompressBuffer |
StartAddressOfRawData | 0x10006000 |
---|---|
EndAddressOfRawData | 0x10006004 |
AddressOfIndex | 0x1000410c |
AddressOfCallbacks | 0x10007010 |
SizeOfZeroFill | 0 |
Characteristics | IMAGE_SCN_TYPE_REG |
Callbacks | (EMPTY) |