| Field | Value |
|---|---|
| Architecture | IMAGE_FILE_MACHINE_I386 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date | 2010-Jul-14 22:03:32 |
| Detected languages | Chinese - PRC |
| CompanyName | Microsoft Corporation |
| FileDescription | Windows Service Pack Uninstall |
| FileVersion | 6.3.0004.1 built by: dnsrv |
| InternalName | SPUNINST.EXE |
| LegalCopyright | (C) Microsoft Corporation. All rights reserved. |
| OriginalFilename | SPUNINST.EXE |
| ProductName | Microsoft(R) Windows(R) Operating System |
| ProductVersion | 6.3.0004.1 |

| Level | Finding | Details |
|---|---|---|
| Info | Matching compiler(s): | Microsoft Visual C++ 6.0 - 8.0; Microsoft Visual C++; Microsoft Visual C++ v6.0; Microsoft Visual C++ v5.0/v6.0 (MFC) |
| Suspicious | Strings found in the binary may indicate undesirable behavior: | May have dropper capabilities: |
| Info | Cryptographic algorithms detected in the binary: | Uses constants related to CRC32 |
| Suspicious | The PE is possibly packed. | Unusual section name found: .idata2 |
| Suspicious | The PE contains functions most legitimate programs don't use. | [!] The program may be hiding some of its imports: |
| Malicious | The PE's digital signature is invalid. | Signer: Kaspersky Lab; Issuer: VeriSign Class 3 Code Signing 2004 CA; The file was modified after it was signed. |
| Malicious | VirusTotal score: 69/73 (Scanned on 2020-01-16 07:26:25) | |
| DOS header field | Value |
|---|---|
| e_magic | MZ |
| e_cblp | 0x90 |
| e_cp | 0x3 |
| e_crlc | 0 |
| e_cparhdr | 0x4 |
| e_minalloc | 0 |
| e_maxalloc | 0xffff |
| e_ss | 0 |
| e_sp | 0xb8 |
| e_csum | 0 |
| e_ip | 0 |
| e_cs | 0 |
| e_ovno | 0 |
| e_oemid | 0 |
| e_oeminfo | 0 |
| e_lfanew | 0xf0 |
| PE file header field | Value |
|---|---|
| Signature | PE |
| Machine | IMAGE_FILE_MACHINE_I386 |
| NumberofSections | 4 |
| TimeDateStamp | 2010-Jul-14 22:03:32 |
| PointerToSymbolTable | 0 |
| NumberOfSymbols | 0 |
| SizeOfOptionalHeader | 0xe0 |
| Characteristics | IMAGE_FILE_32BIT_MACHINE, IMAGE_FILE_EXECUTABLE_IMAGE, IMAGE_FILE_LINE_NUMS_STRIPPED, IMAGE_FILE_LOCAL_SYMS_STRIPPED, IMAGE_FILE_RELOCS_STRIPPED |
| Optional header field | Value |
|---|---|
| Magic | PE32 |
| LinkerVersion | 6.0 |
| SizeOfCode | 0x5000 |
| SizeOfInitializedData | 0x2b000 |
| SizeOfUninitializedData | 0 |
| AddressOfEntryPoint | 0x00002C46 (Section: CODE) |
| BaseOfCode | 0x1000 |
| BaseOfData | 0x6000 |
| ImageBase | 0x400000 |
| SectionAlignment | 0x1000 |
| FileAlignment | 0x200 |
| OperatingSystemVersion | 4.0 |
| ImageVersion | 0.0 |
| SubsystemVersion | 4.0 |
| Win32VersionValue | 0 |
| SizeOfImage | 0x31800 |
| SizeOfHeaders | 0x1000 |
| Checksum | 0 |
| Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| SizeofStackReserve | 0x100000 |
| SizeofStackCommit | 0x1000 |
| SizeofHeapReserve | 0x100000 |
| SizeofHeapCommit | 0x1000 |
| LoaderFlags | 0 |
| NumberOfRvaAndSizes | 16 |
| Imported DLL | Imported functions |
|---|---|
| kernel32.dll | ExitProcess, GetTickCount, IsBadWritePtr, GetProcAddress, GetModuleHandleA, GetLastError, Sleep, LoadLibraryA, GetCurrentDirectoryA, GetTempPathA, CloseHandle, WriteFile, SetFilePointer, CreateFileA, WaitForSingleObject, GetCurrentProcess, CreateEventA, ExpandEnvironmentStringsA, GetSystemDirectoryA, SetEnvironmentVariableA, SleepEx, IsBadReadPtr, ExitThread, GetExitCodeThread, CreateThread, SetUnhandledExceptionFilter, CreateProcessA, GetStartupInfoA, CopyFileA, GetCommandLineA, GetCurrentThreadId, GetModuleFileNameA, Process32Next, lstrcmpi, Process32First, CreateToolhelp32Snapshot, CreateDirectoryA, DeleteFileA, SetFileAttributesA, GetFileAttributesA, LocalAlloc, InterlockedExchange, RaiseException, FreeLibrary |
| msvcrt.dll | _itoa, _except_handler3, memset, __CxxFrameHandler, memmove, srand, rand, _ftol, tolower, malloc, strncmp, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, ??1type_info@@UAE@XZ, _controlfp |
| SHLWAPI.dll | PathFileExistsA, SHGetValueA, SHDeleteKeyA, SHCopyKeyA |
| USER32.dll | GetActiveWindow, wsprintfA, FlashWindow |
| WS2_32.dll | closesocket, getprotobynumber |
| Version info field | Value |
|---|---|
| Signature | 0xfeef04bd |
| StructVersion | 0x10000 |
| FileVersion | 6.3.4.1 |
| ProductVersion | 6.3.4.1 |
| FileFlags | (EMPTY) |
| FileOs | VOS_DOS_WINDOWS32, VOS_NT, VOS_NT_WINDOWS32, VOS_WINCE, VOS__WINDOWS32 |
| FileType | VFT_APP |
| Language | Chinese - PRC |
| CompanyName | Microsoft Corporation |
| FileDescription | Windows Service Pack Uninstall |
| FileVersion (#2) | 6.3.0004.1 built by: dnsrv |
| InternalName | SPUNINST.EXE |
| LegalCopyright | (C) Microsoft Corporation. All rights reserved. |
| OriginalFilename | SPUNINST.EXE |
| ProductName | Microsoft(R) Windows(R) Operating System |
| ProductVersion (#2) | 6.3.0004.1 |
| Resource LangID | Chinese - PRC |
| Rich header | Value |
|---|---|
| XOR Key | 0xaa373b29 |

| Rich header entry | Count |
|---|---|
| Unmarked objects | 0 |
| 12 (7291) | 2 |
| 14 (7299) | 2 |
| C objects (VS98 build 8168) | 11 |
| Linker (VS98 build 8168) | 2 |
| Imports (VS2003 (.NET) build 4035) | 9 |
| Total imports | 130 |
| Resource objects (VS98 cvtres build 1720) | 1 |
| C++ objects (VS98 build 8168) | 9 |