6e166d1c1.com (Trojan.Win32.Jorik.Lethic.gb hosted in Canada, Affilnet Corporation)

File Details
MD5 55c55f7764767fd46909b95b1e64b2d1
SHA-1 964d2183f263be8bc565d3dd307486614e5d6ce1
File Type exe
First Received (GMT+8) 2012-02-18 06:49:00
Size (bytes) 8704
Weightage 147
virustotal.com 29 vendors detected

Static File Header
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 4F1DB86E Tue Jan 24 03:43:42 2012
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00006000
Code Base: 00001000 Size: 00001600
Data Base: 00003000 Size: 00000800
Entry Point: 00002310 (file offset 00001710)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00001600 Flags: 60000020 (CER)
2: .rdata RVA: 00003000 Offset: 00001A00 Size: 00000400 Flags: 40000040 (DR)
3: .data RVA: 00004000 Offset: 00001E00 Size: 00000200 Flags: C0000040 (DRW)
4: .reloc RVA: 00005000 Offset: 00002000 Size: 00000200 Flags: 42000040 (DR)

Registry Change
The following Registry Keys were changed
Action Registry
Changed [NTUSER/Software/Microsoft/Windows/CurrentVersion/Run]
Changed [NTUSER/Software/Microsoft/Windows/CurrentVersion/Settings]

Running Processes
PID Command
34 \SystemRoot\System32\smss.exe
45 C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequ
48 winlogon.exe
53 C:\WINDOWS\system32\services.exe
54 C:\WINDOWS\system32\lsass.exe
69 C:\WINDOWS\system32\svchost -k DcomLaunch
74 C:\WINDOWS\system32\svchost -k rpcss
80 C:\WINDOWS\System32\svchost.exe -k netsvcs
118 C:\WINDOWS\Explorer.EXE
127 C:\WINDOWS\system32\ctfmon.exe
178 C:\WINDOWS\System32\svchost.exe -k HTTPFilter
203 C:\WINDOWS\system32\svchost.exe -k LocalService
44 C:\Documents and Settings\Administrator\Application Data\regsrv64.exe
72 C:\WINDOWS\system32\msfeedssync.exe sync

Traffic – by TCP/IP Connections

1 outbound connection found

Country IP Port
CA 207.112.46.14 20001

Analysis from http://www.xandora.net

Hosting info:
http://whois.domaintools.com/207.112.46.14