
Backdoor.Botnachala


start.exe backdoor.botnachala

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 2eb58d7431b558c29ec2c18f6d8b495b
SHA1SUM: 4e74377003143ea90953c5b069563aa7ca7c7188
SHA256SUM: 93a050723fa3a3b4fff0cd419de2140d0db7702610273538eea71571aab9201d
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] UPX [unknown / modified] !
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo
#################################

Entrypoint: 00016FE0
File Offset: 000083E0

AntiVir Found Backdoor-Server/Agent.IT backdoor
ArcaVir Found Trojan.Agent.It
Avast Found Win32:Trojano-1354
AVG Antivirus Found BackDoor.Agent.7.AB
BitDefender Found Backdoor.Agent.IT
ClamAV Found nothing
Dr.Web Found BackDoor.Zuni
F-Prot Antivirus Found W32/Botnachala.A@bd
Fortinet Found W32/Botnachala-tr
Kaspersky Anti-Virus Found Backdoor.Win32.Agent.it
NOD32 Found Win32/Botnachala.A
Norman Virus Control Found W32/Agent.DON
UNA Found Backdoor.Agent
VBA32 Found Backdoor.Agent.37 (probable variant)

REGISTRY MODIFICATIONS:
4 3.43193579 start.exe:1932 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe NOT FOUND
5 3.43277836 start.exe:1932 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
6 3.43280220 start.exe:1932 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
7 3.43282795 start.exe:1932 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
8 3.43386698 start.exe:1932 OpenKey HKLM\System\CurrentControlSet\Control\SafeBoot\Option NOT FOUND
9 3.43389487 start.exe:1932 OpenKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS Access: 0x1
10 3.43391371 start.exe:1932 QueryValue HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled SUCCESS 0x1
11 3.43393636 start.exe:1932 CloseKey HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers SUCCESS
12 3.43396807 start.exe:1932 OpenKey HKCU\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers NOT FOUND
13 3.43473959 start.exe:1932 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
14 3.43475938 start.exe:1932 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
15 3.43478060 start.exe:1932 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
16 3.43486834 start.exe:1932 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
17 3.43488622 start.exe:1932 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
18 3.43490267 start.exe:1932 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
19 3.43492222 start.exe:1932 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
20 3.43495703 start.exe:1932 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
21 3.43497753 start.exe:1932 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOT FOUND
22 3.43499660 start.exe:1932 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
23 3.43501830 start.exe:1932 OpenKey HKLM SUCCESS Access: 0x2000000
24 3.43505144 start.exe:1932 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOT FOUND
25 3.44522142 start.exe:1932 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
26 3.44524145 start.exe:1932 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOT FOUND
27 3.44526505 start.exe:1932 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS

FILESYSTEM:

4 10:15:00 PM start.exe:1352 READ C:\malware\start.exe SUCCESS Offset: 5120 Length: 29184
5 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\malware\start.exe SUCCESS FileNameInformation
6 10:15:00 PM start.exe:1932 OPEN C:\WINDOWS\Prefetch\START.EXE-03AE4E44.pf NOT FOUND Options: Open Access: All
7 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\malware\start.exe.Local NOT FOUND Attributes: Error
8 10:15:00 PM start.exe:1932 READ C:\malware\start.exe SUCCESS Offset: 34304 Length: 512
9 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\malware\WS2_32.dll NOT FOUND Attributes: Error
10 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\WINDOWS\System32\WS2_32.dll SUCCESS Attributes: A
11 10:15:00 PM start.exe:1932 OPEN C:\WINDOWS\System32\WS2_32.dll SUCCESS Options: Open Access: Execute
12 10:15:00 PM start.exe:1932 CLOSE C:\WINDOWS\System32\WS2_32.dll SUCCESS
13 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\malware\WS2HELP.dll NOT FOUND Attributes: Error
14 10:15:00 PM start.exe:1932 QUERY INFORMATION C:\WINDOWS\System32\WS2HELP.dll SUCCESS Attributes: A
15 10:15:00 PM start.exe:1932 OPEN C:\WINDOWS\System32\WS2HELP.dll SUCCESS Options: Open Access: Execute
16 10:15:00 PM start.exe:1932 CLOSE C:\WINDOWS\System32\WS2HELP.dll SUCCESS
17 10:15:00 PM start.exe:1932 READ C:\malware\start.exe SUCCESS Offset: 1024 Length: 4096

HOST FILE CHANGES:


STRINGS:


MORE STRINGS:


what tool

What tool are you using for the graph?

--
Best Regards,
Lance James
Author of "Phishing Exposed"
www.securescience.com

Halvar rules

I use various graphing tools, all of which are plugins or components for IDA Pro. I use BinDiff and BinNavi, both from Halvar, as well as bd_funcgraph (the colored one pictured in the post). I'm also working with Process Stalker by Pedram Amini and a few other things.

Graphing really helps me because I suck at ASM and I can just visually see things quickly without having to read too much. I've noticed that lots of malware looks visually similar. I bet you could compare the graphs of regular software and of malware and rapidly identify like 75% based on the visual structure.

There's a link to SABRE Security (Halvar & co) in the links section, which you can follow to buy this stuff (I've either bought or been given the tools from Halvar). IDA Pro is a must also. Go Ilfak!

V.