Malware | Joachim De Zutter
8th of October 2011

Sent from IP TCP port 55643
Provider: Bell Canada (Gatineau, Canada)

Filesize: 348704
MD5: 042d061531f0eddb111457bbf37eab40
SHA1: 741ef60d163babfe56635a1531cba85d164d1f34
SHA256: eb9ec607b869ece978bf44eade36182696297d80a3752e52c173f9604eba2adc

On execution, the following error was displayed twice (0xc0000005 is STATUS_ACCESS_VIOLATION):

"The application failed to initialize properly (0xc0000005). Click on OK to terminate the application."

The file embeds an EXE that has been encrypted with repeating-key XOR using the key "fuckyouman".

Filesize: 303616
MD5: 9d388cea1848f5152da4c93e4727ddbe
SHA1: de4a7960da5ab5d5cd41e20c47ebc8b5555be893
SHA256: c25d88d84af101b33caec63338fce43b7fdbb0d59752a42d995741fecb4f8ceb
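Recovering the embedded EXE is a repeating-key XOR scan: for each of the ten key phases, look for the two bytes that decrypt to "MZ", confirm that the DOS header's e_lfanew field points at bytes that decrypt to "PE\0\0", then walk the section table to find where the image ends on disk and hash what was carved. The script below is an added example written for this page, not the author's tooling: the container it searches and the 1 KB stand-in PE inside it are constructed inline (the real dropper is not included), and using the section table to bound the payload is an assumption about how to find its extent, not something the post states.

```python
import hashlib
import random
import struct

KEY = b"fuckyouman"  # the XOR key named on the page


def xor_crypt(data, key, phase=0):
    """Repeating-key XOR; `phase` is the key index applied to data[0]."""
    n = len(key)
    return bytes(b ^ key[(phase + i) % n] for i, b in enumerate(data))


def pe_raw_size(pe):
    """On-disk extent of a decrypted PE image, taken from its section table.
    Returns None if the headers are not a plausible PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if e_lfanew + 24 > len(pe) or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect = e_lfanew + 24 + opt_size          # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections           # at least the headers themselves
    for i in range(num_sections):
        off = sect + 40 * i
        if off + 40 > len(pe):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        end = max(end, raw_ptr + raw_size)   # SizeOfRawData + PointerToRawData
    return end


def find_embedded_pe(data, key=KEY):
    """Locate XOR-encrypted PE images in `data`, trying every key phase.
    Returns a list of (offset, phase, decrypted_payload)."""
    n = len(key)
    found = []
    for phase in range(n):
        marker = xor_crypt(b"MZ", key, phase)  # what "MZ" looks like under this phase
        pos = data.find(marker)
        while pos != -1:
            if pos + 0x40 <= len(data):
                dos = xor_crypt(data[pos:pos + 0x40], key, phase)
                e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
                sig_at = pos + e_lfanew
                # Validate cheaply before decrypting the rest of the file.
                if (e_lfanew >= 0x40 and sig_at + 4 <= len(data) and
                        xor_crypt(data[sig_at:sig_at + 4], key, (phase + e_lfanew) % n) == b"PE\0\0"):
                    dec = xor_crypt(data[pos:], key, phase)
                    size = pe_raw_size(dec)
                    if size is not None and size <= len(dec):
                        found.append((pos, phase, dec[:size]))
            pos = data.find(marker, pos + 1)
    return found


def file_hashes(blob):
    """MD5/SHA1/SHA256 of a carved payload, the same digests the write-up lists."""
    return {name: hashlib.new(name, blob).hexdigest() for name in ("md5", "sha1", "sha256")}


def build_sample_pe():
    """Constructed stand-in for the dropped EXE: a minimal PE32 layout (DOS header,
    PE signature, COFF header, 224-byte optional header, one section) so the
    section-table walk has something to parse. Not the real sample; it cannot run."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew -> PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x014C, 1)      # Machine i386, NumberOfSections 1
    struct.pack_into("<H", img, 0x54, 224)             # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x010B)          # optional header Magic: PE32
    sect = 0x40 + 24 + 224                             # section table at 0x138
    img[sect:sect + 8] = b".text\0\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<IIII", img, sect + 8, 0x200, 0x1000, 0x200, 0x200)
    img[0x200:0x400] = bytes(range(256)) * 2
    return bytes(img)


def build_sample_container():
    """Constructed dropper image: junk bytes, the XOR-encrypted PE, more junk.
    Returns (container_bytes, offset_of_payload)."""
    rng = random.Random(2011)
    prefix = bytes(rng.getrandbits(8) for _ in range(700))
    suffix = bytes(rng.getrandbits(8) for _ in range(300))
    return prefix + xor_crypt(build_sample_pe(), KEY, 0) + suffix, len(prefix)


if __name__ == "__main__":
    container, _ = build_sample_container()
    for pos, phase, payload in find_embedded_pe(container):
        print(f"embedded PE at offset {pos} (key phase {phase}), {len(payload)} bytes")
        for name, digest in file_hashes(payload).items():
            print(f"  {name.upper()}: {digest}")
```

Against the real dropper, call `find_embedded_pe` on the file's bytes: the carved payload's digests should match the three listed above if the key phase and the section-table extent are right; a mismatch with a correct "MZ"/"PE" hit usually means the dropper appended data (an overlay) past the last section, which this carve deliberately excludes.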

When that file is executed, the following behaviour is observed:

Establishes a TCP connection with
Provider: (Greenwich, United States)

Performs a DNS query for, which resolved to
Provider: Bell Canada (Gatineau, Canada)

Tries to establish a TCP connection with TCP port 100 and 200 of

Copies itself to %WINDIR%\system32\WinDir\svchost.exe