
Malware Report: 549bb96dd9520628e3763e489d22a56fd1cc5fa3

File SHA1: 549bb96dd9520628e3763e489d22a56fd1cc5fa3
File MD5 : 563c61f142396e56e7600094d3e24dde
File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Date: Mon Nov 9 18:25:55 MYT 2009
Possible Malware: YES
Panda Says: W32/Sality.AO

#– Files Created: –

/Documents and Settings/Administrator/Local Settings/Temp/941.exe
/Documents and Settings/Administrator/Local Settings/Temp/Cookies
/Documents and Settings/Administrator/Local Settings/Temp/History
/Documents and Settings/Administrator/Local Settings/Temp/Temporary Internet Files
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/0X6VKLAB/part[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/2[1].exe
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/bde[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/bot[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/lgate[1].htm
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/TN0LPWP3/lo[1].txt
/Documents and Settings/Administrator/Local Settings/Temporary Internet Files/Content.IE5/WDANS5QR/abb[1].txt
/Documents and Settings/Administrator/oashdihasidhasuidhiasdhiashdiuasdhasd
/Documents and Settings/Administrator/reader_s.exe
/Documents and Settings/Administrator/restorer32_a.exe
/Documents and Settings/All Users/Application Data/Microsoft/Dr Watson
/RECYCLER/S-1-5-21-0243636035-3055115376-381863306-1556
/RECYCLER/S-1-5-21-8739503812-7046268210-383256414-4792
/WINDOWS/Prefetch/5.TMP-01A6E178.pf
/WINDOWS/Prefetch/6.TMP-3B726FB8.pf
/WINDOWS/Prefetch/7.TMP-138C6DFA.pf
/WINDOWS/Prefetch/8.TMP-263F2046.pf
/WINDOWS/Prefetch/9.TMP-28BFBD6C.pf
/WINDOWS/Prefetch/941.EXE-04BFDACD.pf
/WINDOWS/Prefetch/A.TMP-06576726.pf
/WINDOWS/Prefetch/DRWTSN32.EXE-2B4B52AC.pf
/WINDOWS/Prefetch/NETSH.EXE-085CFFDE.pf
/WINDOWS/Prefetch/READER_S.EXE-31E43321.pf
/WINDOWS/Prefetch/SERVICES.EXE-2B0DDD57.pf
/WINDOWS/Temp/VRT1.tmp
/WINDOWS/Temp/VRT2.tmp
/WINDOWS/Temp/x1c45345.dll
/WINDOWS/services.exe
/WINDOWS/system32/4.tmp
/WINDOWS/system32/5.tmp
/WINDOWS/system32/6.tmp
/WINDOWS/system32/7.tmp
/WINDOWS/system32/795788.exe
/WINDOWS/system32/9.tmp
/WINDOWS/system32/dllcache/ndis.sys
/WINDOWS/system32/drivers/625.exe
/WINDOWS/system32/lowsec
/WINDOWS/system32/msxm192z.dll
/WINDOWS/system32/reader_s.exe
/WINDOWS/system32/restorer32_a.exe
/WINDOWS/system32/sdra64.exe

#– Registry Created: –

[SOFTWARE]
+ [software\Microsoft\DownloadManager]
+ [software\Microsoft\PCHealth\ErrorReporting\ExclusionList]
+ [software\Microsoft\PCHealth\ErrorReporting\InclusionList]
+ [software\Microsoft\Tracing\FWCFG]
+ [software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ [software\Microsoft\Windows\CurrentVersion\services]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\NAP\Netsh\Napmontr]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent]
+ [software\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\qagent\traceIdentifier]
+ [software\Policies\Microsoft\WindowsFirewall]
+ [software\Policies\Microsoft\WindowsFirewall\DomainProfile]
+ [software\Policies\Microsoft\WindowsFirewall\StandardProfile]
[SYSTEM]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll]
+ [system\ControlSet001\Services\napagent\LocalConfig\Enroll\HcsGroups]
+ [system\ControlSet001\Services\napagent\LocalConfig\UI]
[SECURITIES]
[DEFAULT]
+ [default\Software\Microsoft\Internet Explorer\International]
+ [default\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
[NTUSER]

#– Malware Traffic – DNS: –

206.82.224.31.zip.com
38.234.82.124.in-addr.arpa
ASPMX.L.GOOGLE.com
MX.MAILANYONE.net
a.mx.zutek.com
alt4.gmail-smtp-in.l.google.com
andrej.andreev12.pochta.ru
aol.com
bfkq.com
chmail10.zurich.com
cluster1.us.messagelabs.com
cluster8.eu.messagelabs.com
cluster8.us.messagelabs.com
cluster9.us.messagelabs.com
clusterc.mailcontroller.co.uk
colopin.cn
com
config1007.iwillhavesexygirls.com
d.mx.mail.yahoo.com
datingintennessee.com
de
dev.null
dsl.xls.co.nz
g.mx.mail.yahoo.com
gandalf.zedo.com
gateway1.worldnet.att.net
gateway2.worldnet.att.net
gmail-smtp-in.l.google.com
gmail.com
hostrelay01.logix.in
hotmail.co.uk
hotmail.com
hrndva-smtpin01.mail.rr.com
idfc.info
in1.smtp.messagingengine.com
inbound.wmdesign.net.netsolmail.net
inbound.yourdictionary.com.netsolmail.net
inbound2.mail.flyingcroc.net
infousa.com.inbound15.mxlogic.net
irc.zief.pl
ismtp.sitestar.everyone.net
jsactivity.com
komojoke.cn
mail.datingintennessee.com
mail.global.bigfish.com
mail.global.frontbridge.com
mail.global.sprint.com
mail.messaging.microsoft.com
mail.telesouth1.com
mail.wincrest.com.au
mail.wisi.com
mail.wma.com
mail.wti.com
mail.x-link.co.za
mail.xit.net
mail.zelnet.ru
mail.zhats.com
mail.zs.com
mail0.wincor-nixdorf.com
mail1.wlgore.com
mail11.mondial-assistance-group.com.ppde.azmx.de
mail2.haufe.de
mail7.digitalwaves.co.nz
mailfoundry.tc3net.com
mailgate.cybercity.dk
mailgate.williams.edu
mailgate1.zfn.uni-bremen.de
mailgw10.wm.net
maillist.iwillhavesexygirls.com
mis-mail.zippo.com
mrin4-b.corp.re1.yahoo.com
mtagate1.de.ibm.com
mtagate5.uk.ibm.com
mx-4.wiu.edu
mx-ha01.web.de
mx-ha02.web.de
mx.the9.com
mx01.1and1.fr
mx01.zf.com
mx02.speakeasy.net
mx1.free.fr
mx1.hotmail.com
mx1.iswest.net
mx1.megamailservers.com
mx1.tnz.mail.yahoo.com
mx1.wral.com
mx1.wrs.com.mailhostsxode.net
mx11.wvu.edu
mx2.hotmail.com
mx2.xs4all.nl
mx2.yandex.ru
mx3.hotmail.com
mx3.mindspring.com
mx4.hotmail.com
mxs.mail.ru
ns.wood-co.cz
org
orts.alwaysproxy4.info
pure1.maildistiller.com
smtp.secureserver.net
sunflorida.com
sync.wildbrain.com
teknetwork.com
telesouth1.com
tes.memehehz.info
tes.stuckin.org
vcnet.com
web.de
webmail.efanz.com
wildbrain.com
williams.edu
willis.com
wimaxrf.com
win99.com
wincor-nixdorf.com
wincrest.com
wincrest.com.au
wincrest.s8a1.psmtp.com
wis-tv.com
wis-tv.com.s9a1.psmtp.com
wisdomcomputer.com
wisi.com
wiu.edu
wk.com
wkbw.com
wkbw.i-evolve.net
wlgore.com
wma.com
wmdata.com
wmdesign.net
wmg.com
wmg.com.s6a1.psmtp.com
wmharvey.com
wmharvey.com.inbound15.mxlogicmx.net
wnt.sas.com
woh.rr.com
wolfenet.com
wonderware.com
wood.com
woodhead-publishing.com
workpermit.com
worldaccess.com
worldnet.att
worldnet.att.net
worldonline.dk
worldonline.fr
wormhole.com
wov.com
wowchina.com
wpg.faneuil.com
wral-tv.com
wral.com
wrox.com
wrs.com
wrs.de
wsatkins.co.uk
wsj.com
wsj.com.s8a1.psmtp.com
wt.net
wti.com
wvmler6.mail.xerox.com
wvu.edu
ww-interlink.net
wwbcn.com
wwnet.com
wwtelco.com
www.worldnet.att.net
x-link.co.za
xerox.com
xilinx.com
xit.net
xls.co.nz
xmail.wiley.com
xo.com
xs4all.nl
xtra.co.nz
xxxcounter.com
xxxlcock.net
ya.ru
yadi.org
yahoo-inc.com
yahoo.com
yahoo.de
yam.com
yamaha.com
yesconnect.net
yesmail.com
yourdictionary.com
yourwap.com
yta.attmil.ne.jp
za.ibm.com
zedo.com
zelnet.ru
zensar.com
zf.com
zfn.uni-bremen.de
zhats.com
zip.com
zipmail.com
zippo.com
zko.dec.com
zs.com
zu.com
zurich.com
zurich.ibm.com
zutek.com

#– Malware Traffic – Connections (destination IP, with the port appended as the final dotted field): –

112.200.25.141.3128
112.201.98.146.3128
112.202.54.89.3128
113.12.120.216.3128
114.80.196.175.25
119.95.232.159.3128
12.23.46.195.25
123.237.81.177.3128
124.108.96.67.25
124.123.7.20.3128
124.158.119.168.3128
124.244.212.154.3128
13.8.138.231.25
134.102.20.31.25
143.223.20.50.25
143.43.142.70.25
149.238.2.132.25
157.182.140.81.25
157.204.22.38.25
173.45.105.218.8392
174.133.104.210.80
174.139.2.202.1199
188.129.161.109.3128
189.220.143.201.3128
190.1.25.212.3128
190.140.171.9.3128
190.246.106.206.3128
190.5.203.23.3128
190.60.36.228.3128
194.109.24.138.25
195.212.17.161.25
195.212.29.138.25
195.28.226.107.25
195.88.191.46.80
196.217.188.227.3128
196.23.250.154.3128
201.232.158.194.3128
203.157.0.1.25
203.199.134.219.25
203.97.206.225.25
204.127.134.23.25
204.27.57.154.8392
205.178.149.7.25
206.161.193.131.25
206.192.23.36.25
207.178.132.20.25
207.246.128.221.25
208.215.179.78.25
208.65.144.12.25
208.70.131.50.25
209.190.85.36.25
209.85.210.100.25
209.85.210.46.25
209.85.210.87.25
209.85.210.88.25
209.85.210.93.25
209.85.218.43.25
210.212.155.68.3128
211.30.126.243.3128
211.95.79.74.4444
212.117.164.35.25
212.227.15.186.25
213.164.69.204.25
216.157.145.27.25
216.200.145.235.25
216.237.12.147.25
216.251.32.71.25
216.32.180.22.25
216.82.241.83.25
216.82.249.3.25
216.82.249.51.25
217.112.42.216.25
217.112.42.217.25
217.112.42.7.25
217.72.192.149.25
218.61.7.9.80
218.93.205.30.80
222.166.167.3.3128
222.73.204.229.88
222.73.204.229.888
24.68.253.194.3128
41.204.220.195.25
58.107.175.248.3128
60.48.73.61.3128
61.100.43.25.3128
61.7.240.163.3128
64.112.192.12.25
64.12.137.169.25
64.120.149.21.33254
64.128.222.221.25
64.18.7.10.25
64.191.104.197.19725
64.207.53.142.25
64.41.197.46.25
65.36.167.153.25
65.54.188.72.25
65.54.188.94.25
65.55.37.104.25
65.55.88.22.25
66.111.4.71.25
66.197.252.149.3954
66.96.221.101.8392
67.19.176.194.25
67.195.168.31.25
67.215.1.206.80
68.142.202.247.25
68.150.152.20.3128
69.147.105.210.25
69.162.127.90.80
69.162.64.122.80
69.162.90.170.80
69.55.16.41.25
72.237.212.73.25
74.81.120.30.25
76.73.26.58.4444
77.221.159.154.25
78.159.102.105.32212
78.60.51.210.3128
80.92.97.13.25
82.204.219.221.80
82.237.119.2.3128
83.149.98.166.25
83.165.75.169.3128
83.228.117.8.3128
83.233.92.176.3128
83.239.118.56.3128
85.119.129.3.25
85.158.140.211.25
85.174.253.16.3128
85.223.253.194.3128
88.214.192.192.25
88.214.216.6.25
88.96.99.28.25
89.138.109.167.3128
89.149.62.107.3128
89.28.110.250.3128
89.44.211.125.3128
89.47.44.4.3128
90.227.249.226.3128
91.192.116.26.25
91.206.201.39.80
91.207.4.106.80
92.114.192.88.3128
92.87.226.181.3128
93.114.34.22.3128
93.158.134.89.25
93.174.92.220.80
93.177.186.64.3128
94.100.176.20.25
94.158.100.237.3128
94.244.168.161.3128
94.253.170.199.3128
98.137.54.238.25
99.226.87.61.3128

#– Malware Traffic – www: –

komojoke.cn/txt/read2.txt
komojoke.cn/txt/read.txt
colopin.cn/oc/box.txt
colopin.cn/op/lgate.php?n=E15210BDE81AC24D
komojoke.cn/sv/bde.txt
komojoke.cn/ag/lo.txt
colopin.cn/lib/bot.txt
colopin.cn/lib/abb.txt
195.88.191.46/2.exe
colopin.cn/licen/part.txt
idfc.info/pqz2.exe
91.207.4.106/spm/get_id.php
91.207.4.106/spm/page.php?id=747064&tick=107875&ver=400&smtp=ok&task=0
thd67nw406i.com/40E800144D513030303020312020202020202020202020206C0000002B66000000007600000642EB0005309E6689A4
andrej.andreev12.pochta.ru/flashcard/win.exe
24.68.253.194/+17594.html
112.202.54.89/+17594.html
89.47.44.4/+17594.html

#– Screenshots: –

Screen After 90 Seconds

Screen After 120 Seconds
