My SandBox Report:
General information
File Name: c:\sohanad2.exe
MD5: AD98A35FA9B7808C3EC9008D628CFF27
SHA-1: 687cff22f385ffb54a4ec6e97ead5d974c860ab5
File Size: 617343 Bytes
Packed: Aspack v2.12 -> Alexey Solodovnikov ( Sn-flag:ok ) - Overlay : A3484B... Nothing discovered
+ Antivirus Detection
Antivir: Contains detection pattern of the worm WORM/AutoIt.X
AVG: Found Nothing
F-Prot: W32/Trojan2.DFYJ (exact)
Avast: Win32:AutoIt-CI [Trj]
BitDefender: Win32.Worm.Sohanad.NBM
ClamAV: Trojan.Autoit.gen
+ File Identifier
68.0% (.EXE) Win32 Executable Generic (8527/13/3) 15.9% (.EXE) Generic Win/DOS Executable (2002/3)
15.9% (.EXE) DOS Executable Generic (2000/1)
0.0% (.CEL) Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3)
+ String Found
!This program cannot be run in DOS mode.
"RichVE
.text
.rdata
.data
.rsrc
.vc++
.adata
+ New Process Run
+ c:\windows\system32\28463\svchost.exe
c:\windows\system32\rasadhlp.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\riched20.dll
"c:\sohanad2.exe"
C:\WINDOWS\system32\28463\svchost.exe
+ File And Folder Activity
Files Added
C:\WINDOWS\system32\28463\svchost.001
C:\WINDOWS\system32\28463\svchost.002
C:\WINDOWS\system32\28463\svchost.exe
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\system32\setting.ini
C:\WINDOWS\system32\setup.ini
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\regsvr.exe
C:\sohanad2.exe
+ Network Activity
+ Filter By HTTP
18 45.312654 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.doc HTTP/1.1
20 45.653354 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
30 45.972392 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
40 46.672805 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.xls HTTP/1.1
42 47.010716 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
50 47.311310 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
60 48.977396 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.doc HTTP/1.1
62 49.309425 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
70 49.611149 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
80 50.279017 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.xls HTTP/1.1
82 50.623582 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
90 50.932238 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
100 51.555919 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
109 52.198164 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
+ Filter By TCP
13 41.976773 10.0.2.15 -> 209.191.93.53 TCP netinfo-local > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
15 44.953763 10.0.2.15 -> 209.191.93.53 TCP netinfo-local > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
16 45.312249 209.191.93.53 -> 10.0.2.15 TCP http > netinfo-local [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
17 45.312293 10.0.2.15 -> 209.191.93.53 TCP netinfo-local > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
18 45.312654 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.doc HTTP/1.1
19 45.312928 209.191.93.53 -> 10.0.2.15 TCP http > netinfo-local [ACK] Seq=1 Ack=72 Win=8760 Len=0
20 45.653354 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
21 45.653406 209.191.93.53 -> 10.0.2.15 TCP http > netinfo-local [FIN, ACK] Seq=403 Ack=72 Win=8760 Len=0
22 45.653427 10.0.2.15 -> 209.191.93.53 TCP netinfo-local > http [ACK] Seq=72 Ack=404 Win=63838 Len=0
23 45.653934 10.0.2.15 -> 209.191.93.53 TCP netinfo-local > http [FIN, ACK] Seq=72 Ack=404 Win=63838 Len=0
24 45.654890 209.191.93.53 -> 10.0.2.15 TCP http > netinfo-local [ACK] Seq=404 Ack=73 Win=8760 Len=0
27 45.669582 10.0.2.15 -> 209.131.36.158 TCP activesync > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
28 45.971986 209.131.36.158 -> 10.0.2.15 TCP http > activesync [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
29 45.972030 10.0.2.15 -> 209.131.36.158 TCP activesync > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
30 45.972392 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
31 45.972671 209.131.36.158 -> 10.0.2.15 TCP http > activesync [ACK] Seq=1 Ack=100 Win=8760 Len=0
32 46.293175 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
33 46.295601 10.0.2.15 -> 209.131.36.158 TCP activesync > http [FIN, ACK] Seq=100 Ack=1025 Win=63216 Len=0
34 46.296835 209.131.36.158 -> 10.0.2.15 TCP http > activesync [ACK] Seq=1025 Ack=101 Win=8760 Len=0
35 46.299738 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
36 46.299770 10.0.2.15 -> 209.131.36.158 TCP activesync > http [RST, ACK] Seq=101 Ack=2049 Win=0 Len=0
37 46.337798 10.0.2.15 -> 209.191.93.53 TCP mxxrlogin > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
38 46.672427 209.191.93.53 -> 10.0.2.15 TCP http > mxxrlogin [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
39 46.672473 10.0.2.15 -> 209.191.93.53 TCP mxxrlogin > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
40 46.672805 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.xls HTTP/1.1
41 46.673080 209.191.93.53 -> 10.0.2.15 TCP http > mxxrlogin [ACK] Seq=1 Ack=72 Win=8760 Len=0
42 47.010716 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
43 47.010767 209.191.93.53 -> 10.0.2.15 TCP http > mxxrlogin [FIN, ACK] Seq=403 Ack=72 Win=8760 Len=0
44 47.010795 10.0.2.15 -> 209.191.93.53 TCP mxxrlogin > http [ACK] Seq=72 Ack=404 Win=63838 Len=0
45 47.011289 10.0.2.15 -> 209.191.93.53 TCP mxxrlogin > http [FIN, ACK] Seq=72 Ack=404 Win=63838 Len=0
46 47.013885 10.0.2.15 -> 209.131.36.158 TCP nsstp > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
47 47.015478 209.191.93.53 -> 10.0.2.15 TCP http > mxxrlogin [ACK] Seq=404 Ack=73 Win=8760 Len=0
48 47.310907 209.131.36.158 -> 10.0.2.15 TCP http > nsstp [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
49 47.310952 10.0.2.15 -> 209.131.36.158 TCP nsstp > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
50 47.311310 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
51 47.311615 209.131.36.158 -> 10.0.2.15 TCP http > nsstp [ACK] Seq=1 Ack=100 Win=8760 Len=0
52 47.618194 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
53 47.619899 10.0.2.15 -> 209.131.36.158 TCP nsstp > http [FIN, ACK] Seq=100 Ack=1025 Win=63216 Len=0
54 47.621253 209.131.36.158 -> 10.0.2.15 TCP http > nsstp [ACK] Seq=1025 Ack=101 Win=8760 Len=0
55 47.623835 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
56 47.623854 10.0.2.15 -> 209.131.36.158 TCP nsstp > http [RST, ACK] Seq=101 Ack=2049 Win=0 Len=0
57 48.641219 10.0.2.15 -> 209.191.93.53 TCP ams > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
58 48.976956 209.191.93.53 -> 10.0.2.15 TCP http > ams [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
59 48.977003 10.0.2.15 -> 209.191.93.53 TCP ams > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
60 48.977396 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.doc HTTP/1.1
61 48.977743 209.191.93.53 -> 10.0.2.15 TCP http > ams [ACK] Seq=1 Ack=72 Win=8760 Len=0
62 49.309425 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
63 49.309490 209.191.93.53 -> 10.0.2.15 TCP http > ams [FIN, ACK] Seq=403 Ack=72 Win=8760 Len=0
64 49.309516 10.0.2.15 -> 209.191.93.53 TCP ams > http [ACK] Seq=72 Ack=404 Win=63838 Len=0
65 49.309935 10.0.2.15 -> 209.191.93.53 TCP ams > http [FIN, ACK] Seq=72 Ack=404 Win=63838 Len=0
66 49.312378 209.191.93.53 -> 10.0.2.15 TCP http > ams [ACK] Seq=404 Ack=73 Win=8760 Len=0
67 49.313316 10.0.2.15 -> 209.131.36.158 TCP mtqp > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
68 49.610774 209.131.36.158 -> 10.0.2.15 TCP http > mtqp [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
69 49.610818 10.0.2.15 -> 209.131.36.158 TCP mtqp > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
70 49.611149 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
71 49.611429 209.131.36.158 -> 10.0.2.15 TCP http > mtqp [ACK] Seq=1 Ack=100 Win=8760 Len=0
72 49.927277 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
73 49.929325 10.0.2.15 -> 209.131.36.158 TCP mtqp > http [FIN, ACK] Seq=100 Ack=1025 Win=63216 Len=0
74 49.932327 209.131.36.158 -> 10.0.2.15 TCP http > mtqp [ACK] Seq=1025 Ack=101 Win=8760 Len=0
75 49.935921 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
76 49.935954 10.0.2.15 -> 209.131.36.158 TCP mtqp > http [RST, ACK] Seq=101 Ack=2049 Win=0 Len=0
77 49.948318 10.0.2.15 -> 209.191.93.53 TCP sbl > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
78 50.278587 209.191.93.53 -> 10.0.2.15 TCP http > sbl [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
79 50.278632 10.0.2.15 -> 209.191.93.53 TCP sbl > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
80 50.279017 10.0.2.15 -> 209.191.93.53 HTTP GET /setting.xls HTTP/1.1
81 50.279325 209.191.93.53 -> 10.0.2.15 TCP http > sbl [ACK] Seq=1 Ack=72 Win=8760 Len=0
82 50.623582 209.191.93.53 -> 10.0.2.15 HTTP HTTP/1.1 301 Moved Permanently (text/html)
83 50.623635 209.191.93.53 -> 10.0.2.15 TCP http > sbl [FIN, ACK] Seq=403 Ack=72 Win=8760 Len=0
84 50.623662 10.0.2.15 -> 209.191.93.53 TCP sbl > http [ACK] Seq=72 Ack=404 Win=63838 Len=0
85 50.624397 10.0.2.15 -> 209.191.93.53 TCP sbl > http [FIN, ACK] Seq=72 Ack=404 Win=63838 Len=0
86 50.625502 209.191.93.53 -> 10.0.2.15 TCP http > sbl [ACK] Seq=404 Ack=73 Win=8760 Len=0
87 50.627645 10.0.2.15 -> 209.131.36.158 TCP netarx > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
88 50.931759 209.131.36.158 -> 10.0.2.15 TCP http > netarx [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
89 50.931797 10.0.2.15 -> 209.131.36.158 TCP netarx > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
90 50.932238 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
91 50.932530 209.131.36.158 -> 10.0.2.15 TCP http > netarx [ACK] Seq=1 Ack=100 Win=8760 Len=0
92 51.237868 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
93 51.239811 10.0.2.15 -> 209.131.36.158 TCP netarx > http [FIN, ACK] Seq=100 Ack=1025 Win=63216 Len=0
94 51.240825 209.131.36.158 -> 10.0.2.15 TCP http > netarx [ACK] Seq=1025 Ack=101 Win=8760 Len=0
95 51.241081 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
96 51.241103 10.0.2.15 -> 209.131.36.158 TCP netarx > http [RST, ACK] Seq=101 Ack=2049 Win=0 Len=0
97 51.258404 10.0.2.15 -> 209.131.36.158 TCP danf-ak2 > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
98 51.555539 209.131.36.158 -> 10.0.2.15 TCP http > danf-ak2 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
99 51.555583 10.0.2.15 -> 209.131.36.158 TCP danf-ak2 > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
100 51.555919 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.doc HTTP/1.1
101 51.556193 209.131.36.158 -> 10.0.2.15 TCP http > danf-ak2 [ACK] Seq=1 Ack=76 Win=8760 Len=0
102 51.872769 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
103 51.875727 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
104 51.875759 10.0.2.15 -> 209.131.36.158 TCP danf-ak2 > http [ACK] Seq=76 Ack=2049 Win=64240 Len=0
105 51.876426 10.0.2.15 -> 209.131.36.158 TCP danf-ak2 > http [RST, ACK] Seq=76 Ack=2049 Win=0 Len=0
106 51.894516 10.0.2.15 -> 209.131.36.158 TCP afrog > http [SYN] Seq=0 Win=64240 Len=0 MSS=1460
107 52.197815 209.131.36.158 -> 10.0.2.15 TCP http > afrog [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
108 52.197854 10.0.2.15 -> 209.131.36.158 TCP afrog > http [ACK] Seq=1 Ack=1 Win=64240 Len=0
109 52.198164 10.0.2.15 -> 209.131.36.158 HTTP GET /setting.xls HTTP/1.1
110 52.198417 209.131.36.158 -> 10.0.2.15 TCP http > afrog [ACK] Seq=1 Ack=76 Win=8760 Len=0
111 52.511464 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
112 52.512861 10.0.2.15 -> 209.131.36.158 TCP afrog > http [FIN, ACK] Seq=76 Ack=1025 Win=63216 Len=0
113 52.514013 209.131.36.158 -> 10.0.2.15 TCP http > afrog [ACK] Seq=1025 Ack=77 Win=8760 Len=0
114 52.516367 209.131.36.158 -> 10.0.2.15 TCP [TCP segment of a reassembled PDU]
115 52.516392 10.0.2.15 -> 209.131.36.158 TCP afrog > http [RST, ACK] Seq=77 Ack=2049 Win=0 Len=0
121 71.520388 10.0.2.15 -> 205.188.249.185 TCP dcutility > smtp [SYN] Seq=0 Win=64240 Len=0 MSS=1460
122 71.939598 205.188.249.185 -> 10.0.2.15 TCP smtp > dcutility [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460
123 71.939626 10.0.2.15 -> 205.188.249.185 TCP dcutility > smtp [ACK] Seq=1 Ack=1 Win=64240 Len=0
124 72.645208 205.188.249.185 -> 10.0.2.15 SMTP S: 220 cia-da08.mx.aol.com ESMTP mail_cia-da08.2; Wed, 29 Apr 2009 00:22:33 -0400
+ Filter By UDP
11 41.861994 10.0.2.15 -> 10.0.2.3 DNS Standard query A yahoo.com
12 41.899320 10.0.2.3 -> 10.0.2.15 DNS Standard query response A 209.191.93.53 A 69.147.114.224 A 209.131.36.159
25 45.659326 10.0.2.15 -> 10.0.2.3 DNS Standard query A www.yahoo.com
26 45.666566 10.0.2.3 -> 10.0.2.15 DNS Standard query response CNAME www.wa1.b.yahoo.com CNAME www-real.wa1.b.yahoo.com A 209.131.36.158
119 71.151313 10.0.2.15 -> 10.0.2.3 DNS Standard query A smtp.aol.com
120 71.494638 10.0.2.3 -> 10.0.2.15 DNS Standard query response CNAME smtp.cs.com A 205.188.249.185 A 64.12.171.246 A 64.12.194.119 A 205.188.159.148
+ Registry Changes
Key Added
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI
Value Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost Agent: "C:\WINDOWS\system32\28463\svchost.exe"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NPF\0000\Control\ActiveService: "NPF"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\shared: "\New Folder .exe"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 30 FA 42 13 82 C8 C9 01 01 00 00 00 0A 00 02 0F 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DIDI: 3C 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools: 0x00000001
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Run\Msn Messsenger: "C:\WINDOWS\system32\regsvr.exe"
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI\EnableAutodisconnect: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI\DisconnectIdleTime: 0x00000014
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI\EnableExitDisconnect: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI\RedialAttempts: 0x0000000A
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\RemoteAccess\Profile\DIDI\RedialWait: 0x00000005
Value Modified
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: "Explorer.exe regsvr.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\Schedule\NextAtJobId: 0x00000002
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000000
HKU\S-1-5-21-1214440339-854245398-2048386851-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy: 0x00000001