[ DetectionInfo ]
    * Sandbox name: W32/Malware
    * Signature name: W32/Malware.BWOI
    * Compressed: NO
    * TLS hooks: NO
    * Executable type: Application
    * Executable file structure: OK

[ General information ]
    * Drops files in %WINSYS% folder.
    * File length: 40232 bytes.
    * MD5 hash: 959496a44ce68aa578312c9eb02f5981.

[ Changes to filesystem ]
    * Creates directory C:\WINDOWS\SYSTEM32\outbook.
    * Creates directory C:\WINDOWS\SYSTEM32\outbook\selex.
    * Creates file C:\WINDOWS\SYSTEM32\subjectnkk.txt.
    * Creates file C:\WINDOWS\SYSTEM32\bodynkk.txt.
    * Deletes file C:\WINDOWS\SYSTEM32\subjectnkk.txt.
    * Deletes file C:\WINDOWS\SYSTEM32\bodynkk.txt.

[ Changes to registry ]
    * Reads value "SMTP Email Address"="" in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
    * Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform".
    * Sets value "QUID=2206172990-109205689599002218-GOBBA EVO"="X>B" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform".
    * Creates value "msninfo.exe"="C:\WINDOWS\SYSTEM32\outbook\selex\msninfo.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
    * Connects to "0" on port 80.
    * Looks for an Internet connection.
    * Downloads file from http://www.depos******.com/subjectnkk.txt as C:\WINDOWS\SYSTEM32\subjectnkk.txt.
    * Connects to "www.depos******.com" on port 80.
    * Opens URL: www.depos*****.com/subjectnkk.txt.
    * Downloads file from http://www.depos*****.com/bodynkk.txt as C:\WINDOWS\SYSTEM32\bodynkk.txt.
    * Opens URL: www.depos*****.com/bodynkk.txt.

[ Process/window information ]
    * Will automatically restart after boot (I'll be back...).
    * Attempts to NULL C:\WINDOWS\SYSTEM32\outbook\selex\msninfo.exe NULL.
    * Attempts to Open C:\COMMAND.COM NULL.
    * Terminates AV software.
    * Attempts to open CLSID {E70C92A9-4BFD-11D1-8A95-00C04FB951F3}.
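The report above is plain text in a fixed "[ Section ]" / "* item" layout, so the usual first step before hunting is to pull the indicators out of it into something structured. The parser below is an added example written for this page, not Norman's code and not a published API for the report format; the regular expressions are my reading of the item phrasing visible above, and the REPORT constant is the page's own report re-wrapped one item per line (the four sections that carry indicators). Two things it makes explicit that the raw report does not: both downloaded text files are created and then deleted, so the durable host artifacts are the Run value and the outbook\selex directory rather than the .txt files, and the "0" connection target is dropped as a non-host.

```python
"""Turn a Norman SandBox-style behaviour report into a structured IOC set.

Added example, not the sandbox vendor's code. The "[ Section ]" / "* item"
layout and the item phrasings are taken from the report on this page; REPORT
is that report, re-wrapped one item per line.
"""
import re

REPORT = r"""
[ General information ]
* Drops files in %WINSYS% folder.
* File length: 40232 bytes.
* MD5 hash: 959496a44ce68aa578312c9eb02f5981.
[ Changes to filesystem ]
* Creates directory C:\WINDOWS\SYSTEM32\outbook.
* Creates directory C:\WINDOWS\SYSTEM32\outbook\selex.
* Creates file C:\WINDOWS\SYSTEM32\subjectnkk.txt.
* Creates file C:\WINDOWS\SYSTEM32\bodynkk.txt.
* Deletes file C:\WINDOWS\SYSTEM32\subjectnkk.txt.
* Deletes file C:\WINDOWS\SYSTEM32\bodynkk.txt.
[ Changes to registry ]
* Reads value "SMTP Email Address"="" in key "HKCU\Software\Microsoft\Internet Account Manager\Accounts\unreal".
* Creates key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform".
* Sets value "QUID=2206172990-109205689599002218-GOBBA EVO"="X>B" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform".
* Creates value "msninfo.exe"="C:\WINDOWS\SYSTEM32\outbook\selex\msninfo.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".
[ Network services ]
* Connects to "0" on port 80.
* Looks for an Internet connection.
* Downloads file from http://www.depos******.com/subjectnkk.txt as C:\WINDOWS\SYSTEM32\subjectnkk.txt.
* Connects to "www.depos******.com" on port 80.
* Downloads file from http://www.depos*****.com/bodynkk.txt as C:\WINDOWS\SYSTEM32\bodynkk.txt.
"""

# One regex per item phrasing seen in the report (my own patterns, not a vendor grammar).
RX_MD5 = re.compile(r"^MD5 hash: ([0-9a-fA-F]{32})\.$")
RX_SIZE = re.compile(r"^File length: (\d+) bytes\.$")
RX_DIR = re.compile(r"^Creates directory (.+?)\.$")
RX_FILE_C = re.compile(r"^Creates file (.+?)\.$")
RX_FILE_D = re.compile(r"^Deletes file (.+?)\.$")
RX_KEY = re.compile(r'^Creates key "([^"]+)"\.$')
RX_VALUE = re.compile(r'^(Reads|Creates|Sets) value "([^"]+)"="([^"]*)" in key "([^"]+)"\.$')
RX_CONN = re.compile(r'^Connects to "([^"]+)" on port (\d+)\.$')
RX_DL = re.compile(r"^Downloads file from (\S+) as (.+?)\.$")
# Autostart locations: a value written under ...\CurrentVersion\Run or RunOnce.
RX_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)


def parse_items(text):
    """Yield (section, item) pairs; lines outside a section or not starting with '*' are ignored."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif line.startswith("*") and section is not None:
            yield section, line[1:].strip()


def _all(rx, items, conv=lambda m: m.group(1)):
    """Apply rx to every item and return the converted matches, in report order."""
    return [conv(m) for m in (rx.match(i) for i in items) if m]


def extract_iocs(text):
    items = [item for _section, item in parse_items(text)]
    md5 = _all(RX_MD5, items)
    size = _all(RX_SIZE, items)
    iocs = {
        "md5": md5[0].lower() if md5 else None,
        "size": int(size[0]) if size else None,
        "dirs_created": _all(RX_DIR, items),
        "files_created": _all(RX_FILE_C, items),
        "files_deleted": _all(RX_FILE_D, items),
        "keys_created": _all(RX_KEY, items),
        # (operation, key, value name, data)
        "registry": _all(RX_VALUE, items, lambda m: (m.group(1), m.group(4), m.group(2), m.group(3))),
        # The report also logs a bare "0" target; a host needs at least one dot (my heuristic).
        "hosts": [(h, int(p)) for h, p in _all(RX_CONN, items, lambda m: m.groups()) if "." in h],
        "downloads": _all(RX_DL, items, lambda m: (m.group(1), m.group(2))),
    }
    # Persistence: any write (not a read) of a value under a Run/RunOnce key.
    iocs["persistence"] = [(key, name, data) for op, key, name, data in iocs["registry"]
                           if op != "Reads" and RX_RUN_KEY.search(key)]
    # Files created and then deleted leave nothing on disk to hunt for afterwards.
    deleted = {p.lower() for p in iocs["files_deleted"]}
    iocs["files_surviving"] = [p for p in iocs["files_created"] if p.lower() not in deleted]
    return iocs


if __name__ == "__main__":
    for key, value in extract_iocs(REPORT).items():
        print(f"{key}: {value}")
```

Run it as a script to print the extracted set, or import `extract_iocs` and feed it another report in the same layout. The masked domain (depos******.com) comes through exactly as the page shows it, so the `hosts` and `downloads` entries are not usable as network indicators until the real name is known; the Run value and the two created directories are the indicators worth searching endpoints for.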