Anubis - Analysis Report: Summary

This is an Anubis sandbox report for a browsing session: iexplore.exe was started with http://vconferenceonline.com/ as its argument and its registry, file and network activity was recorded for 162 seconds. Anubis' heuristics rate the run medium ("changes security settings of Internet Explorer") and high ("file modification and destruction"). The registry writes listed in this excerpt are the state Internet Explorer creates on a fresh Windows XP profile (shell folder and cache paths, proxy and ZoneMap defaults, toolbar and window layout); they are browser housekeeping, not actions of the page. Whether the site is malicious depends on the file and network sections (pages 26 to 29), which are not part of this excerpt: it covers pages 4 to 12 of the 30-page report and ends inside the "Registry Values Read" table.

Anubis - Analysis Report

Analysis Report for http://vconferenceonline.com/

Summary:

Description | Risk
Changes security settings of Internet Explorer: this system alteration could seriously affect the safety of surfing the World Wide Web. | medium
Performs File Modification and Destruction: the executable modifies and deletes files which are not temporary. | high
Performs Registry Activities: the executable reads and modifies registry values. It also creates and monitors registry keys. | low

International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: [email protected]

Dependency overview:
iexplore.exe  C:\Program Files\Internet Explorer\iexplore.exe
Analysis reason: Primary Analysis Subject
Table of Contents:
1. General Information (page 4)
2. iexplore.exe (page 4)
   a) Registry Activities (page 5)
   b) File Activities (page 26)
   c) Network Activities (page 29)
   d) Other Activities (page 29)

Analysis Report for http://vconferenceonline.com/ - submitted on 09/24/10, 22:57:42 UTC

1. General Information

Information about Anubis' invocation
Time needed: 162 s
Report created: 09/24/10, 22:57:42 UTC
Termination reason: All tracked processes have exited
Program version: 1.74.3195

Popups

Process | Window Name | Window Text | Screenshot | Number of Times Displayed
IEXPLORE.EXE | http://vconferenceonline.com/ - Microsoft Internet Explorer | Links http://vconferenceonline.com/ http://vconferenceonline.com/ Opening page http://vconferenceonline.com/... |  | 1
IEXPLORE.EXE | vConferenceOnline - Virtual Events, Conferences, Tradeshows and Continuing Education Tools - Microsoft Internet Explorer | Links |  | 1

2. iexplore.exe

General information about this executable
Analysis Reason: Primary Analysis Subject
Filename: iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" http://vconferenceonline.com/
Process-status at analysis end: dead
Exit Code: 0

Load-time Dlls
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll 0x7C900000 0x000AF000
C:\Program Files\Internet Explorer\iexplore.exe 0x00400000 0x00019000
C:\WINDOWS\system32\kernel32.dll 0x7C800000 0x000F6000
C:\WINDOWS\system32\msvcrt.dll 0x77C10000 0x00058000
C:\WINDOWS\system32\USER32.dll 0x7E410000 0x00091000
C:\WINDOWS\system32\GDI32.dll 0x77F10000 0x00049000
C:\WINDOWS\system32\SHLWAPI.dll 0x77F60000 0x00076000
C:\WINDOWS\system32\ADVAPI32.dll 0x77DD0000 0x0009B000
C:\WINDOWS\system32\RPCRT4.dll 0x77E70000 0x00092000
C:\WINDOWS\system32\Secur32.dll 0x77FE0000 0x00011000
C:\WINDOWS\system32\SHDOCVW.dll 0x7E290000 0x00171000
C:\WINDOWS\system32\CRYPT32.dll 0x77A80000 0x00095000
C:\WINDOWS\system32\MSASN1.dll 0x77B20000 0x00012000
C:\WINDOWS\system32\CRYPTUI.dll 0x754D0000 0x00080000
C:\WINDOWS\system32\NETAPI32.dll 0x5B860000 0x00055000
C:\WINDOWS\system32\OLEAUT32.dll 0x77120000 0x0008B000
C:\WINDOWS\system32\ole32.dll 0x774E0000 0x0013D000
C:\WINDOWS\system32\VERSION.dll 0x77C00000 0x00008000

http://anubis.iseclab.org/ Page 4 of 30
C:\WINDOWS\system32\WININET.dll 0x771B0000 0x000AA000
C:\WINDOWS\system32\WINTRUST.dll 0x76C30000 0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll 0x76C90000 0x00028000
C:\WINDOWS\system32\WLDAP32.dll 0x76F60000 0x0002C000
C:\WINDOWS\system32\ShimEng.dll 0x5CB70000 0x00026000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll 0x773D0000 0x00103000
C:\WINDOWS\system32\RichEd20.dll 0x74E30000 0x0006D000

Run-time Dlls
Module Name Base Address Size
C:\WINDOWS\system32\xpsp2res.dll 0x00DB0000 0x002C5000
C:\WINDOWS\system32\UxTheme.dll 0x5AD70000 0x00038000
C:\WINDOWS\system32\comctl32.dll 0x5D090000 0x0009A000
C:\WINDOWS\system32\hnetcfg.dll 0x662B0000 0x00058000
C:\WINDOWS\system32\browselc.dll 0x71600000 0x00012000
C:\WINDOWS\system32\shdoclc.dll 0x71800000 0x00088000
C:\WINDOWS\system32\mswsock.dll 0x71A50000 0x0003F000
C:\WINDOWS\System32\wshtcpip.dll 0x71A90000 0x00008000
C:\WINDOWS\system32\WS2HELP.dll 0x71AA0000 0x00008000
C:\WINDOWS\system32\WS2_32.dll 0x71AB0000 0x00017000
C:\WINDOWS\system32\wsock32.dll 0x71AD0000 0x00009000
C:\WINDOWS\system32\sensapi.dll 0x722B0000 0x00005000
C:\WINDOWS\system32\msls31.dll 0x746C0000 0x00027000
C:\WINDOWS\system32\msimtf.dll 0x746F0000 0x0002A000
C:\WINDOWS\system32\MSCTF.dll 0x74720000 0x0004C000
C:\WINDOWS\system32\jscript.dll 0x75C50000 0x0007D000
C:\WINDOWS\system32\mlang.dll 0x75CF0000 0x00091000
C:\WINDOWS\system32\BROWSEUI.dll 0x75F80000 0x000FD000
C:\WINDOWS\system32\IMM32.DLL 0x76390000 0x0001D000
C:\WINDOWS\System32\CSCDLL.dll 0x76600000 0x0001D000
C:\WINDOWS\system32\USERENV.dll 0x769C0000 0x000B4000
C:\WINDOWS\system32\WINMM.dll 0x76B40000 0x0002D000
C:\WINDOWS\system32\PSAPI.DLL 0x76BF0000 0x0000B000
C:\WINDOWS\system32\IPHLPAPI.DLL 0x76D60000 0x00019000
C:\WINDOWS\system32\rtutils.dll 0x76E80000 0x0000E000
C:\WINDOWS\system32\rasman.dll 0x76E90000 0x00012000
C:\WINDOWS\system32\TAPI32.dll 0x76EB0000 0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL 0x76EE0000 0x0003C000
C:\WINDOWS\system32\DNSAPI.dll 0x76F20000 0x00027000
C:\WINDOWS\System32\winrnr.dll 0x76FB0000 0x00008000
C:\WINDOWS\system32\rasadhlp.dll 0x76FC0000 0x00006000
C:\WINDOWS\system32\CLBCATQ.DLL 0x76FD0000 0x0007F000
C:\WINDOWS\system32\COMRes.dll 0x77050000 0x000C5000
C:\WINDOWS\system32\SETUPAPI.dll 0x77920000 0x000F3000
C:\WINDOWS\System32\cscui.dll 0x77A20000 0x00054000
C:\WINDOWS\system32\appHelp.dll 0x77B40000 0x00022000
C:\WINDOWS\system32\SHELL32.dll 0x7C9C0000 0x00817000
C:\WINDOWS\system32\mshtml.dll 0x7DC30000 0x002F2000
C:\WINDOWS\system32\urlmon.dll 0x7E1E0000 0x000A2000
C:\WINDOWS\system32\SXS.DLL 0x7E720000 0x000B0000

2.a) iexplore.exe - Registry Activities

Registry Keys Created:


HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVers\Explorer\MenuOrder\Favorites

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVers\Explorer\MenuOrder\Favorites\Links
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU\2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

Registry Values Modified:


Key | Name | New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common AppData | C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Desktop | C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Documents | C:\Documents and Settings\All Users\Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Common Start Menu | C:\Documents and Settings\All Users\Start Menu
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonMusic | C:\Documents and Settings\All Users\Documents\My Music
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonPictures | C:\Documents and Settings\All Users\Documents\My Pictures
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | CommonVideo | C:\Documents and Settings\All Users\Documents\My Videos
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Directory | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths | Paths | 4
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CacheLimit | 40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 | CachePath | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Main | FullScreen | no
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Main | Window_Placement | 0x2c0000000200000003000000fffffffffffffffffffffffffffffffff2c00
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar | Locked | 1

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | ITBarLayout | 0x110000004c0000000000000034000000011f00000052000000010000002007
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {01E04581-4EEE-11D0-BFE9-00AA005B4383} | 0x8145e001ee4ed011bfe900aa005b43831100000000000000001e032f40100
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | {0E5CBF21-D15F-11D0-8301-00AA005B4383} | 0x21bf5c0e5fd1d011830100aa005b4383222001c0008000000060000000100
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVers\Explorer\MenuOrder\Favorites\Links | Order | 0x08000000020000007c0000000100000000100000070000000000000006200
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\Links | Order | 0x08000000020000007c0000000100000000100000070000000000000006200
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ | BaseClass | Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | AppData | C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cache | C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Cookies | C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Desktop | C:\Documents and Settings\Administrator\Desktop
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Favorites | C:\Documents and Settings\Administrator\Favorites
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | History | C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | My Pictures | C:\Documents and Settings\Administrator\My Documents\My Pictures
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Personal | C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | Start Menu | C:\Documents and Settings\Administrator\Start Menu
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\\\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count | HRZR_PGYFRFFVBA | 0xd4da4f0e02000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | IntranetName | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ProxyBypass | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | UNCAsIntranet | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | 2 | 0x14001f0080531c87a0426910a2ea080022b30309d0000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | MRUListEx | 0x0100000000000000ffffffff
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | NodeSlots | 0x0202020202
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU\2 | MRUListEx | 0xffffffff
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU\2 | NodeSlot | 6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | Address | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | Buttons | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | FFlags | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | HotKey | 0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | Links | 4294967295

HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | MaxPos800x600(1).x | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | MaxPos800x600(1).y | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | MinPos800x600(1).x | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | MinPos800x600(1).y | 4294967295
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | Rev | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | ShowCmd | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | WFlags | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | WinPos800x600(1).bottom | 454
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | WinPos800x600(1).left | 44
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | WinPos800x600(1).right | 644
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\Bags\6\Shell | WinPos800x600(1).top | 44
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | MigrateProxy | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | DefaultConnectionSettings | 0x3c00000003000000010000000000000000000000000000000040000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 0x3c00000005000000090000000000000000000000000000000000000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\ | Count | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\ | Time | 0xd9070700040002001500140015004801
HKU\S-1-5-21-842925246-1425521274-308236825-500\\\\\\\\ | Type | 4
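Two rows in the table above are stored in encoded form (the UserAssist value name is ROT13, and the `Time` value under the garbled key is a 16-byte Win32 SYSTEMTIME), and the remaining rows need sorting into browser housekeeping versus settings that change where traffic goes. The Python below is an added example written for this page; it is not part of Anubis or of the report. `decode_systemtime`, `classify` and the triage rules are the editor's own assumptions, not Anubis' risk logic, and the sample rows are copied from the table with the user SID shortened to `<SID>`.

```python
"""Triage helpers for an Anubis-style "Registry Values Modified" table.

Added example for this page; not Anubis code. The rules in classify() are
editor-defined heuristics, not the scoring Anubis uses for its risk column.
"""
import codecs
import struct
from datetime import datetime

# Constructed input: (key, value name, new value) rows copied from the table
# above, with the user SID abbreviated to <SID>.
SAMPLE_ROWS = [
    (r"HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings",
     "ProxyEnable", "0"),
    (r"HKU\<SID>\Software\Microsoft\windows\CurrentVersion\Internet Settings", "MigrateProxy", "1"),
    (r"HKU\<SID>\Software\Microsoft\windows\CurrentVersion\Internet Settings", "ProxyEnable", "0"),
    (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IntranetName", "1"),
    (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "ProxyBypass", "1"),
    (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "UNCAsIntranet", "1"),
    (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Desktop",
     r"C:\Documents and Settings\Administrator\Desktop"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "Common AppData",
     r"C:\Documents and Settings\All Users\Application Data"),
    (r"HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count",
     "HRZR_PGYFRFFVBA", "0xd4da4f0e02000000"),
    (r"HKU\<SID>\Software\Microsoft\Windows\ShellNoRoam\Bags\6\Shell", "ShowCmd", "3"),
    (r"HKU\<SID>\Software\Microsoft\Internet Explorer\Toolbar", "Locked", "1"),
]

# Assumed profile roots for the analysis VM (taken from the paths in the table).
PROFILE_ROOTS = (r"C:\Documents and Settings\Administrator", r"C:\Documents and Settings\All Users")
PROXY_NAMES = {"ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL", "MigrateProxy"}
UI_NAMES = {"Window_Placement", "ITBarLayout", "Locked", "FullScreen"}


def decode_userassist_name(name):
    """UserAssist value names are ROT13-obfuscated; the HRZR_* names are the UEME_* counters."""
    return codecs.decode(name, "rot_13")


def decode_systemtime(hexblob):
    """Decode a 16-byte little-endian Win32 SYSTEMTIME (eight uint16 fields)."""
    raw = bytes.fromhex(hexblob[2:] if hexblob.lower().startswith("0x") else hexblob)
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes")
    year, month, dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    dt = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek counts Sunday as 0; datetime.weekday() counts Monday as 0.
    # A mismatch means the blob is not really a SYSTEMTIME, so refuse to guess.
    if (dt.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field disagrees with the date")
    return dt


def classify(key, name, value):
    """Editor-defined triage rule for one modified value (an assumption, not Anubis' scoring)."""
    k = key.lower()
    if "internet settings" in k and (name in PROXY_NAMES or "zonemap" in k or "connections" in k):
        # Proxy and zone settings decide where traffic goes and which zone a site lands in.
        if name == "ProxyEnable" and value != "0":
            return "ALERT: proxy enabled"
        if name in ("ProxyServer", "AutoConfigURL"):
            return "ALERT: proxy target or PAC URL set"
        return "proxy/zone setting (looks like a default; verify against a clean profile)"
    if "shell folders" in k:
        # A shell folder pointing outside the profile is a classic persistence/redirection trick.
        if value.startswith(PROFILE_ROOTS):
            return "shell folder path inside the profile"
        return "ALERT: shell folder redirected outside the profile"
    if "userassist" in k:
        return "UserAssist counter " + decode_userassist_name(name)
    if "shellnoroam" in k or "menuorder" in k or name in UI_NAMES:
        return "UI state (window/toolbar layout)"
    return "unclassified"


def triage(rows=SAMPLE_ROWS):
    """Return [(value name, verdict)] for every row; ALERT verdicts are the ones to read first."""
    return [(name, classify(key, name, value)) for key, name, value in rows]


if __name__ == "__main__":
    for name, verdict in triage():
        print(f"{name:18s} {verdict}")
    print("Time value decodes to", decode_systemtime("0xd9070700040002001500140015004801"))
```

The rules treat ProxyEnable=0 with no ProxyServer or AutoConfigURL as "no proxy injected", Shell Folders paths under the profile as normal, and the ShellNoRoam, MenuOrder and toolbar values as layout state; the three ZoneMap values (IntranetName, ProxyBypass, UNCAsIntranet, all 1) are what XP's intranet auto-detection writes, so they are listed for verification rather than alerted. The Time blob decodes to 2009-07-02 21:20:21.328, a Thursday, which agrees with its day-of-week field and predates the report's submission timestamp by more than a year; the key it belongs to is garbled in the report, so the example does not guess it.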

Registry Values Read:


Key | Name (blank = default value) | Value | Times
HKLM\SOFTWARE\CLASSES\.HTM |  | htmlfile | 6
HKLM\SOFTWARE\CLASSES\.HTM | Content Type | text/html | 4
HKLM\SOFTWARE\CLASSES\.HTM | PerceivedType | text | 2
HKLM\SOFTWARE\CLASSES\.HTML |  | htmlfile | 4
HKLM\SOFTWARE\CLASSES\.HTML | Content Type | text/html | 4
HKLM\SOFTWARE\CLASSES\.URL |  | InternetShortcut | 3
HKLM\SOFTWARE\CLASSES\APPLICATIONS\IEXPLORE.EXE\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" %1 | 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP | Default | 0x00000000 | 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP | DllFile | %SystemRoot%\system32\iedkcs32.dll | 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-INTERNET-SIGNUP | FileExtensions | .ins | 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG | Default | 0x01000000 | 1
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG | DllFile | %SystemRoot%\system32\jsproxy.dll | 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG | FileExtensions | .pac;.jvs;.js | 2
HKLM\SOFTWARE\CLASSES\AUTOPROXYTYPES\APPLICATION/X-NS-PROXY-AUTOCONFIG | Flags | 0x01000000 | 1
HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32 |  | oleaut32.dll | 1

HKLM\SOFTWARE\CLASSES\CLSID\{00020420-0000-0000-C000-000000000046}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32 |  | oleaut32.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{00020424-0000-0000-C000-000000000046}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{00021401-0000-0000-C000-000000000046}\INPROCSERVER32 |  | shell32.dll | 3
HKLM\SOFTWARE\CLASSES\CLSID\{00021401-0000-0000-C000-000000000046}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}\LOCALSERVER32 |  | "C:\Program Files\Internet Explorer\iexplore.exe" | 3
HKLM\SOFTWARE\CLASSES\CLSID\{01E04581-4EEE-11D0-BFE9-00AA005B4383}\INPROCSERVER32 |  | %SystemRoot%\system32\browseui.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{01E04581-4EEE-11D0-BFE9-00AA005B4383}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\INPROCSERVER32 |  | %SystemRoot%\system32\SHELL32.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{0E5CBF21-D15F-11D0-8301-00AA005B4383}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 |  | %SystemRoot%\system32\SHELL32.dll | 3
HKLM\SOFTWARE\CLASSES\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\INPROCSERVER32 |  | %SystemRoot%\system32\mshtml.dll | 3
HKLM\SOFTWARE\CLASSES\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\PROGID |  | htmlfile | 1
HKLM\SOFTWARE\CLASSES\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\INPROCSERVER32 |  | %SystemRoot%\system32\mshtml.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{38F69B16-F583-40FB-B262-5C764DE868E8}\INPROCSERVER32 |  | %SystemRoot%\system32\shdocvw.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{38F69B16-F583-40FB-B262-5C764DE868E8}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} |  | The Internet | 2
HKLM\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 |  | %SystemRoot%\system32\shdocvw.dll | 2
HKLM\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\INPROCSERVER32 |  | C:\WINDOWS\system32\msimtf.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{50D5107A-D278-4871-8989-F4CEAAF59CFC}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{59031A47-3F72-44A7-89C5-5595FE6B30EE}\INPROCSERVER32 |  | %SystemRoot%\system32\SHELL32.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{5B4DAE26-B807-11D0-9815-00C04FD91972}\INPROCSERVER32 |  | %SystemRoot%\system32\SHELL32.dll | 1

HKLM\SOFTWARE\CLASSES\CLSID\{5B4DAE26-B807-11D0-9815-00C04FD91972}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{750FDF0E-2A26-11D1-A3EA-080036587F03}\INPROCSERVER32 |  | %SystemRoot%\System32\cscui.dll | 2
HKLM\SOFTWARE\CLASSES\CLSID\{750FDF0E-2A26-11D1-A3EA-080036587F03}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 |  | C:\WINDOWS\system32\urlmon.dll | 3
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 |  | C:\WINDOWS\system32\urlmon.dll | 3
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D95-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{7EB5FBE4-2100-49E6-8593-17E130122F91}\INPROCSERVER32 |  | %SystemRoot%\system32\SHELL32.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{7EB5FBE4-2100-49E6-8593-17E130122F91}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 |  | %SystemRoot%\system32\shdocvw.dll | 6
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\SHELLFOLDER | Attributes | 36 | 1
HKLM\SOFTWARE\CLASSES\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\INPROCSERVER32 |  | %SystemRoot%\system32\shdocvw.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}\INPROCSERVER32 |  | %SystemRoot%\system32\shdocvw.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\INPROCSERVER32 |  | %SystemRoot%\system32\browseui.dll | 4
HKLM\SOFTWARE\CLASSES\CLSID\{DD313E04-FEFF-11D1-8ECD-0000F87A470C}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 |  | C:\WINDOWS\system32\jscript.dll | 1
HKLM\SOFTWARE\CLASSES\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32 | ThreadingModel | Both | 1
HKLM\SOFTWARE\CLASSES\CLSID\{F61FFEC1-754F-11D0-80CA-00AA005B4383}\INPROCSERVER32 |  | %SystemRoot%\system32\browseui.dll | 2
HKLM\SOFTWARE\CLASSES\CLSID\{F61FFEC1-754F-11D0-80CA-00AA005B4383}\INPROCSERVER32 | ThreadingModel | Apartment | 1
HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8} |  | Internet Shortcut | 2
HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\INPROCSERVER32 |  | shdocvw.dll | 2

HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\INPROCSERVER32 | LoadWithoutCOM |  | 2
HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\INPROCSERVER32 | ThreadingModel | Apartment | 2
HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B40-E3F0-101B-8488-00AA003E56F8}\SHELLEX\MAYCHANGEDEFAULTMENU |  |  | 2
HKLM\SOFTWARE\CLASSES\CLSID\{FBF23B42-E3F0-101B-8488-00AA003E56F8}\INPROCSERVER32 |  | %SystemRoot%\system32\url.dll | 1
HKLM\SOFTWARE\CLASSES\DIRECTORY | AlwaysShowExt |  | 1
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} | DriveMask | 32 | 2
HKLM\SOFTWARE\CLASSES\FTP | EditFlags | 2 | 1
HKLM\SOFTWARE\CLASSES\FTP | URL Protocol |  | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" %1 | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\DDEEXEC |  | "%1",,-1,0,,,, | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\DDEEXEC\IFEXEC |  | * | 2
HKLM\SOFTWARE\CLASSES\FTP\SHELL\OPEN\DDEEXEC\TOPIC |  | WWW_OpenURL | 2
HKLM\SOFTWARE\CLASSES\GOPHER | EditFlags | 2 | 1
HKLM\SOFTWARE\CLASSES\GOPHER | URL Protocol |  | 2
HKLM\SOFTWARE\CLASSES\GOPHER\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | 2
HKLM\SOFTWARE\CLASSES\GOPHER\SHELL\OPEN\DDEEXEC |  | "%1",,-1,0,,,, | 2
HKLM\SOFTWARE\CLASSES\GOPHER\SHELL\OPEN\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\GOPHER\SHELL\OPEN\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\GOPHER\SHELL\OPEN\DDEEXEC\TOPIC |  | WWW_OpenURL | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\CLSID |  | {25336920-03F9-11cf-8FD0-00AA00686F13} | 1
HKLM\SOFTWARE\CLASSES\HTMLFILE\DEFAULTICON |  | C:\Program Files\Internet Explorer\iexplore.exe,1 | 1
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL |  | opennew | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN |  | Open in S&ame Window | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW |  | &Open | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" %1 | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\DDEEXEC |  | "%1",,-1,0,,,, | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\DDEEXEC\IFEXEC |  | * | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPENNEW\DDEEXEC\TOPIC |  | WWW_OpenURLNewWindow | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN\DDEEXEC |  | "file://%1",,-1,,,,, | 2

HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\HTMLFILE\SHELL\OPEN\DDEEXEC\TOPIC |  | WWW_OpenURL | 2
HKLM\SOFTWARE\CLASSES\HTTP | EditFlags | 2 | 1
HKLM\SOFTWARE\CLASSES\HTTP | URL Protocol |  | 2
HKLM\SOFTWARE\CLASSES\HTTPS | EditFlags | 2 | 1
HKLM\SOFTWARE\CLASSES\HTTPS | URL Protocol |  | 2
HKLM\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | 2
HKLM\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\DDEEXEC |  | "%1",,-1,0,,,, | 2
HKLM\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\HTTPS\SHELL\OPEN\DDEEXEC\TOPIC |  | WWW_OpenURL | 2
HKLM\SOFTWARE\CLASSES\HTTP\DEFAULTICON |  | %SystemRoot%\system32\url.dll,0 | 3
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\COMMAND |  | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | 2
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC |  | "%1",,-1,0,,,, | 2
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC | NoActivateHandler |  | 2
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC\APPLICATION |  | IExplore | 2
HKLM\SOFTWARE\CLASSES\HTTP\SHELL\OPEN\DDEEXEC\TOPIC |  | WWW_OpenURL | 2
HKLM\SOFTWARE\CLASSES\INTERFACE\{00020400-0000-0000-C000-000000000046}\PROXYSTUBCLSID32 |  | {00020420-0000-0000-C000-000000000046} | 1
HKLM\SOFTWARE\CLASSES\INTERFACE\{000214E6-0000-0000-C000-000000000046}\PROXYSTUBCLSID32 |  | {bf50b68e-29b8-4386-ae9c-9734d5117cd5} | 1
HKLM\SOFTWARE\CLASSES\INTERFACE\{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\PROXYSTUBCLSID32 |  | {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} | 1
HKLM\SOFTWARE\CLASSES\INTERFACE\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\PROXYSTUBCLSID32 |  | {00020424-0000-0000-C000-000000000046} | 3
HKLM\SOFTWARE\CLASSES\INTERFACE\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TYPELIB |  | {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} | 2
HKLM\SOFTWARE\CLASSES\INTERFACE\{85CB6900-4D95-11CF-960C-0080C7F4EE85}\TYPELIB | Version | 1.1 | 2
HKLM\SOFTWARE\CLASSES\INTERFACE\{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\PROXYSTUBCLSID32 |  | {bf50b68e-29b8-4386-ae9c-9734d5117cd5} | 1
HKLM\SOFTWARE\CLASSES\INTERFACE\{B722BCCB-4E68-101B-A2BC-00AA00404770}\PROXYSTUBCLSID32 |  | {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} | 1
HKLM\SOFTWARE\CLASSES\INTERFACE\{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\TYPELIB |  | {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} | 1
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT |  | Internet Shortcut | 2
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT | EditFlags | 2 | 1
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT | IsShortcut |  | 3
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT | NeverShowExt |  | 3
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\CLSID |  | {FBF23B40-E3F0-101B-8488-00AA003E56F8} | 3

HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ %SystemRoot%\system32\url.dll,0 2
DEFAULTICON
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT 2
\SHELLEX\CONTEXTMENUHANDLERS\{FBF23B40-
E3F0-101B-8488-00AA003E56F8}
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ {FBF23B40- 3
SHELLEX\ICONHANDLER E3F0-101B-8488-00AA003E56F8}
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ {FBF23B40- 2
SHELLEX\PROPERTYHANDLER E3F0-101B-8488-00AA003E56F8}
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ 2
SHELLEX\PROPERTYSHEETHANDLERS\{FBF23B40-
E3F0-101B-8488-00AA003E56F8}
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ CLSID {FBF23B40- 2
SHELL\OPEN E3F0-101B-8488-00AA003E56F8}
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ LegacyDisable 2
SHELL\OPEN
HKLM\SOFTWARE\CLASSES\INTERNETSHORTCUT\ rundll32.exe shdocvw.dll,OpenURL %l 2
SHELL\OPEN\COMMAND
HKLM\SOFTWARE\CLASSES\MAILTO URL:MailTo Protocol 2
HKLM\SOFTWARE\CLASSES\MAILTO EditFlags 0x02000000 1
HKLM\SOFTWARE\CLASSES\MAILTO URL Protocol 2
HKLM\SOFTWARE\CLASSES\MAILTO\DEFAULTICON %ProgramFiles%\Outlook Express\ 2
msimn.exe,-2
HKLM\SOFTWARE\CLASSES\MAILTO\SHELL\OPEN\ "%ProgramFiles%\Outlook Express\ 2
COMMAND msimn.exe" /mailurl:%1
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL opennew 2
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ Open in S&ame Window 2
OPEN
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ &Open 2
OPENNEW
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ "C:\Program Files\Internet Explorer\ 2
OPENNEW\COMMAND iexplore.exe" %1
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ "file://%1",,-1,,,,, 2
OPENNEW\DDEEXEC
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ NoActivateHandler 2
OPENNEW\DDEEXEC
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ IExplore 2
OPENNEW\DDEEXEC\APPLICATION
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ * 2
OPENNEW\DDEEXEC\IFEXEC
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ WWW_OpenURLNewWindow 2
OPENNEW\DDEEXEC\TOPIC
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ "C:\Program Files\Internet Explorer\ 2
OPEN\COMMAND iexplore.exe" -nohome
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ "file://%1",,-1,,,,, 2
OPEN\DDEEXEC
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ IExplore 2
OPEN\DDEEXEC\APPLICATION
HKLM\SOFTWARE\CLASSES\MHTMLFILE\SHELL\ WWW_OpenURL 2
OPEN\DDEEXEC\TOPIC
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\ Extension .css 2
CONTENT TYPE\TEXT/CSS
HKLM\SOFTWARE\CLASSES\MIME\DATABASE\ Extension .htm 4
CONTENT TYPE\TEXT/HTML
HKLM\SOFTWARE\CLASSES\NEWS URL:News Protocol 2
HKLM\SOFTWARE\CLASSES\NEWS EditFlags 0x02000000 1
HKLM\SOFTWARE\CLASSES\NEWS URL Protocol 2
HKLM\SOFTWARE\CLASSES\NEWS\DEFAULTICON %ProgramFiles%\Outlook Express\ 2
msimn.exe,-3
HKLM\SOFTWARE\CLASSES\NEWS\SHELL\OPEN\ "%ProgramFiles%\Outlook Express\ 2
COMMAND msimn.exe" /newsurl:"%1"
HKLM\SOFTWARE\CLASSES\RLOGIN URL:RLogin Protocol 2
HKLM\SOFTWARE\CLASSES\RLOGIN EditFlags 2 1

HKLM\SOFTWARE\CLASSES\RLOGIN URL Protocol 2
HKLM\SOFTWARE\CLASSES\RLOGIN\DEFAULTICON %SystemRoot%\system32\url.dll,0 2
HKLM\SOFTWARE\CLASSES\RLOGIN\SHELL\OPEN\ rundll32.exe url.dll,TelnetProtocolHandler %l 2
COMMAND
HKLM\SOFTWARE\CLASSES\ %SystemRoot%\system32\NOTEPAD.EXE 1
SYSTEMFILEASSOCIATIONS\TEXT\SHELL\EDIT\ %1
COMMAND
HKLM\SOFTWARE\CLASSES\TELNET URL:Telnet Protocol 2
HKLM\SOFTWARE\CLASSES\TELNET EditFlags 2 1
HKLM\SOFTWARE\CLASSES\TELNET URL Protocol 2
HKLM\SOFTWARE\CLASSES\TELNET\DEFAULTICON %SystemRoot%\system32\url.dll,0 2
HKLM\SOFTWARE\CLASSES\TELNET\SHELL\OPEN\ rundll32.exe url.dll,TelnetProtocolHandler %l 2
COMMAND
HKLM\SOFTWARE\CLASSES\TN3270 URL:TN3270 Protocol 2
HKLM\SOFTWARE\CLASSES\TN3270 EditFlags 2 1
HKLM\SOFTWARE\CLASSES\TN3270 URL Protocol 2
HKLM\SOFTWARE\CLASSES\TN3270\DEFAULTICON %SystemRoot%\system32\url.dll,0 2
HKLM\SOFTWARE\CLASSES\TN3270\SHELL\OPEN\ rundll32.exe url.dll,TelnetProtocolHandler %l 2
COMMAND
HKLM\SOFTWARE\CLASSES\TYPELIB\ C:\WINDOWS\system32\stdole2.tlb 1
{00020430-0000-0000-C000-000000000046}\2.0\0\
WIN32
HKLM\SOFTWARE\CLASSES\TYPELIB\ C:\WINDOWS\system32\shdocvw.dll 2
{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\1.1\0\
WIN32
HKLM\SOFTWARE\CLASSES\XML\CLSID {989D1DC0-B162-11D1-B6EC- 1
D27DDCF9A923}
HKLM\SOFTWARE\Classes\PROTOCOLS\Handler\about CLSID {3050F406-98B5-11CF- 6
BB82-00AA00BDCE0B}
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ CUAS 0 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ UrlEncoding 0x00000000 4
Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ SV1 2
Internet Settings\User Agent\Post Platform
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ 2
Internet Settings\User Agent\UA Tokens
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ MSN 2.0 2
Internet Settings\User Agent\UA Tokens
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ MSN 2.5 2
Internet Settings\User Agent\UA Tokens
HKLM\SYSTEM\CurrentControlSet\Control\ SecurityProviders msapsspc.dll, schannel.dll, digest.dll, 2
SecurityProviders msnsspc.dll
HKLM\SYSTEM\CurrentControlSet\Control\Session CriticalSectionTimeout 2592000 1
Manager
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\ Export 0x5c004400650076006900630065005c004 1
Linkage 4e0065007400420054005f005400
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ Bind 0x5c004400650076006900630065005c007 2
Linkage 7b00310041004400340035004200
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ DhcpServer 255.255.255.255 2
Parameters\Interfaces\{1AD45B38-4060-4F73-BB1E-
A0439A2D97EB}
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\ EnableDHCP 0 1
Parameters\Interfaces\{1AD45B38-4060-4F73-BB1E-
A0439A2D97EB}
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\ Transports 0x5400630070006900700000004e0065007 2
Parameters 7400420049004f00530000000000
HKLM\SYSTEM\Setup OsLoaderPath \ 2
HKLM\SYSTEM\Setup SystemPartition \Device\HarddiskVolume1 2
HKLM\SYSTEM\Setup SystemSetupInProgress 0 1
HKLM\SYSTEM\WPA\MediaCenter Installed 0 1
HKLM\Software\Classes\CLSID\{00021401-0000-0000- shell32.dll 1
c000-000000000046}\InProcServer32

HKLM\Software\Classes\CLSID\{01e04581-4eee-11d0- %SystemRoot%\system32\browseui.dll 1
bfe9-00aa005b4383}\InProcServer32
HKLM\Software\Classes\CLSID\{0e5cbf21- %SystemRoot%\system32\SHELL32.dll 1
d15f-11d0-8301-00aa005b4383}\InProcServer32
HKLM\Software\Classes\CLSID\{5b4dae26- %SystemRoot%\system32\SHELL32.dll 1
b807-11d0-9815-00c04fd91972}\InProcServer32
HKLM\Software\Classes\CLSID\{750fdf0e-2a26-11d1- %SystemRoot%\System32\cscui.dll 1
a3ea-080036587f03}\InProcServer32
HKLM\Software\Classes\CLSID\ C:\WINDOWS\system32\urlmon.dll 1
{7b8a2d94-0ac9-11d1-896c-00c04fb6bfc4}\
InProcServer32
HKLM\Software\Classes\CLSID\{871c5380-42a0-1069- %SystemRoot%\system32\shdocvw.dll 4
a2ea-08002b30309d}\InProcServer32
HKLM\Software\Classes\CLSID\{9ba05972-f6a8-11cf- %SystemRoot%\system32\shdocvw.dll 1
a442-00a0c90a8f39}\InProcServer32
HKLM\Software\Classes\CLSID\ %SystemRoot%\system32\shdocvw.dll 1
{a5e46e3a-8849-11d1-9d8c-00c04fc99d61}\
InProcServer32
HKLM\Software\Classes\CLSID\{dd313e04- %SystemRoot%\system32\browseui.dll 1
feff-11d1-8ecd-0000f87a470c}\InProcServer32
HKLM\Software\Clients\News Outlook Express 3
HKLM\Software\Microsoft\Active Setup IsInstalled 1 1
\Installed Components\{89820200-
ECBD-11cf-8B85-00AA005B4383}
HKLM\Software\Microsoft\Active Setup Locale en 2
\Installed Components\{89820200-
ECBD-11cf-8B85-00AA005B4383}
HKLM\Software\Microsoft\Active Setup Version 6,0,2900,5512 2
\Installed Components\{89820200-
ECBD-11cf-8B85-00AA005B4383}
HKLM\Software\Microsoft\COM3 COM+Enabled 1 1
HKLM\Software\Microsoft\COM3 Com+Enabled 1 2
HKLM\Software\Microsoft\COM3 REGDBVersion 0x0700000000000000 71
HKLM\Software\Microsoft\Internet Explorer IntegratedBrowser 1 1
HKLM\Software\Microsoft\Internet Explorer\Extensions\ Exec %windir%\Network Diagnostic\xpnetdiag.exe 1
{E2E2DD38-D088-4134-82B7-F2BA38496583}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ MenuText @xpsp3res.dll,-20001 1
{E2E2DD38-D088-4134-82B7-F2BA38496583}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ ButtonText Messenger 1
{FB5F1910-F110-11D2-BB9E-00C04F795683}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ Default Visible Yes 1
{FB5F1910-F110-11D2-BB9E-00C04F795683}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ Exec C:\Program Files\Messenger\msmsgs.exe 1
{FB5F1910-F110-11D2-BB9E-00C04F795683}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ HotIcon C:\Program Files\Messenger\ 1
{FB5F1910-F110-11D2-BB9E-00C04F795683} msmsgs.exe,302
HKLM\Software\Microsoft\Internet Explorer\Extensions\ Icon C:\Program Files\Messenger\ 1
{FB5F1910-F110-11D2-BB9E-00C04F795683} msmsgs.exe,301
HKLM\Software\Microsoft\Internet Explorer\Extensions\ MenuText Windows Messenger 1
{FB5F1910-F110-11D2-BB9E-00C04F795683}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ clsid {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} 1
{FB5F1910-F110-11d2-BB9E-00C04F795683}
HKLM\Software\Microsoft\Internet Explorer\Extensions\ clsid {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 1
{e2e2dd38-d088-4134-82b7-f2ba38496583}
HKLM\Software\Microsoft\Internet Explorer\Main FullScreen no 2
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_BEHAVIORS
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
HKLM\Software\Microsoft\Internet iexplore.exe 1 1
Explorer\Main\FeatureControl\
FEATURE_LOCALMACHINE_LOCKDOWN
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 2
FeatureControl\FEATURE_MIME_HANDLING

HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_MIME_SNIFFING
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_OBJECT_CACHING
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 0 1
FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_SAFE_BINDTOOBJECT
HKLM\Software\Microsoft\Internet iexplore.exe 1 1
Explorer\Main\FeatureControl\
FEATURE_WEBOC_POPUPMANAGEMENT
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_WINDOW_RESTRICTIONS
HKLM\Software\Microsoft\Internet Explorer\Main\ iexplore.exe 1 1
FeatureControl\FEATURE_ZONE_ELEVATION
HKLM\Software\Microsoft\Internet Explorer\URL Compatibility Flags 4 1
Compatibility\~/CONNWIZ.HTM
HKLM\Software\Microsoft\Internet Explorer\URL Compatibility Flags 4 1
Compatibility\~/CWIZINTR.HTM
HKLM\Software\Microsoft\Internet Explorer\Version IE 6.0000 1
Vector
HKLM\Software\Microsoft\Internet Explorer\Version VML 1.0 1
Vector
HKLM\Software\Microsoft\Tracing EnableConsoleTracing 0 1
HKLM\Software\Microsoft\Tracing\RASAPI32 ConsoleTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableConsoleTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 EnableFileTracing 0 2
HKLM\Software\Microsoft\Tracing\RASAPI32 FileDirectory %windir%\tracing 4
HKLM\Software\Microsoft\Tracing\RASAPI32 FileTracingMask 4294901760 2
HKLM\Software\Microsoft\Tracing\RASAPI32 MaxFileSize 1048576 2
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ AllUsersProfile All Users 5
ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ DefaultUserProfile Default User 2
ProfileList
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ ProfilesDirectory %SystemDrive%\Documents and Settings 7
ProfileList
HKLM\Software\Microsoft\Windows ProfileImagePath %SystemDrive%\Documents and Settings\ 2
NT\CurrentVersion\ProfileList\ Administrator
S-1-5-21-842925246-1425521274-308236825-500
HKLM\Software\Microsoft\Windows\CurrentVersion CommonFilesDir C:\Program Files\Common Files 2
HKLM\Software\Microsoft\Windows\CurrentVersion DevicePath %SystemRoot%\inf 1
HKLM\Software\Microsoft\Windows\CurrentVersion ProgramFilesDir C:\Program Files 3
HKLM\Software\Microsoft\Windows\CurrentVersion\App Path C:\Program Files\Internet Explorer\ 1
Paths\ICWCONN1.EXE Connection Wizard;
HKLM\Software\Microsoft\Windows\CurrentVersion\App C:\Program Files\Internet Explorer\ 20
Paths\IEXPLORE.EXE iexplore.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ BrowseNewProcess yes 2
Explorer\BrowseNewProcess
HKLM\Software\Microsoft\Windows\CurrentVersion\ {750fdf0e-2a26-11d1-a3ea-080036587f03} 1
Explorer\ShellIconOverlayIdentifiers\Offline Files
HKLM\Software\Microsoft\Windows\CurrentVersion\ Common AppData %ALLUSERSPROFILE%\Application Data 1
Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\ Common Desktop %ALLUSERSPROFILE%\Desktop 1
Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\ Common Documents %ALLUSERSPROFILE%\Documents 1
Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\ Common Start Menu %ALLUSERSPROFILE%\Start Menu 1
Explorer\User Shell Folders
HKLM\Software\Microsoft\Windows\CurrentVersion\ 0 image/gif 3
Internet Settings\Accepted Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\ 1 image/x-xbitmap 3
Internet Settings\Accepted Documents

HKLM\Software\Microsoft\Windows\CurrentVersion\ 2 image/jpeg 3
Internet Settings\Accepted Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\ 3 image/pjpeg 3
Internet Settings\Accepted Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\ flash application/x-shockwave-flash 3
Internet Settings\Accepted Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup DriverCachePath %SystemRoot%\Driver Cache 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup LogLevel 0 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ServicePackCachePath c:\windows\ServicePackFiles\ 2
ServicePackCache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ServicePackSourcePath D:\ 2
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup SourcePath D:\ 2
HKLM\Software\Microsoft\windows\CurrentVersion\ UrlEncoding 0x00000000 1
Internet Settings
HKLM\Software\Microsoft\windows\CurrentVersion\ DaysToKeep 0x14000000 1
Internet Settings\Url History
HKLM\Software\Policies\Microsoft\Windows\Safer\ TransparentEnabled 1 1
CodeIdentifiers
HKLM\System\CurrentControlSet\Control\ComputerName ComputerName PC 6
\ActiveComputerName
HKLM\System\CurrentControlSet\Control\ wheel 1 1
MediaProperties\PrivateProperties\Joystick\Winmm
HKLM\System\CurrentControlSet\Control\Nls\CodePage 950 c_950.nls 1
HKLM\System\CurrentControlSet\Control\Nls\Language 1 1 1
Groups
HKLM\System\CurrentControlSet\Control\Nls\Locale 00000C07 1 1
HKLM\System\CurrentControlSet\Control\ProductOptions ProductType WinNT 1
HKLM\System\CurrentControlSet\Control\Session ComSpec %SystemRoot%\system32\cmd.exe 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session FP_NO_HOST_CHECK NO 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session NUMBER_OF_PROCESSORS 1 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session OS Windows_NT 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session PATHEXT .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;. 4
Manager\Environment .JSE;.WSF;.WSH
HKLM\System\CurrentControlSet\Control\Session PROCESSOR_ARCHITECTURE x86 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session PROCESSOR_IDENTIFIER x86 Family 6 Model 3 Stepping 3, 4
Manager\Environment GenuineIntel
HKLM\System\CurrentControlSet\Control\Session PROCESSOR_LEVEL 6 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session PROCESSOR_REVISION 0303 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session Path %SystemRoot%\system32;%SystemRoot%; 4
Manager\Environment %SystemRoot%\System32\Wbem
HKLM\System\CurrentControlSet\Control\Session TEMP %SystemRoot%\TEMP 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session TMP %SystemRoot%\TEMP 4
Manager\Environment
HKLM\System\CurrentControlSet\Control\Session windir %SystemRoot% 4
Manager\Environment
HKLM\System\CurrentControlSet\Services\LDAP LdapClientIntegrity 1 1
HKLM\System\CurrentControlSet\Services\Tcpip\ Domain 11
Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\ Hostname pc 11
Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\ NameServer 2
Parameters
HKLM\System\CurrentControlSet\Services\Tcpip\ UseDomainNameDevolution 0 1
Parameters

HKLM\System\CurrentControlSet\Services\Tcpip\ HelperDllName %SystemRoot%\System32\wshtcpip.dll 1
Parameters\Winsock
HKLM\System\CurrentControlSet\Services\Tcpip\ Mapping 0x0b0000000300000002000000010000000 1
Parameters\Winsock 0600000002000000010000000000
HKLM\System\CurrentControlSet\Services\Tcpip\ MaxSockaddrLength 16 1
Parameters\Winsock
HKLM\System\CurrentControlSet\Services\Tcpip\ MinSockaddrLength 16 1
Parameters\Winsock
HKLM\System\CurrentControlSet\Services\Tcpip\ UseDelayedAcceptance 0 1
Parameters\Winsock
HKLM\System\CurrentControlSet\Services\WinSock2\ WinSock_Registry_Version 2.0 4
Parameters
HKLM\System\CurrentControlSet\Services\WinSock2\ Num_Catalog_Entries 3 1
Parameters\NameSpace_Catalog5
HKLM\System\CurrentControlSet\Services\WinSock2\ Serial_Access_Num 4 2
Parameters\NameSpace_Catalog5
HKLM\System\CurrentControlSet\Services\WinSock2\ DisplayString Tcpip 4
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ Enabled 1 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ LibraryPath %SystemRoot%\System32\mswsock.dll 2
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ ProviderId 0x409d05229e7ecf11ae5a00aa00a7112b 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ StoresServiceClassInfo 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ SupportedNameSpace 12 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ Version 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ DisplayString NTDS 4
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ Enabled 1 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ LibraryPath %SystemRoot%\System32\winrnr.dll 2
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ ProviderId 0xee37263b80e5cf11a55500c04fd8d4ac 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ StoresServiceClassInfo 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ SupportedNameSpace 32 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ Version 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ DisplayString Network Location Awareness (NLA) 4
Parameters\NameSpace_Catalog5\Catalog_Entries\ Namespace
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ Enabled 1 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003

HKLM\System\CurrentControlSet\Services\WinSock2\ LibraryPath %SystemRoot%\System32\mswsock.dll 2
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ ProviderId 0x3a244266a83ba64abaa52e0bd71fdd83 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ StoresServiceClassInfo 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ SupportedNameSpace 15 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ Version 0 1
Parameters\NameSpace_Catalog5\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ Next_Catalog_Entry_ID 1012 1
Parameters\Protocol_Catalog9
HKLM\System\CurrentControlSet\Services\WinSock2\ Num_Catalog_Entries 11 1
Parameters\Protocol_Catalog9
HKLM\System\CurrentControlSet\Services\WinSock2\ Serial_Access_Num 4 2
Parameters\Protocol_Catalog9
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000001
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000002
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000003
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000004
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\rsvpsp.d 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000005
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000006
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000007
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000008
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000009
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000010
HKLM\System\CurrentControlSet\Services\WinSock2\ PackedCatalogItem %SystemRoot%\system32\mswsock. 1
Parameters\Protocol_Catalog9\Catalog_Entries\
000000000011
HKLM\System\Setup SystemSetupInProgress 0 4
HKLM\System\WPA\PnP seed 1274198464 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Shell Icon Bpp 16 1
Control Panel\Desktop\WindowMetrics
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Shell Icon Size 32 1
Control Panel\Desktop\WindowMetrics
HKU\S-1-5-21-842925246-1425521274-308236825-500\ NumShape 1 2
Control Panel\International
HKU\S-1-5-21-842925246-1425521274-308236825-500\ TEMP %USERPROFILE%\Local Settings\Temp 4
Environment
HKU\S-1-5-21-842925246-1425521274-308236825-500\ TMP %USERPROFILE%\Local Settings\Temp 4
Environment

HKU\S-1-5-21-842925246-1425521274-308236825-500\ Language Hotkey 1 4
Keyboard Layout\Toggle
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Layout Hotkey 2 4
Keyboard Layout\Toggle
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Enable 0 1
SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-
B5B1-00C04FC324A1}\LanguageProfile\0x00000409\
{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Enable 0 1
SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-
B5B1-00C04FC324A1}\LanguageProfile\0x00000c07\
{09EA4E4B-46CE-4469-B450-0DE76A435BBB}
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Enabled 1 2
SOFTWARE\Microsoft\Internet Explorer\Security\
P3Global
HKU\S-1-5-21-842925246-1425521274-308236825-500\ EnableHttp1_1 1 1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ EnableNegotiate 1 1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ MimeExclusionListForCache multipart/mixed multipart/x-mixed-replace 4
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet multipart/x-byteranges
Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ User Agent Mozilla/4.0 (compatible; MSIE 6.0; Win32) 4
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ WarnOnPost 0x01000000 1
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Completed 1 1
Software\Microsoft\Internet Connection Wizard
HKU\S-1-5-21-842925246-1425521274-308236825-500\ {FB5F1910- 8193 1
Software\Microsoft\Internet Explorer\Extensions\ F110-11d2-
CmdMapping BB9E-00C04F795683}
HKU\S-1-5-21-842925246-1425521274-308236825-500\ {e2e2dd38- 8192 1
Software\Microsoft\Internet Explorer\Extensions\ d088-4134-82b7-
CmdMapping f2ba38496583}
HKU\S-1-5-21-842925246-1425521274-308236825-500\ IEFixedFontName Courier New 2
Software\Microsoft\Internet Explorer\International\Scripts
\3
HKU\S-1-5-21-842925246-1425521274-308236825-500\ IEPropFontName Times New Roman 2
Software\Microsoft\Internet Explorer\International\Scripts
\3
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Anchor Underline yes 1
Software\Microsoft\Internet Explorer\Main
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Disable Script yes 1
Software\Microsoft\Internet Explorer\Main Debugger
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Display Inline Images yes 1
Software\Microsoft\Internet Explorer\Main
HKU\S-1-5-21-842925246-1425521274-308236825-500\ NoUpdateCheck 1 1
Software\Microsoft\Internet Explorer\Main
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Use_DlgBox_Colors yes 1
Software\Microsoft\Internet Explorer\Main
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Anchor Color 0,0,255 1
Software\Microsoft\Internet Explorer\Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Anchor Color Visited 128,0,128 1
Software\Microsoft\Internet Explorer\Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Use Anchor Hover No 1
Software\Microsoft\Internet Explorer\Settings Color
HKU\S-1-5-21-842925246-1425521274-308236825-500\ LinksFolderName Links 4
Software\Microsoft\Internet Explorer\Toolbar
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Locked 1 1
Software\Microsoft\Internet Explorer\Toolbar
HKU\S-1-5-21-842925246-1425521274-308236825-500\ ParseAutoexec 1 2
Software\Microsoft\Windows NT\CurrentVersion\Winlogon

HKU\S-1-5-21-842925246-1425521274-308236825-500\ ShellState 0x240000003808000000000000000000000 2
Software\Microsoft\Windows\CurrentVersion\Explorer\ 00000000010000000d0000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\ ClassicViewState 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ DontPrettyPath 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Filter 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ Hidden 1 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ HideFileExt 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ HideIcons 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\
Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\ MapNetDrvBtn 0 1
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | NoNetCrawling | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | SeparateProcess | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ShowCompColor | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ShowInfoTip | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ShowSuperHidden | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | WebView | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder | Attributes | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState | FullPath | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState | Settings | 0x0c0002000a01f87560000000 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ | Data | 0x000000005c005c003f005c0049004400450023004300640052006f006d00 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ | Generation | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ | Data | 0x000000005c005c003f005c00530054004f00520041004700450023005600 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ | Generation | 1 | 30

http://anubis.iseclab.org/ Page 21 of 30
Analysis Report for http://vconferenceonline.com/ - submitted on 09/24/10, 22:57:42 UTC

Registry Values Read:

Key | Name | Value | Times
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | MRUList | cba | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | a | cmd\1 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | b | c:\stimulator.exe\1 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | c | c:\popupKiller.exe\1 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Streams | Settings | 0x080000000300000001000000e0a51f0e7335cf11ae6908002b2e12620400 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | AppData | %USERPROFILE%\Application Data | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Cache | %USERPROFILE%\Local Settings\Temporary Internet Files | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Cookies | %USERPROFILE%\Cookies | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Desktop | %USERPROFILE%\Desktop | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Favorites | %USERPROFILE%\Favorites | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | History | %USERPROFILE%\Local Settings\History | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Local Settings | %USERPROFILE%\Local Settings | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | My Pictures | %USERPROFILE%\My Documents\My Pictures | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Personal | %USERPROFILE%\My Documents | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Recent | %USERPROFILE%\Recent | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders | Start Menu | %USERPROFILE%\Start Menu | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\\\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837} | Version | 3 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\\\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count | HRZR_PGYFRFFVBA | 0xd4da4f0e02000000 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\\\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9} | Version | 3 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\\\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count | HRZR_PGYFRFFVBA | 0x6f2d460e01000000 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache | Signature | Client UrlCache MMF Ver 5.2 | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CacheLimit | 163410 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |  | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | PerUserItem | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CacheLimit | 8192 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | PerUserItem | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CacheLimit | 8192 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: | 2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | PerUserItem | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | CurrentLevel | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | Description | Your computer | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | DisplayName | My Computer | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0 | Icon | explorer.exe#0100 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | IntranetName | 1 | 7
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ProxyBypass | 1 | 7
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\ | http | 3 | 7
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | Flags | 33 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | CurrentLevel | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | Description | This zone contains all Web sites that are on your organization's intranet. | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | DisplayName | Local intranet | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | Flags | 219 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | Icon | shell32.dll#0018 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | MinLevel | 65536 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1 | RecommendedLevel | 66816 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | CurrentLevel | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | Description | This zone contains Web sites that you trust not to damage your computer or data. | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | DisplayName | Trusted sites | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | Flags | 71 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | Icon | inetcpl.cpl#00004480 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | MinLevel | 65536 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2 | RecommendedLevel | 65536 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1201 | 3 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1400 | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1809 | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 1A10 | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | 2100 | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | CurrentLevel | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | Description | This zone contains all Web sites you haven't placed in other zones | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | DisplayName | Internet | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | Flags | 1 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | Icon | inetcpl.cpl#001313 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | MinLevel | 69632 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | RecommendedLevel | 69632 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | {AEBA21FA-782A-4A90-978D-B72164C80120} | 0x1a3761592352350c7a5f20172f1e1a190e2b01731e281a041b0c3bc22127 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | CurrentLevel | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | Description | This zone contains Web sites that could potentially damage your computer or data. | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | DisplayName | Restricted sites | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | Flags | 3 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | Icon | inetcpl.cpl#00004481 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | MinLevel | 73728 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4 | RecommendedLevel | 73728 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached | {871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0x401 | 0x010000007c6c9c7cc0da56ab0ac5c801 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\ | BagMRU Size | 5000 | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache | LangID | 0x0904 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\ | @xpsp3res.dll,-20001 | Diagnose Connection Problems... | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | 0 | 0x14001f48ba8f0d4525add01198a80800361b11030000 | 6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | 1 | 0x14001f50e04fd020ea3a6910a2d808002b30309d0000 | 6
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | MRUListEx | 0x0100000000000000ffffffff | 3
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\\BagMRU | NodeSlots | 0x0202020202 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | MigrateProxy | 1 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings | ProxyEnable | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | DefaultConnectionSettings | 0x3c0000000200000009000000000000000000000000000000000000000000 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | 0x3c0000000400000009000000000000000000000000000000000000000000 | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | APPDATA | C:\Documents and Settings\Administrator\Application Data | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | CLIENTNAME |  | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | HOMEDRIVE | C: | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | HOMEPATH | \Documents and Settings\Administrator | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | HOMESHARE |  | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | LOGONSERVER | \\PC | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment | SESSIONNAME | Console | 4
HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ListviewAlphaSelect | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ListviewShadow | 0 | 1
HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | ListviewWatermark | 1 | 1

Monitored Registry Keys:


Key | Watch subtree | Notify Filter | Count
HKLM\Software\Classes | 1 | Key Change,Value Change | 3
HKLM\Software\Classes\CLSID | 1 | Key Change,Value Change | 2
HKLM\Software\Microsoft\COM3 | 1 | Key Change,Value Change | 6
HKLM\Software\Microsoft\Tracing\RASAPI32 | 0 | Attributes Change,Value Change,Security Descriptor Change | 2
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 | 0 | Key Change | 1
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 | 0 | Key Change | 1
HKU | 1 | Key Change,Value Change | 13
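
Several values in the Registry Values Read table above are stored in obfuscated or binary form: the UserAssist value name HRZR_PGYFRFFVBA is ROT13 of UEME_CTLSESSION, the two BagMRU entries are shell item ID lists whose single item is a root folder carrying a CLSID, and Streams\Settings carries a CLSID at offset 12. The Python below is an added example, not part of the Anubis report, that decodes these three forms. The sample bytes are the report's own values; the CLSID names come from the standard shell namespace (My Documents, My Computer, the Internet Explorer namespace folder, and the two UserAssist GUIDs), while the CLSID inside Streams\Settings is decoded but left unnamed because the report does not identify it.

```python
"""Decode ROT13 UserAssist names and shell item ID lists from the report.
Added example, not Anubis code. Sample bytes are the report's own values."""
import codecs
import struct
import uuid

# CLSIDs that appear in the report, with their standard shell namespace names.
KNOWN_GUIDS = {
    "450d8fba-ad25-11d0-98a8-0800361b1103": "My Documents",
    "20d04fe0-3aea-1069-a2d8-08002b30309d": "My Computer",
    "871c5380-42a0-1069-a2ea-08002b30309d": "Internet Explorer namespace folder",
    "5e6ab780-7743-11cf-a12b-00aa004ae837": "UserAssist: Internet Explorer toolbar",
    "75048700-ef1f-11d0-9888-006097deacf9": "UserAssist: Active Desktop (Explorer launches)",
}

# BagMRU\0, BagMRU\1 and Streams\Settings as listed in the report table.
REPORT_BAGMRU_0 = bytes.fromhex("14001f48ba8f0d4525add01198a80800361b11030000")
REPORT_BAGMRU_1 = bytes.fromhex("14001f50e04fd020ea3a6910a2d808002b30309d0000")
REPORT_STREAMS_SETTINGS = bytes.fromhex(
    "080000000300000001000000e0a51f0e7335cf11ae6908002b2e12620400"
)


def decode_userassist_name(name):
    """UserAssist value names are ROT13-obfuscated (HRZR_... -> UEME_...)."""
    return codecs.decode(name, "rot13")


def guid_from_bytes(raw):
    """Windows mixed-endian GUID bytes -> canonical lowercase text."""
    return str(uuid.UUID(bytes_le=raw))


def parse_idlist(blob):
    """Walk a shell item ID list: [u16 size][item bytes]... terminated by size 0.

    Root-folder items (type 0x1F) carry a sort index and a 16-byte CLSID.
    Other item types are returned undecoded with their type byte.
    """
    items = []
    offset = 0
    while offset + 2 <= len(blob):
        (size,) = struct.unpack_from("<H", blob, offset)
        if size == 0:
            break  # list terminator
        if size < 3 or offset + size > len(blob):
            raise ValueError("truncated or malformed shell item at offset %d" % offset)
        item = blob[offset:offset + size]
        entry = {"type": item[2]}
        if item[2] == 0x1F and size >= 20:
            entry["sort_index"] = item[3]
            entry["clsid"] = guid_from_bytes(item[4:20])
            entry["name"] = KNOWN_GUIDS.get(entry["clsid"], "unnamed CLSID")
        items.append(entry)
        offset += size
    return items


def streams_settings_clsid(blob):
    """The CLSID stored at offset 12 of the Streams\\Settings value."""
    if len(blob) < 28:
        raise ValueError("Streams\\Settings blob too short")
    return guid_from_bytes(blob[12:28])


if __name__ == "__main__":
    print(decode_userassist_name("HRZR_PGYFRFFVBA"))
    for blob in (REPORT_BAGMRU_0, REPORT_BAGMRU_1):
        print(parse_idlist(blob))
    print(streams_settings_clsid(REPORT_STREAMS_SETTINGS))
```

BagMRU\0 decodes to the My Documents root folder and BagMRU\1 to My Computer, i.e. the shell bag entries IE touched are the default ones and nothing points at an unusual location; the same walker handles longer ID lists, since it stops only at the two-byte zero terminator.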

2.b) iexplore.exe - File Activities

Files Created:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\prototype[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\global[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\BrowserCompatible[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\global[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\scriptaculous[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\vconferenceonline[1].htm

Files Read:
C:\Documents and Settings\Administrator\Application Data\desktop.ini
C:\Documents and Settings\Administrator\Favorites\desktop.ini
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\prototype[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\global[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\BrowserCompatible[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\global[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
C:\Documents and Settings\Administrator\My Documents\My Pictures\desktop.ini
C:\Documents and Settings\Administrator\My Documents\desktop.ini
C:\Documents and Settings\Administrator\Start Menu\desktop.ini
C:\Documents and Settings\All Users\Application Data\desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\desktop.ini
C:\Documents and Settings\All Users\Documents\My Videos\desktop.ini
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\Documents and Settings\All Users\Start Menu\desktop.ini
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\mshtml.tlb

C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\system32\url.dll
PIPE\lsarpc
PIPE\wkssvc
c:\autoexec.bat

Files Modified:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4X23OP2B\prototype[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GPURSX23\global[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\BrowserCompatible[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\global[1].css
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\scriptaculous[1].js
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\vconferenceonline[1].htm
Ip
MountPointManager
PIPE\lsarpc
PIPE\wkssvc
\Device\Afd\AsyncConnectHlp
\Device\Afd\Endpoint
\Device\Ip
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}
\Device\RasAcd
\Device\Tcp

File System Control Communication:


File Control Code Times
PIPE\lsarpc 0x0011C017 28
C:\Documents and Settings\Administrator\Favorites\Links 0x000900C0 1
PIPE\wkssvc 0x0011C017 1

Device Control Communication:


File | Control Code | Times
\Device\KsecDD | 0x00390008 | 8
shadow | 0x00140FFB | 1
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | 0x004D0008 | 1
MountPointManager | 0x006D0008 | 2
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} | 0x004D0008 | 1
MountPointManager | 0x006D0034 | 4
\Device\Afd\Endpoint | AFD_GET_INFO (0x0001207B) | 2
\Device\Afd\Endpoint | AFD_SET_CONTEXT (0x00012047) | 15
\Device\Afd\Endpoint | AFD_BIND (0x00012003) | 3
\Device\Afd\Endpoint | AFD_GET_TDI_HANDLES (0x00012037) | 6
\Device\Afd\Endpoint | AFD_GET_SOCK_NAME (0x0001202F) | 4
\Device\Afd\Endpoint | AFD_CONNECT (0x00012007) | 1
\Device\Afd\Endpoint | AFD_SELECT (0x00012024) | 27
\Device\Afd\Endpoint | AFD_SET_INFO (0x0001203B) | 2
\Device\Tcp | 0x00120003 | 19
\Device\Afd\AsyncConnectHlp | AFD_CONNECT (0x00012007) | 2
\Device\Afd\Endpoint | AFD_RECV (0x00012017) | 173
\Device\Afd\Endpoint | AFD_SEND (0x0001201F) | 17
\Device\Ip | 0x00120040 | 2
\Device\Ip | 0x00120090 | 1
unnamed file | 0x00120028 | 3
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB} | 0x0021009A | 1
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB} | 0x00210096 | 1

Memory Mapped Files:


File Name
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\CSCDLL.dll
C:\WINDOWS\System32\cscui.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsShell.manifest
C:\WINDOWS\system32\BROWSEUI.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\IMM32.DLL
C:\WINDOWS\system32\IPHLPAPI.DLL
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\RichEd20.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHDOCVW.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\ShimEng.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\UxTheme.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\browselc.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\jscript.dll
C:\WINDOWS\system32\mlang.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\mshtml.tlb
C:\WINDOWS\system32\msimtf.dll
C:\WINDOWS\system32\msls31.dll

C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\shdoclc.dll
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\system32\url.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\xpsp2res.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) iexplore.exe - Network Activity

DNS Queries:
Name | Query Type | Query Result | Successful | Protocol
vconferenceonline.com | DNS_TYPE_A | 64.29.220.153 | YES | udp
wpad | DNS_TYPE_A |  | NO |
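
The failed lookup for "wpad" is not something the visited site asked for; it follows from the DefaultConnectionSettings and SavedLegacySettings blobs in the Registry Values Read table. Those are WinINet's per-connection proxy configuration, and their flags DWORD at offset 8 is 0x09: bit 0x01 (PROXY_TYPE_DIRECT) plus bit 0x08 (PROXY_TYPE_AUTO_DETECT), so the browser first tries to locate a proxy auto-config server by the name wpad and, when that fails as it did here, connects directly. The Python below is an added example, not Anubis code, that parses the blob layout (a 12-byte header of version, change counter and flags, then three DWORD-length-prefixed ASCII strings: proxy server, bypass list and auto-config URL) and reports whether a wpad lookup is to be expected. The first sample is the report's own value, which the report shows truncated, so only the header and the three empty strings are present; the second is a constructed blob with a made-up PAC URL on the invented host proxy.example.test to exercise the string fields.

```python
"""Parse WinINet "Connections" blobs (DefaultConnectionSettings and
SavedLegacySettings). Added example for this report; not Anubis code.

Layout (little-endian):
  offset 0   DWORD version (0x3c on IE6/XP, 0x46 on IE7+)
  offset 4   DWORD change counter
  offset 8   DWORD INTERNET_PER_CONN_FLAGS bits
  offset 12  DWORD len + proxy server string
             DWORD len + proxy bypass list
             DWORD len + auto-config (PAC) URL
  followed by auto-detect state bytes, left zeroed in the constructed sample.
"""
import struct

# INTERNET_PER_CONN_FLAGS bit names from WinInet.h.
PROXY_FLAGS = {
    0x01: "PROXY_TYPE_DIRECT",
    0x02: "PROXY_TYPE_PROXY",
    0x04: "PROXY_TYPE_AUTO_PROXY_URL",
    0x08: "PROXY_TYPE_AUTO_DETECT",
}

# DefaultConnectionSettings as listed (truncated) in the report table above:
# version 0x3c, counter 2, flags 0x09, then 18 zero bytes.
REPORT_DEFAULT_CONNECTION_SETTINGS = bytes.fromhex(
    "3c000000" "02000000" "09000000" + "00" * 18
)


def _take_string(blob, offset):
    """Read one DWORD-length-prefixed ASCII string; None if the blob ends early."""
    if offset + 4 > len(blob):
        return None, offset
    (length,) = struct.unpack_from("<I", blob, offset)
    offset += 4
    if offset + length > len(blob):
        return None, offset
    return blob[offset:offset + length].decode("ascii", "replace"), offset + length


def parse_connection_settings(blob):
    """Decode the header, flags and the three strings of a Connections blob."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    result = {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [PROXY_FLAGS[b] for b in sorted(PROXY_FLAGS) if flags & b],
    }
    offset = 12
    for field in ("proxy", "bypass", "pac_url"):
        result[field], offset = _take_string(blob, offset)
    result["trailing_bytes"] = len(blob) - offset
    return result


def wpad_lookup_expected(settings):
    """True when the browser will try to auto-detect a proxy (hence query 'wpad')."""
    return bool(settings["flags"] & 0x08)


def build_connection_settings(version, counter, flags, proxy, bypass, pac_url):
    """Assemble a blob in the same layout; used here only to construct test input."""
    out = struct.pack("<III", version, counter, flags)
    for text in (proxy, bypass, pac_url):
        data = text.encode("ascii")
        out += struct.pack("<I", len(data)) + data
    return out + bytes(32)  # auto-detect state, zeroed in this constructed sample


# Constructed sample: a static PAC URL on a made-up host, auto-detect off.
CONSTRUCTED_PAC_SETTINGS = build_connection_settings(
    0x46, 1, 0x01 | 0x04, "", "", "http://proxy.example.test/wpad.dat"
)

if __name__ == "__main__":
    for name, blob in (("report", REPORT_DEFAULT_CONNECTION_SETTINGS),
                       ("constructed", CONSTRUCTED_PAC_SETTINGS)):
        parsed = parse_connection_settings(blob)
        print(name, parsed, "wpad lookup expected:", wpad_lookup_expected(parsed))
```

SavedLegacySettings (counter 4 in the report) uses the same layout. The auto-detect bit is the one to look at when reviewing a host's exposure to a rogue PAC server: with 0x08 set the browser asks the network for a host named wpad, and whoever answers for that name can supply the script that decides where every HTTP request is sent. In the sandbox the query failed and the browser went direct, which is why the HTTP conversations below go straight to 64.29.220.153.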

HTTP Conversations:
From ANUBIS:1039 to 64.29.220.153:80 - [vconferenceonline.com]
Request: GET /
Response: 200 "OK"
Request: GET /css/global.css
Response: 200 "OK"
Request: GET /js/global.js
Response: 200 "OK"
Request: GET /js/src/scriptaculous.js
Response: 200 "OK"
From ANUBIS:1040 to 64.29.220.153:80 - [vconferenceonline.com]
Request: GET /js/BrowserCompatible.js?opt=no&enc=utf-8
Response: 200 "OK"
Request: GET /js/src/prototype.js
Response: 200 "OK"

2.d) iexplore.exe - Other Activities

Mutexes Created:
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500
MSCTF.Shared.MUTEX.IJG
MSCTF.Shared.MUTEX.IM
Shell.CMruPidlList
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex

_SHuassist.mtx

Keyboard Keys Monitored:


Virtual Key Code Times
VK_CONTROL (17) 15
VK_ESCAPE (27) 23
VK_LBUTTON (1) 59
VK_MENU (18) 14
VK_SHIFT (16) 15
VK_LWIN (91) 2
VK_RWIN (92) 2
VK_LSHIFT (160) 9
VK_LCONTROL (162) 9
VK_LMENU (164) 9
VK_RBUTTON (2) 3
VK_MBUTTON (4) 3
