Internet Explorer 7.50/pma0.
Next, we perform more in-depth analysis with disassembly. We load the executable into IDA Pro and look at the main method, which is clearly structurally different from main in , although many of the same functions are called. We see the functions 0x401000 (the check Internet connection method), 0x401040 (the parse HTML method), 0x4012B5 (printf), and 0x401150 (the switch statement). You should rename these functions accordingly in IDA Pro to make them easier to analyze.
Looking at the main method in IDA Pro's graphical view mode, we see an upward-facing arrow, which signifies looping. shows the loop structure. The loop counter is the value main passes to 0x401040. Example C-10 shows the function at 0x401040.
Example C-10. The function at 0x401040
00401049 mov eax, [ebp+arg_0]
0040104C push eax ❶
0040104D push offset aInt ; "Internet Explorer 7.50/pma%d"
00401052 lea ecx, [ebp+szAgent]
00401055 push ecx ; char *
00401056 call _sprintf
0040105B add esp, 0Ch
0040105E push 0 ; dwFlags
00401060 push 0 ; lpszProxyBypass
00401062 push 0 ; lpszProxy
00401064 push 0 ; dwAccessType
00401066 lea edx, [ebp+szAgent] ❷
00401069 push edx ; lpszAgent
0040106A call ds:InternetOpenA
Here, arg_0 is the only parameter, and main is the only method calling 0x401040, so we conclude that arg_0 is always the counter (var_C) from the main method. arg_0 is pushed on the stack at ❶, along with a format string and a destination buffer. sprintf is then called, which builds the string and stores it in the destination buffer, the local variable labeled szAgent. Finally, szAgent is passed to InternetOpenA as the lpszAgent argument at ❷, which means that every time the counter increases, the User-Agent changes: the first request is sent with "Internet Explorer 7.50/pma0", the next with "Internet Explorer 7.50/pma1", and so on. An attacker managing and monitoring the web server can use this mechanism to track how long the malware has been running on each infected host simply by reading the User-Agent field in the server logs. For a defender, the same fixed prefix is a reliable network signature for this sample.
To summarize, the program checks for an active Internet connection using the if construct. If no connection is found, the program terminates. Otherwise, the program attempts to download a web page, using a User-Agent that embeds a counter from a for loop construct. This counter contains the number of minutes the program has been running. The web page contains an embedded HTML comment and is read into an array construct of characters and compared to <!--. The character following this comment marker is parsed out and used in a switch construct to determine what action to take on the local system. These are hard-coded actions, including deleting a file, creating a directory, setting a registry run key, copying a file, and sleeping for 100 seconds. This program will run for 1440 minutes (24 hours) before terminating.