
Download Analysis for SharpReader0960.zip

We have tested this file and found it safe to use.

  • Overall Threat Level
  • SD Threat Level
  • AV Threat Level
  • TE Threat Level

Other information

File Name: SharpReader0960.zip
File Size: 795.13 KB


Submission Summary:

  • Submission Details:
    • Submission Received: 06 January 2009 17:25:07 PM
    • Processing time: 8 min 11 sec
    • Submitted sample:
      • File MD5: CD3DC0C2C49D8D2967D9937E5838E1D2
      • File Size: 814,211 bytes
      • Alias & packer info:
  • Summary of the findings:
    What's been found                              | Severity Level
    Downloads/requests other files from Internet.  | threat

Technical Details:

  • A new window was created, as shown in the screen shot below:

    [Screen shot]

    NOTICE: The content shown in the above window is captured automatically and is not controlled or endorsed by ThreatExpert.
    Please contact us should any material be offensive or inappropriate and we will ensure any such content is blocked from future viewers of the report.

File System Modifications

  • The following files were created in the system:
    #  | File Name | File Size | File MD5 | Alias & packer info
    1  | %AppData%\SharpReader\cache\rss.com.com-2547-12-0-5.xml | 1,801 bytes | 49A5779F135AB1F77C3D78204BC579BA | (not available)
    2  | %AppData%\SharpReader\cache\slashdot.org-slashdot.rss.xml | 1,797 bytes | DE9294497121718B450451946431D968 | (not available)
    3  | %AppData%\SharpReader\cache\www.hutteman.com-weblog-rss.xml | 1,813 bytes | A2E3A32065FE502B31CEDE62AC6B3F0B | (not available)
    4  | %AppData%\SharpReader\cache\www.scripting.com-rss.xml | 1,799 bytes | B03DF3E8AF36BA08D09299B52BF659E2 | (not available)
    5  | %AppData%\SharpReader\cache\www.wired.com-news_drop-netcenter-netcenter.rdf.xml | 1,851 bytes | 9DCCF20A2BAFA924ED7852A9EA2AB9CE | (not available)
    6  | %AppData%\SharpReader\SharpReader.log | 18,222 bytes | 812DD6CCE4FC99FE6FA9361D811071FF | (not available)
    7  | %AppData%\SharpReader\subscriptions.xml | 867 bytes | B165C01317B6DE11AB4A05755C10755C | (not available)
    8  | %Temp%\AxInterop.SHDocVw.dll | 49,152 bytes | 022718E6D049865DB703DDDC82077911 | (not available)
    9  | %Temp%\blogExtension.dll | 3,584 bytes | 4853982811710E89F6DE141E138F6CF1 | (not available)
    10 | %Temp%\blogThis.dll | 3,584 bytes | 39898F1372BAB7B6B77885CD4870C760 | (not available)
    11 | %Temp%\CustomComponents.dll | 20,480 bytes | D2486168D1C04B5FA6420EA3B441B737 | (not available)
    12 | %Temp%\CustomComponents.pdb | 17,920 bytes | 1C58D0965719C4E57AA013A49FF2C4E2 | (not available)
    13 | %Temp%\genghis-license.txt | 1,010 bytes | DDB0BC20EDA8D5679B76E450E650853E | (not available)
    14 | %Temp%\Genghis.dll | 335,872 bytes | 95B321D3E75B6EF9B3E833CA3DB0F23C | (not available)
    15 | %Temp%\ICSharpCode.SharpZipLib.dll | 114,688 bytes | F4107481E72E107B0D69C39B73CD4449 | (not available)
    16 | %Temp%\Interop.SHDocVw.dll | 126,976 bytes | 9BAB85E85D81C1A3D1D56F5704B2AD6E | (not available)
    17 | %Temp%\lamarvin.windows.forms.autocomplete.dll | 69,632 bytes | A86055B5ECECD0B6942D5A2FCBE65B44 | (not available)
    18 | %Temp%\LaMarvin.Windows.Forms.AutoComplete.Interop.dll | 7,168 bytes | F91A5D5FC00132F864ED867E592F7694 | (not available)
    19 | %Temp%\lamarvin.windows.forms.autocomplete.xml | 17,613 bytes | 717AD7BC78E2B97E8A2A6ECDDD188B34 | (not available)
    20 | %Temp%\log4net-license.txt | 2,868 bytes | B467453087E2E46042DCFA0592E7D88C | (not available)
    21 | %Temp%\log4net.dll | 196,608 bytes | 67BA6F7D2EE62B177768ED642E6AD50D | (not available)
    22 | %Temp%\partial.mshtml.DLL | 102,400 bytes | 8D4A32A2C5A2DA4B4DE08B7AD830D2BB | (not available)
    23 | %Temp%\plugins\readme.txt | 140 bytes | 8982E9EAC81397786E93A53AF75ABA9A | (not available)
    24 | %Temp%\readme.htm | 5,401 bytes | 3C1FCCAD879A578305384176D4281126 | (not available)
    25 | %Temp%\SharpReader.exe | 622,592 bytes | 365EE56245ACFBA1D227A5F50FCDAC21 | (not available)
    26 | %Temp%\SharpReader.exe.config | 188 bytes | 21A360C45A1E152128C46C6880CBB9C1 | (not available)
    27 | %Temp%\SharpReader.exe.log4net | 660 bytes | 811494E233093BCF5E496AD76C1D7EBC | (not available)
    28 | %Temp%\SharpReader.exe.manifest | 674 bytes | 052736BBCD037ACBD587981C61FBBBA0 | (not available)
    29 | %Temp%\SharpReader.pdb | 1,142,272 bytes | 78D8B14EBB6CBBB9FE288411AE6E0041 | (not available)
    30 | %Temp%\sharpZipLib-license.txt | 19,659 bytes | C6E6C82BE4A821F793D671346A88F93F | (not available)
    31 | [file and pathname of the sample #1] | 814,211 bytes | CD3DC0C2C49D8D2967D9937E5838E1D2 | (not available)
  • Notes:
    • %AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
    • %Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
  • The following directories were created:
    • %AppData%\SharpReader
    • %Temp%\plugins
    • %AppData%\SharpReader\cache

Memory modifications

  • There was a new process created in the system:
    Process Name    | Process Filename       | Main Module Size
    SharpReader.exe | %Temp%\sharpreader.exe | 0 bytes
  • The following modules were loaded into the address space of other process(es):
    Module Name | Module Filename | Address Space Details
    Interop.SHDocVw.dll | %Temp%\Interop.SHDocVw.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: f10000 - f32000
    log4net.dll | %Temp%\log4net.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 12f0000 - 1324000
    AxInterop.SHDocVw.dll | %Temp%\AxInterop.SHDocVw.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 14c0000 - 14d0000
    LaMarvin.Windows.Forms.AutoComplete.dll | %Temp%\LaMarvin.Windows.Forms.AutoComplete.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 60000000 - 60014000
    CustomComponents.dll | %Temp%\CustomComponents.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 11000000 - 11008000
    LaMarvin.Windows.Forms.AutoComplete.Interop.dll | %Temp%\LaMarvin.Windows.Forms.AutoComplete.Interop.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 60100000 - 60108000
    blogExtension.dll | %Temp%\blogExtension.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 44a0000 - 44a8000
    blogThis.dll | %Temp%\blogThis.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 47d0000 - 47d8000
    partial.mshtml.dll | %Temp%\partial.mshtml.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 4920000 - 493c000
    ICSharpCode.SharpZipLib.dll | %Temp%\ICSharpCode.SharpZipLib.dll | Process Name: SharpReader.exe; Process Filename: %Temp%\sharpreader.exe; Address space: 4ec0000 - 4ee0000

Registry modifications

  • The following Registry Keys were created:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\DefaultIcon]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\shell]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\shell\open]
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\shell\open\command]
    • [HKEY_CURRENT_USER\Software\LaMarvin]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete\_listView]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete\_tbFilter]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete\_tbRssUrl]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete\_tbSearch]
    • [HKEY_CURRENT_USER\Software\LaMarvin\AutoComplete\_treeView]
  • The newly created Registry Values are:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\shell\open\command]
      • (Default) = ""%Temp%\SharpReader.exe" %1"

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed\DefaultIcon]
      • (Default) = "%Temp%\SharpReader.exe"

    • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\feed]
      • (Default) = "URL:feed protocol"
      • URL Protocol = ""

Other details

  • To mark the presence in the system, the following Mutex objects were created:
    • SharpReader/UserName
  • The following ports were open in the system:
    Port | Protocol | Process
    5335 | TCP      | SharpReader.exe (%Temp%\SharpReader.exe)
  • The following Host Names were requested from a host database:
    • slashdot.org
    • rss.com.com
    • www.scripting.com
    • www.hutteman.com
    • www.wired.com
  • Reading of the following HTTP URLs was started:
    • http://slashdot.org/slashdot.rss
    • http://rss.com.com/2547-12-0-5.xml
    • http://www.scripting.com/rss.xml
    • http://www.hutteman.com/weblog/rss.xml
    • http://www.wired.com/news_drop/netcenter/netcenter.rdf

All content ("Information") contained in this report is the copyrighted work of ThreatExpert Limited and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.