2EFE003B8969FA946F194333152F334C (Original Binary)
9645CD309A01211C8DB323EBFCC44C6B (Unpacked Binary)
Start by Looking at Strings
Notice the two HTTP GET strings. They are likely to be callback URLs for communications with a command and control server of sorts.
Next, isolate the functions that work with this string: there is only one function to prototype.
Let's look at the function in IDA: note that it takes one INT argument. The parameter maps to a query string variable called "s".
The formulation of the HTTP GET request happens here.
A closer look at the query string params on the stack (illustrated using notepad).
And the query is pushed to the stack after it is formulated.
A cleaner representation of the callback query.
The domain "livecounter.co" is still active (as of 2013-07-03 00:57 hrs).
Analysis of the second HTTP GET string surfaced the following callback query.
The domain "fling.com" is also still active.
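For detection, the callback shape described above can be checked against web proxy logs. The following is an added example, not part of the original analysis: the log format, the `/placeholder` path and the sample lines are constructed, and only the two domains and the integer `s` parameter come from the write-up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Domains named in the write-up above.
CALLBACK_DOMAINS = ("livecounter.co", "fling.com")

# Constructed sample lines: "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2013-07-03T00:57:10Z 10.0.0.5 GET http://livecounter.co/placeholder?s=3
2013-07-03T00:57:11Z 10.0.0.5 GET http://notlivecounter.co/placeholder?s=3
2013-07-03T00:57:12Z 10.0.0.7 GET http://www.fling.com/
2013-07-03T00:57:13Z 10.0.0.8 GET http://livecounter.co.example.net/?s=1
2013-07-03T00:57:14Z 10.0.0.5 GET http://LiveCounter.co/placeholder?a=1&s=abc
"""

def host_matches(host, domain):
    """Exact host or a true subdomain; rejects look-alikes such as 'notlivecounter.co'."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def classify(url):
    """Return 'callback-shape', 'host-only' or None for one requested URL."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not any(host_matches(host, d) for d in CALLBACK_DOMAINS):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("s", [])
    # The analysed function fills "s" from an INT argument, so require an integer.
    if any(re.fullmatch(r"-?[0-9]+", v) for v in values):
        return "callback-shape"
    # Host seen without the integer "s": weaker signal, needs triage.
    return "host-only"

def scan(log_text):
    """Return (line_number, verdict) for every GET line that matches."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) != 4 or fields[2] != "GET":
            continue
        verdict = classify(fields[3])
        if verdict:
            hits.append((number, verdict))
    return hits

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

Treat `host-only` hits as leads rather than confirmed callbacks, since the write-up gives no query details for the second domain.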