New Mydoom Virus

(3 Pages)
1
2
3
→

You cannot start a new topic
You cannot reply to this topic

New Mydoom Virus

#1 andydis

Master Sergeant

Group: Specialist
Posts: 622
Joined: 21-August 03

Posted 26 July 2004 - 08:10 AM

does anybodies AV pick this up?

Today we recieved an email from ourselves (message below)
and contained a message.zip folder
please note domain is replaced with word DOMAIN , so actually looks like it came from us - to us.

the message.zip contained a what looked like .bat file, however it was actually a .exe (ill upload it with admins permsision (GRANTED BY COMSEC 17:11)).

it appears its the new mydoom virus that has not been included in any virus definations for nay companies as of yet.

copy of email (which includes signiture that looks authentic)

:-

-----Original Message-----
From: Administrator
Sent: 26 July 2004 14:32
To: user@DOMAIN
Subject: status

Dear user user@DOMAIN ,

Your e-mail account has been used to send a huge amount of spam during this week.
We suspect that your computer had been infected and now contains a trojaned proxy server.

We recommend you to follow our instruction in order to keep your computer safe.

Sincerely yours,
The DOMAIN team.

user@DOMAIN

Visit our website at http://DOMAIN

MPORTANT INFORMATION

This message may contain confidential information and must not be copied, disclosed or used by anybody other than the intended recipient.
If you have received this message in error, please notify us by e-mail
(enquiries@DOMAIN and then delete the email and any copies of it.
Thank you for your assistance.

Please note
We are unable to accept instructions to deal via e-mail nor will we take settlement details via e-mail. Please use a more traditional means of communication to avoid any misuse in these circumstances.

******************************************************************
* PLEASE NOT THIS ATTACHMENT CONTAINS A ACTIVE VIRUS THAT WILL *
* IF EXECUTED CAUSE HARM TO YOUR COMPUTER. *
* MYSELF, GSO OR ANY ADMINS CANNOT BE HELD RESPONSABLE FOR WHAT *
* DATA LOSS OR DAMAGES INCURRED BY DOWNLOADING THIS FILE *
* PASSWORD : V14US *
******************************************************************

Attached File(s)

VIRUS.zip (25.55K)
Number of downloads: 397

#2 twistedps

Staff Sergeant

Group: Members
Posts: 271
Joined: 20-March 04

Posted 26 July 2004 - 08:38 AM

we also got this, and a confirmation from trend micro, there will be a patch released soon from trend, but nothing at the moment :angry:

update:
seems to be packed with upx, unpacking and throwing in the debugger atm

C:\virii>upx -d message.exe
                     Ultimate Packer for eXecutables
   Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004
UPX 1.25w        Markus F.X.J. Oberhumer & Laszlo Molnar        Jun 29th 2004

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     41632 <-     28832   69.25%    win32/pe     message.exe

Unpacked 1 file.

so far so good..

#3 twistedps

Staff Sergeant

Group: Members
Posts: 271
Joined: 20-March 04

Posted 26 July 2004 - 08:49 AM

some output from ida, so you get tosee whats going on kinda...

.idata:00501000; File Name � : C:\virii\message.exe
.idata:00501000; Format � � �: Portable executable for IBM PC (PE)
.idata:00501000; Section 1. (virtual address 00001000)
.idata:00501000; Virtual size � � � � � � � � �: 000070A4 ( �28836.)
.idata:00501000; Section size in file � � � � �: 00007200 ( �29184.)
.idata:00501000; Offset to raw data for section: 00000400
.idata:00501000; Flags 60000020: Text Executable Readable
.idata:00501000; Alignment � � : 16 bytes ?
.idata:00501000; 
.idata:00501000; Imports from ADVAPI32
.idata:00501000; 
.idata:00501000 
.idata:00501000 
.idata:00501000 unicode � � � � macro page,string,zero
.idata:00501000 � � � � � � � � irpc c,<string>
.idata:00501000 � � � � � � � � db '&c', page
.idata:00501000 � � � � � � � � endm
.idata:00501000 � � � � � � � � ifnb <zero>
.idata:00501000 � � � � � � � � dw zero
.idata:00501000 � � � � � � � � endif
.idata:00501000 endm
.idata:00501000 
.idata:00501000 � � � � � � � � model flat
.idata:00501000 
.idata:00501000; ---------------------------------------------------------------------------
.idata:00501000 
.idata:00501000; Segment type: Externs
.idata:00501000; _idata
.idata:00501000 � � � � � � � � extrn RegCloseKey:dword; DATA XREF: sub_502C90+DFr
.idata:00501000 � � � � � � � � � � � � � � � � � � � �; sub_502C90+F6r ...
.idata:00501004; LONG __stdcall RegOpenKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD ulOptions,REGSAM samDesired,PHKEY phkResult)
.idata:00501004 � � � � � � � � extrn RegOpenKeyExA:dword; DATA XREF: sub_502C90+97r
.idata:00501004 � � � � � � � � � � � � � � � � � � � �; sub_502FB0+8r ...
.idata:00501008; LONG __stdcall RegSetValueExA(HKEY hKey,LPCSTR lpValueName,DWORD Reserved,DWORD dwType,const BYTE *lpData,DWORD cbData)
.idata:00501008 � � � � � � � � extrn RegSetValueExA:dword; DATA XREF: sub_502FB0+12Cr
.idata:0050100C; LONG __stdcall RegQueryValueExA(HKEY hKey,LPCSTR lpValueName,LPDWORD lpReserved,LPDWORD lpType,LPBYTE lpData,LPDWORD lpcbData)
.idata:0050100C � � � � � � � � extrn RegQueryValueExA:dword; DATA XREF: sub_504FF8+FDr
.idata:0050100C � � � � � � � � � � � � � � � � � � � �; sub_507093+E0r
.idata:00501010; LONG __stdcall RegEnumKeyA(HKEY hKey,DWORD dwIndex,LPSTR lpName,DWORD cbName)
.idata:00501010 � � � � � � � � extrn RegEnumKeyA:dword; DATA XREF: sub_507093+76r
.idata:00501014; LONG __stdcall RegCreateKeyExA(HKEY hKey,LPCSTR lpSubKey,DWORD Reserved,LPSTR lpClass,DWORD dwOptions,REGSAM samDesired,LPSECURITY_ATTRIBUTES lpSecurityAttributes,PHKEY phkResult,LPDWORD lpdwDisposition)
.idata:00501014 � � � � � � � � extrn RegCreateKeyExA:dword; DATA XREF: sub_502C90+D2r
.idata:00501018 
.idata:0050101C; 
.idata:0050101C; Imports from KERNEL32
.idata:0050101C; 
.idata:0050101C; BOOL __stdcall FindClose(HANDLE hFindFile)
.idata:0050101C � � � � � � � � extrn FindClose:dword �; DATA XREF: sub_5052AD+18Er
.idata:00501020; DWORD __stdcall GetFileSize(HANDLE hFile,LPDWORD lpFileSizeHigh)
.idata:00501020 � � � � � � � � extrn GetFileSize:dword; DATA XREF: sub_504EEA+40r
.idata:00501020 � � � � � � � � � � � � � � � � � � � �; sub_5057E6+D1r ...
.idata:00501024; BOOL __stdcall FindNextFileA(HANDLE hFindFile,LPWIN32_FIND_DATAA lpFindFileData)
.idata:00501024 � � � � � � � � extrn FindNextFileA:dword; DATA XREF: sub_5052AD+D1r
.idata:00501028; LPVOID __stdcall MapViewOfFile(HANDLE hFileMappingObject,DWORD dwDesiredAccess,DWORD dwFileOffsetHigh,DWORD dwFileOffsetLow,DWORD dwNumberOfBytesToMap)
.idata:00501028 � � � � � � � � extrn MapViewOfFile:dword; DATA XREF: sub_504EEA+71r
.idata:0050102C; BOOL __stdcall UnmapViewOfFile(LPCVOID lpBaseAddress)
.idata:0050102C � � � � � � � � extrn UnmapViewOfFile:dword; DATA XREF: sub_504EEA+E2r
.idata:00501030; HANDLE __stdcall FindFirstFileA(LPCSTR lpFileName,LPWIN32_FIND_DATAA lpFindFileData)
.idata:00501030 � � � � � � � � extrn FindFirstFileA:dword; DATA XREF: sub_5052AD+B2r
.idata:00501034; DWORD __stdcall GetEnvironmentVariableA(LPCSTR lpName,LPSTR lpBuffer,DWORD nSize)
.idata:00501034 � � � � � � � � extrn GetEnvironmentVariableA:dword
.idata:00501034 � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_505449+E5r
.idata:00501038; UINT __stdcall GetDriveTypeA(LPCSTR lpRootPathName)
.idata:00501038 � � � � � � � � extrn GetDriveTypeA:dword; DATA XREF: sub_5055B4+6Er
.idata:0050103C; void __stdcall GetSystemTime(LPSYSTEMTIME lpSystemTime)
.idata:0050103C � � � � � � � � extrn GetSystemTime:dword; DATA XREF: sub_505717+Ar
.idata:00501040; BOOL __stdcall WriteFile(HANDLE hFile,LPCVOID lpBuffer,DWORD nNumberOfBytesToWrite,LPDWORD lpNumberOfBytesWritten,LPOVERLAPPED lpOverlapped)
.idata:00501040 � � � � � � � � extrn WriteFile:dword �; DATA XREF: sub_5057E6+117r
.idata:00501040 � � � � � � � � � � � � � � � � � � � �; sub_5057E6+128r ...
.idata:00501044; HANDLE __stdcall CreateFileMappingA(HANDLE hFile,LPSECURITY_ATTRIBUTES lpFileMappingAttributes,DWORD flProtect,DWORD dwMaximumSizeHigh,DWORD dwMaximumSizeLow,LPCSTR lpName)
.idata:00501044 � � � � � � � � extrn CreateFileMappingA:dword; DATA XREF: sub_504EEA+50r
.idata:00501048; HMODULE __stdcall LoadLibraryA(LPCSTR lpLibFileName)
.idata:00501048 � � � � � � � � extrn LoadLibraryA:dword; DATA XREF: sub_503620+48r
.idata:00501048 � � � � � � � � � � � � � � � � � � � �; sub_503E35+17r ...
.idata:0050104C; BOOL __stdcall CreateProcessA(LPCSTR lpApplicationName,LPSTR lpCommandLine,LPSECURITY_ATTRIBUTES lpProcessAttributes,LPSECURITY_ATTRIBUTES lpThreadAttributes,BOOL bInheritHandles,DWORD dwCreationFlags,LPVOID lpEnvironment,LPCSTR lpCurrentDirectory,LPSTARTUPINFOA lpStartupInfo,LPPROCESS_INFORMATION lpProcessInformation)
.idata:0050104C � � � � � � � � extrn CreateProcessA:dword; DATA XREF: sub_5075E5+140r
.idata:00501050; HGLOBAL __stdcall GlobalAlloc(UINT uFlags,DWORD dwBytes)
.idata:00501050 � � � � � � � � extrn GlobalAlloc:dword; DATA XREF: sub_506966+E4r
.idata:00501054; DWORD GetLastError(void)
.idata:00501054 � � � � � � � � extrn GetLastError:dword; DATA XREF: sub_502D8E+AEr
.idata:00501058; HANDLE __stdcall CreateMutexA(LPSECURITY_ATTRIBUTES lpMutexAttributes,BOOL bInitialOwner,LPCSTR lpName)
.idata:00501058 � � � � � � � � extrn CreateMutexA:dword; DATA XREF: sub_502D8E+A8r
.idata:0050105C; LPSTR __stdcall lstrcatA(LPSTR lpString1,LPCSTR lpString2)
.idata:0050105C � � � � � � � � extrn lstrcatA:dword �; DATA XREF: sub_502D8E+30r
.idata:0050105C � � � � � � � � � � � � � � � � � � � �; sub_502D8E+42r ...
.idata:00501060; DWORD __stdcall GetFileAttributesA(LPCSTR lpFileName)
.idata:00501060 � � � � � � � � extrn GetFileAttributesA:dword; DATA XREF: sub_502E50+135r
.idata:00501064; BOOL __stdcall CopyFileA(LPCSTR lpExistingFileName,LPCSTR lpNewFileName,BOOL bFailIfExists)
.idata:00501064 � � � � � � � � extrn CopyFileA:dword �; DATA XREF: sub_502E50+124r
.idata:00501064 � � � � � � � � � � � � � � � � � � � �; sub_505F2A+4Br ...
.idata:00501068; BOOL __stdcall DeleteFileA(LPCSTR lpFileName)
.idata:00501068 � � � � � � � � extrn DeleteFileA:dword; DATA XREF: sub_502E50+10Fr
.idata:00501068 � � � � � � � � � � � � � � � � � � � �; sub_505F2A+6Ar ...
.idata:0050106C; BOOL __stdcall CloseHandle(HANDLE hObject)
.idata:0050106C � � � � � � � � extrn CloseHandle:dword; DATA XREF: sub_502E50+102r
.idata:0050106C � � � � � � � � � � � � � � � � � � � �; .text:00504BBBr ...
.idata:00501070; HANDLE __stdcall CreateFileA(LPCSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile)
.idata:00501070 � � � � � � � � extrn CreateFileA:dword; DATA XREF: sub_502E50+F2r
.idata:00501070 � � � � � � � � � � � � � � � � � � � �; sub_504E00+3Fr ...
.idata:00501074; BOOL __stdcall SetFileAttributesA(LPCSTR lpFileName,DWORD dwFileAttributes)
.idata:00501074 � � � � � � � � extrn SetFileAttributesA:dword; DATA XREF: sub_502E50+D5r
.idata:00501078; int __stdcall lstrlenA(LPCSTR lpString)
.idata:00501078 � � � � � � � � extrn lstrlenA:dword �; DATA XREF: sub_502E50+9Er
.idata:00501078 � � � � � � � � � � � � � � � � � � � �; sub_502FB0+119r ...
.idata:0050107C; DWORD __stdcall GetTempPathA(DWORD nBufferLength,LPSTR lpBuffer)
.idata:0050107C � � � � � � � � extrn GetTempPathA:dword; DATA XREF: sub_502E50+85r
.idata:0050107C � � � � � � � � � � � � � � � � � � � �; sub_505F2A+17r ...
.idata:00501080; UINT __stdcall GetWindowsDirectoryA(LPSTR lpBuffer,UINT uSize)
.idata:00501080 � � � � � � � � extrn GetWindowsDirectoryA:dword; DATA XREF: sub_502E50+77r
.idata:00501080 � � � � � � � � � � � � � � � � � � � �; sub_505449+D8r ...
.idata:00501084; LPSTR __stdcall lstrcpyA(LPSTR lpString1,LPCSTR lpString2)
.idata:00501084 � � � � � � � � extrn lstrcpyA:dword �; DATA XREF: sub_502E50+47r
.idata:00501084 � � � � � � � � � � � � � � � � � � � �; sub_502E50+5Br ...
.idata:00501088; DWORD __stdcall GetModuleFileNameA(HMODULE hModule,LPSTR lpFilename,DWORD nSize)
.idata:00501088 � � � � � � � � extrn GetModuleFileNameA:dword; DATA XREF: sub_502E50+3Er
.idata:00501088 � � � � � � � � � � � � � � � � � � � �; sub_505FAF+53r ...
.idata:0050108C; void __stdcall ExitThread(DWORD dwExitCode)
.idata:0050108C � � � � � � � � extrn ExitThread:dword; DATA XREF: StartAddress+39r
.idata:0050108C � � � � � � � � � � � � � � � � � � � �; .text:005047B0r ...
.idata:00501090; FARPROC __stdcall GetProcAddress(HMODULE hModule,LPCSTR lpProcName)
.idata:00501090 � � � � � � � � extrn GetProcAddress:dword; DATA XREF: sub_50315C+76r
.idata:00501090 � � � � � � � � � � � � � � � � � � � �; sub_503620+58r ...
.idata:00501094; HMODULE __stdcall GetModuleHandleA(LPCSTR lpModuleName)
.idata:00501094 � � � � � � � � extrn GetModuleHandleA:dword; DATA XREF: sub_50315C+67r
.idata:00501094 � � � � � � � � � � � � � � � � � � � �; sub_503620+3Ar ...
.idata:00501098; void __stdcall Sleep(DWORD dwMilliseconds)
.idata:00501098 � � � � � � � � extrn Sleep:dword � � �; DATA XREF: sub_5031E4+40r
.idata:00501098 � � � � � � � � � � � � � � � � � � � �; sub_5031E4+6Fr ...
.idata:0050109C; HANDLE __stdcall CreateThread(LPSECURITY_ATTRIBUTES lpThreadAttributes,DWORD dwStackSize,LPTHREAD_START_ROUTINE lpStartAddress,LPVOID lpParameter,DWORD dwCreationFlags,LPDWORD lpThreadId)
.idata:0050109C � � � � � � � � extrn CreateThread:dword; DATA XREF: sub_5031E4+3Ar
.idata:0050109C � � � � � � � � � � � � � � � � � � � �; sub_5031E4+55r ...
.idata:005010A0; void __stdcall ExitProcess(UINT uExitCode)
.idata:005010A0 � � � � � � � � extrn ExitProcess:dword; DATA XREF: start+44r
.idata:005010A4; DWORD __stdcall GetTimeZoneInformation(LPTIME_ZONE_INFORMATION lpTimeZoneInformation)
.idata:005010A4 � � � � � � � � extrn GetTimeZoneInformation:dword
.idata:005010A4 � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_5032CB+40r
.idata:005010A8; BOOL __stdcall FileTimeToSystemTime(const FILETIME *lpFileTime,LPSYSTEMTIME lpSystemTime)
.idata:005010A8 � � � � � � � � extrn FileTimeToSystemTime:dword; DATA XREF: sub_5032CB+32r
.idata:005010AC; BOOL __stdcall FileTimeToLocalFileTime(const FILETIME *lpFileTime,LPFILETIME lpLocalFileTime)
.idata:005010AC � � � � � � � � extrn FileTimeToLocalFileTime:dword
.idata:005010AC � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_5032CB+24r
.idata:005010B0; void __stdcall GetLocalTime(LPSYSTEMTIME lpSystemTime)
.idata:005010B0 � � � � � � � � extrn GetLocalTime:dword; DATA XREF: sub_5032CB+15r
.idata:005010B4; DWORD GetTickCount(void)
.idata:005010B4 � � � � � � � � extrn GetTickCount:dword; DATA XREF: sub_5033A8r
.idata:005010B4 � � � � � � � � � � � � � � � � � � � �; sub_503819+26r ...
.idata:005010B8; int __stdcall WideCharToMultiByte(UINT CodePage,DWORD dwFlags,LPCWSTR lpWideCharStr,int cchWideChar,LPSTR lpMultiByteStr,int cchMultiByte,LPCSTR lpDefaultChar,LPBOOL lpUsedDefaultChar)
.idata:005010B8 � � � � � � � � extrn WideCharToMultiByte:dword; DATA XREF: sub_5034B8+BAr
.idata:005010BC; LONG __stdcall InterlockedIncrement(LPLONG lpAddend)
.idata:005010BC � � � � � � � � extrn InterlockedIncrement:dword
.idata:005010BC � � � � � � � � � � � � � � � � � � � �; DATA XREF: .text:00504A3Fr
.idata:005010C0; BOOL __stdcall ReadFile(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped)
.idata:005010C0 � � � � � � � � extrn ReadFile:dword �; DATA XREF: sub_503697+1Dr
.idata:005010C0 � � � � � � � � � � � � � � � � � � � �; sub_503697+31r ...
.idata:005010C4; DWORD __stdcall SetFilePointer(HANDLE hFile,LONG lDistanceToMove,PLONG lpDistanceToMoveHigh,DWORD dwMoveMethod)
.idata:005010C4 � � � � � � � � extrn SetFilePointer:dword; DATA XREF: sub_503697+Br
.idata:005010C4 � � � � � � � � � � � � � � � � � � � �; sub_503697+18r ...
.idata:005010C8; BOOL __stdcall HeapFree(HANDLE hHeap,DWORD dwFlags,LPVOID lpMem)
.idata:005010C8 � � � � � � � � extrn HeapFree:dword �; DATA XREF: sub_503A16+11r
.idata:005010C8 � � � � � � � � � � � � � � � � � � � �; sub_503B7C+1EFr ...
.idata:005010CC; HANDLE GetProcessHeap(void)
.idata:005010CC � � � � � � � � extrn GetProcessHeap:dword; DATA XREF: sub_503A16+Ar
.idata:005010CC � � � � � � � � � � � � � � � � � � � �; sub_503A35+E6r ...
.idata:005010D0; LPVOID __stdcall HeapAlloc(HANDLE hHeap,DWORD dwFlags,DWORD dwBytes)
.idata:005010D0 � � � � � � � � extrn HeapAlloc:dword �; DATA XREF: sub_503A35+EDr
.idata:005010D0 � � � � � � � � � � � � � � � � � � � �; sub_503B7C+24r ...
.idata:005010D4; LPSTR __stdcall lstrcpynA(LPSTR lpString1,LPCSTR lpString2,int iMaxLength)
.idata:005010D4 � � � � � � � � extrn lstrcpynA:dword �; DATA XREF: sub_503E35+98r
.idata:005010D4 � � � � � � � � � � � � � � � � � � � �; sub_5047B7+6Dr ...
.idata:005010D8; int __stdcall lstrcmpA(LPCSTR lpString1,LPCSTR lpString2)
.idata:005010D8 � � � � � � � � extrn lstrcmpA:dword �; DATA XREF: sub_50450E+5Cr
.idata:005010DC; int __stdcall lstrcmpiA(LPCSTR lpString1,LPCSTR lpString2)
.idata:005010DC � � � � � � � � extrn lstrcmpiA:dword �; DATA XREF: sub_50463F+4Ar
.idata:005010DC � � � � � � � � � � � � � � � � � � � �; sub_504874+11r ...
.idata:005010E0; BOOL __stdcall SetThreadPriority(HANDLE hThread,int nPriority)
.idata:005010E0 � � � � � � � � extrn SetThreadPriority:dword; DATA XREF: .text:00504789r
.idata:005010E0 � � � � � � � � � � � � � � � � � � � �; .text:00504A4Er ...
.idata:005010E4; HANDLE GetCurrentThread(void)
.idata:005010E4 � � � � � � � � extrn GetCurrentThread:dword; DATA XREF: .text:00504782r
.idata:005010E4 � � � � � � � � � � � � � � � � � � � �; .text:00504A47r ...
.idata:005010E8; HGLOBAL __stdcall GlobalFree(HGLOBAL hMem)
.idata:005010E8 � � � � � � � � extrn GlobalFree:dword; DATA XREF: sub_5049C5+5Dr
.idata:005010E8 � � � � � � � � � � � � � � � � � � � �; sub_506966+12Cr
.idata:005010EC; LONG __stdcall InterlockedDecrement(LPLONG lpAddend)
.idata:005010EC � � � � � � � � extrn InterlockedDecrement:dword
.idata:005010EC � � � � � � � � � � � � � � � � � � � �; DATA XREF: .text:00504A75r
.idata:005010F0; UINT __stdcall GetTempFileNameA(LPCSTR lpPathName,LPCSTR lpPrefixString,UINT uUnique,LPSTR lpTempFileName)
.idata:005010F0 � � � � � � � � extrn GetTempFileNameA:dword; DATA XREF: sub_505F2A+32r
.idata:005010F0 � � � � � � � � � � � � � � � � � � � �; sub_505FAF+9Dr ...
.idata:005010F4 
.idata:005010F8; 
.idata:005010F8; Imports from MSVCRT
.idata:005010F8; 
.idata:005010F8; void *__cdecl _imp_memset(void *,int,size_t)
.idata:005010F8 � � � � � � � � extrn __imp_memset:dword; DATA XREF: memsetr
.idata:005010FC; int __cdecl tolower(int)
.idata:005010FC � � � � � � � � extrn tolower:dword � �; DATA XREF: sub_50343E+Dr
.idata:005010FC � � � � � � � � � � � � � � � � � � � �; sub_50343E+23r ...
.idata:00501100; void *__cdecl _imp_memcpy(void *,const void *,size_t)
.idata:00501100 � � � � � � � � extrn __imp_memcpy:dword; DATA XREF: memcpyr
.idata:00501104; int __cdecl isdigit(int)
.idata:00501104 � � � � � � � � extrn isdigit:dword � �; DATA XREF: sub_5034B8+3Ar
.idata:00501108; char *__cdecl strchr(const char *,int)
.idata:00501108 � � � � � � � � extrn strchr:dword � �; DATA XREF: sub_50402F+6Cr
.idata:00501108 � � � � � � � � � � � � � � � � � � � �; sub_50402F+105r ...
.idata:0050110C; int __cdecl isalnum(int)
.idata:0050110C � � � � � � � � extrn isalnum:dword � �; DATA XREF: sub_50402F+3Br
.idata:0050110C � � � � � � � � � � � � � � � � � � � �; sub_50402F+90r ...
.idata:00501110; int __cdecl isspace(int)
.idata:00501110 � � � � � � � � extrn isspace:dword � �; DATA XREF: sub_50402F+2Br
.idata:00501110 � � � � � � � � � � � � � � � � � � � �; sub_50402F+F0r ...
.idata:00501114; void *__cdecl malloc(size_t)
.idata:00501114 � � � � � � � � extrn malloc:dword � �; DATA XREF: sub_50568C+Er
.idata:00501118; char *__cdecl strstr(const char *,const char *)
.idata:00501118 � � � � � � � � extrn strstr:dword � �; DATA XREF: sub_505BF9+Er
.idata:0050111C 
.idata:00501120; 
.idata:00501120; Imports from USER32
.idata:00501120; 
.idata:00501120; DWORD __stdcall CharUpperBuffA(LPSTR lpsz,DWORD cchLength)
.idata:00501120 � � � � � � � � extrn CharUpperBuffA:dword; DATA XREF: sub_505BF9+1B6r
.idata:00501120 � � � � � � � � � � � � � � � � � � � �; sub_505DC7+FFr
.idata:00501124; LPSTR __stdcall CharUpperA(LPSTR lpsz)
.idata:00501124 � � � � � � � � extrn CharUpperA:dword; DATA XREF: sub_505BF9+1C4r
.idata:00501124 � � � � � � � � � � � � � � � � � � � �; sub_505DC7+113r
.idata:00501128; LPSTR __stdcall CharLowerA(LPSTR lpsz)
.idata:00501128 � � � � � � � � extrn CharLowerA:dword; DATA XREF: sub_505131+52r
.idata:00501128 � � � � � � � � � � � � � � � � � � � �; sub_506B89+EBr
.idata:0050112C; int __stdcall wvsprintfA(LPSTR,LPCSTR,va_list arglist)
.idata:0050112C � � � � � � � � extrn wvsprintfA:dword; DATA XREF: sub_506D65+21r
.idata:00501130; int wsprintfA(LPSTR,LPCSTR,...)
.idata:00501130 � � � � � � � � extrn wsprintfA:dword �; DATA XREF: sub_5032CB+CEr
.idata:00501130 � � � � � � � � � � � � � � � � � � � �; sub_505BF9+192r ...
.idata:00501134; HWND __stdcall FindWindowA(LPCSTR lpClassName,LPCSTR lpWindowName)
.idata:00501134 � � � � � � � � extrn FindWindowA:dword; DATA XREF: StartAddress+1r
.idata:00501134 � � � � � � � � � � � � � � � � � � � �; StartAddress+Er ...
.idata:00501138; BOOL __stdcall PostMessageA(HWND hWnd,UINT Msg,WPARAM wParam,LPARAM lParam)
.idata:00501138 � � � � � � � � extrn PostMessageA:dword; DATA XREF: sub_5030F0+Dr
.idata:00501138 � � � � � � � � � � � � � � � � � � � �; sub_5030F0+18r ...
.idata:0050113C 
.idata:00501140; 
.idata:00501140; Imports from WS2_32
.idata:00501140; 
.idata:00501140; int __stdcall connect(SOCKET s,const struct sockaddr *name,int namelen)
.idata:00501140 � � � � � � � � extrn connect:dword � �; DATA XREF: sub_506E01+BEr
.idata:00501144; int __stdcall send(SOCKET s,const char *buf,int len,int flags)
.idata:00501144 � � � � � � � � extrn send:dword � � �; DATA XREF: sub_506D65+3Fr
.idata:00501144 � � � � � � � � � � � � � � � � � � � �; sub_506E01+1D8r ...
.idata:00501148; unsigned __int32 __stdcall inet_addr(const char *cp)
.idata:00501148 � � � � � � � � extrn inet_addr:dword �; DATA XREF: .text:00503F93r
.idata:00501148 � � � � � � � � � � � � � � � � � � � �; sub_506B54+2r
.idata:0050114C; struct hostent *__stdcall gethostbyname(const char *name)
.idata:0050114C � � � � � � � � extrn gethostbyname:dword; DATA XREF: .text:00503FA6r
.idata:0050114C � � � � � � � � � � � � � � � � � � � �; sub_506B54+19r
.idata:00501150; SOCKET __stdcall socket(int af,int type,int protocol)
.idata:00501150 � � � � � � � � extrn socket:dword � �; DATA XREF: sub_503B7C+3Er
.idata:00501150 � � � � � � � � � � � � � � � � � � � �; sub_506E01+9Fr
.idata:00501154; int __stdcall select(int nfds,fd_set *readfds,fd_set *writefds,fd_set *exceptfds,const struct timeval *timeout)
.idata:00501154 � � � � � � � � extrn select:dword � �; DATA XREF: sub_503B7C+C3r
.idata:00501154 � � � � � � � � � � � � � � � � � � � �; sub_506AB8+5Ar
.idata:00501158; int __stdcall recv(SOCKET s,char *buf,int len,int flags)
.idata:00501158 � � � � � � � � extrn recv:dword � � �; DATA XREF: sub_503B7C+E5r
.idata:00501158 � � � � � � � � � � � � � � � � � � � �; sub_506AB8+69r
.idata:0050115C; int __stdcall closesocket(SOCKET s)
.idata:0050115C � � � � � � � � extrn closesocket:dword; DATA XREF: sub_503B7C+25Fr
.idata:0050115C � � � � � � � � � � � � � � � � � � � �; sub_506E01+285r
.idata:00501160; u_short __stdcall ntohs(u_short netshort)
.idata:00501160 � � � � � � � � extrn ntohs:dword � � �; DATA XREF: sub_50392A+10r
.idata:00501160 � � � � � � � � � � � � � � � � � � � �; sub_50392A+17r ...
.idata:00501164; u_short __stdcall htons(u_short hostshort)
.idata:00501164 � � � � � � � � extrn htons:dword � � �; DATA XREF: sub_503819+40r
.idata:00501164 � � � � � � � � � � � � � � � � � � � �; sub_503819+BEr ...
.idata:00501168; int __stdcall sendto(SOCKET s,const char *buf,int len,int flags,const struct sockaddr *to,int tolen)
.idata:00501168 � � � � � � � � extrn sendto:dword � �; DATA XREF: sub_503819+FDr
.idata:0050116C; int __stdcall WSAStartup(WORD wVersionRequested,LPWSADATA lpWSAData)
.idata:0050116C � � � � � � � � extrn WSAStartup:dword; DATA XREF: start+15r
.idata:00501170; int __stdcall gethostname(char *name,int namelen)
.idata:00501170 � � � � � � � � extrn gethostname:dword; DATA XREF: sub_502D8E+2Ar
.idata:00501174 
.idata:00501174 
.text:00501178; ---------------------------------------------------------------------------
.text:00501178 
.text:00501178; Segment type: Pure code
.text:00501178; Segment permissions: Read/Execute
.text:00501178 _text � � � � � segment para public 'CODE' use32
.text:00501178 � � � � � � � � assume cs:_text
.text:00501178 � � � � � � � �;org 501178h
.text:00501178 � � � � � � � � assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
.text:00501178; const CHAR ModuleName
.text:00501178 ModuleName � � �db 'k' � � � � � � � �; DATA XREF: sub_50315C+Ao
.text:00501179 � � � � � � � � dd 656E7265h, 2E32336Ch, 6C6C64h
.text:00501185 � � � � � � � � align 4
.text:00501188 aRoot � � � � � db 'root',0 � � � � � �; DATA XREF: sub_502D8E+3Co
.text:0050118D � � � � � � � � align 4
.text:00501190; const CHAR String2
.text:00501190 String2: � � � � � � � � � � � � � � �; DATA XREF: sub_502E50+B7o
.text:00501190 � � � � � � � � � � � � � � � � � � � �; sub_5052AD+69o ...
.text:00501190 � � � � � � � � unicode 0, <\>,0
.text:00501194 aIeframe � � � �db 'IEFrame',0 � � � �; DATA XREF: StartAddress+29o
.text:0050119C aAth_note � � � db 'ATH_Note',0 � � � �; DATA XREF: StartAddress+19o
.text:005011A5 � � � � � � � � align 4
.text:005011A8 aRctrl_renwnd32 db 'rctrl_renwnd32',0 �; DATA XREF: StartAddress+9o
.text:005011B7 � � � � � � � � align 4
.text:005011B8 byte_5011B8 � � db 7Ch � � � � � � � �; DATA XREF: sub_50377D+51r
.text:005011B9 � � � � � � � � dd 0CFEE5F79h, 67DEDDB9h, 8015843Bh, 1E00D4h, 9FB2095Ch
.text:005011B9 � � � � � � � � dd 8D0015FBh, 0F781806h, 34040h, 41F42B1Dh, 0FCCD4F81h
.text:005011B9 � � � � � � � � dd 6B25D7FFh, 40010008h, 1538F3Ch, 400000h, 0A7FDF141h
.text:005011B9 � � � � � � � � dd 9ABDBB33h, 57041441h, 6004085h, 40h, 18001000h, 1084004h
.text:0050120D � � � � � � � � align 4
.text:00501210 dword_501210 � �dd 0A2Dh, 2879h, 2CA4h, 2DC8Ah, 0EBEh, 1B2Fh, 6BFh, 438A7h
.text:00501210 � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_50377D+82o
.text:00501210 � � � � � � � � dd 2F85h, 11305h, 5D15h, 0BCE5F8Eh
.text:00501240 dword_501240 � �dd 636544h, 766F4Eh, 74634Fh, 706553h, 677541h, 6C754Ah
.text:00501240 � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_50377D+8Eo
.text:00501240 � � � � � � � � � � � � � � � � � � � �; .data:00509048o ...
.text:00501240 � � � � � � � � dd 6E754Ah, 79614Dh, 727041h, 72614Dh, 626546h, 6E614Ah
.text:00501240 � � � � � � � � dd 746153h, 697246h, 756854h, 646557h, 657554h, 6E6F4Dh
.text:00501240 � � � � � � � � dd 6E7553h
.text:0050128C aSUSU_2u_2u_2uC db '%s, %u %s %u %.2u:%.2u:%.2u %c%.2u%.2u',0
.text:0050128C � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_5032CB+C6o
.text:005012B3 � � � � � � � � align 4
.text:005012B4 aInternetgetcon db 'InternetGetConnectedState',0; DATA XREF: sub_503620+52o
.text:005012CE � � � � � � � � align 4
.text:005012D0 aDnsapi_dll � � db 'dnsapi.dll',0 � � �; DATA XREF: sub_503E35+4o
.text:005012DB � � � � � � � � align 4
.text:005012DC aIphlpapi_dll � db 'iphlpapi.dll',0 � �; DATA XREF: .text:00503EFBo
.text:005012E9 � � � � � � � � align 4
.text:005012EC aDnsquery_a � � db 'DnsQuery_A',0 � � �; DATA XREF: sub_503E35+21o
.text:005012F7 � � � � � � � � align 4
.text:005012F8 aGetnetworkpara db 'GetNetworkParams',0; DATA XREF: .text:00503F29o
.text:00501309 � � � � � � � � align 4
.text:0050130C aMailerD � � � �db 'mailer-d',0 � � � �; DATA XREF: .data:00509160o
.text:00501315 � � � � � � � � align 4
.text:00501318 aSpam � � � � � db 'spam',0 � � � � � �; DATA XREF: .data:0050915Co
.text:0050131D � � � � � � � � align 4
.text:00501320 aAbuse � � � � �db 'abuse',0 � � � � �; DATA XREF: .data:00509158o
.text:00501326 � � � � � � � � align 4
.text:00501328 aMaster � � � � db 'master',0 � � � � �; DATA XREF: .data:00509154o
.text:0050132F � � � � � � � � align 4
.text:00501330 aSample � � � � db 'sample',0 � � � � �; DATA XREF: .data:00509150o
.text:00501337 � � � � � � � � align 4
.text:00501338 aAccoun � � � � db 'accoun',0 � � � � �; DATA XREF: .data:0050914Co
.text:0050133F � � � � � � � � align 4
.text:00501340 aPrivacycertifi db 'privacycertific',0; DATA XREF: .data:00509148o
.text:00501350 aBugs � � � � � db 'bugs',0 � � � � � �; DATA XREF: .data:00509140o
.text:00501355 � � � � � � � � align 4
.text:00501358 aListserv � � � db 'listserv',0 � � � �; DATA XREF: .data:0050913Co
.text:00501361 � � � � � � � � align 4
.text:00501364 aSubmit � � � � db 'submit',0 � � � � �; DATA XREF: .data:00509138o
.text:0050136B � � � � � � � � align 4
.text:0050136C aNtivi � � � � �db 'ntivi',0 � � � � �; DATA XREF: .data:00509134o
.text:00501372 � � � � � � � � align 4
.text:00501374 aSupport � � � �db 'support',0 � � � �; DATA XREF: .data:00509130o
.text:0050137C aAdmin � � � � �db 'admin',0
.text:00501382 � � � � � � � � align 4
.text:00501384 aPage � � � � � db 'page',0 � � � � � �; DATA XREF: .data:00509124o
.text:00501389 � � � � � � � � align 4
.text:0050138C aThe_bat � � � �db 'the.bat',0 � � � �; DATA XREF: .data:00509120o
.text:00501394 aGoldCerts � � �db 'gold-certs',0 � � �; DATA XREF: .data:0050911Co
.text:0050139F � � � � � � � � align 4
.text:005013A0 aCa � � � � � � db 'ca',0 � � � � � � �; DATA XREF: .data:00509118o
.text:005013A3 � � � � � � � � align 4
.text:005013A4 aFeste � � � � �db 'feste',0 � � � � �; DATA XREF: .data:00509114o
.text:005013AA � � � � � � � � align 4
.text:005013AC aNot � � � � � �db 'not',0 � � � � � �; DATA XREF: .data:00509110o
.text:005013B0 aHelp � � � � � db 'help',0 � � � � � �; DATA XREF: .data:0050910Co
.text:005013B5 � � � � � � � � align 4
.text:005013B8 aFoo � � � � � �db 'foo',0 � � � � � �; DATA XREF: .data:00509108o
.text:005013BC aNo � � � � � � db 'no',0 � � � � � � �; DATA XREF: .data:00509104o
.text:005013BF � � � � � � � � align 4
.text:005013C0 aSoft � � � � � db 'soft',0 � � � � � �; DATA XREF: .data:00509100o
.text:005013C5 � � � � � � � � align 4
.text:005013C8 aSite � � � � � db 'site',0 � � � � � �; DATA XREF: .data:005090FCo
.text:005013CD � � � � � � � � align 4
.text:005013D0 aRating � � � � db 'rating',0 � � � � �; DATA XREF: .data:005090F8o
.text:005013D7 � � � � � � � � align 4
.text:005013D8 aMe � � � � � � db 'me',0 � � � � � � �; DATA XREF: .data:005090F4o
.text:005013DB � � � � � � � � align 4
.text:005013DC aYou � � � � � �db 'you',0 � � � � � �; DATA XREF: .data:005090F0o
.text:005013E0 aYour � � � � � db 'your',0 � � � � � �; DATA XREF: .data:005090ECo
.text:005013E5 � � � � � � � � align 4
.text:005013E8 aSomeone � � � �db 'someone',0 � � � �; DATA XREF: .data:005090E8o
.text:005013F0 aAnyone � � � � db 'anyone',0 � � � � �; DATA XREF: .data:005090E4o
.text:005013F7 � � � � � � � � align 4
.text:005013F8 aNothing � � � �db 'nothing',0 � � � �; DATA XREF: .data:005090E0o
.text:00501400 aNobody � � � � db 'nobody',0 � � � � �; DATA XREF: .data:005090DCo
.text:00501407 � � � � � � � � align 4
.text:00501408 aNoone � � � � �db 'noone',0 � � � � �; DATA XREF: .data:005090D8o
.text:0050140E � � � � � � � � align 4
.text:00501410 aInfo � � � � � db 'info',0 � � � � � �; DATA XREF: .data:005090D4o
.text:00501415 � � � � � � � � align 4
.text:00501418 aWinrar � � � � db 'winrar',0 � � � � �; DATA XREF: .data:005090C4o
.text:0050141F � � � � � � � � align 4
.text:00501420 aWinzip � � � � db 'winzip',0 � � � � �; DATA XREF: .data:005090C0o
.text:00501427 � � � � � � � � align 4
.text:00501428 aRarsoft � � � �db 'rarsoft',0 � � � �; DATA XREF: .data:005090BCo
.text:00501430 aSf_net � � � � db 'sf.net',0 � � � � �; DATA XREF: .data:005090B8o
.text:00501437 � � � � � � � � align 4
.text:00501438 aSourceforge � �db 'sourceforge',0 � �; DATA XREF: .data:005090B4o
.text:00501444 aRipe_ � � � � �db 'ripe.',0 � � � � �; DATA XREF: .data:005090B0o
.text:0050144A � � � � � � � � align 4
.text:0050144C aArin_ � � � � �db 'arin.',0 � � � � �; DATA XREF: .data:005090ACo
.text:00501452 � � � � � � � � align 4
.text:00501454 aGoogle � � � � db 'google',0 � � � � �; DATA XREF: .data:005090A8o
.text:0050145B � � � � � � � � align 4
.text:0050145C aGnu_ � � � � � db 'gnu.',0 � � � � � �; DATA XREF: .data:005090A4o
.text:00501461 � � � � � � � � align 4
.text:00501464 aGmail � � � � �db 'gmail',0 � � � � �; DATA XREF: .data:005090A0o
.text:0050146A � � � � � � � � align 4
.text:0050146C aSeclist � � � �db 'seclist',0 � � � �; DATA XREF: .data:0050909Co
.text:00501474 aSecur � � � � �db 'secur',0 � � � � �; DATA XREF: .data:00509098o
.text:00501474 � � � � � � � � � � � � � � � � � � � �; .data:00509144o
.text:0050147A � � � � � � � � align 4
.text:0050147C aBar_ � � � � � db 'bar.',0 � � � � � �; DATA XREF: .data:00509094o
.text:00501481 � � � � � � � � align 4
.text:00501484 aFoo_com � � � �db 'foo.com',0 � � � �; DATA XREF: .data:00509090o
.text:0050148C aTrend � � � � �db 'trend',0 � � � � �; DATA XREF: .data:0050908Co
.text:00501492 � � � � � � � � align 4
.text:00501494 aUpdate � � � � db 'update',0 � � � � �; DATA XREF: .data:00509088o
.text:0050149B � � � � � � � � align 4
.text:0050149C aUslis � � � � �db 'uslis',0 � � � � �; DATA XREF: .data:00509084o
.text:005014A2 � � � � � � � � align 4
.text:005014A4 aDomain � � � � db 'domain',0 � � � � �; DATA XREF: .data:00509080o
.text:005014AB � � � � � � � � align 4
.text:005014AC aExample � � � �db 'example',0 � � � �; DATA XREF: .data:0050907Co
.text:005014B4 aSophos � � � � db 'sophos',0 � � � � �; DATA XREF: .data:00509078o
.text:005014BB � � � � � � � � align 4
.text:005014BC aYahoo � � � � �db 'yahoo',0 � � � � �; DATA XREF: .data:00509074o
.text:005014C2 � � � � � � � � align 4
.text:005014C4 aSpersk � � � � db 'spersk',0 � � � � �; DATA XREF: .data:00509070o
.text:005014CB � � � � � � � � align 4
.text:005014CC aPanda � � � � �db 'panda',0 � � � � �; DATA XREF: .data:0050906Co
.text:005014D2 � � � � � � � � align 4
.text:005014D4 aHotmail � � � �db 'hotmail',0 � � � �; DATA XREF: .data:00509068o
.text:005014DC aMsn_ � � � � � db 'msn.',0 � � � � � �; DATA XREF: .data:00509064o
.text:005014E1 � � � � � � � � align 4
.text:005014E4 aMsdn_ � � � � �db 'msdn.',0 � � � � �; DATA XREF: .data:00509060o
.text:005014EA � � � � � � � � align 4
.text:005014EC aMicrosoft � � �db 'microsoft',0 � � �; DATA XREF: .data:0050905Co
.text:005014F6 � � � � � � � � align 4
.text:005014F8 aSarc_ � � � � �db 'sarc.',0 � � � � �; DATA XREF: .data:00509058o
.text:005014FE � � � � � � � � align 4
.text:00501500 aSyma � � � � � db 'syma',0 � � � � � �; DATA XREF: .data:00509054o
.text:00501505 � � � � � � � � align 4
.text:00501508 aAvp � � � � � �db 'avp',0
.text:0050150C; char byte_50150C
.text:0050150C byte_50150C � � db '_' � � � � � � � �; DATA XREF: sub_50402F+67o
.text:0050150C � � � � � � � � � � � � � � � � � � � �; sub_50402F+100o ...
.text:0050150D � � � � � � � � dd 2E212Dh
.text:00501511 � � � � � � � � align 4
.text:00501514 dword_501514 � �dd 2E212D5Fh, 40h � � �; DATA XREF: sub_50402F+4Ao
.text:00501514 � � � � � � � � � � � � � � � � � � � �; sub_50402F+9Fo ...
.text:0050151C dword_50151C � �dd 6D7073h � � � � � �; DATA XREF: sub_50450E+77o
.text:00501520 byte_501520 � � db 20h � � � � � � � �; DATA XREF: sub_504C29+15r
.text:00501521 � � � � � � � � db ' � � � � � � � � � � � � � � � ',0
.text:00501541 � � � � � � � � dd 0Eh dup(0), 280000h, 29h, 27h dup(0), 2200000h, 74000000h
.text:00501625 � � � � � � � � db 18h, 50h, 0
.text:00501628 dword_501628 � �dd 1, 501870h, 2, 50186Ch, 1, 501868h, 2, 501864h, 1, 501868h
.text:00501628 � � � � � � � � � � � � � � � � � � � �; DATA XREF: sub_504C29+38o
.text:00501628 � � � � � � � � dd 2, 501860h, 1, 501868h, 3, 50185Ch, 1, 501868h, 4, 501854h
.text:00501628 � � � � � � � � dd 1, 501868h, 4, 50184Ch, 1, 501868h, 4, 501844h, 1, 501868h
.text:00501628 � � � � � � � � dd 4, 50183Ch, 1, 501868h, 5, 501834h, 1, 501830h, 5, 501828h
.text:00501628 � � � � � � � � dd 1, 501830h, 5, 501820h, 1, 501830h, 6, 501818h, 1, 501870h
.text:00501628 � � � � � � � � dd 5, 501810h, 1, 501870h, 4 dup(0)
.text:00501710 byte_501710 � � db 0 � � � � � � � � �; DATA XREF: sub_504D0C+39r
.text:00501710 � � � � � � � � � � � � � � � � � � � �; sub_504D0C+52r ...
.text:00501711 � � � � � � � � dd 8 dup(0), 2, 2 dup(0), 1000202h, 2 dup(1010101h), 1
.text:00501711 � � � � � � � � dd 2000000h, 6 dup(1010101h), 101h, 20000h, 6 dup(1010101h)
.text:00501711 � � � � � � � � dd 101h, 20h dup(0), 26000000h, 7073626Eh, 26000000h, 7073626Eh
.text:00501711 � � � � � � � � dd 2E00003Bh, 2E746F64h, 5F000000h, 5F746F64h
.text:0050182D � � � � � � � � align 4
.text:00501830; char buf
.text:00501830 buf � � � � � � db '.' � � � � � � � �; DATA XREF: sub_505FAF+160o
.text:00501830 � � � � � � � � � � � � � � � � � � � �; sub_505FAF+1DCo ...
.text:00501831 � � � � � � � � align 4
.text:00501834 � � � � � � � � dd 746F6428h, 29h, 20746120h, 0, 5F74615Fh, 0, 29746128h
.text:00501834 � � � � � � � � dd 0, 2E74612Eh, 0, 294028h, 4040h, 4020h
.text:00501868 dword_501868 � �dd 40h, 2040h � � � � �; DATA XREF: sub_505A45+B3o
.text:00501870 dword_501870 � �dd 20h, 2020h � � � � �; DATA XREF: sub_505FAF+1C9o
.text:00501878 dword_501878 � �dd 2A2E2Ah � � � � � �; DATA XREF: sub_5052AD+7Bo
.text:0050187C aUserprofile � �db 'USERPROFILE',0 � �; DATA XREF: sub_505449+E0o
.text:00501888 asc_501888 � � �db ':\',0 � � � � � � �; DATA XREF: sub_5055B4+3Co
.text:0050188B � � � � � � � � align 8
.text:00501890 aYahoo_com � � �db 'yahoo.com',0 � � �; DATA XREF: sub_505A45+158o
.text:0050189A � � � � � � � � align 8
.text:005018A0 dword_5018A0 � �dd 2Dh � � � � � � � �; DATA XREF: sub_505BF9+CEo
.text:005018A0 � � � � � � � � � � � � � � � � � � � �; sub_505BF9+103r
.text:005018A4; LPCSTR lpString2
.text:005018A4 lpString2 � � � dd offset aMessage � �; DATA XREF: sub_505BF9+10Fr
.text:005018A4 � � � � � � � � � � � � � � � � � � � �; "message"
.text:005018A8 dword_5018A8 � �dd 1Eh � � � � � � � �; DATA XREF: sub_505BF9+F7r
.text:005018AC � � � � � � � � dd offset aDocument � �; "document"
.text:005018B0 � � � � � � � � dd 1Eh, 5025FCh, 19h, 5025F4h, 19h, 5025ECh, 14h, 5025E4h
.text:005018B0 � � � � � � � � dd 14h, 5025DCh, 14h, 5025D0h, 14h, 5025C4h, 0Ah, 5025BCh
.text:005018B0 � � � � � � � � dd 0, 5025B8h
.text:005018F8 dword_5018F8 � �dd 32h � � � � � � � �; DATA XREF: sub_505BF9+129o
.text:005018F8 � � � � � � � � � � � � � � � � � � � �; sub_505BF9+15Er
.text:005018FC dword_5018FC � �dd 5025B4h � � � � � �; DATA XREF: sub_505BF9+16Ar
.text:00501900 dword_501900 � �dd 14h � � � � � � � �; DATA XREF: sub_505BF9+152r
.text:00501904 � � � � � � � � dd offset aPif � � � �; "pif"
.text:00501908 � � � � � � � � dd 14h, 5025ACh, 0Ah, 5025A8h, 0Ah, 5025A4h, 5, 5025A0h
.text:00501908 � � � � � � � � dd 0, 5025B8h
.text:00501930 dword_501930 � �dd 50h � � � � � � � �; DATA XREF: sub_505DC7+89o
.text:00501930 � � � � � � � � � � � � � � � � � � � �; sub_505DC7+BEr
.text:00501934 dword_501934 � �dd 50257Ch � � � � � �; DATA XREF: sub_505DC7+CAr
.text:00501938 dword_501938 � �dd 50h � � � � � � � �; DATA XREF: sub_505DC7+B2r
.text:0050193C � � � � � � � � dd offset aReturnedMailSe; "Returned mail: see transcript for detai"...
.text:00501940 � � � � � � � � dd 37h, 50252Ch, 32h, 502508h, 20h, 5024E8h, 1Eh, 5025B8h
.text:00501940 � � � � � � � � dd 14h, 5024D8h, 0Ch, 5024D0h, 0Ch, 5024C8h, 0Ch, 5024C0h

#4 twistedps

Staff Sergeant

Group: Members
Posts: 271
Joined: 20-March 04

Posted 26 July 2004 - 08:54 AM

didnt paste all the strings...
one of the important things may be this string right here,
... where the key is created in registry..

.text:00502AB0 aSoftwareMicros db 'Software\Microsoft\%s %s Manager\%ss',0

file formats

.text:005025A0 aCmd            db 'cmd',0
.text:005025A4 aBat            db 'bat',0
.text:005025A8 aCom            db 'com',0             ; DATA XREF: sub_505BF9+68o
.text:005025A8                                        ; sub_505FAF+212o
.text:005025AC aExe            db 'exe',0             ; DATA XREF: sub_5075E5+A8o
.text:005025B0 aPif            db 'pif',0             ; DATA XREF: .text:00501904o
.text:005025B4 aScr            db 'scr',0

seems like its trying to search and download something...

.text:00502B24 aUrlmon_dll     db 'urlmon.dll',0      ; DATA XREF: sub_507940+15o
.text:00502B2F                 align 4
.text:00502B30 aUrldownloadtoc db 'URLDownloadToCacheFileA',0; DATA XREF: sub_507940+30o
.text:00502B48 aHttpSearch_lyc db 'http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=w'
.text:00502B48                                        ; DATA XREF: sub_507730+1FFo
.text:00502B48                 db 'eb&query=%s',0
.text:00502B90 aNbqD           db '&nbq=%d',0         ; DATA XREF: sub_507730+1EBo
.text:00502B98 aHttpWww_altavi db 'http://www.altavista.com/web/results?q=%s&kgs=0&kls=0',0
.text:00502B98                                        ; DATA XREF: sub_507730+1B7o
.text:00502BCE                 align 4
.text:00502BD0 aND             db '&n=%d',0           ; DATA XREF: sub_507730+1A8o
.text:00502BD6                 align 4
.text:00502BD8 aHttpSearch_yah db 'http://search.yahoo.com/search?p=%s&ei=UTF-8&fr=fp-tab-web-t'
.text:00502BD8                                        ; DATA XREF: sub_507730+177o
.text:00502BD8                 db '&cop=mss&tab=',0
.text:00502C22                 align 4
.text:00502C24 aNumD           db '&num=%d',0         ; DATA XREF: sub_507730+165o
.text:00502C2C aHttpWww_google db 'http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=%s',0
.text:00502C2C                                        ; DATA XREF: sub_507730+11Do

#5 twistedps

Staff Sergeant

Group: Members
Posts: 271
Joined: 20-March 04

Posted 26 July 2004 - 09:04 AM

ok soo ..

.. starts
.text:00503295                 call    ds:WSAStartup  // establish internet stuff
.text:0050329B                 call    sub_5033A8 // calls GetTickCount() for time/date
.text:005032A0                 push    108h
.text:005032A5                 lea     eax, [ebp+var_108]
i'm thinking GetTickCount() is used in the %s %s param's

#6 MHSICKNESS

Private First Class

Group: Members
Posts: 33
Joined: 15-October 03

Posted 26 July 2004 - 02:29 PM

some good research there...
Actually its not trying to download something.. (or yes.. it is..) but its doing a query at the popular search engines for email adresses which it can sent itself too..

#7 mortello

Master Sergeant

Group: Members
Posts: 408
Joined: 25-August 03

Posted 26 July 2004 - 05:13 PM

Well, from what I can see, that's why there was big problems with google and other search engines today

good research there....

one question tho since I'm a bit confused with all that stuff, does it open a port or anything, or is it harmless on that side of the virus

#8 Venom

Private First Class

Group: Members
Posts: 33
Joined: 23-August 03

Posted 26 July 2004 - 07:08 PM

MyDoom arrives in e-mail messages as an attachment. When opened by a computer user it creates files that allow it to mail itself to other computer users. It usually appears to the recipient to be a message from a network administrator or trusted contact reporting an e-mail problem like a failed delivery.

MyDoom also leaves an open electronic portal into infected computers. That allows its authors, or any other hackers trolling for unsecured computers, to send other files to the computer, search it for data or use it to broadcast spam.

Google and three other search engines - AltaVista, Lycos and Yahoo - were disrupted by a novel twist in MyDoomM, as the latest version of the worm is called. Instead of mailing itself to every address it finds in the address book of an infected computer, MyDoomM first sends queries to the search engines, looking for evidence of which addresses are active.

The flood of queries was probably intended to make the worm more efficient and help it avoid mailing itself to boxes set up specifically to trap unwanted e-mail, said Jose Nazario, a worm expert at Arbor Networks, a network security company based in Lexington, Mass.

Some security experts say that many of the messages that users received, saying that they could not be connected to Google's servers, may have been generated by their own networks' defense systems once the worm was detected rather than by actual overloads at Google.

Got it from NyTimes.com

#9 MaNiAx

Private First Class

Group: Members
Posts: 45
Joined: 06-July 03

Posted 26 July 2004 - 07:52 PM

well done research i might add .. explains everything, thankfully noone at the company has gotten anything, Kav picks it up with todays updates ( July 26, 2004) and it seems that all computers at the workplace. Although some where infected, and they were only win2k sp2 machines don't know if that has anythign to do with it but im guessing it had to do with the fact of Kav not being updated correctly at 12:00 Noon like all the others but thanks for the info u provided I was able to delete the registry entry and had them re-scanned, the company is safe once again thanks for the research once again twistedps.

-MaNiAx

#10 AdmiralB

Sergeant First Class

Group: Members
Posts: 312
Joined: 24-December 03

Posted 26 July 2004 - 11:18 PM

yea i got this but i opened the file
lol got infected
thanks for the information....removing it now

#11 THoRaX

Private First Class

Group: Members
Posts: 141
Joined: 16-January 04

Posted 27 July 2004 - 02:45 AM

i can't seem to extract the rar :huh:

#12 h3llraz0r

Private First Class

Group: Members
Posts: 144
Joined: 31-August 03

Posted 27 July 2004 - 05:47 AM

this version of my doom should also open a port on tcp 1034, don't know if the port needs authentication or if you just have to telnet to it

#13 nuorder

Master Sergeant

Group: Members
Posts: 574
Joined: 01-April 04

Posted 27 July 2004 - 06:29 AM

i cant seem to extract this zip file winzip or winrar
can you try re-uploading it?
thankyou

#14 andydis

Master Sergeant

Group: Specialist
Posts: 622
Joined: 21-August 03

Posted 27 July 2004 - 06:55 AM

nice work twistedps , i have been busy so not had a lot of chance to look at this,
yea the zip somehow seems to be corrupt, maybe invisions board AV scanner picked it up?

here it is again,
password: virus
encrypted with winzip level 2

********************************8
* AGAIN PLEASE NOTE THIS IS AN ACTIVE VIRUS YOU ARE ABOUT TO DOWNLOAD
**************************************************************

Attached File(s)

virus5.zip (25.52K)
Number of downloads: 204

#15 nuorder

Master Sergeant

Group: Members
Posts: 574
Joined: 01-April 04

Posted 27 July 2004 - 07:14 AM

thanks andydis and twistedps im gonna have some fun with ollydbg and ethereal
lol not very subtle in the ways it goes about harvesting the accounts, lots of hard drive usage and 70% CPU usage

(3 Pages)
1
2
3
→

You cannot start a new topic
You cannot reply to this topic

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Our Sponsors:

Forums: New Mydoom Virus - Forums

New Mydoom Virus

#1 andydis

Attached File(s)

#2 twistedps

#3 twistedps

#4 twistedps

#5 twistedps

#6 MHSICKNESS

#7 mortello

#8 Venom

#9 MaNiAx

#10 AdmiralB

#11 THoRaX

#12 h3llraz0r

#13 nuorder

#14 andydis

Attached File(s)

#15 nuorder

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users

Our Sponsors:

Skin and Language

Execution Stats

Forums: New Mydoom Virus - Forums

New Mydoom Virus

Attached File(s)

Attached File(s)

1 User(s) are reading this topic 0 members, 1 guests, 0 anonymous users

Our Sponsors:

Skin and Language

Execution Stats

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users