Reverse Engineering a Purported Microsoft Security Patch

By Charles Hornat

May 19, 2003

Overview

In this paper we will examine and dissect a malicious package that was sent to us as an email attachment.  The email appeared to come from Microsoft and claimed that the attachment would fix all known vulnerabilities on our system.  We will review the delivery method, analyze the executable, and study the impact it had on a system once it was installed.

 

Table of Contents

Reverse Engineering a Purported Microsoft Security Patch
Overview
Table of Contents
The Tools
  Tripwire
  Ethereal
  Windows XP
  GNU Strings
The Delivery
  Notes on Delivery
The Analysis
  Post Installation/Pre-Boot
  Post Installation/Post-Boot
Final Analysis
Additional Resources
Appendix A
  Strings of Malware
Appendix B
  Tripwire Report After Malware Installation
Appendix C
  Tripwire Report After Malware Install and Reboot

 


The Tools

Tripwire

Tripwire is a tool written by Gene Kim, a personal friend of mine, and Eugene Spafford.  Tripwire can be found at www.tripwire.com.  The tool takes a snapshot of specific files and directories and monitors them for changes, whether authorized or not.  The snapshot is a collection of hashes (e.g. MD5 or SHA) of the files and directories you choose, and it is stored in a secure database.  Tripwire then scans the files and/or directories you define, on a manual or automated schedule, and alerts you when a file has been added, changed or deleted.  In addition to files and directories, it can also monitor Windows registry keys, file access times, file flags and similar attributes.
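
As an added illustration (not part of the original paper and not Tripwire's own code), the following Python script does the same job in miniature: it hashes every file under a root, keeps that as a baseline, and on a rescan reports what was added, changed or removed.  The sample directory tree and the simulated post-install changes are constructed inside the script; the dropped file names are borrowed from the findings later in this paper, while notepad.exe and old.dll are placeholders.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not Tripwire's own code: a minimal integrity checker in the
# spirit described above. It hashes every file under a root, keeps that as a
# baseline, and on a rescan reports what was added, changed or removed.
# The sample tree and the post-install changes below are constructed here.


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.new(algo)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map each file (path relative to root, forward slashes) to digest, size and mtime."""
    root_path = Path(root)
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            st = p.stat()
            snap[p.relative_to(root_path).as_posix()] = {
                "hash": hash_file(p),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            }
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity report does: added, modified, removed."""
    before, after = set(baseline), set(current)
    return {
        "added": sorted(after - before),
        "modified": sorted(p for p in before & after if baseline[p]["hash"] != current[p]["hash"]),
        "removed": sorted(before - after),
    }


def demo() -> dict:
    """Baseline a constructed tree, apply simulated dropper changes, rescan and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        windows = Path(tmp) / "WINDOWS"
        system32 = windows / "System32"
        system32.mkdir(parents=True)
        (windows / "notepad.exe").write_bytes(b"MZ original program")      # placeholder content
        (system32 / "services.msc").write_bytes(b"<console/>")
        (system32 / "old.dll").write_bytes(b"MZ old library")              # placeholder file

        baseline = snapshot(tmp)

        # Simulated post-install state: two files dropped, one edited, one deleted.
        (windows / "DX3DRndr.exe").write_bytes(b"MZ dropped program")
        (system32 / "MSWinsck.ocx").write_bytes(b"MZ dropped control")
        (system32 / "services.msc").write_bytes(b"<console tampered='1'/>")
        (system32 / "old.dll").unlink()

        return compare(baseline, snapshot(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind.capitalize()}:")
        for p in paths:
            print(f'  "{p}"')
```

Two points of design carry over to any tool of this kind.  Modification is decided on the content hash, not on size or timestamp, because a timestamp can be set back by whatever wrote the file while the hash cannot be preserved without preserving the content.  And the baseline is only as trustworthy as the place it is kept: the "secure database" mentioned above matters, since a baseline stored writable on the monitored host can simply be refreshed by the same code that made the changes.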

 

Ethereal

A network sniffing application, used to monitor all traffic leaving the test system during and after the installation of the malicious application.

 

Windows XP

The test system's operating system.  This analysis was performed on a default, networked Windows XP install with no service packs or hotfixes applied.  The goal was to learn from the malware and its effect on the system, not to protect against it.

 

GNU Strings

GNU Strings is an application that ships with most UNIX-like operating systems (Linux included).  It prints, to the screen or to another location of your choice, the printable character sequences that are at least 4 characters long (or meet other criteria you specify) and are followed by an unprintable character.  This is especially helpful with non-text files such as Microsoft executables.

 

The Delivery

On May 11, 2003, we received the email displayed in Figure 1.  The email is polite and colorful, which adds to its believability.  Additionally, the footer of the email carries the copyright information that many people believe lends authenticity to a message; this can be seen in Figure 2.  Finally, the header adds some more credibility for less technical readers, as shown in Figure 3.  Note the email address that appears in the short header, advisor.microsoft.com.

Figure 1: Delivery Method

Figure 2: Footer

Figure 3: Header

Notes on Delivery

When you first read the message, certain key points should set off alarms.  The first is that this patch “eliminates all known security vulnerabilities”.  This would be great if true, but unfortunately it is not: service packs attempt to bundle as many security hotfixes as possible, but they never eliminate all known security vulnerabilities.  The size of the attachment alone should also tip you off, as service packs are far larger.

Figure 4: The attachment

Additionally, if we expand the header, as seen in Figure 5, we get more clues as to the real source of this email.

Figure 5: Header

The return path is ftballguy66@cox.net, which is obviously not a Microsoft address.  We can also see that the From line gives iamlzytaw_903216@support.msdn.com: a spoofed address to which a reply, should we choose to send one, would be delivered.

 

Finally, one last point: Microsoft, and the same can be said for most vendors, will NEVER email you a patch directly.  They will alert you to the vulnerability or the purpose of the email and provide some high-level information.  They will then give you a link for additional information and direct you to their site to download the patch.
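
The checks described in this section can be made mechanical.  The following Python script is an added example, not part of the original paper: it parses a message with the standard library's email package and reports the return-path/From mismatch, a vendor name used with a non-vendor sending domain, the "all known vulnerabilities" claim, and an executable attachment.  The message it runs on is constructed here; the two addresses are the ones quoted above, while the subject line, body text, and the attachment (named after the dropped file patch952.exe, with a 9-byte placeholder payload) are assumptions for the sake of the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Added example, not from the paper: the header and content checks described
# above, run against a constructed message. The addresses reuse the ones the
# paper quotes; subject, body and attachment are constructed here (the payload
# is a 9-byte stand-in, not the real file).

SAMPLE_MESSAGE = """\
Return-Path: <ftballguy66@cox.net>
From: "Microsoft Security Advisor" <iamlzytaw_903216@support.msdn.com>
To: user@example.org
Subject: Microsoft Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

This update eliminates all known security vulnerabilities affecting
Windows. Please install the attached patch.
--b1
Content-Type: application/octet-stream; name="patch952.exe"
Content-Disposition: attachment; filename="patch952.exe"
Content-Transfer-Encoding: base64

TVpkcm9wcGVy
--b1--
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")
IMPLAUSIBLE_CLAIM = re.compile(r"all known (security )?vulnerabilit", re.I)


def domain_of(header_value) -> str:
    """Domain of the first address in a header such as '"Name" <user@host>'."""
    _name, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def is_vendor_domain(domain: str, vendor: str) -> bool:
    """True for the vendor's own domain or any subdomain of it."""
    return domain == vendor or domain.endswith("." + vendor)


def check_message(raw: str, vendor: str = "microsoft.com") -> list:
    """Return (finding, detail) pairs for the warning signs the paper points out."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From"))
    return_domain = domain_of(msg.get("Return-Path"))
    if return_domain and return_domain != from_domain:
        findings.append(("return-path mismatch",
                         f"From={from_domain} Return-Path={return_domain}"))

    # Vendor named in the display name or subject, but the sending domain is
    # not the vendor's (support.msdn.com is not a subdomain of microsoft.com).
    display_name = parseaddr(str(msg.get("From", "")))[0]
    visible = f"{display_name} {msg.get('Subject', '')}".lower()
    if vendor.split(".")[0] in visible and not is_vendor_domain(from_domain, vendor):
        findings.append(("vendor name without vendor domain", from_domain))

    body = msg.get_body(preferencelist=("plain",))
    if body is not None and IMPLAUSIBLE_CLAIM.search(body.get_content()):
        findings.append(("implausible claim", "eliminates all known vulnerabilities"))

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_SUFFIXES):
            size = len(part.get_payload(decode=True) or b"")
            findings.append(("executable attachment", f"{name} ({size} bytes)"))

    return findings


if __name__ == "__main__":
    for finding, detail in check_message(SAMPLE_MESSAGE):
        print(f"{finding}: {detail}")
```

Any one of these findings is a reason to stop and verify through the vendor's own site, exactly as the paragraph above advises; the point of the script is that none of them requires opening the attachment.  The domain test is deliberately strict about subdomains so that look-alike domains, which merely contain the vendor's name, do not pass.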

 

The Analysis

The first reverse engineering step was to run the executable through strings.  The results can be seen in Appendix A.  Examining this output shows text intended to make the package look like a legitimate, Microsoft-developed patch.  In particular, two sections go into great detail about licensing and rights.  More than likely this was simply copied in to add realism to the installation the user encounters.  The key is to look for common terms or specific keywords and run them through your favorite search engine.

 

For example, a quick search on Google.com for “KaZaA uploDropper” brought up several pages describing known worms and viruses that contain this phrase, which tips one off to proceed with caution or do further research.
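
To show what the strings step and the keyword sweep that follows it amount to, here is an added Python example (not the paper's code and not GNU strings itself).  It extracts printable runs of at least four characters from a byte blob, goes slightly beyond the default behaviour of strings by also recovering UTF-16LE text, which Windows binaries often carry, and then matches the results against a keyword list.  The input blob is constructed inside the script from names that appear in Appendix A and is not the real executable; the keyword list and its category labels are an assumption for illustration, not a vendor signature set.

```python
import re

# Added example, not the paper's code: a minimal strings(1)-style extractor
# plus a keyword sweep over what it finds. SAMPLE_BLOB is constructed here from
# names that appear in the paper's Appendix A, separated by non-printable bytes;
# it is not the real executable.

SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"VB5!\x00\x00MSUpdate\x00"
    + b"KaZaA uploDropper\x00\x01\x02"
    + b"advapi32.dll\x00RegCreateKeyExA\x00\x05RegSetValueExA\x00"
    + b"shell32.dll\x00ShellExecuteA\x00RegisterServiceProcess\x00\xff\xfe"
    + "Installing Microsoft Update".encode("utf-16le") + b"\x00\x00"
    + b"ab\x00cd\x00"                      # shorter than 4 characters: not reported
    + b"MSWINSCK.OCX\x00"
)

# Keywords a reviewer might search for after reading the output; an assumed
# list for illustration, not taken from any vendor signature set.
INDICATORS = {
    "known malware family string": ["KaZaA uploDropper", "gibe"],
    "registry write API": ["RegCreateKeyExA", "RegSetValueExA"],
    "process hiding API (Win9x)": ["RegisterServiceProcess"],
    "network capability": ["MSWINSCK.OCX", "WSOCK32.dll"],
    "program launch API": ["ShellExecuteA"],
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, encoding, text) for every printable run of min_len+ characters."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # UTF-16LE, ASCII range
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_run.finditer(data)]
    return sorted(found)


def sweep(strings: list, indicators: dict = INDICATORS) -> list:
    """Case-insensitive substring match of each string against the indicator list."""
    hits = []
    for offset, _enc, text in strings:
        lowered = text.lower()
        for category, keywords in indicators.items():
            for keyword in keywords:
                if keyword.lower() in lowered:
                    hits.append((category, keyword, offset))
    return hits


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for offset, enc, text in found:
        print(f"{offset:6d} {enc:9s} {text}")
    print("--- keyword hits ---")
    for category, keyword, offset in sweep(found):
        print(f"{offset:6d} {keyword!r}: {category}")
```

Imported function names are often the most informative strings in a sample because they describe capability rather than intent: a registry write API next to an autostart key name, or a WinSock control next to host names, says more than the license text.  One further observation the output above supports, offered here as an aside rather than as a finding of the paper: RegisterServiceProcess is a Windows 9x/Me kernel32 export that does not exist on Windows XP, so a program declaring it will fail to locate that entry point on the test platform used here.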

 

Post Installation/Pre-Boot

For this project we used Tripwire 4.0.  The report produced after the malware was executed, and prior to any reboot, can be found in Appendix B.  All changes shown were directly related to running the malware.  The Windows registry was most heavily affected.  A quick overview of the results: 59 registry class keys were added, 1 system startup key was added, 5 OS support files were added, and 1 file in the System32 folder was added.  There were no deletions or changes, only additions.

 

Added:
"C:\WINDOWS\WMSysDx.bin"
"C:\WINDOWS\DX3DRndr.exe"
"C:\WINDOWS\gibe.dll"
"C:\WINDOWS\MSBugAdv.exe"
"C:\WINDOWS\patch952.exe"
Added:
"C:\WINDOWS\System32\MSWinsck.ocx"
Modified:
"C:\WINDOWS\System32\services.msc"
Added:
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
Added:
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
Added:
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"
Added:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

 

Post Installation/Post-Boot

The next step was to reboot the Windows XP system so that the malware could execute from the ‘runas’ keys or the startup folder if it needed to.  Once the reboot completed, a rescan was performed to identify any additional changes.  To distinguish what the malware changed from the normal file changes that occur during a reboot, we first identified all of the common reboot changes.

 

Modified:
"C:\WINDOWS\0.log"
"C:\WINDOWS\bootstat.dat"
Modified:
"C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid"

 

If we remove those entries from the post-reboot results, we are left with the following (the complete report can be found in Appendix C):

Modified:
"C:\WINDOWS\System32\wpa.dbl"
Removed:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time"
Added:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated"
Removed:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated"
Added:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable"

Given the information above, it appears the PnP Manager was affected.  A quick search on Google.com turns up no results for OptimizedLogonStatus either.  The +OptimizedLogonStatus value was set to a REG_DWORD of 0x0000000b (11) and NextLogonCacheable was set to a REG_DWORD of 0x00000001 (1).

 

The entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad" was supposed to launch the executable "C:\WINDOWS\DX3DRndr.exe".  This executable was indeed launched, but for some reason did not run as designed, or did it?  Since we did not write the program, we cannot be sure what the end result should have been.  An Nmap scan of the infected system showed no new TCP ports beyond those open by default.  Additionally, Ethereal showed no unusual traffic when rebooting or when leaving the system idle for hours.  Researching key parts of this package on the Internet does turn up additional analysis, but what we found did not accurately match our findings.

 

Finally, there was no new traffic generated by the infected system.  Malware sometimes attempts to phone home for further instructions, which may include connecting to an IRC server or downloading additional components.  In this case no traffic was generated, so no capture logs are included in this analysis.  The infected system was monitored from start to finish, including reboots.

 

Final Analysis

The final analysis we could determine is that this threat had minimal impact.  Yes, it did install and alter critical system files, but the impact to the user was non-existent.  When we downloaded and installed it, we got no interaction with the malware.  It did not prompt us for any input, nor show any sign of success or failure.  When we refer back to the Strings portion of the evidence, we see a great deal of text that was probably meant to be displayed to the user but never was.

 

It is important to note that both McAfee and Norton identify this file and respond according to your settings when they encounter it.  We conclude that this is an altered version of existing malware.

Additional Resources

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html


Appendix A

Strings of Malware

 

   AutMSUpdate

    = 

VB5!

p214537

MSUpdate

MSUpdate

KaZaA uploDropper

MainForm

LicenseForm

MSUpdate

advapi32.dll

RegCreateKeyExA

hp&@

RegOpenKeyExA

RegSetValueExA

RegQueryValueExA

hL'@

RegEnumKeyExA

RegCloseKey

kernel32

GetWindowsDirectoryA

h8(@

GetSystemDirectoryA

GetTempPathA

shell32.dll

ShellExecuteA

h$)@

SHGetSpecialFolderLocation

hx)@

SHGetPathFromIDListA

Frame1

RegisterServiceProcess

h4*@

Sleep

ht*@

GetShortPathNameA

lz32.dll

LZOpenFileA

LZCopy

hT+@

LZClose

Command1

C:\Program Files\VB6\VB6.OLB

Label1

Label2

Command2

Text1

Form

Picture1

ProgressPic

VBA6.DLL

MainForm

 Installing Microsoft Update

vfff`

vfff

ffff

wwwwwp

vfffffff`

ff`wwp

vfffffff

ffffffff

xwwwwwwwwwwxp

wwwwwwwwwwwwp

Form1

Frame1

Picture1

Command1

&Cancel

ProgressPic

Label1

Extracting files ...

LicenseForm

 License

Form1

Command2

Text1

This product is protected by copyright laws and international

copyright treaties, as well as other intellectual property laws and

treaties.

ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!

Microsoft and/or its respective suppliers hereby disclaim all warranties

and conditions with regard to this information, including all warranties

and conditions of merchantability, whether express, implied or

statutory, fitness for a particular purpose, title and non-infringement.

Microsoft does not warrant that the functions for the software or code

will meet your requirements, or that the operation of the software or

code will be uninterrupted or error-free, or that defects in the software

or code can be corrected.  Furthermore, Microsoft does not warrant

or make any representations regarding the use or the results of the

use of the software, code or related documentation in terms of their

correctness, accuracy, reliability, or otherwise. No oral or written

information or advice given by Microsoft or its authorized

representatives shall create a warranty or in any way increase the

scope of this warranty.  Should the software or code prove defective

after Microsoft has delivered the same, you, and you alone,

shall assume the entire cost associated with all necessary servicing,

repair or correction. In no event shall Microsoft and/or its respective

suppliers be liable for any special, indirect or consequential damages

or any damages whatsoever resulting from loss of use, data or profits,

whether in an action of contract, negligence or other tortious action,

arising out of or in connection with the use or performance of

software, documents, provision of or failure to provide services, or

information available from the services.

COPYRIGHT NOTICE.

Copyright

 2003 Microsoft Corporation, One Microsoft Way,

Redmond, Washington U.S.A. All rights reserved.

Command1

&Yes

Label2

Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement.

Label1

Please read the following license agreement. Press the Page Down key to see the rest of the agreement.

MSVBVM60.DLL

MethCallEngine

EVENT_SINK_AddRef

DllFunctionCall

EVENT_SINK_Release

EVENT_SINK_QueryInterface

__vbaExceptHandler

ProcCallEngine

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

u]N>

1u 

vfffffff`

ff`wwp

vfffffff

ffffffff

xwwwwwwwwwwxp

wwwwwwwwwwwwp

vfff`

vfff

ffff

wwwwwp

SZDD

0.abnorm

al.com:[

wait]

2-254-10

7-9.clie

nt.attbi^

41.40

2.155.12

94.1

33.[

08.36.

.230

8.26

21.E

4.8u

acs2.byu

.edu

ldrick.b

lic.net

racka.rz

.uni-aug

sburg.de

lob.lin

uxfr.org

olo.nai

zen.l

ogivisio

ossix.winf

tik=

kielJ

head.cyb

ertrailw

concern.

wolters-

kluwer.n

rreo.u

vigo.es

ypress.a

onews.mi

ndspring

man.

torun.p

'wftph mic9

.rip

gluq

.affrc.

graf.

magdeF

ieg.uo

wdu112.

hermes1

hs-brem<

 9tsrv

)humo

chivat

i da

ta.sL

ate.{ ac.yse

.rgv&

inx3

 miK.u

;ug'

ees.ho

kudai

sD$crosof

,Knarziss

e.h;

tfh-

wildauJ

0sha.nca

neptl b

IF aQb

vcinc

].ca

iwirel( 2

]+Qribsur<

 ;]cofc

Set*M

Siys

].dma

\sup

$cxal

.gam

(Rcc3ip

mU`db

D"htwm

d.mh

d+@g

fvar>

Qinwar

"o(~

ctcanad

eycap

eqms.konk

lkrs

@M}e-

yth.

@ves?tav.mx

=D"phoOenixeA

ypam[

zill.}

ohgD@b

LE!>

enhei

g|01=

1.sin

cach?e0.fre

trl-

pxwell.s

yrj]ssvr2

0-ex

digyiKser}v

enc-1

i|@ufl

@lope-

gw.oswe

xy.d

)pd0

a) u

tcM05

00tcex

outlC

(spa7rkyH dw

unu789:

r/uhr-

targe

easy,aT

~ ca

aI s

o.hpcH

 eh-b

sc5?

ikn@@

8v*p

ti>@

peuv-f

kfurt-o

xer05

www.foocal&

SZDD

!Thi

s progra

m cannot

 be run

in DOS m

ode.

.t7ext

datam

-'-7-G-W-g-w-

='=7=G=W=g=w=

M"M2MBMRMbMrM

]"]2]B]R]b]r]

y`(y`>y`Vy`

by`t

}`l}`

}`T}`

p>9pUR9p^9pr9p

9p29p

p*up<upUJupVupfupvup

upUt

Q e(*

X_^[

"NMN

otifyWin

dowClasL`

ock Gene

ral Prop

erty Pag

MSWINS

CKWnd>

SK98.chm

icrosof

trol, ve

rsion 6.

"}Q)

FL^]

ND}X

Vg#h

GDt   WV0

5(|

D| t1

T%V'

$| xP

DdJ8

Pmp7

Q d|

F8`A#

Nx<P

C9!@;(8

~ D"

t'h]AbC

F_4t:

!#T"t

!'T"L

dqYR

bI$

L$50i

%$pt}

B@t"

er(kr

,A9AE

ODeW@n

Y_^k3

jXV\

AXVS

l)oa

9mIm

!7n`3

f`_2

}<Tj

;< %

F8pH

Pmpd

R+`j

6a[S

3`&pf

!B0m

H&pu

Notifi

cation W_indow

ETT^

V#`-

qd-h-

=T$=05Q

D-T%

m m0m@mPm`m

m0}$}P}`}p}

T]dQ|0

%L}DyC

{~'>0

p,t"

Su 

v0{M

SP;h

p(~Z

SV V

Pu0q

~Ht&

9F0u

rLAQ0

Q0x!

q(%QQ

PS=0M

}7HQ;

gnPg

YN1T

0a3g

|     ?9]

trl.ocx

CLSID\{A

DB880A6-

D8FF-11C

F-9377-0

0AA003B7

A11}\Inp

rocServe

A40~

w$Hqu

hZ0Y

X^{P

:V1p

<-L-

b7`v-b

H7`q

+PL0

U"~3z

W@}T[AU

`Ssw

e5 ;

nB)Y5

*BPYq

!BPp

Hu1Vd

L0ES

$t{,r@

K$t>,rD

0}@q

:zPl

[B\n

F4Wsh

DAb6

(     9

tP~2

ItV3

t     9x

%V5

RH5

5 o0

MSWIN

SCK.OCX

DLLGetDo

cumentat

DllC

anUnload

ssObject

Registe

rServer

"255.

"6.00.88

socP`-

FrameWor?k_Refl

"T9 a9 -

i,Rj

 =sR

 >;)>

4N0pR3

QQVW{j?

!Qcn

FL!V

=PHt

oX_^

vR{a

KHtL

u     yqsb

hGbq

=3~P

kP[_D

4QNL+}

/at~

E gQ

p0`l

E 9n

oF$;

_^]=[e

C0;C4

K$)C(

K3`mPmp

C$Wj

F0;F4u}     u

~$)~(

u     !F kp

Cr'NSP

@@FF

H-X-

B0kP

v4Vz~1P

0FF@@

`$HtaHt

|}rt

DLMHt!HtG

Ht7H

31qA

Gl@C

m"QS

@tRf

@u:z

`~B=e

a;;`

tq!a

btH=

8Mr@

3QFqj

s+?E

`OaU

0!`uW

1Fm4

SShGj

F4Ph

|Q-`

~0W.

^4S.

F8PQ

7hNp

3`7`V

/Xp;

~ wZ`

CqWkj

kh6bA<

RPs#

9puCW

?Pu1{

#*QAD

AI#NM^H

$S/+R

1mAmQkP`m

!7}k

!&Gq

D}Ts

q^t}

I0dKp#

IQPS

!{~Z

@@FF

#PPw

AWS3

u     >0

P|J@

j@YY

@YY^

fJ@%

J@Bf

N9?}

!$?f9u

Pd0-

t Hu

*|($

t7Hu

f nT

@DE2

Yu)\"@

(DcY@t3BBAj

`u#f Wj?j?

v@f P

~83f

~WHt

9~?8u

r_a?

<#H-

%fr"

uhVS

6WtE

r;uFq

j?P[

u0K9

5}Eu

Z`+A

"B]n

bA.0B

tBJEL;

;,ziR

}19I

t?9E

|Q48

CQ4<

(@IA

0{F)FD

fAMxD

fAI&xD

;ALWuP

p|vQ|

re``

a!hlz-lhH

JtPJtB

JJt3

{P3m

HpYE

p{Hr

_][}

yPPp

;E[a

Pp9V

~\Ppc

I= '

NTx

{u,b

~0_t

Y_^3

SVW3

`p_(

}     U!43

tjcr

NAZ`i

p=D2

k!> _

UQ5g!

;u(-

$?6J

`90D

+BW5

$a9LM

QpMc

MR>7e

]Q:9R

"X5iH

"`5ktIb

zD|&

" ZpI`

pp\$

|$9]8t6

SVShT

Sh|5b$>4

9R,+

k9Yh

Y7A@R

0A2u

WShh

j [9]W

Yt_V

/q* V

[hX

R0    ;%<

=|)=90

=:z1

z1i==8

|0D@

S}V3

|9G`

wPN`.

/P$j

dY{j

0`ya,

0eC;

[03`

WPQRMj-

d:qY

7gbh

KSu,

7AAQ

"*`{t

~d]X

WgbT

gb\0

@PtD@

!F j

`PsP

G;~,r

7_^Y

Rq,L

bhPT

QM\2

%]5\

gJf;

d9XHu+

V]Vn

!U39

GPaS

RX_Pla

eTSK

RZCq

r}4|

/vq=

[Q#4

Z@D0K:

/4\K0

1t9@C

xbX3

p>Ptb

-t/v 

t HHuE

npSP

uQ7]

1ou@

@7Y0~9

-@R`

rTNqUpYp

Yt1h

~/!%

{[PY1

;{P}

Ktu>

9Kht0

sPgQQQ

@K@u

8D'f9x>

Sh(n

b9;u

y|pj

ts}T

qdQs|p3

i@tA

Du/2

um~%

A 4 ;

F`=`$

5<B"/p

W 48

3 1k

t_sP

p*wP

(q:b

s`i@

L#C`

QRk`j

t"pP;

+KTQ

F0=`

@92v

J"t2

oqu#

FyHA

a9T$u

&d4u

^4q?

SlBQH9u$

!zAH

P9 u 

<^0a

j`05

_Ffj

uwy9

L0<^0

Yt?h

5pSJ

0,w`G

Q[hh

$,}1r

PQVW

`u,h

V_p$V

's1b

 u@j

5:aQh1p

PQSQ

1_/h,'

EdOft$V|c

Eyt3#

C(^0

C4x`

@;oE

`q!24

@qV3

p 8vQzN`,n

qFG@Y

@.z0

@V}R4

|=@WW

t7f9

u     C@@f

a\Ad!

#d!\A

7W=`5

 q1A0

r7,q0

8}:q0$

8UPq0

8^q0

r7lq0

AWSOCK

32.dll

ERNEL

UwSER"Eole

ADVAPI"EO

LEAUT"EGD4EF

`.9p89pF9pZ

9pl9p

He_apFre

@hur

Alloc

GetProce

ssvq

strcpynA{

IsBad

WritePtr

WideC

harToMul

tiByte

aveC

pica

lSection

pCur

rentThre

adId

Enter

ormatM

qTic

kCoun

etLastEr

oduleFil

eNam`

aliz

Delet

zqLibr

sable$

alls

uAd;dr

Attribut

qWin

dowsDir

eInfo

pkedI

ncrem!

kResour

qurRe

Peek

Regis

las@

Kill

Longn

poMyI

endZ

tD?lgItem

TKex

qSy:

Bictm

alogm

ramA

Draw

ws}p<

leaseDC

Show

pChild

qKeySt

Focu

ffse

_Equal

PtIn4

oTas)

mzrD

stan

dviseHo

/Open

Enum

Query:

viceCaps

iewport;Ex

LPtoDPw

 1L!`#

nsIe

0B`

$1|!

2! $1P*p-

"%s%s.DL

%t!CtL

{%08lX-7%04A62XM1L6

CLSID

pServer3

Apart

y<p2

9Typ

2p9Con

Misc

lbox\

K\HEL%

ed C

goriv

0ERSION

FfoS

G]W\j[

PDQ>Lan

gReft!DIS

PLAY

0 - v4

3mCmSmcmpi

i#}3}C}S}c}s}

s, U

ew, 

D Xl$

 &    "p[

/MSFTv

@Y,x

`H'2G

a| T

Q M\[

]0I,e

)lGmWmgm

9m,d

R8axa

tdole2.t_lbWWW,e

,e,}

mpQL  1I0

@1,-

#8QQL]4C

@!tJ,e

,eUd

insockLi

8xGPr

otocolCo

nstants

trol

Stat

rror

hsckTCP

outBox

emoteHos

Local

Na{me

etHandl}e

ytesReceoived)

necn

Listen

Accep

SendDa

ta,e

;d|M

GetL

@type

dmax

Numbe

 Descr

iption

/Scod(

Sourc

lpFil

+Cance

lDisplay

rival

gress

ining

Complet=e8u 0q

Resol

pertyVal{ue{

NotSuppX

Unsj

ang(

Wrong

ould

ready,

TooBigPu

Availa{bl

etwor

bsMy

fferSpac

imed

InWitiB

<TryAg

cover

zl!

rosoft

 6.0 (oSP4)

Sck.Ocx

NSK98.ch

5metho

ds S

 8}=

turns/

 the

aH"}E

 IP a\

al m

i/ne n&

}Me l

 to

be c

?Qon

W0@)]9T

CaW*

[F7Bof

?QV]

 fM@i

04mDiW

?QZ]W)mQ

Look

at_g

 it f

BbB"W

 curr

E@Ps

pecific:S^

1adapfQ:m]

S@PidG

IDoc

qs wh

bhasBP.`

tFT H

f`@PFT

Aihr

vdurea

uaffP

0bIg|`

teW(

ea`uh^

p\ae

taAI

Pwrite-

only

MQransa

 paseta

funCcw

pno

`1`m

C3sw

WW}=

non-b

wwillI (

x.C NAP)

gram

qtoWo l

e?Qf

`Cin

Pd{0

 W1   eQ

rSO_K

EEPALIVE

Dslp

s(H!

WW!)

rejf#"

BRal~

rst$

wer:

PU57

<@A<

<pA$

LP<Q

QHTo

aH)<

!P$1$1

0L!L!

 qsaL

(di0

(dyP

iqu@Xu@

td(x`Px`,

WRk=m

Bp:F

fffhIC

/qcG

      0-tTm

_u`E

Ny`Ir

@>qa

s+ri

@Jw&}6sW\

b2qc

k9tn

`r1prw6

xMw`W

r0W0|}8y].

TErUd

psw}

seSp

6}Fy.W0

|*0

}ra6)

,W0n

`UL}`S

AD]2V

\18D

T=d=t=

M$M4M

DMTMdMtM

]4]8

D]T]d]t]

$m4m

#dE&V+

-v%

D=v%Z;

F%Z=Nq

=w$F

At    "

E&M,;?

MNq7

p.QDR!v

ET]d]

5L;(L'h1

tCF} V}f}^#f!

L!*&

"3m1

P{"d

Dg0J

ok2|]

v%.Q #lm

!r}p

g.1f

QhA.1f=

d     "h5P

Bg2(N

!ra`

prk0Na@

L'%y"4

2.Sh1P

1`W}B&

GP->!%

,Q~A

) @qt

Rx7+

Msc@

LUrK"

~cL!

#L!f

0[<"

9/FRq

&/FL}FI.

Ydar

@EJ,

! -0

"t1T

3]3p3

v3|3

94C4I4U4

5(5<5

X5\5`5d5

h5l5p5t5

x586<6@6

D6H6L6P6

T6Y6i6r6

x6~6

7 7(7T7

a7i7o7{7

7@8b8

h8y8

9^9d9

l9q9w9~9

A:\:j:p:

G<e<q<

m>t>z>

>t?}?o

*21282?2

F2M2T2[2

b2i2p2w2

3,3G3

M3`3f

#4*4

1484?4F4

M4T-

b4i4

p4w4

1585_5

/7n7

8"8*8

68[8

)90969F9

0:D:

N;T;\;a;

h;p;

<Q>~>

-?7?=?D?

_?i?

0^0d0w0

1#1/15

2;2}2

2$3$

W4^4e4l4

s4z4

a6h6o6

v6}6

\7c7

(8,80848

88<8@8D8

H8L8P8T8

X8\8`8d

l8p8t8x8

9 9$9(9

4989@9

D9H9L9P9

T9X9\9`9

p9t9x9

 :$:(:,:

0:4:8:<:

@     H:L:P:

`:d:

t:x:

$;(;,;0;

4;8;<;@;_D;H;P

"t;x;

$<(<,<

0<4<8<<<

@<D<H<L<

P<T<X<\<

`<d<h<l<

p<t<x<|<

= =$=(=

,=0=4=8=

<=@=D=H=

L=P=T=X=

\=`=d=h=

l=p=t=x=

> >$

Appendix B

Tripwire Report After Malware Installation

Tripwire(R) 4.0.0 Integrity Check Report

 

Report generated by:       SYSTEM                              

Report created on:         Wednesday, May 14, 2003 4:36:54 PM 

Database last updated on:  Wednesday, May 14, 2003 2:51:56 PM 

 

===============================================================================

Report Summary:

===============================================================================

 

Host name:                TEST                                                                                                                                                                                 

Host IP address:          10.0.0.2                                                                                                                                                                            

Host ID:                  S-1-5-21-1060284298-842925246-2146833427                                                                                                                                            

Policy file used:         C:\Program Files\Tripwire\TFS\policy\tw.pol                                                                                                                                          

Configuration file used:  C:\Program Files\Tripwire\TFS\bin\tw.cfg                                                                                                                                             

Database file used:       C:\Program Files\Tripwire\TFS\db\database.twd                                                                                                                                        

Command line used:        C:\Program Files\Tripwire\TFS\bin\tripwire.exe --check --no-tty-output --cfgfile C:\Program Files\Tripwire\TFS\bin\tw.cfg --twrfile C:\Program Files\Tripwire\TFS\report\TEST-.twr  

 

===============================================================================

Rule Summary:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

   Rule Name                                   Severity Level  Added  Removed  Modified 

   ------------------------------------------  --------------  -----  -------  -------- 

   Critical OS Executable files                             0      0        0         0 

   Critical OS library files                                0      0        0         0 

   Critical System Startup files                            0      0        0         0 

   Critical drivers                                         0      0        0         0 

   Network Configuration files                              0      0        0         0 

*  OS support files                                        35      5        0         0 

   Obsolete System Startup files                            0      0        0         0 

   Program Files Folder                                     0      0        0         0 

*  System32 Folder (General)                               35      1        0         1 

   Temporary Files Folder                                   0      0        0         0 

   Tripwire for Servers Configuration Files                 0      0        0         0 

   Tripwire for Servers Executables                         0      0        0         0 

   Tripwire for Servers Log and Support Files               0      0        0         0 

   Tripwire for Servers Support Files                       0      0        0         0 

 

Total objects scanned: 5779

Total violations found: 7

 

-------------------------------------------------------------------------------

Section: Windows NT Registry

-------------------------------------------------------------------------------

 

   Rule Name                        Severity Level  Added  Removed  Modified 

   -------------------------------  --------------  -----  -------  -------- 

*  Class keys                                  100     59        0         0 

   Critical System Registry Keys                 0      0        0         0 

   Critical Tripwire Registry keys               0      0        0         0 

   Critical security account keys                0      0        0         0 

   Current User Registry keys                    0      0        0         0 

   Hardware keys                                 0      0        0         0 

   Security Information keys                     0      0        0         0 

   Software keys                                 0      0        0         0 

*  System Startup Executables                  100      1        0         0 

 

Total objects scanned: 56652

Total violations found: 60

 

===============================================================================

Object Summary:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: OS support files (C:\WINDOWS)

Severity Level: 35

-------------------------------------------------------------------------------

 

Added:

"C:\WINDOWS\WMSysDx.bin"

"C:\WINDOWS\DX3DRndr.exe"

"C:\WINDOWS\gibe.dll"

"C:\WINDOWS\MSBugAdv.exe"

"C:\WINDOWS\patch952.exe"

 

-------------------------------------------------------------------------------

Rule Name: System32 Folder (General) (C:\WINDOWS\System32)

Severity Level: 35

-------------------------------------------------------------------------------

 

Added:

"C:\WINDOWS\System32\MSWinsck.ocx"

Modified:

"C:\WINDOWS\System32\services.msc"

 

-------------------------------------------------------------------------------

Section: Windows NT Registry

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\CLSID)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"

"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"

"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Interface)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"

"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"

"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"

 

-------------------------------------------------------------------------------

Rule Name: Class keys (HKEY_CLASSES_ROOT\Typelib)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"

"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"

 

-------------------------------------------------------------------------------

Rule Name: System Startup Executables (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run)

Severity Level: 100

-------------------------------------------------------------------------------

 

Added:

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

 

===============================================================================

Object Details:

===============================================================================

 

-------------------------------------------------------------------------------

Section: Windows NT File System

-------------------------------------------------------------------------------

 

-------------------------------------------------------------------------------

Rule Name: OS support files (C:\WINDOWS)

Severity Level: 35

-------------------------------------------------------------------------------

 

  ----------------------------------------

  Added Objects: 5

  ----------------------------------------

 

Added object name: C:\WINDOWS\WMSysDx.bin

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                          

       Directory Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Archive Flag Expected  ---                                      

*                     Observed  1                                         

                                                                         

         Offline Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

                 Size Expected  ---                                      

*                     Observed  3691                                     

                                                                          

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                          

                  SHA Expected  ---                                      

*                     Observed  DC2EB1374464C31E6F91BE9B9CEFE54E37D4A8EC 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  43D7A439854B617544ED474765C5C011         

                                                                         

   Num of Alt Streams Expected  ---                                       

*                     Observed  0                                        

                                                                         

           Write Time Expected  ---                                       

*                     Observed  Wednesday, May 14, 2003 4:37:17 PM       

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\DX3DRndr.exe

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

         Archive Flag Expected  ---                                      

*                     Observed  1                                         

                                                                         

         Offline Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

                 Size Expected  ---                                      

*                     Observed  73728                                    

                                                                          

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                         

                  SHA Expected  ---                                      

*                     Observed  B82243D120BFAEA0AEDEF99C95872D9B5C579B48 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  556CB6AA234A137860F6E41869615841         

                                                                         

   Num of Alt Streams Expected  ---                                       

*                     Observed  0                                        

                                                                         

           Write Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Wednesday, May 14, 2003 4:36:10 PM       

                                                                         

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )

 

                Owner Expected  ---

*               Owner Observed  TEST\test user

                                (S-1-5-21-1060284298-842925246-2146833427-1003)

 

                Group Expected  ---

*               Group Observed  TEST\None

                                (S-1-5-21-1060284298-842925246-2146833427-513)

 

                 DACL Expected  ---

*                DACL Observed  Revision 2, Size: 136, Number of ACEs: 5

                                Allow: BUILTIN\Power Users

                                   Mask:0x001200a9 Flags: Ia

                                Allow: BUILTIN\Power Users

                                   Mask:0x001301bf Flags: Ia

                                Allow: BUILTIN\Administrators

                                   Mask:0x001f01ff Flags: Ia

                                Allow: NT AUTHORITY\SYSTEM

                                   Mask:0x001f01ff Flags: Ia

                                Allow: TEST\test user

                                   Mask:0x001f01ff Flags: Ia

 

                 SACL Expected  ---

*                SACL Observed  Null

 

 

 

Added object name: C:\WINDOWS\gibe.dll

 

          Object Type Expected  ---                                      

*                     Observed  File                                     

                                                                         

       Directory Flag Expected  ---                                       

*                     Observed  0                                        

                                                                         

       Read Only Flag Expected  ---                                      

*                     Observed  0                                        

                                                                         

          Hidden Flag Expected  ---                                      

*                     Observed  0                                         

                                                                         

          System Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

         Archive Flag Expected  ---                                      

*                     Observed  1                                        

                                                                          

         Offline Flag Expected  ---                                      

*                     Observed  0                                        

                                                                          

                 Size Expected  ---                                      

*                     Observed  155648                                   

                                                                         

              SD Size Expected  ---                                      

*                     Observed  212                                      

                                                                         

                  SHA Expected  ---                                       

*                     Observed  C5E4D57425C59EEF5CAF725D280DE79E8E4D0E8D 

                                                                         

                  MD5 Expected  ---                                      

*                     Observed  4613A17F12531D21C683023FFA4B4A34         

                                                                         

   Num of Alt Streams Expected  ---                                      

*                     Observed  0                                         

                                                                         

           Write Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM           

                                                                         

          Create Time Expected  ---                                      

*                     Observed  Sunday, May 11, 2003 7:01:40 PM          

                                                                          

           SD Control Expected  ---

*          SD Control Observed  Value: 0x8404

                                ( - Owner Default - Group Default + Self Relative

                                DACL:               + Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     + Auto Inherited

                                SACL:               - Present       - Auto Inhrt Request

                                  - Protected     - Defaulted     - Auto Inherited    )