Reverse Engineering a Purported Microsoft Security Patch

 

By Charles Hornat

May 19, 2003

 

Overview

In this paper we examine and dissect a malicious package sent to us as an email attachment.  The email appeared to come from Microsoft and claimed the attachment would fix all known vulnerabilities on our system.  We also review the delivery method, analyze the executable and study the impact it had on a system once it was installed.

 

Table of Contents

Reverse Engineering a Purported Microsoft Security Patch
Overview
Table of Contents
The Tools
Tripwire
Ethereal
Windows XP
GNU Strings
The Delivery
Notes on Delivery
The Analysis
Post Installation/Pre-Boot
Post Installation/Post-Boot
Final Analysis
Additional Resources
Appendix A: Strings of Malware
Appendix B: Tripwire Report After Malware Installation
Appendix C: Tripwire Report After Malware Install and Reboot

 


The Tools

Tripwire

Tripwire is a tool written by a personal friend of mine, Gene Kim, and Eugene Spafford.  Tripwire can be found at www.tripwire.com.  This tool was developed to take a snapshot of specific files and directories and monitor them for changes, whether authorized or not.  The snapshot is a collection of hashes (e.g. MD5, SHA, etc.) of the files and directories you choose, which Tripwire stores in a secure database.  Tripwire then scans the files and/or directories you define, on a manual or automated schedule, and alerts you when a file has been added, changed or deleted.  In addition to files and directories, it can also monitor the Windows registry, file access times, file flags, etc.

 

Ethereal

Ethereal is a network sniffing application.  We used it to monitor all traffic coming from the test system during and after the installation of the malicious application.

 

Windows XP

The test system's operating system.  This analysis was performed on a default, networked Windows XP install with no service packs or hotfixes applied.  The goal was to learn from the malware and its effect on the system, not to protect against it.

 

GNU Strings

GNU Strings is an application that comes with most UNIX-like operating systems (e.g. Linux).  It prints, to the screen or another location of your choice, the sequences of printable characters that are at least 4 characters long (or meet other requirements you set) and are followed by an unprintable character.  This is especially helpful with non-text files such as Microsoft executables.

 

The Delivery

On May 11, 2003, we received the email as displayed in Figure 1.  The email is polite and colorful, adding to its believability.  Additionally, in the footer of the email is the copyright information that many people believe adds authenticity to the email.  This can be seen in Figure 2.  And finally, the header also adds some more credibility to those less technical and can be seen in Figure 3.  Note the email address that appears in the short header, advisor.microsoft.com. 

 

 

 

Figure 1: Delivery Method

Figure 2: Footer

Figure 3: Header

 

 

Notes on Delivery

When you first read the message of the email, certain key points should set off alarms in your mind.  The first is that this patch “eliminates all known security vulnerabilities”.  This would be great if true, but unfortunately, it is not.  There are service packs that attempt to include as many security hotfixes as possible, but they never eliminate all known security vulnerabilities.  The size of the attachment should also tip you off, as service packs are much larger.

 

Figure 4: The attachment

 

Additionally, if we expand the header as seen in Figure 5, we will get more clues as to the real source of this email.

 

Figure 5: Header

 

The return path is ftballguy66@cox.net, which is obviously not a Microsoft address.  We can also see that the From line gives iamlzytaw_903216@support.msdn.com, the spoofed email address that a return message, should we choose to send one, would be sent to.
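The header comparison described above can be automated.  The following is an added example, not part of the original paper: it parses a constructed message that reuses only the two addresses quoted above (subject, MIME layout and attachment name are placeholders) and reports a Return-Path/From domain mismatch and any executable attachment.

```python
from email import message_from_string
from email.utils import parseaddr

EXECUTABLE_EXT = (".exe", ".scr", ".pif", ".com", ".bat")

# Constructed message: only the two addresses are taken from the article.
# Subject, MIME layout and attachment name are placeholders.
RAW = """\
Return-Path: <ftballguy66@cox.net>
From: <iamlzytaw_903216@support.msdn.com>
Subject: constructed subject
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

constructed body
--b1
Content-Type: application/octet-stream; name="attachment.exe"
Content-Disposition: attachment; filename="attachment.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""


def org_domain(header_value):
    """Last two DNS labels of the address (simplification: no public-suffix list)."""
    address = parseaddr(header_value or "")[1]
    domain = address.rpartition("@")[2].lower()
    return ".".join(domain.split(".")[-2:]) if domain else ""


def triage(raw):
    """Return the delivery red flags the article points out, as a list of strings."""
    msg = message_from_string(raw)
    findings = []
    envelope, visible = org_domain(msg["Return-Path"]), org_domain(msg["From"])
    if envelope and visible and envelope != visible:
        findings.append(f"Return-Path domain {envelope} differs from From domain {visible}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXT):
            findings.append(f"executable attachment: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage(RAW):
        print(finding)
```

A domain mismatch alone is common in legitimate bulk mail, so treat it as one signal to weigh with the others rather than a verdict.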

 

Finally, one last point to be made is that Microsoft, and this can be said for most vendors, will NEVER email you the patch directly.  They will alert you to the vulnerability or purpose of the email and provide some high level information.  They will then give you a link for additional information and direct you to their site to download the patch.

 

The Analysis

The first step of the reverse engineering was running the executable through strings.  The results can be seen in Appendix A.  Examining this output shows that the executable contains text meant to make it look like a legitimate Microsoft-developed patch.  In particular, there are two sections that go into great detail about licensing and rights.  More than likely this text was simply copied to add realism to the installation that users would encounter.  The key here is to look for common terms or locate specific keywords and search for them in your favorite search engine.

 

For example, a quick search in Google.com for “KaZaA uploDropper” brought up several pages talking about known worms and viruses that contain this phrase, tipping one off to proceed with caution or perform further research.
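The triage described above, as an added example that is not part of the original paper: a minimal equivalent of strings with a 4-character minimum, followed by a first-match classifier.  The sample bytes are constructed from strings listed in Appendix A; the category names and the 8-character "pivot" threshold are assumptions of this example.

```python
import re

# Ordered rules; the first match wins. Labels are this example's own.
RULES = [
    ("registry",  re.compile(r"^Reg(Create|Open|Set|Query|Enum|Close)\w*$")),
    ("execution", re.compile(r"^ShellExecute")),
    ("unpacking", re.compile(r"^LZ(OpenFile|Copy|Close)")),
    # Windows 9x call commonly used to keep a process out of the task list.
    ("hiding",    re.compile(r"^RegisterServiceProcess$")),
    ("library",   re.compile(r"\.(dll|ocx|olb)$", re.I)),
    ("lure",      re.compile(r"Microsoft|License|Installing|Extracting", re.I)),
]

# Constructed sample: strings copied from Appendix A, separated by
# unprintable bytes the way they would sit inside a binary.
_STRINGS = ["VB5!", "MSUpdate", "MSUpdate", "KaZaA uploDropper", "advapi32.dll",
            "RegCreateKeyExA", "hp&@", "RegSetValueExA", "ShellExecuteA",
            "RegisterServiceProcess", "lz32.dll", "LZOpenFileA", "LZCopy",
            " Installing Microsoft Update", "MSVBVM60.DLL"]
SAMPLE = b"MZ\x90\x00" + b"\x00\x13".join(s.encode("ascii") for s in _STRINGS) + b"\x00"


def ascii_strings(data, min_len=4):
    """Yield runs of printable ASCII at least min_len long (also at end of data)."""
    for match in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield match.group().decode("ascii")


def classify(s):
    """Label one string; unmatched long strings become search-engine pivots."""
    for label, pattern in RULES:
        if pattern.search(s):
            return label
    return "pivot" if len(s) >= 8 else "noise"


def triage(data):
    """Group the extracted strings by label, de-duplicated, in order of appearance."""
    buckets = {}
    for s in ascii_strings(data):
        bucket = buckets.setdefault(classify(s), [])
        if s not in bucket:
            bucket.append(s)
    return buckets


if __name__ == "__main__":
    for label, strings in triage(SAMPLE).items():
        print(f"{label:10} {strings}")
```

The "pivot" bucket is the shortlist worth pasting into a search engine; here it contains the phrase the paper searched for.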

 

Post Installation/Pre-Boot

For this project, we used Tripwire 4.0.  The report after the Malware was executed and prior to any reboot can be found in Appendix B.  All changes you see were directly related to the running of the Malware.  The Windows registry was most heavily impacted.  A quick overview of the results nets the following: 59 Registry Class Keys were added, 1 System startup Key was added, 5 OS Support files were added, and 1 file in the System32 folder was added.  There were no deletions or changes, only additions.

 

Added:
"C:\WINDOWS\WMSysDx.bin"
"C:\WINDOWS\DX3DRndr.exe"
"C:\WINDOWS\gibe.dll"
"C:\WINDOWS\MSBugAdv.exe"
"C:\WINDOWS\patch952.exe"
Added:
"C:\WINDOWS\System32\MSWinsck.ocx"
Modified:
"C:\WINDOWS\System32\services.msc"
Added:
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+ThreadingModel"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32"
"HKEY_CLASSES_ROOT\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32"
"HKEY_CLASSES_ROOT\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\+"
Added:
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\+Version"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\+"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid"
"HKEY_CLASSES_ROOT\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid\+"
Added:
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\+"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32"
"HKEY_CLASSES_ROOT\Typelib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\+"
Added:
"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad"

 

Post Installation/Post-Boot

The next step was to reboot the Windows XP system to allow the malware to execute, if needed, from the ‘Run’ keys or startup folder.  Once the reboot was completed, a rescan was performed to identify additional changes that occurred.  In order to get an accurate understanding of what the malware changed versus normal system file changes during a reboot, we identified all the common reboot file changes.

 

Modified:
"C:\WINDOWS\0.log"
"C:\WINDOWS\bootstat.dat"
Modified:
"C:\WINDOWS\System32\config\systemprofile\Cookies\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\History\History.IE5\index.dat"
"C:\WINDOWS\System32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\+LsaPid"

 

If we remove those entries from the results after the reboot, we are left with the following (the complete report can be found in Appendix C):

Modified:
"C:\WINDOWS\System32\wpa.dbl"
Removed:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+0"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmboot\+Start"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\+Sources"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+Count"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kmixer\Enum\+NextInstance"
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\+SpecialPollTimeRemaining"
Modified:
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\SspiCache\+Time"
Added:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002e.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000030.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000034.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000038.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000041.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000042.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000047.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000046.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000040.Translated"
Removed:
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000002d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000031.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000035.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003b.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003c.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^0000003d.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000043.Translated"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Raw"
"HKEY_LOCAL_MACHINE\hardware\RESOURCEMAP\PnP Manager\PnpManager\+%^Device%^00000044.Translated"
Added:
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+OptimizedLogonStatus"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-1060284298-842925246-2146833427-1003\+NextLogonCacheable"

Given the information above, it appears to impact the PnP Manager.  A quick search in Google.com turns up no results on OptimizedLogonStatus either.  The +OptimizedLogonStatus value was set to a REG_DWORD of 0x0000000b (11) and NextLogonCacheable was set to a REG_DWORD of 0x00000001 (1).
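The snapshot-and-compare method used in the two Tripwire passes can be sketched as follows.  This is an added example, not Tripwire's code or report format: object names are taken from the lists above, all contents are constructed, and learning the reboot noise from a control reboot of the clean system is an assumption about how the common reboot changes were identified.

```python
import hashlib

WIN = "C:\\WINDOWS\\"
HKLM = "HKEY_LOCAL_MACHINE\\"
LOG, BOOTSTAT = WIN + "0.log", WIN + "bootstat.dat"
LSAPID = HKLM + "SYSTEM\\CurrentControlSet\\Control\\LSA\\+LsaPid"
WPA = WIN + "System32\\wpa.dbl"
KMIXER = HKLM + "SYSTEM\\CurrentControlSet\\Services\\kmixer\\Enum\\+0"
DROPPED = WIN + "DX3DRndr.exe"
RUNKEY = HKLM + "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\+DxLoad"


def snapshot(objects):
    """Map each monitored object (file or registry value) to a digest of its content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in objects.items()}


def diff(before, after):
    """Report Added/Removed/Modified objects between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "Added": sorted(after.keys() - before.keys()),
        "Removed": sorted(before.keys() - after.keys()),
        "Modified": sorted(k for k in common if before[k] != after[k]),
    }


def subtract_noise(report, noise):
    """Drop entries that a reboot of the clean system produces on its own."""
    return {kind: [o for o in objs if o not in noise.get(kind, [])]
            for kind, objs in report.items()}


def analyse():
    """Return (install report, post-reboot report with reboot noise removed)."""
    # All contents below are constructed placeholders.
    clean = {LOG: b"boot 1", BOOTSTAT: b"stat 1", LSAPID: b"412",
             WPA: b"wpa 1", KMIXER: b"dev"}
    # Control run: reboot the clean system to learn what a reboot alone changes.
    clean_rebooted = {**clean, LOG: b"boot 2", BOOTSTAT: b"stat 2", LSAPID: b"520"}
    reboot_noise = diff(snapshot(clean), snapshot(clean_rebooted))

    # Pass 1: after running the attachment, before any reboot.
    installed = {**clean, DROPPED: b"constructed", RUNKEY: DROPPED.encode()}
    install_report = diff(snapshot(clean), snapshot(installed))

    # Pass 2: after rebooting the infected system.
    rebooted = {**installed, LOG: b"boot 3", BOOTSTAT: b"stat 3",
                LSAPID: b"388", WPA: b"wpa 2"}
    del rebooted[KMIXER]
    reboot_report = diff(snapshot(installed), snapshot(rebooted))
    return install_report, subtract_noise(reboot_report, reboot_noise)


if __name__ == "__main__":
    for report in analyse():
        print(report)
```

Noise is matched by object name and change type only, so a malicious change to an object that also changes on every reboot would be filtered out along with the benign one.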

 

The entry "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\+DxLoad" was supposed to launch the executable "C:\WINDOWS\DX3DRndr.exe".  This executable was indeed launched, but for some reason did not run as designed, or did it?  Since we did not write the program, we are not sure what the end result should have been.  An NMAP scan of the infected system showed no new TCP ports other than those already open by default.  Additionally, using Ethereal, we saw no unusual traffic generated when rebooting or leaving the system idle for hours.  Researching some of the key parts of this package on the Internet does turn up additional research, but the analysis we found did not accurately represent our findings.

 

Finally, there wasn’t any new traffic generated by the infected system.  Sometimes Malware attempts to phone home to get further instructions, which may include connecting to an IRC server or downloading additional information.  In this particular case, no traffic was generated and no logs are included in this analysis.  The infected system was monitored from start to finish, including reboots.

 

Final Analysis

The final analysis we could determine is that this threat had minimal impact.  Yes, it did install and alter critical system files, but the impact to the user was non-existent.  When we downloaded it and installed it, we did not get any interaction with the malware.  It did not prompt us for any input nor show any signs of success or failure.  When we refer back to the Strings portion of the evidence, we see a great amount of text that was probably meant to be displayed to the user but was not.

 

It is important to note that both McAfee and Norton identify this file and respond according to your settings when they encounter it.  We conclude that this is an altered version of existing malware.

Additional Resources

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GIBE.B

http://securityresponse.symantec.com/avcenter/venc/data/w32.gibe@mm.html

 

 

 

 

 

 


Appendix A

Strings of Malware

 

   AutMSUpdate

    = 

VB5!

p214537

MSUpdate

MSUpdate

KaZaA uploDropper

MainForm

LicenseForm

MSUpdate

advapi32.dll

RegCreateKeyExA

hp&@

RegOpenKeyExA

RegSetValueExA

RegQueryValueExA

hL'@

RegEnumKeyExA

RegCloseKey

kernel32

GetWindowsDirectoryA

h8(@

GetSystemDirectoryA

GetTempPathA

shell32.dll

ShellExecuteA

h$)@

SHGetSpecialFolderLocation

hx)@

SHGetPathFromIDListA

Frame1

RegisterServiceProcess

h4*@

Sleep

ht*@

GetShortPathNameA

lz32.dll

LZOpenFileA

LZCopy

hT+@

LZClose

Command1

C:\Program Files\VB6\VB6.OLB

Label1

Label2

Command2

Text1

Form

Picture1

ProgressPic

VBA6.DLL

MainForm

 Installing Microsoft Update

vfff`

vfff

ffff

wwwwwp

vfffffff`

ff`wwp

vfffffff

ffffffff

xwwwwwwwwwwxp

wwwwwwwwwwwwp

Form1

Frame1

Picture1

Command1

&Cancel

ProgressPic

Label1

Extracting files ...

LicenseForm

 License

Form1

Command2

Text1

This product is protected by copyright laws and international

copyright treaties, as well as other intellectual property laws and

treaties.

ALL MICROSOFT PRODUCTS AND RELATED DOCUMENTS ARE

PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND!

Microsoft and/or its respective suppliers hereby disclaim all warranties

and conditions with regard to this information, including all warranties

and conditions of merchantability, whether express, implied or

statutory, fitness for a particular purpose, title and non-infringement.

Microsoft does not warrant that the functions for the software or code

will meet your requirements, or that the operation of the software or

code will be uninterrupted or error-free, or that defects in the software

or code can be corrected.  Furthermore, Microsoft does not warrant

or make any representations regarding the use or the results of the

use of the software, code or related documentation in terms of their

correctness, accuracy, reliability, or otherwise. No oral or written

information or advice given by Microsoft or its authorized

representatives shall create a warranty or in any way increase the

scope of this warranty.  Should the software or code prove defective

after Microsoft has delivered the same, you, and you alone,

shall assume the entire cost associated with all necessary servicing,

repair or correction. In no event shall Microsoft and/or its respective

suppliers be liable for any special, indirect or consequential damages

or any damages whatsoever resulting from loss of use, data or profits,

whether in an action of contract, negligence or other tortious action,

arising out of or in connection with the use or performance of

software, documents, provision of or failure to provide services, or

information available from the services.

COPYRIGHT NOTICE.

Copyright

 2003 Microsoft Corporation, One Microsoft Way,

Redmond, Washington U.S.A. All rights reserved.

Command1

&Yes

Label2

Do you accept all of the terms of the preceding License Agreement? If you choose No, Install will close. To install you must accept this agreement.

Label1

Please read the following license agreement. Press the Page Down key to see the rest of the agreement.

MSVBVM60.DLL

MethCallEngine

EVENT_SINK_AddRef

DllFunctionCall

EVENT_SINK_Release

EVENT_SINK_QueryInterface

__vbaExceptHandler

ProcCallEngine


SZDD
