Full Disclosure mailing list archives

Re: Re: Google Malware Search


From: David Taylor <ltr () isc upenn edu>
Date: Mon, 17 Jul 2006 13:01:29 -0400

One other thing which may already be known by most of you: on the Google
results you can click “View as HTML” and get a lot of file information.

WINDOWS EXECUTABLE

32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header 

Signature: 00004550

Machine: Intel 386

Number of Sections: 0003

Time Date Stamp: 43e3d0b9

Symbols Pointer: 00000000

Number of Symbols: 00000000

Size of Optional Header 00e0

Characteristics: Relocation info stripped from file.
File is executable  (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
32 bit word machine.
 
 

Image Optional Header

Magic: 010b

Linker Version: 5.12

Size of Code: 00003800

Size of Initialized Data: 00004000

Size of Uninitialized Data: 00000000

Address of Entry Point: 0000b037

Base of Code: 00001000

Base of Data: 00005000

Image Base: 00400000

Section Alignment: 00001000

File Alignment: 00000200

Operating System Version: 4.00

Image Version: 0.00

Subsystem Version: 4.00

Reserved1: 00000000

Size of Image: 00010000

Size of Headers: 00000400

Checksum: 00000000

Subsystem: Image runs in the Windows GUI subsystem.

DLL Characteristics: 0000

Size of Stack Reserve: 00100000

Size of Stack Commit: 00001000

Size of Heap Reserve: 00100000

Size of Heap Commit: 00001000

Loader Flags: 00000000

Size of Data Directory: 00000010

Import Directory Virtual Address:  0000a000

Import Directory Size:  00000240

  
 

Import Table 

~tY–µý u

Ordinal Function Name
 
 

kernel32.dll

Ordinal Function Name

0000 Sleep 
 

user32.dll

Ordinal Function Name

0000 wsprintfA 
 

wsock32.dll

Ordinal Function Name

0000 send 
 

ole32.dll

Ordinal Function Name

0000 CoInitialize 
 

shlwapi.dll

Ordinal Function Name

0000 StrDupA 
 

wininet.dll

Ordinal Function Name

0000 InternetOpenA 
 

advapi32.dll

Ordinal Function Name

0000 RegCloseKey 
 

urlmon.dll

Ordinal Function Name

0000 URLDownloadToFileA
 

shell32.dll

Ordinal Function Name

0000 ShellExecuteA 
 

gdi32.dll

Ordinal Function Name

0000 DeleteDC 
 

Section Table 

Section name: UPX0

Virtual Size: 00009000

Virtual Address: 00001000

Size of raw data: 00000000

Pointer to Raw Data: 00000400

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains initialized data
Section is executable
Section is readable
Section is writeable

  

Section name: UPX1

Virtual Size: 00000240

Virtual Address: 0000a000

Size of raw data: 00000400

Pointer to Raw Data: 00000400

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains initialized data
Section is readable
Section is writeable

  

Section name: UPX2

Virtual Size: 00005000

Virtual Address: 0000b000

Size of raw data: 00004400

Pointer to Raw Data: 00000800

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains code
Section is executable
Section is readable
Section is writeable

 

Header Information 

Signature: 5a4d

Last Page Size: 0090

Total Pages in File: 0003

Relocation Items: 0000

Paragraphs in Header: 0004

Minimum Extra Paragraphs: 0000

Maximum Extra Paragraphs: ffff

Initial Stack Segment: 0000

Initial Stack Pointer: 00b8

Complemented Checksum: 0000

Initial Instruction Pointer: 0000

Initial Code Segment: 0000

Relocation Table Offset: 0040

Overlay Number: 0000

Reserved: 0000 0000 0000 0000

0000 0000 0000 0000

0000 0000 0000 0000

0000 0000 0000 0000

Offset to New Header: 000000c0

Memory Needed: 2K


On 7/17/06 12:21 PM, "Mike M" <mkmaxx () gmail com> wrote:



Message: 11
Date: Sun, 16 Jul 2006 23:58:30 -0500
From: H D Moore <fdlist () digitaloffense net>
Subject: [Full-disclosure] Google Malware Search
To: full-disclosure () lists grok org uk
Message-ID: <200607162358.30574.fdlist () digitaloffense net>
Content-Type: text/plain;  charset="us-ascii"

http://metasploit.com/research/misc/mwsearch/?q=bagle

Enjoy,

-HD

 

Didn't know Google crawls scr's and com's.. Since when?

MM


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
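As an added example (not from the original post, Google's viewer, or the Metasploit search page), here is a small Python parser that walks the same MZ/PE structures the "View as HTML" dump above prints and pulls out the header-only triage signals a defender would note. The sample bytes are constructed here from the dump's own values (three UPX sections, entry point 0000b037, file header characteristics 010f); the indicator rules in `triage()` are my own assumptions, not anything the post states.

```python
import struct
SEC_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample():
    """Constructed minimal MZ/PE header with the values from the dump above; not a real binary."""
    dos = bytearray(0xC0)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xC0)  # e_lfanew: Offset to New Header 000000c0
    # IMAGE_FILE_HEADER: Intel 386, 3 sections, stamp 43e3d0b9, optional header 00e0, chars 010f
    fh = struct.pack("<HHIIIHH", 0x014C, 3, 0x43E3D0B9, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x010B)    # Magic: PE32
    struct.pack_into("<I", opt, 16, 0xB037)   # Address of Entry Point
    secs = b""
    for name, vsize, vaddr, rsize, rptr, ch in [
            (b"UPX0", 0x9000, 0x1000, 0x0000, 0x400, 0xE0000040),
            (b"UPX1", 0x0240, 0xA000, 0x0400, 0x400, 0xC0000040),
            (b"UPX2", 0x5000, 0xB000, 0x4400, 0x800, 0xE0000020)]:
        secs += struct.pack(SEC_FMT, name, vsize, vaddr, rsize, rptr, 0, 0, 0, 0, ch)
    return bytes(dos) + b"PE\0\0" + fh + bytes(opt) + secs

def parse_pe(data):
    """Walk DOS header -> PE signature -> file header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe_off, = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    entry, = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(nsec):
        f = struct.unpack_from(SEC_FMT, data, opt_off + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode(), "vsize": f[1], "vaddr": f[2], "rsize": f[3], "chars": f[9]})
    return {"machine": machine, "timestamp": stamp, "chars": chars, "entry": entry, "sections": sections}

def triage(info):
    """Header-only indicators (assumed rules) a defender can read off such a dump without running the file."""
    flags = []
    for s in info["sections"]:
        if s["name"].startswith("UPX"):
            flags.append(f"{s['name']}: UPX section name, file is packed")
        if s["rsize"] == 0 and s["vsize"] > 0:
            flags.append(f"{s['name']}: 0 bytes on disk, {s['vsize']:#x} in memory (unpack target)")
        if s["chars"] & 0x80000000 and s["chars"] & 0x20000000:
            flags.append(f"{s['name']}: writable and executable")
    last = info["sections"][-1]
    if last["vaddr"] <= info["entry"] < last["vaddr"] + last["vsize"]:
        flags.append(f"entry point {info['entry']:#x} is in last section {last['name']}")
    return flags
```

Running `triage(parse_pe(build_sample()))` yields the packed-file pattern visible in the dump: UPX0 occupies 0x9000 bytes in memory but none on disk, UPX0 and UPX2 are writable and executable, and the entry point sits in the last section.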


