Full Disclosure mailing list archives
Re: massive outbreak - expect a major network slowdown
From: Byron Copeland <nodialtone () comcast net>
Date: 26 Jan 2004 22:35:32 -0500
I have a UPX-compressed version of it I received a while ago. I saved it and uuencoded it; if someone wants it for analytical purposes, email me personally. What I received was readme.pif

-b

On Mon, 2004-01-26 at 18:58, Thierry wrote:
Hello Gadi,

GE> Whichever the case this outbreak is HUGE.
GE> Largest in a while and it is spreading VERY FAST.

I can only confirm, it currently slips through my ISP virus mail gateway. I have a few files here, some in uncompressed state, if anybody is interested and hasn't had the chance to have one of those (should be rare though). I am not aware whether it self-modifies or not; here are the strings I extracted from the uncompressed PIF file.

Tool: BinText

File pos  Mem pos   ID  Text
========  =======   ==  ====
0000269C  004A269C  0   iphlpapi.dll
000026AC  004A26AC  0   DnsQuery_A
000026B8  004A26B8  0   dnsapi.dll
000026C4  004A26C4  0   GetNetworkParams
000026D8  004A26D8  0   sandra
000026E0  004A26E0  0   linda
000026E8  004A26E8  0   julie
000026F0  004A26F0  0   jimmy
000026F8  004A26F8  0   jerry
00002700  004A2700  0   helen
00002708  004A2708  0   debby
00002710  004A2710  0   claudia
00002718  004A2718  0   brenda
00002728  004A2728  0   alice
00002730  004A2730  0   brent
00002764  004A2764  0   smith
0000276C  004A276C  0   steve
00002798  004A2798  0   robert
000027A0  004A27A0  0   peter
000027C0  004A27C0  0   brian
000027CC  004A27CC  0   maria
000027E0  004A27E0  0   andrew
000027EC  004A27EC  0   george
000027F4  004A27F4  0   david
000027FC  004A27FC  0   kevin
0000280C  004A280C  0   james
00002814  004A2814  0   michael
0000282C  004A282C  0   accoun
00002834  004A2834  0   certific
00002840  004A2840  0   listserv
0000284C  004A284C  0   ntivi
00002854  004A2854  0   support
0000285C  004A285C  0   icrosoft
00002868  004A2868  0   admin
00002878  004A2878  0   the.bat
00002880  004A2880  0   gold-certs
00002890  004A2890  0   feste
00002898  004A2898  0   submit
000028AC  004A28AC  0   service
000028B4  004A28B4  0   privacy
000028BC  004A28BC  0   somebody
000028D4  004A28D4  0   contact
000028E4  004A28E4  0   rating
00002904  004A2904  0   someone
0000290C  004A290C  0   anyone
00002914  004A2914  0   nothing
0000291C  004A291C  0   nobody
00002924  004A2924  0   noone
0000292C  004A292C  0   webmaster
00002938  004A2938  0   postmaster
00002944  004A2944  0   samples
0000295E  004A295E  0   be_loyal:
00002968  004A2968  0   mozilla
00002970  004A2970  0   utgers.ed
0000297C  004A297C  0   tanford.e
0000298C  004A298C  0   acketst
00002994  004A2994  0   secur
0000299C  004A299C  0   isc.o
000029A4  004A29A4  0   isi.e
000029AC  004A29AC  0   ripe.
000029B4  004A29B4  0   arin.
000029BC  004A29BC  0   sendmail
000029C8  004A29C8  0   rfc-ed
000029E0  004A29E0  0   usenet
000029F0  004A29F0  0   linux
000029F8  004A29F8  0   kernel
00002A00  004A2A00  0   google
00002A08  004A2A08  0   ibm.com
00002A1C  004A2A1C  0   mit.e
00002A38  004A2A38  0   berkeley
00002A68  004A2A68  0   ruslis
00002A70  004A2A70  0   nodomai
00002A78  004A2A78  0   mydomai
00002A80  004A2A80  0   example
00002A88  004A2A88  0   inpris
00002A90  004A2A90  0   borlan
00002A98  004A2A98  0   sopho
00002AA0  004A2AA0  0   panda
00002AA8  004A2AA8  0   hotmail
00002AB8  004A2AB8  0   icrosof
00002AD4  004A2AD4  0   -._!@
00002ADC  004A2ADC  0   abuse
00002E34  004A2E34  0   USERPROFILE
00002E40  004A2E40  0   Ybpny Frggvatf
0000345C  004A345C  0   %s.%s
00003480  004A3480  0   %s.zip
0000348C  004A348C  0   Mail transaction failed. Partial message is available.
000034C8  004A34C8  0   The message contains Unicode characters and has been sent as a binary attachment.
00003520  004A3520  0   The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
00003590  004A3590  0   ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
000035DE  004A35DE  0   K-ZFZnvy-Cevbevgl: Abezny
000035FA  004A35FA  0   K-Cevbevgl: 3
00003608  004A3608  0   boundary="%s"
0000361A  004A361A  0   Pbagrag-Glcr: zhygvcneg/zvkrq;
0000363E  004A363E  0   ZVZR-Irefvba: 1.0
00003652  004A3652  0   Qngr:
0000365E  004A365E  0   Fhowrpg:
00003670  004A3670  0   Sebz:
00003678  004A3678  0   ----=_%s_%.3u_%.4u_%.8X.%.8X
00003698  004A3698  0   NextPart
000036A8  004A36A8  0   --%s--
000036BE  004A36BE  0   Pbagrag-Glcr: nccyvpngvba/bpgrg-fgernz;
000036E7  004A36E7  0   anzr="%f"
000036F3  004A36F3  0   Pbagrag-Genafsre-Rapbqvat: onfr64
00003716  004A3716  0   Pbagrag-Qvfcbfvgvba: nggnpuzrag;
00003738  004A3738  0   svyranzr="%f"
0000375E  004A375E  0   Pbagrag-Glcr: grkg/cynva;
00003779  004A3779  0   punefrg="Jvaqbjf-1252"
00003792  004A3792  0   Pbagrag-Genafsre-Rapbqvat: 7ovg
00003890  004A3890  0   gate.%s
00003898  004A3898  0   ns.%s
000038A0  004A38A0  0   relay.%s
000038AC  004A38AC  0   mail1.%s
000038B8  004A38B8  0   mxs.%s
000038C0  004A38C0  0   mx1.%s
000038C8  004A38C8  0   smtp.%s
000038D0  004A38D0  0   mail.%s
000038D8  004A38D8  0   mx.%s
0000A009  004AA009  0   CreateFileMappingA
0000A01D  004AA01D  0   FindNextFileA
0000A02C  004AA02C  0   FindFirstFileA
0000A03C  004AA03C  0   GetEnvironmentVariableA
0000A055  004AA055  0   GetWindowsDirectoryA
0000A06B  004AA06B  0   GetDriveTypeA
0000A07A  004AA07A  0   GetFileSize
0000A087  004AA087  0   FindClose
0000A092  004AA092  0   FileTimeToSystemTime
0000A0A8  004AA0A8  0   GlobalAlloc
0000A0B5  004AA0B5  0   GetTempFileNameA
0000A0C7  004AA0C7  0   SetFilePointer
0000A0D7  004AA0D7  0   GetSystemTime
0000A0E6  004AA0E6  0   GetCurrentThread
0000A0F8  004AA0F8  0   WriteFile
0000A103  004AA103  0   LoadLibraryA
0000A111  004AA111  0   lstrcpyA
0000A11B  004AA11B  0   CloseHandle
0000A128  004AA128  0   GetFileAttributesA
0000A13C  004AA13C  0   CreateFileA
0000A149  004AA149  0   lstrlenA
0000A153  004AA153  0   GetTempPathA
0000A161  004AA161  0   GetSystemDirectoryA
0000A176  004AA176  0   lstrcatA
0000A180  004AA180  0   GetLastError
0000A18E  004AA18E  0   CreateMutexA
0000A19C  004AA19C  0   CopyFileA
0000A1A7  004AA1A7  0   DeleteFileA
0000A1B4  004AA1B4  0   SetFileAttributesA
0000A1C8  004AA1C8  0   GetModuleFileNameA
0000A1DC  004AA1DC  0   SystemTimeToFileTime
0000A1F2  004AA1F2  0   GetSystemTimeAsFileTime
0000A20B  004AA20B  0   Sleep
0000A212  004AA212  0   ExitThread
0000A21E  004AA21E  0   WaitForSingleObject
0000A233  004AA233  0   CreateProcessA
0000A243  004AA243  0   CreateThread
0000A251  004AA251  0   GetTickCount
0000A25F  004AA25F  0   ExitProcess
0000A26C  004AA26C  0   GetTimeZoneInformation
0000A284  004AA284  0   MapViewOfFile
0000A293  004AA293  0   FileTimeToLocalFileTime
0000A2AC  004AA2AC  0   GetLocalTime
0000A2BA  004AA2BA  0   WideCharToMultiByte
0000A2CF  004AA2CF  0   GetProcAddress
0000A2DF  004AA2DF  0   GetModuleHandleA
0000A2F1  004AA2F1  0   HeapFree
0000A2FB  004AA2FB  0   GetProcessHeap
0000A30B  004AA30B  0   HeapAlloc
0000A316  004AA316  0   lstrcpynA
0000A321  004AA321  0   lstrcmpA
0000A32B  004AA32B  0   lstrcmpiA
0000A336  004AA336  0   GlobalFree
0000A342  004AA342  0   InterlockedDecrement
0000A358  004AA358  0   InterlockedIncrement
0000A36E  004AA36E  0   ReadFile
0000A378  004AA378  0   UnmapViewOfFile
0000A389  004AA389  0   SetThreadPriority
0000A3A5  004AA3A5  0   RegCloseKey
0000A3B2  004AA3B2  0   RegOpenKeyExA
0000A3C1  004AA3C1  0   RegSetValueExA
0000A3D1  004AA3D1  0   RegQueryValueExA
0000A3E3  004AA3E3  0   RegEnumKeyA
0000A3F0  004AA3F0  0   RegCreateKeyExA
0000A40A  004AA40A  0   memset
0000A412  004AA412  0   tolower
0000A41B  004AA41B  0   memcpy
0000A423  004AA423  0   isdigit
0000A42C  004AA42C  0   toupper
0000A435  004AA435  0   isxdigit
0000A43F  004AA43F  0   isalnum
0000A448  004AA448  0   isspace
0000A45A  004AA45A  0   CharUpperBuffA
0000A46A  004AA46A  0   CharUpperA
0000A476  004AA476  0   CharLowerA
0000A482  004AA482  0   wvsprintfA
0000A48E  004AA48E  0   wsprintfA
0000A5CB  004AA5CB  0   .text
0000A5F3  004AA5F3  0   .rsrc
0000C290  004AC290  0   KERNEL32.DLL
0000C29D  004AC29D  0   ADVAPI32.dll
0000C2AA  004AC2AA  0   MSVCRT.dll
0000C2B5  004AC2B5  0   USER32.dll
0000C2C0  004AC2C0  0   WS2_32.dll
0000C2CC  004AC2CC  0   LoadLibraryA
0000C2DA  004AC2DA  0   GetProcAddress
0000C2EA  004AC2EA  0   ExitProcess
0000C2F8  004AC2F8  0   RegCloseKey
0000C306  004AC306  0   memset
0000C30E  004AC30E  0   wsprintfA
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
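Several strings in the dump quoted above (`Ybpny Frggvatf`, `Pbagrag-Glcr: zhygvcneg/zvkrq;`, `ZVZR-Irefvba: 1.0`, `svyranzr="%f"`) are the sample's MIME message template stored under a ROT13 shift, an observation added here rather than stated by either poster. The Python triage helper below is likewise added here, not code from the thread: it scans a strings listing for entries whose ROT13 reading is a MIME/SMTP header fragment, so an analyst sees the hidden mail template without reading the dump by hand; the string list is a constructed subset of the dump.

```python
import codecs

# Constructed subset of the BinText strings quoted in the post above.
SAMPLE_STRINGS = [
    "iphlpapi.dll",
    "DnsQuery_A",
    "Ybpny Frggvatf",
    "K-ZFZnvy-Cevbevgl: Abezny",
    "Pbagrag-Glcr: zhygvcneg/zvkrq;",
    "ZVZR-Irefvba: 1.0",
    "Pbagrag-Genafsre-Rapbqvat: onfr64",
    'svyranzr="%f"',
    'punefrg="Jvaqbjf-1252"',
    "mx1.%s",
    "CreateMutexA",
]

# Fragments a plaintext MIME/SMTP message template would contain.
MIME_MARKERS = (
    "content-type", "content-transfer-encoding", "content-disposition",
    "mime-version", "x-priority", "x-msmail-priority", "subject:", "from:",
    "date:", "filename=", "charset=", "boundary=", "local settings",
)


def rot13(s):
    """ROT13 shifts only ASCII letters; digits and punctuation pass through,
    which is why '%f' in the dump reads back as the printf token '%s'."""
    return codecs.decode(s, "rot_13")


def looks_like_mime(s):
    low = s.lower()
    return any(marker in low for marker in MIME_MARKERS)


def find_obfuscated(strings):
    """Return (original, decoded) pairs whose ROT13 reading is a MIME/SMTP
    template fragment although the original string is not."""
    hits = []
    for s in strings:
        if looks_like_mime(s):
            continue  # already plaintext, nothing hidden here
        decoded = rot13(s)
        if looks_like_mime(decoded):
            hits.append((s, decoded))
    return hits


if __name__ == "__main__":
    for original, decoded in find_obfuscated(SAMPLE_STRINGS):
        print(f"{original!r:40} -> {decoded!r}")
```

Run against a full `strings` or BinText listing, the same check surfaces the boundary, header and filename template lines together, which is a quicker way to confirm the mailer logic than decoding entries one at a time.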