Malware Archive

MD5 : 049630bfdfa9f2d19aa9f9073352012d
SHA1SUM : ab89c1c8ffd2c53a4ad88d40669d672858ff389c

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x1002a200

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Mon Mar 12 02:55:20 2007
Magic 010b (PE32)
MajorLinkerVersion 5
MinorLinkerVersion 12
SizeOfCode 00000a00
SizeOfInitializedData 0000ce68
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000002a200
BaseOfCode 000000000001e000
BaseOfData 0000000000002000
ImageBase 0000000010000000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00032000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000001e000 00000110 Import Directory [parts of .idata]
Entry 2 0000000000004000 0000c468 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 000000000001e110 00000018 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in 3a14gzkz at 0x1001e000

The Import Tables (interpreted 3a14gzkz section contents)
 vma:            Hint    Time      Forward  DLL       First
                 Table   Stamp     Chain    Name      Thunk

Sections:
Idx Name          Size      VMA       LMA       File off  Algn
  0 .text         00000000  10001000  10001000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  1 vyridizn      00000000  10002000  10002000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, CODE, DATA
  2 .data         00000000  10003000  10003000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  3 .rsrc         0000c468  10004000  10004000  00000400  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, DATA
  4 T0R0          00000000  10011000  10011000  0000ca00  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  5 5zd9bm4t      00000000  10012000  10012000  0000ca00  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  6 an.kk9rg      00000000  10013000  10013000  0000ca00  2**2
                  CONTENTS, ALLOC, LOAD, CODE
  7 3a14gzkz      0000badb  1001e000  1001e000  0000ca00  2**2
                  CONTENTS, ALLOC, LOAD, CODE, DATA
  8 y5maaiyw      00002800  1002a000  1002a000  00018600  2**2
                  CONTENTS, ALLOC, LOAD, CODE, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 45F4B308 Mon Mar 12 02:55:20 2007
Subsystem: 2 (Windows GUI)
Image Base: 10000000 Size: 00032000
Code Base: 0001E000 Size: 00000A00
Data Base: 00002000 Size: 0000CE68
Entry Point: 0002A200 (file offset 00018800)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000020 (CERW)
2: vyridizn RVA: 00002000 Offset: 00000400 Size: 00000000 Flags: E0000060 (CDERW)
3: .data RVA: 00003000 Offset: 00000400 Size: 00000000 Flags: C0000040 (DRW)
4: .rsrc RVA: 00004000 Offset: 00000400 Size: 0000C468 Flags: 40000040 (DR)
5: T0R0 RVA: 00011000 Offset: 0000CA00 Size: 00000000 Flags: E0000020 (CERW)
6: 5zd9bm4t RVA: 00012000 Offset: 0000CA00 Size: 00000000 Flags: C0000040 (DRW)
7: an.kk9rg RVA: 00013000 Offset: 0000CA00 Size: 00000000 Flags: E0000020 (CERW)
8: 3a14gzkz RVA: 0001E000 Offset: 0000CA00 Size: 0000BADB Flags: E0000060 (CDERW)
Runtime Error: Unable to read from file
9: y5maaiyw RVA: 0002A000 Offset: 00018600 Size: 00002800 Flags: E00000E0 (CDUERW)
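The two section listings above, as an added worked example that is not part of the archive page or of either tool's output: a Python script that transcribes the section table and the optional-header values printed on this page and re-derives the checks an analyst does on them before running the sample. It decodes the PeRdr flag letters from the Characteristics bits (E0000020 is CERW, E00000E0 is CDUERW), locates the section holding the entry point and its file offset (which should reproduce PeRdr's 00018800), and collects the header traits visible here: the entry point sits in the last section y5maaiyw rather than .text and outside the BaseOfCode/SizeOfCode range, six sections have size 0 in the file, every code section is writable, six section names are not conventional, and a TLS directory is present, so TLS callbacks can run before the entry point. The Section tuples, the indicator names and the helper functions are this example's own; the numbers are copied from the page. The single size column both tools print is taken as the section's size in the file, and for the lookup a section's span is bounded by the next section's RVA, so it does not depend on that column.

```python
"""Re-derive header checks from the section table printed above.

Added example: the constants below are transcribed from the objdump and
PeRdr listings on this page; the helpers and indicator names are this
example's own, not part of either tool.
"""
from dataclasses import dataclass

# IMAGE_SCN_* characteristic bits (winnt.h) and the letter PeRdr prints
# for each one, e.g. E0000020 -> "CERW", E00000E0 -> "CDUERW".
SCN_FLAGS = [
    (0x00000020, "C"),  # IMAGE_SCN_CNT_CODE
    (0x00000040, "D"),  # IMAGE_SCN_CNT_INITIALIZED_DATA
    (0x00000080, "U"),  # IMAGE_SCN_CNT_UNINITIALIZED_DATA
    (0x20000000, "E"),  # IMAGE_SCN_MEM_EXECUTE
    (0x40000000, "R"),  # IMAGE_SCN_MEM_READ
    (0x80000000, "W"),  # IMAGE_SCN_MEM_WRITE
]
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


@dataclass(frozen=True)
class Section:
    name: str
    rva: int       # RVA (VMA minus ImageBase)
    file_off: int  # PointerToRawData ("File off" / "Offset" above)
    size: int      # the single size column both tools print
    flags: int     # Characteristics


# Transcribed from the section listings on this page.
SECTIONS = [
    Section(".text",    0x01000, 0x00400, 0x00000, 0xE0000020),
    Section("vyridizn", 0x02000, 0x00400, 0x00000, 0xE0000060),
    Section(".data",    0x03000, 0x00400, 0x00000, 0xC0000040),
    Section(".rsrc",    0x04000, 0x00400, 0x0C468, 0x40000040),
    Section("T0R0",     0x11000, 0x0CA00, 0x00000, 0xE0000020),
    Section("5zd9bm4t", 0x12000, 0x0CA00, 0x00000, 0xC0000040),
    Section("an.kk9rg", 0x13000, 0x0CA00, 0x00000, 0xE0000020),
    Section("3a14gzkz", 0x1E000, 0x0CA00, 0x0BADB, 0xE0000060),
    Section("y5maaiyw", 0x2A000, 0x18600, 0x02800, 0xE00000E0),
]

# Optional-header values from the page.
IMAGE_BASE = 0x10000000
ENTRY_RVA = 0x2A200                        # AddressOfEntryPoint
BASE_OF_CODE, SIZE_OF_CODE = 0x1E000, 0xA00
TLS_DIR_RVA, TLS_DIR_SIZE = 0x1E110, 0x18  # Data Directory entry 9


def decode_flags(flags):
    """Render Characteristics the way PeRdr does: 0xE0000020 -> 'CERW'."""
    return "".join(letter for bit, letter in SCN_FLAGS if flags & bit)


def section_for_rva(rva, sections=SECTIONS):
    """Section whose RVA span holds `rva`; the span ends where the next
    section (in RVA order) begins, so it does not depend on the size column."""
    ordered = sorted(sections, key=lambda s: s.rva)
    for i, sec in enumerate(ordered):
        end = ordered[i + 1].rva if i + 1 < len(ordered) else float("inf")
        if sec.rva <= rva < end:
            return sec
    return None


def rva_to_file_offset(rva, sections=SECTIONS):
    """File offset backing `rva`, or None if the RVA has no bytes in the file
    (as for the six sections above whose size is 0)."""
    sec = section_for_rva(rva, sections)
    if sec is None or rva - sec.rva >= sec.size:
        return None
    return sec.file_off + (rva - sec.rva)


def packer_indicators(sections=SECTIONS, entry_rva=ENTRY_RVA):
    """Return (code, detail) pairs for the header traits an analyst would
    note before running this file. The codes are this example's own names."""
    hits = []
    entry = section_for_rva(entry_rva, sections)
    if entry is None or entry.name != ".text":
        hits.append(("entry-outside-text",
                     f"entry point 0x{entry_rva:X} is in {entry.name if entry else 'no'} section"))
    if not BASE_OF_CODE <= entry_rva < BASE_OF_CODE + SIZE_OF_CODE:
        hits.append(("entry-outside-code-range",
                     "entry point is not inside BaseOfCode..BaseOfCode+SizeOfCode"))
    empty = [s.name for s in sections if s.size == 0]
    if empty:
        hits.append(("empty-sections", "no file bytes: " + ", ".join(empty)))
    wx = [s.name for s in sections if s.flags & SCN_WRITE and s.flags & SCN_EXECUTE]
    if wx:
        hits.append(("wx-sections", "writable and executable: " + ", ".join(wx)))
    odd = [s.name for s in sections if not s.name.startswith(".")]
    if odd:
        hits.append(("odd-names", "non-standard names: " + ", ".join(odd)))
    if TLS_DIR_SIZE:
        hits.append(("tls-directory",
                     f"TLS directory at RVA 0x{TLS_DIR_RVA:X}: callbacks may run before the entry point"))
    return hits


if __name__ == "__main__":
    for s in SECTIONS:
        print(f"{s.name:<9} RVA {s.rva:06X} flags {s.flags:08X} ({decode_flags(s.flags)})")
    off = rva_to_file_offset(ENTRY_RVA)
    print(f"entry VA {IMAGE_BASE + ENTRY_RVA:08X} -> file offset {off:08X}")
    for code, detail in packer_indicators():
        print(f"[{code}] {detail}")
```

Run it as a script to get the flag decoding for each section, the entry point's file offset and the indicator list; the same functions can be pointed at a section table read from any other PE with a library such as pefile by building Section tuples from it. The "empty-sections" indicator is the one to read first here: the original .text, .data and four other sections have no bytes in the file at all, which is the usual shape of a packed binary whose real code is produced at run time, and the import table sitting in 3a14gzkz (the only other section with content) is where an unpacker would look for the loader stub.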

!This program cannot be run in DOS mode.
RichJwS
.text
vyridizn
.data
.rsrc
@T0R0
5zd9bm4t
an.kk9rg
3a14gzkz
y5maaiyw
IQ8Af
?8<T
;yYj
0En9
;*CR
?!!-UI1!
)C'q
PImq
,Yg se
U&YYWyC
Q#A1