Malware Archive

MD5 : 07563c9417b709573aebebafe1646fef
SHA1SUM : a7031af196b96c09c9d962602245ef4bb434e42f

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00420e8c

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sun May 20 19:49:13 2007
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00016000
SizeOfInitializedData 00008200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000020e8c
BaseOfCode 0000000000001000
BaseOfData 0000000000017000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00028000
SizeOfHeaders 00000400
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000020054 000001d1 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .rsrc at 0x420054

The Import Tables (interpreted .rsrc section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk
00020054 00020010 00000000 ffffffff 000200f4 00020010

DLL Name: kernel32.dll
vma: Hint/Ord Member-Name Bound-To
20104 0 LoadLibraryA
20114 0 GetProcAddress
20128 0 VirtualAlloc
20138 0 VirtualFree

00020068 00020024 00000000 ffffffff 00020148 00020024

DLL Name: MSVCRT.dll
vma: Hint/Ord Member-Name Bound-To
20154 0 _itoa

0002007c 0002002c 00000000 ffffffff 00020160 0002002c

DLL Name: WS2_32.dll
vma: Hint/Ord Member-Name Bound-To
80000004 4 <none>

00020090 00020034 00000000 ffffffff 0002016c 00020034

DLL Name: USER32.dll
vma: Hint/Ord Member-Name Bound-To
20178 0 GetForegroundWindow

000200a4 0002003c 00000000 ffffffff 00020190 0002003c

DLL Name: ADVAPI32.dll
vma: Hint/Ord Member-Name Bound-To
201a0 0 RegEnumValueA

000200b8 00020044 00000000 ffffffff 000201b4 00020044

DLL Name: SHELL32.dll
vma: Hint/Ord Member-Name Bound-To
201c0 0 ShellExecuteA

000200cc 0002004c 00000000 ffffffff 000201d4 0002004c

DLL Name: OLEAUT32.dll
vma: Hint/Ord Member-Name Bound-To
800000c8 200 <none>

000200e0 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00009e00 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
1 .rsrc 0000348c 00420000 00420000 0000a200 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 46508A19 Sun May 20 19:49:13 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00028000
Code Base: 00001000 Size: 00016000
Data Base: 00017000 Size: 00008200
Entry Point: 00020E8C (file offset 0000B08C)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00009E00 Flags: E0000060 (CDERW)
2: .rsrc RVA: 00020000 Offset: 0000A200 Size: 0000348C Flags: E0000060 (CDERW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: kernel32.dll
Addr: 00020010 hint: 0(0000) Name: LoadLibraryA
Addr: 00020014 hint: 0(0000) Name: GetProcAddress
Addr: 00020018 hint: 0(0000) Name: VirtualAlloc
Addr: 0002001C hint: 0(0000) Name: VirtualFree

DLL: MSVCRT.dll
Addr: 00020024 hint: 0(0000) Name: _itoa

DLL: WS2_32.dll
Addr: 0002002C Ord#: 4(0004) Name: connect

DLL: USER32.dll
Addr: 00020034 hint: 0(0000) Name: GetForegroundWindow

DLL: ADVAPI32.dll
Addr: 0002003C hint: 0(0000) Name: RegEnumValueA

DLL: SHELL32.dll
Addr: 00020044 hint: 0(0000) Name: ShellExecuteA

DLL: OLEAUT32.dll
Addr: 0002004C Ord#: 200(00C8) Name: GetErrorInfo

PECompact2
zwov=Z
>37.
S,b@
m+yl*
b;@s
W$$=(
jkjp
!u:sY
xF9s
qyJ>
*Fs7
NcR8Bj
M99\
E7b!-I
&Sq-8
fYO-
l]xlz
]4z.
zTtcL
)xT[
Wg@C
f\)u
{I|ee
DWLg
)@]:nM'
9jCW
rho7;
K6 C\qf73
S=O{ "`DBI=C{
EQAl/
{,2&e
/CsM$m5
G0Rj
kaA}|1
hEaoP
xktr
4lr#H
?aS.gc
kJ:$
1we,
`\ ,q
~\Po
ykG_
F(\1%`
,"hv
ZEdSL-
^FxZ
7"|Uy
D*]}-y
xFc0B<
_}|_
NPe|
s9URaC
R;!z^
OU]Y
z:C}
Ul{D(S
FN="
' VC
0br]
< a-
rl!:
(ETD
n%2`
dK1<.
3`/L
JI5_
P]>ziDE
'dxs
Fo{1
J0r=
y/-nM
L&V.F
9Qgo'
1Q]cF
ddaf
Jr|Y
x*F,'
=$d`
V,]D6
+H\;
.ox;D
mZgt#
yFw5
%qtM
1m4gRog
SK#S
TGUf
Cymk
M."\D
k}6t
~w;
i=n7-
<cYi
)'ue
bm0b
L(6~
ji#2
^)K6
m{d*
>y>@
ziH7
'5Iu
^TR[\~
9<1ye
Ih7f
Q-Xg}
Dj j
Y1!b
><@E
qK`N
Cql?
=2;jk
KQ!F
j"[W
spML
J~V/
vS~B
"5dq
6~5s'
1dg9
Kd8?o
;Eb|
H nX
5ahs
0E<M
Th5G
}BDwlw
<MF2
*i]id
OOqshgm
5Hg+T
`u]g
S9vu
uX/
k+X-
xjFG<z
SotW;
^&*ce>
F4w,
V^;{-
5wM`[n
xSE=
]K@9
:+!k
R0|R
w8O'9
Je6zB
LM*o
VJVX
ME-K
RCmDF
.bR,
IA@}
iJk-
sA9D8
oLF3L
zAGQ*T
vEPw-
81wf*W
ilSF
Az3o=|
#YyMb
dU-N
)$r"
s!hv
2x^L
@ik,
~Qxtj
w tB
'~=t
IZBWv
L]:k
JhN`fq
z%M,(8k
`T[\b
Sk)N
*Yi:
(s)]
!l*3
/{6s
v/."]
HWa?
r&1]
Cz*/
9-(:};
Ht2>K
:s Dl3">
obOpU
N(jE
8R[.%
[81x
2ELI
-2gw
&f2*
.I<<
c2;]
{TE5
hwZM2_
,o jz
`\WR
1X t
fe_4
Q0( *s
rOH,
IGK&
Ve.dA
|(wm+"e
kBE3
h*\^
udU
` ZqR
&M\t
.9B)Ud
f~a<
Qz6'.
z1FF
d Zm
!PkU
lnhET
E}|F
/#7h
qrSB
8Dfa0
,oKA
<mNdN|
.ZZlME
[Hb^
aB\=[
"wl(1
@t1V0
B#x8~tuv^?Vn
,Ze#jo
ZT)Ee4
X$p^
7EMs
Ub;<
5V&"e
1k)G
dZHB
`\ykp
Iyz7
fu}*
{:M*
H"tY~0J
/:3q
<1a+U
5\PF
Q*Fk
jwLw
p"<1/
+\(i
Ul>z
EXKMP
vZ&"*P
TG5V
S$vt
WsbD
.)rs
"Gy}yw
$,%-
ogp>
#Hui
[\9P1
teqs
,QVd
s:<]
$OJZ
c ecD
O o%0
CS%XN>)
V&;LWH
WVGY)HR
"L.'
zv~l
m5&3H
_<{*n
dxB[fE
pJ|n
d acp,
wLHxP
y!=O
*F{V
cH,J6~
AY=V&Xs
pWmV
VD|_]T
Wsw,o
~)Z5
hxmt
e0[Q
Jt%I0
'bs<
<63:
:Ou+
6\m
"KGRL
-)!C>
.UA)^
Ynp>
$PNH
G8T7[
%@i
Q|5.fL
!iuhq
`WwW|
~acO
fD%|
xgz|V
%{O\
W.-f
%vK+
WZ~
r0r\
%7GX
5Lt`
&C'WB
]G?i
_.mZD
RCJS
H5`L
df#Nu
{iZ`
:$)m
}6 =R#v
8$A!
!8I-
8/-]
[='V
34CN
9-DA
2?K9
8g:Q
P$Dt(
ZVrr
rW9r
:ws~
a>`t
R$q
a=.k-
X"CB
aplQ!
|Oz~s
$\tR
$%Qj
8h01
<yFQ
K:G"
0_FO
p(|\
7"_X
%sQ*|
4J^p[/
^ugY
)mG
f,Ymv
qmaZ;
_axVG
1k~&
B3#
5!j'U
tz>QI
j= X
O@!#
[XKn
r5]t
S5xNb
!$2=$*}
j4m\
1DWV>
9[Lr
8zDt
WY'2g-0;
(3@{^
0Yua
L{+uA
0&"_D
{a(o
O~`I
Edjn
Y$Y2
2T[Z>
T{w_
9&p$#
:e=
0,,G}
{h8L
`(xT
[;E&.A
Zd1f
}%j)I
E%x
jp1/wi
L.>N
Mzr`
n$Yef
\vf:
r&bv
gSX:
KM0J
awEw
epbw
:2ns
aL!W
2:>A
8$]j
{M].
k6 w
VF=/
.K-M
bFIO
U@x7
fws;$
GN<A
&Eo<Z
bDlK~
x@JEl+
h{t)
]CHW
jp%.
HKNg`
5e SjxM
!^g~
WvcF
UHGV
G!~n$
HCFBe
%M.f
b4"_
h/Wj
*0md
M?xL7L
DP|A
]Tzd
&R;E
NsW2
'sq1
58mS
kRW'qX'U
, a'
l_nu.
BH}U
UR?O
|TT[(
>+ 4
`p?Q
?ZQS@
v_QuS
M*:RR
#%h]
WJXH
Gid2
vo_ ?
5n(X
G0[^;N
u~Ldd~O
(eA=
>07n?
Q&Id
sGA:Kvk
YXbZnzd
*c.?
;AB3cKN
h,#
c:E1
_;tZ
/Iy8
PTN~
PX}t
Qm{L
/L==
_\3Z
{C@*w
+"I6
k5[.Yu%
9]xD
T\b+
U>B-
"}"#
N6\;
ggJP
z$Fz
!TP
?5uh
5Qr(w
}cQh%i
p,)2
E[JVo
`C?L
"4/|
A*zBe
a7V$
Jy\h
(M2H
~SALj
-*X)
",3K
>YSx
j+JY
j<Vl
h]E?
$@Yk
D;n_
mj9R
zaU<
b# 6
~igR
G|^Rwd
{n{>K7
CF3u
~zpJ
=z!8
/Xu8Q
}"FQ
)p8:
kernel32.dll
LoadLibraryA
GetProcAddress
VirtualAlloc
VirtualFree
MSVCRT.dll
_itoa
WS2_32.dll
USER32.dll
GetForegroundWindow
ADVAPI32.dll
RegEnumValueA
SHELL32.dll
ShellExecuteA
OLEAUT32.dll
u4<E
u~`U
7*Id
7(hu
S +
0I_V
XCU!
sG*D
Q!?U
${3R
z7T2
^Ynbo
&\.q
rjxY
>FA.
h_Ix
SW\V
+KjH@
(L&H
AYR?
C`6K\@
]^_[
`X<tX
t5n;*
I`?W
}M'P
Ls^1}(K
nH<+
Q^2
;|}au
i-%-@
!{@PWQS
msvb
?NEY
BNc$
tDR"
q% %
loMa
K4z/"!
%!3O
zeHw
Ap licat
n er=
7%s5
d,al
3^p*IW':c^lHuPs
3p2vM
l?Ex
hHand
Virt
P$<JH0dz
+|$(
USQWVR
Z^_Y[]
ke8>RS]_
u-&w
Pk":/^
1O^_
:\YM_
+NN\_
-VY]O2KXNVO
-\OK^O/`OX^+
1O^6K]^/\\Y\
<;;:
xr,a
; pj%g
}>9^
& ]X.
iVER
W0K8
EXK6
tnPe`
MFIN
(^A,$
w p8
St/T
`slX}
0mhb
g@S@
*i^K
{;Dg,
Q*M:
e~AF
2kbd
{m:]
P~H<-
>A7,2
=h^?6"
-jf.
x2y#
2$o0
"_yQ
|^:l
`unX
=b46
~x2y
f g
@ 80)
5NQ6
:$vW
3pP4
1jZ*
]qE^
lf n
nXhO
g"_0
`{or/
wB|6
-$].
4f9ZH
)ck.{
tf/a
u5d8\
M M>
fV[GN
e$rl&l
K&lf
5 =N
(*x2
aq<J
vW2R
M{X>
O$rl&
8e}0V
]kHN
J"3v>D
{).3
8_@^^
i&lf
z5{&+\
$-=)YBH
PdI>+w_f
n8ton#
>mph
}p1jjs
V*/)
:mllQ
vpm,c
X,Np*D
e$rlw
i&lf
ou*X
M"pj$
i$a2
<k]j
4kVa
I%$%
M"pjd
pj#[
h\Ir
& g
Y4yd
p*"~Xz
_2TB