Malware Archive


MD5 : 0a435564b3bf3e02606be446c33538bc
SHA1SUM : f19cb73065c13fa1acc1e57d735bb34bfb8dfebf

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x0043fc9a

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Thu Sep 6 14:19:08 2007
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00016000
SizeOfInitializedData 00008200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 000000000003fc9a
BaseOfCode 0000000000027000
BaseOfData 0000000000017000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00041000
SizeOfHeaders 00001000
CheckSum 00021884
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000027000 00000110 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000027110 00000018 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in 802izwe5 at 0x427000

The Import Tables (interpreted 802izwe5 section contents)
vma: Hint Time Forward DLL First
Table Stamp Chain Name Thunk

Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00000000 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE
1 .rdata 00000000 00417000 00417000 00000400 2**2
CONTENTS, ALLOC, LOAD, DATA
2 .data 00000000 00418000 00418000 00000400 2**2
CONTENTS, ALLOC, LOAD, DATA
3 iwe0sgrm 00000000 00420000 00420000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE
4 802izwe5 00018cbe 00427000 00427000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
5 f1dfid6q 00000200 00440000 00440000 00019200 2**2
CONTENTS, ALLOC, READONLY

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 46DFF03C Thu Sep 6 14:19:08 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 00041000
Code Base: 00027000 Size: 00016000
Data Base: 00017000 Size: 00008200
Entry Point: 0003FC9A (file offset 0001909A)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000020 (CERW)
2: .rdata RVA: 00017000 Offset: 00000400 Size: 00000000 Flags: C0000040 (DRW)
3: .data RVA: 00018000 Offset: 00000400 Size: 00000000 Flags: C0000040 (DRW)
4: iwe0sgrm RVA: 00020000 Offset: 00000400 Size: 00000000 Flags: E0000020 (CERW)
5: 802izwe5 RVA: 00027000 Offset: 00000400 Size: 00018CBE Flags: E0000060 (CDERW)
6: f1dfid6q RVA: 00040000 Offset: 00019200 Size: 00000200 Flags: 40000080 (UR)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: kernel32.dll
Addr: 000270B4 hint: 0(0000) Name: GetModuleHandleA
Addr: 000270B8 hint: 0(0000) Name: LoadLibraryA
Addr: 000270BC hint: 0(0000) Name: GetProcAddress
Addr: 000270C0 hint: 0(0000) Name: ExitProcess
Addr: 000270C4 hint: 0(0000) Name: VirtualAlloc
Addr: 000270C8 hint: 0(0000) Name: VirtualFree

DLL: user32.dll
Addr: 00027104 hint: 0(0000) Name: MessageBoxA

!This program cannot be run in DOS mode.
.text
.rdata
.data
iwe0sgrm
802izwe5
f1dfid6q
kernel32.dll
GetModuleHandleA
LoadLibraryA
GetProcAddress
ExitProcess
VirtualAlloc
VirtualFree
user32.dll
MessageBoxA