Malware Archive

MD5 : 17028f1eda9d3a3f7423f47bd2f525f6
SHA1SUM : 25942bbd53a66b29a2a6dba66a7376ee068b0921

architecture: i386, flags 0x0000010b:
HAS_RELOC, EXEC_P, HAS_DEBUG, D_PAGED
start address 0x5630dec0

Characteristics 0x210e
executable
line numbers stripped
symbols stripped
32 bit words
DLL

Time/Date Wed Feb 16 18:05:58 2005
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00005000
SizeOfInitializedData 00001000
SizeOfUninitializedData 00009000
AddressOfEntryPoint 000000000000dec0
BaseOfCode 000000000000a000
BaseOfData 000000000000f000
ImageBase 0000000056300000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 00000000
SizeOfImage 00010000
SizeOfHeaders 00001000
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 000000000000f000 000001ec Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 000000000000f1ec 0000000c Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000000000 00000000 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in UPX2 at 0x5630f000

The Import Tables (interpreted UPX2 section contents)
vma:     Hint     Time     Forward  DLL      First    DLL Name
         Table    Stamp    Chain    Name     Thunk
0000f000 00000000 00000000 00000000 0000f114 0000f0c8 KERNEL32.DLL
0000f014 00000000 00000000 00000000 0000f121 0000f0d4 ADVAPI32.dll
0000f028 00000000 00000000 00000000 0000f12e 0000f0dc ICMP.DLL
0000f03c 00000000 00000000 00000000 0000f137 0000f0e4 MPR.dll
0000f050 00000000 00000000 00000000 0000f13f 0000f0ec MSVCRT.dll
0000f064 00000000 00000000 00000000 0000f14a 0000f0f4 ole32.dll
0000f078 00000000 00000000 00000000 0000f154 0000f0fc urlmon.dll
0000f08c 00000000 00000000 00000000 0000f15f 0000f104 WININET.dll
0000f0a0 00000000 00000000 00000000 0000f16b 0000f10c WS2_32.dll
0000f0b4 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 UPX0 00009000 56301000 56301000 00000400 2**2
CONTENTS, ALLOC, CODE
1 UPX1 00004200 5630a000 5630a000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
2 UPX2 00000200 5630f000 5630f000 00004600 2**2
CONTENTS, ALLOC, LOAD, DATA

PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 42137D76 Wed Feb 16 18:05:58 2005
Subsystem: 2 (Windows GUI)
Image Base: 56300000 Size: 00010000
Code Base: 0000A000 Size: 00005000
Data Base: 0000F000 Size: 00001000 (plus 00009000 uninitialized)
Entry Point: 0000DEC0 (file offset 000042C0)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: UPX0 RVA: 00001000 Offset: 00000400 Size: 00000000 Flags: E0000080 (UERW)
2: UPX1 RVA: 0000A000 Offset: 00000400 Size: 00004200 Flags: E0000040 (DERW)
3: UPX2 RVA: 0000F000 Offset: 00004600 Size: 00000200 Flags: C0000040 (DRW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: KERNEL32.DLL
Addr: 0000F0C8 hint: 0(0000) Name: LoadLibraryA
Addr: 0000F0CC hint: 0(0000) Name: GetProcAddress

DLL: ADVAPI32.dll
Addr: 0000F0D4 hint: 0(0000) Name: RegCloseKey

DLL: ICMP.DLL
Addr: 0000F0DC Ord#: 2(0002)

DLL: MPR.dll
Addr: 0000F0E4 hint: 0(0000) Name: WNetOpenEnumA

DLL: MSVCRT.dll
Addr: 0000F0EC hint: 0(0000) Name: exp

DLL: ole32.dll
Addr: 0000F0F4 hint: 0(0000) Name: CoInitialize

DLL: urlmon.dll
Addr: 0000F0FC hint: 0(0000) Name: URLDownloadToFileA

DLL: WININET.dll
Addr: 0000F104 hint: 0(0000) Name: InternetOpenA

DLL: WS2_32.dll
Addr: 0000F10C Ord#: 8(0008) Name: htonl

SOFTWARE
\ODBC<ciNOPQRSTUVWXYZab
cdefghijklmnopqrstuvwxyz01234567
89+/ADEFGHIJKLM
GMozill
a/4.0 (compatible; MSIE 6
Windows NT 5.1)
.tmp
\%dParadoxoftw
e\Micros
\DNaAccess+
base;hfddsfsdhaazzdgf
1ejuy
g gdpo&
7!0;ttp://%s/
ex.php?i
d&li s
cu:%02v=0&n+
ank.
h.frb.org
POST
t/fp30
HTTP/
gPrv
gC\k
l-KH&
hnkp
PC NEU
ORK PROGRAM
LANM
404 No
* 2; O
KBD]u
tJGET
URLDownl
KERNEL32.DLL
ADVAPI32.dll
ICMP.DLL
MPR.dll
MSVCRT.dll
ole32.dll
urlmon.dll
WININET.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
RegCloseKey
WNetOpenEnumA
CoInitialize
URLDownloadToFileA
InternetOpenA