Malware Archive



MD5 : 29f0569b6b287b09a0a296e8eb616566
SHA1SUM : d9c08c49be51d2bef577eeb30e750f04f663d903

architecture: i386, flags 0x0000010a:
EXEC_P, HAS_DEBUG, D_PAGED
start address 0x00421000

Characteristics 0x10f
relocations stripped
executable
line numbers stripped
symbols stripped
32 bit words

Time/Date Sun Aug 19 01:14:41 2007
Magic 010b (PE32)
MajorLinkerVersion 6
MinorLinkerVersion 0
SizeOfCode 00016000
SizeOfInitializedData 00008200
SizeOfUninitializedData 00000000
AddressOfEntryPoint 0000000000021000
BaseOfCode 0000000000001000
BaseOfData 0000000000017000
ImageBase 0000000000400000
SectionAlignment 0000000000001000
FileAlignment 0000000000000200
MajorOSystemVersion 4
MinorOSystemVersion 0
MajorImageVersion 0
MinorImageVersion 0
MajorSubsystemVersion 4
MinorSubsystemVersion 0
Win32Version 0000abcd
SizeOfImage 0002115d
SizeOfHeaders 00000288
CheckSum 00000000
Subsystem 00000002 (Windows GUI)
DllCharacteristics 00000000
SizeOfStackReserve 0000000000100000
SizeOfStackCommit 0000000000001000
SizeOfHeapReserve 0000000000100000
SizeOfHeapCommit 0000000000001000
LoaderFlags 00000000
NumberOfRvaAndSizes 00000010

The Data Directory
Entry 0 0000000000000000 00000000 Export Directory [.edata (or where ever we found it)]
Entry 1 0000000000020477 00000096 Import Directory [parts of .idata]
Entry 2 0000000000000000 00000000 Resource Directory [.rsrc]
Entry 3 0000000000000000 00000000 Exception Directory [.pdata]
Entry 4 0000000000000000 00000000 Security Directory
Entry 5 0000000000000000 00000000 Base Relocation Directory [.reloc]
Entry 6 0000000000000000 00000000 Debug Directory
Entry 7 0000000000000000 00000000 Description Directory
Entry 8 0000000000000000 00000000 Special Directory
Entry 9 0000000000000000 00000000 Thread Storage Directory [.tls]
Entry a 0000000000000000 00000000 Load Configuration Directory
Entry b 0000000000000000 00000000 Bound Import Directory
Entry c 0000000000017000 00000270 Import Address Table Directory
Entry d 0000000000000000 00000000 Delay Import Directory
Entry e 0000000000000000 00000000 CLR Runtime Header
Entry f 0000000000000000 00000000 Reserved

There is an import table in .Polyene at 0x420477

The Import Tables (interpreted .Polyene section contents)
vma:     Hint Table  Time Stamp  Forward Chain  DLL Name  First Thunk
00020477 00000000    00000000    ffffffff       0002049f  000204ac

DLL Name: KERNEL32.dll

0002048b 00000000 00000000 00000000 00000000 00000000

Sections:
Idx Name Size VMA LMA File off Algn
0 .text 0000ac00 00401000 00401000 00000400 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
1 .rdata 00000800 00417000 00417000 0000b000 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
2 .data 00002c00 00418000 00418000 0000b800 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
3 .Polyene 000005fe 00420000 00420000 0000e400 2**2
CONTENTS, ALLOC, LOAD, CODE, DATA
4 .avc 0000015d 00421000 00421000 0000f000 2**2
CONTENTS, ALLOC, LOAD, CODE
PeRdr by Frediano Ziglio. Build Dec 27 2007
++++++++++++++++++++++++ FILE HEADER INFORMATION +++++++++++++++++++++++++

TimeStamp: 46C77D61 Sun Aug 19 01:14:41 2007
Subsystem: 2 (Windows GUI)
Image Base: 00400000 Size: 0002115D
Code Base: 00001000 Size: 00016000
Data Base: 00017000 Size: 00008200
Entry Point: 00021000 (file offset 0000F000)

++++++++++++++++++++++++++++++++ SECTIONS ++++++++++++++++++++++++++++++++

1: .text RVA: 00001000 Offset: 00000400 Size: 0000AC00 Flags: E0000060 (CDERW)
2: .rdata RVA: 00017000 Offset: 0000B000 Size: 00000800 Flags: E0000060 (CDERW)
3: .data RVA: 00018000 Offset: 0000B800 Size: 00002C00 Flags: E0000060 (CDERW)
4: .Polyene RVA: 00020000 Offset: 0000E400 Size: 00000600 Flags: E0000060 (CDERW)
5: .avc RVA: 00021000 Offset: 0000F000 Size: 00000200 Flags: E00000A0 (CUERW)

++++++++++++++++++++++++++++++++ IMPORTS +++++++++++++++++++++++++++++++++

DLL: KERNEL32.dll
Addr: 000204AC hint: 360(0168) Name: GlobalAlloc
Addr: 000204B0 hint: 367(016F) Name: GlobalFree
Addr: 000204B4 hint: 425(01A9) Name: LoadLibraryA
Addr: 000204B8 hint: 297(0129) Name: GetProcAddress
Addr: 000204BC hint: 117(0075) Name: ExitProcess

KERNEL32.dll
GlobalAlloc
GlobalFree
LoadLibraryA
GetProcAddress
ExitProcess
:Unable to fix importtable.
PolyEnE
MessageBoxA
USER32.dll