Message-ID: <1889107484.20040127005856@Sniff-em.com>
From: Thierry at Sniff-em.com (Thierry)
Subject: massive outbreak - expect a major network slowdown
Hello Gadi,
GE> Whichever the case this outbreak is HUGE.
GE> Largest in a while and it is spreading VERY FAST.
I can only confirm it; it currently slips through my ISP's virus mail
gateway. I have a few files here, some in uncompressed state, if anybody is
interested and hasn't had the chance to get one of those (should be
rare though). I am not aware whether it self-modifies or not; here
are the strings I extracted from the uncompressed PIF file.
Tool: BinText
File pos Mem pos ID Text
======== ======= == ====
0000269C 004A269C 0 iphlpapi.dll
000026AC 004A26AC 0 DnsQuery_A
000026B8 004A26B8 0 dnsapi.dll
000026C4 004A26C4 0 GetNetworkParams
000026D8 004A26D8 0 sandra
000026E0 004A26E0 0 linda
000026E8 004A26E8 0 julie
000026F0 004A26F0 0 jimmy
000026F8 004A26F8 0 jerry
00002700 004A2700 0 helen
00002708 004A2708 0 debby
00002710 004A2710 0 claudia
00002718 004A2718 0 brenda
00002728 004A2728 0 alice
00002730 004A2730 0 brent
00002764 004A2764 0 smith
0000276C 004A276C 0 steve
00002798 004A2798 0 robert
000027A0 004A27A0 0 peter
000027C0 004A27C0 0 brian
000027CC 004A27CC 0 maria
000027E0 004A27E0 0 andrew
000027EC 004A27EC 0 george
000027F4 004A27F4 0 david
000027FC 004A27FC 0 kevin
0000280C 004A280C 0 james
00002814 004A2814 0 michael
0000282C 004A282C 0 accoun
00002834 004A2834 0 certific
00002840 004A2840 0 listserv
0000284C 004A284C 0 ntivi
00002854 004A2854 0 support
0000285C 004A285C 0 icrosoft
00002868 004A2868 0 admin
00002878 004A2878 0 the.bat
00002880 004A2880 0 gold-certs
00002890 004A2890 0 feste
00002898 004A2898 0 submit
000028AC 004A28AC 0 service
000028B4 004A28B4 0 privacy
000028BC 004A28BC 0 somebody
000028D4 004A28D4 0 contact
000028E4 004A28E4 0 rating
00002904 004A2904 0 someone
0000290C 004A290C 0 anyone
00002914 004A2914 0 nothing
0000291C 004A291C 0 nobody
00002924 004A2924 0 noone
0000292C 004A292C 0 webmaster
00002938 004A2938 0 postmaster
00002944 004A2944 0 samples
0000295E 004A295E 0 be_loyal:
00002968 004A2968 0 mozilla
00002970 004A2970 0 utgers.ed
0000297C 004A297C 0 tanford.e
0000298C 004A298C 0 acketst
00002994 004A2994 0 secur
0000299C 004A299C 0 isc.o
000029A4 004A29A4 0 isi.e
000029AC 004A29AC 0 ripe.
000029B4 004A29B4 0 arin.
000029BC 004A29BC 0 sendmail
000029C8 004A29C8 0 rfc-ed
000029E0 004A29E0 0 usenet
000029F0 004A29F0 0 linux
000029F8 004A29F8 0 kernel
00002A00 004A2A00 0 google
00002A08 004A2A08 0 ibm.com
00002A1C 004A2A1C 0 mit.e
00002A38 004A2A38 0 berkeley
00002A68 004A2A68 0 ruslis
00002A70 004A2A70 0 nodomai
00002A78 004A2A78 0 mydomai
00002A80 004A2A80 0 example
00002A88 004A2A88 0 inpris
00002A90 004A2A90 0 borlan
00002A98 004A2A98 0 sopho
00002AA0 004A2AA0 0 panda
00002AA8 004A2AA8 0 hotmail
00002AB8 004A2AB8 0 icrosof
00002AD4 004A2AD4 0 -._!@
00002ADC 004A2ADC 0 abuse
00002E34 004A2E34 0 USERPROFILE
00002E40 004A2E40 0 Ybpny Frggvatf
0000345C 004A345C 0 %s.%s
00003480 004A3480 0 %s.zip
0000348C 004A348C 0 Mail transaction failed. Partial message is available.
000034C8 004A34C8 0 The message contains Unicode characters and has been sent as a binary attachment.
00003520 004A3520 0 The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
00003590 004A3590 0 ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
000035DE 004A35DE 0 K-ZFZnvy-Cevbevgl: Abezny
000035FA 004A35FA 0 K-Cevbevgl: 3
00003608 004A3608 0 boundary="%s"
0000361A 004A361A 0 Pbagrag-Glcr: zhygvcneg/zvkrq;
0000363E 004A363E 0 ZVZR-Irefvba: 1.0
00003652 004A3652 0 Qngr:
0000365E 004A365E 0 Fhowrpg:
00003670 004A3670 0 Sebz:
00003678 004A3678 0 ----=_%s_%.3u_%.4u_%.8X.%.8X
00003698 004A3698 0 NextPart
000036A8 004A36A8 0 --%s--
000036BE 004A36BE 0 Pbagrag-Glcr: nccyvpngvba/bpgrg-fgernz;
000036E7 004A36E7 0 anzr="%f"
000036F3 004A36F3 0 Pbagrag-Genafsre-Rapbqvat: onfr64
00003716 004A3716 0 Pbagrag-Qvfcbfvgvba: nggnpuzrag;
00003738 004A3738 0 svyranzr="%f"
0000375E 004A375E 0 Pbagrag-Glcr: grkg/cynva;
00003779 004A3779 0 punefrg="Jvaqbjf-1252"
00003792 004A3792 0 Pbagrag-Genafsre-Rapbqvat: 7ovg
00003890 004A3890 0 gate.%s
00003898 004A3898 0 ns.%s
000038A0 004A38A0 0 relay.%s
000038AC 004A38AC 0 mail1.%s
000038B8 004A38B8 0 mxs.%s
000038C0 004A38C0 0 mx1.%s
000038C8 004A38C8 0 smtp.%s
000038D0 004A38D0 0 mail.%s
000038D8 004A38D8 0 mx.%s
0000A009 004AA009 0 CreateFileMappingA
0000A01D 004AA01D 0 FindNextFileA
0000A02C 004AA02C 0 FindFirstFileA
0000A03C 004AA03C 0 GetEnvironmentVariableA
0000A055 004AA055 0 GetWindowsDirectoryA
0000A06B 004AA06B 0 GetDriveTypeA
0000A07A 004AA07A 0 GetFileSize
0000A087 004AA087 0 FindClose
0000A092 004AA092 0 FileTimeToSystemTime
0000A0A8 004AA0A8 0 GlobalAlloc
0000A0B5 004AA0B5 0 GetTempFileNameA
0000A0C7 004AA0C7 0 SetFilePointer
0000A0D7 004AA0D7 0 GetSystemTime
0000A0E6 004AA0E6 0 GetCurrentThread
0000A0F8 004AA0F8 0 WriteFile
0000A103 004AA103 0 LoadLibraryA
0000A111 004AA111 0 lstrcpyA
0000A11B 004AA11B 0 CloseHandle
0000A128 004AA128 0 GetFileAttributesA
0000A13C 004AA13C 0 CreateFileA
0000A149 004AA149 0 lstrlenA
0000A153 004AA153 0 GetTempPathA
0000A161 004AA161 0 GetSystemDirectoryA
0000A176 004AA176 0 lstrcatA
0000A180 004AA180 0 GetLastError
0000A18E 004AA18E 0 CreateMutexA
0000A19C 004AA19C 0 CopyFileA
0000A1A7 004AA1A7 0 DeleteFileA
0000A1B4 004AA1B4 0 SetFileAttributesA
0000A1C8 004AA1C8 0 GetModuleFileNameA
0000A1DC 004AA1DC 0 SystemTimeToFileTime
0000A1F2 004AA1F2 0 GetSystemTimeAsFileTime
0000A20B 004AA20B 0 Sleep
0000A212 004AA212 0 ExitThread
0000A21E 004AA21E 0 WaitForSingleObject
0000A233 004AA233 0 CreateProcessA
0000A243 004AA243 0 CreateThread
0000A251 004AA251 0 GetTickCount
0000A25F 004AA25F 0 ExitProcess
0000A26C 004AA26C 0 GetTimeZoneInformation
0000A284 004AA284 0 MapViewOfFile
0000A293 004AA293 0 FileTimeToLocalFileTime
0000A2AC 004AA2AC 0 GetLocalTime
0000A2BA 004AA2BA 0 WideCharToMultiByte
0000A2CF 004AA2CF 0 GetProcAddress
0000A2DF 004AA2DF 0 GetModuleHandleA
0000A2F1 004AA2F1 0 HeapFree
0000A2FB 004AA2FB 0 GetProcessHeap
0000A30B 004AA30B 0 HeapAlloc
0000A316 004AA316 0 lstrcpynA
0000A321 004AA321 0 lstrcmpA
0000A32B 004AA32B 0 lstrcmpiA
0000A336 004AA336 0 GlobalFree
0000A342 004AA342 0 InterlockedDecrement
0000A358 004AA358 0 InterlockedIncrement
0000A36E 004AA36E 0 ReadFile
0000A378 004AA378 0 UnmapViewOfFile
0000A389 004AA389 0 SetThreadPriority
0000A3A5 004AA3A5 0 RegCloseKey
0000A3B2 004AA3B2 0 RegOpenKeyExA
0000A3C1 004AA3C1 0 RegSetValueExA
0000A3D1 004AA3D1 0 RegQueryValueExA
0000A3E3 004AA3E3 0 RegEnumKeyA
0000A3F0 004AA3F0 0 RegCreateKeyExA
0000A40A 004AA40A 0 memset
0000A412 004AA412 0 tolower
0000A41B 004AA41B 0 memcpy
0000A423 004AA423 0 isdigit
0000A42C 004AA42C 0 toupper
0000A435 004AA435 0 isxdigit
0000A43F 004AA43F 0 isalnum
0000A448 004AA448 0 isspace
0000A45A 004AA45A 0 CharUpperBuffA
0000A46A 004AA46A 0 CharUpperA
0000A476 004AA476 0 CharLowerA
0000A482 004AA482 0 wvsprintfA
0000A48E 004AA48E 0 wsprintfA
0000A5CB 004AA5CB 0 .text
0000A5F3 004AA5F3 0 .rsrc
0000C290 004AC290 0 KERNEL32.DLL
0000C29D 004AC29D 0 ADVAPI32.dll
0000C2AA 004AC2AA 0 MSVCRT.dll
0000C2B5 004AC2B5 0 USER32.dll
0000C2C0 004AC2C0 0 WS2_32.dll
0000C2CC 004AC2CC 0 LoadLibraryA
0000C2DA 004AC2DA 0 GetProcAddress
0000C2EA 004AC2EA 0 ExitProcess
0000C2F8 004AC2F8 0 RegCloseKey
0000C306 004AC306 0 memset
0000C30E 004AC30E 0 wsprintfA
--
Best regards,
Thierry mailto:Thierry@...ff-em.com
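The rows in the dump that look like gibberish ("Pbagrag-Glcr: zhygvcneg/zvkrq;", "Ybpny Frggvatf") are ROT13-obfuscated MIME headers and paths. Here is an added Python example (not part of Thierry's post or of BinText) that parses BinText-style lines and decodes the rows whose ROT13 form contains a known MIME/SMTP token; the sample rows are copied from the dump above.

```python
import codecs
import re

# Constructed sample: a handful of rows copied from the BinText dump above.
SAMPLE_BINTEXT = """\
00002E40 004A2E40 0 Ybpny Frggvatf
000035DE 004A35DE 0 K-ZFZnvy-Cevbevgl: Abezny
00003608 004A3608 0 boundary="%s"
0000361A 004A361A 0 Pbagrag-Glcr: zhygvcneg/zvkrq;
0000363E 004A363E 0 ZVZR-Irefvba: 1.0
00003670 004A3670 0 Sebz:
000036E7 004A36E7 0 anzr="%f"
000036F3 004A36F3 0 Pbagrag-Genafsre-Rapbqvat: onfr64
00003779 004A3779 0 punefrg="Jvaqbjf-1252"
000038C8 004A38C8 0 smtp.%s
00002A08 004A2A08 0 ibm.com
"""

# BinText row layout: <file pos> <mem pos> <id> <text>
LINE_RE = re.compile(r"^([0-9A-F]{8}) ([0-9A-F]{8}) (\d+) (.*)$")

# Plain-text tokens that, once a row is ROT13-decoded, mark it as obfuscated
# mail-building material. Note that "%s" in the clear rows appears as "%f"
# in the obfuscated ones, because ROT13 maps 's' to 'f'.
KNOWN_TOKENS = ("Content-", "MIME-Version", "X-MSMail-Priority", "X-Priority",
                "charset=", "name=", "Local Settings", "From:", "Subject:", "Date:")


def parse_bintext(text):
    """Parse BinText output into dicts with integer offsets and the raw string."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append({"file_pos": int(m.group(1), 16),
                         "mem_pos": int(m.group(2), 16),
                         "text": m.group(4)})
    return rows


def rot13(s):
    """ROT13 is its own inverse, so the same call encodes and decodes."""
    return codecs.decode(s, "rot_13")


def decode_obfuscated(rows):
    """Return (file_pos, original, decoded) for rows that decode to a known token."""
    hits = []
    for r in rows:
        decoded = rot13(r["text"])
        if any(tok.lower() in decoded.lower() for tok in KNOWN_TOKENS):
            hits.append((r["file_pos"], r["text"], decoded))
    return hits


if __name__ == "__main__":
    for pos, raw, dec in decode_obfuscated(parse_bintext(SAMPLE_BINTEXT)):
        print(f"{pos:08X}  {raw!r:40} -> {dec!r}")
```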