lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <C0E13AA9.22A0F%ltr@isc.upenn.edu>
Date: Mon Jul 17 18:05:15 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Re: Google Malware Search

One other thing which may already be known by most of you, on the google
results you can click ?View as HTML? and get a lot of file information.

WINDOWS EXECUTABLE

32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header 

Signature: 00004550

Machine: Intel 386

Number of Sections: 0003

Time Date Stamp: 43e3d0b9

Symbols Pointer: 00000000

Number of Symbols: 00000000

Size of Optional Header 00e0

Characteristics: Relocation info stripped from file.
File is executable  (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
32 bit word machine.
 
 

Image Optional Header

Magic: 010b

Linker Version: 5.12

Size of Code: 00003800

Size of Initialized Data: 00004000

Size of Uninitialized Data: 00000000

Address of Entry Point: 0000b037

Base of Code: 00001000

Base of Data: 00005000

Image Base: 00400000

Section Alignment: 00001000

File Alignment: 00000200

Operating System Version: 4.00

Image Version: 0.00

Subsystem Version: 4.00

Reserved1: 00000000

Size of Image: 00010000

Size of Headers: 00000400

Checksum: 00000000

Subsystem: Image runs in the Windows GUI subsystem.

DLL Characteristics: 0000

Size of Stack Reserve: 00100000

Size of Stack Commit: 00001000

Size of Heap Reserve: 00100000

Size of Heap Commit: 00001000

Loader Flags: 00000000

Size of Data Directory: 00000010

Import Directory Virtual Address:  0000a000

Import Directory Size:  00000240

  
 

Import Table 

~tY???? u

Ordinal Function Name
 
 

kernel32.dll

Ordinal Function Name

0000 Sleep 
 

user32.dll

Ordinal Function Name

0000 wsprintfA 
 

wsock32.dll

Ordinal Function Name

0000 send 
 

ole32.dll

Ordinal Function Name

0000 CoInitialize 
 

shlwapi.dll

Ordinal Function Name

0000 StrDupA 
 

wininet.dll

Ordinal Function Name

0000 InternetOpenA 
 

advapi32.dll

Ordinal Function Name

0000 RegCloseKey 
 

urlmon.dll

Ordinal Function Name

0000 URLDownloadToFileA
 

shell32.dll

Ordinal Function Name

0000 ShellExecuteA 
 

gdi32.dll

Ordinal Function Name

0000 DeleteDC 
 

Section Table 

Section name: UPX0

Virtual Size: 00009000

Virtual Address: 00001000

Size of raw data: 00000000

Pointer to Raw Data: 00000400

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains initialized data
Section is executable
Section is readable
Section is writeable

  

Section name: UPX1

Virtual Size: 00000240

Virtual Address: 0000a000

Size of raw data: 00000400

Pointer to Raw Data: 00000400

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains initialized data
Section is readable
Section is writeable

  

Section name: UPX2

Virtual Size: 00005000

Virtual Address: 0000b000

Size of raw data: 00004400

Pointer to Raw Data: 00000800

Pointer to Relocations: 00000000

Pointer to Line Numbers: 00000000

Number of Relocations: 0000

Number of Line Numbers: 0000

Characteristics: Section contains code
Section is executable
Section is readable
Section is writeable

 

Header Information 

Signature: 5a4d

Last Page Size: 0090

Total Pages in File: 0003

Relocation Items: 0000

Paragraphs in Header: 0004

Minimum Extra Paragraphs: 0000

Maximum Extra Paragraphs: ffff

Initial Stack Segment: 0000

Initial Stack Pointer: 00b8

Complemented Checksum: 0000

Initial Instruction Pointer: 0000

Initial Code Segment: 0000

Relocation Table Offset: 0040

Overlay Number: 0000

Reserved: 0000 0000 0000 0000

0000 0000 0000 0000

0000 0000 0000 0000

0000 0000 0000 0000

Offset to New Header: 000000c0

Memory Needed: 2K


On 7/17/06 12:21 PM, "Mike M" <mkmaxx@...il.com> wrote:

> 
>> 
>> Message: 11
>> Date: Sun, 16 Jul 2006 23:58:30 -0500
>> From: H D Moore < fdlist@...italoffense.net
>> <mailto:fdlist@...italoffense.net> >
>> Subject: [Full-disclosure] Google Malware Search
>> To: full-disclosure@...ts.grok.org.uk
>> Message-ID: < 200607162358.30574.fdlist@...italoffense.net
>> <mailto:200607162358.30574.fdlist@...italoffense.net> >
>> Content-Type: text/plain;  charset="us-ascii"
>> 
>> http://metasploit.com/research/misc/mwsearch/?q=bagle
>> <http://metasploit.com/research/misc/mwsearch/?q=bagle>
>> 
>> Enjoy,
>> 
>> -HD
> 
>  
> 
> Didnt know google crawls scr's and com's.. Since when?
> 
> MM
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060717/3bf16a05/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ