Message-ID: <C0E13AA9.22A0F%ltr@isc.upenn.edu>
Date: Mon Jul 17 18:05:15 2006
From: ltr at isc.upenn.edu (David Taylor)
Subject: Re: Google Malware Search
One other thing, which may already be known by most of you: on the Google
results you can click "View as HTML" and get a lot of file information.
WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT
Technical File Information:
Image File Header
Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 43e3d0b9
Symbols Pointer: 00000000
Number of Symbols: 00000000
Size of Optional Header 00e0
Characteristics: Relocation info stripped from file.
File is executable (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
32 bit word machine.
Image Optional Header
Magic: 010b
Linker Version: 5.12
Size of Code: 00003800
Size of Initialized Data: 00004000
Size of Uninitialized Data: 00000000
Address of Entry Point: 0000b037
Base of Code: 00001000
Base of Data: 00005000
Image Base: 00400000
Section Alignment: 00001000
File Alignment: 00000200
Operating System Version: 4.00
Image Version: 0.00
Subsystem Version: 4.00
Reserved1: 00000000
Size of Image: 00010000
Size of Headers: 00000400
Checksum: 00000000
Subsystem: Image runs in the Windows GUI subsystem.
DLL Characteristics: 0000
Size of Stack Reserve: 00100000
Size of Stack Commit: 00001000
Size of Heap Reserve: 00100000
Size of Heap Commit: 00001000
Loader Flags: 00000000
Size of Data Directory: 00000010
Import Directory Virtual Address: 0000a000
Import Directory Size: 00000240
Import Table
~tY???? u
Ordinal Function Name
kernel32.dll
Ordinal Function Name
0000 Sleep
user32.dll
Ordinal Function Name
0000 wsprintfA
wsock32.dll
Ordinal Function Name
0000 send
ole32.dll
Ordinal Function Name
0000 CoInitialize
shlwapi.dll
Ordinal Function Name
0000 StrDupA
wininet.dll
Ordinal Function Name
0000 InternetOpenA
advapi32.dll
Ordinal Function Name
0000 RegCloseKey
urlmon.dll
Ordinal Function Name
0000 URLDownloadToFileA
shell32.dll
Ordinal Function Name
0000 ShellExecuteA
gdi32.dll
Ordinal Function Name
0000 DeleteDC
Section Table
Section name: UPX0
Virtual Size: 00009000
Virtual Address: 00001000
Size of raw data: 00000000
Pointer to Raw Data: 00000400
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is executable
Section is readable
Section is writeable
Section name: UPX1
Virtual Size: 00000240
Virtual Address: 0000a000
Size of raw data: 00000400
Pointer to Raw Data: 00000400
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable
Section name: UPX2
Virtual Size: 00005000
Virtual Address: 0000b000
Size of raw data: 00004400
Pointer to Raw Data: 00000800
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains code
Section is executable
Section is readable
Section is writeable
Header Information
Signature: 5a4d
Last Page Size: 0090
Total Pages in File: 0003
Relocation Items: 0000
Paragraphs in Header: 0004
Minimum Extra Paragraphs: 0000
Maximum Extra Paragraphs: ffff
Initial Stack Segment: 0000
Initial Stack Pointer: 00b8
Complemented Checksum: 0000
Initial Instruction Pointer: 0000
Initial Code Segment: 0000
Relocation Table Offset: 0040
Overlay Number: 0000
Reserved: 0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
Offset to New Header: 000000c0
Memory Needed: 2K
On 7/17/06 12:21 PM, "Mike M" <mkmaxx@...il.com> wrote:
>
>>
>> Message: 11
>> Date: Sun, 16 Jul 2006 23:58:30 -0500
>> From: H D Moore < fdlist@...italoffense.net
>> <mailto:fdlist@...italoffense.net> >
>> Subject: [Full-disclosure] Google Malware Search
>> To: full-disclosure@...ts.grok.org.uk
>> Message-ID: < 200607162358.30574.fdlist@...italoffense.net
>> <mailto:200607162358.30574.fdlist@...italoffense.net> >
>> Content-Type: text/plain; charset="us-ascii"
>>
>> http://metasploit.com/research/misc/mwsearch/?q=bagle
>> <http://metasploit.com/research/misc/mwsearch/?q=bagle>
>>
>> Enjoy,
>>
>> -HD
>
>
>
> Didn't know Google crawls scr's and com's... Since when?
>
> MM
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
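As an added example (not part of this message, the list, or Google's tool): a small parser that pulls the same header fields shown in the dump above out of a constructed, headers-only PE32 image, then applies the static triage checks a defender would run on it (UPX section names, a section with no raw data but a large virtual size, entry point in the last section). The sample bytes are built inline from the dump's values; the field offsets assume a PE32 (not PE32+) optional header.

```python
import struct

# Constructed sample: headers-only PE32 image using the dump's values
# (e_lfanew 0xc0, i386, three UPX sections). No section contents are included.
def build_sample_pe() -> bytes:
    dos = bytearray(0xC0)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0xC0)                       # e_lfanew
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 3, 0x43E3D0B9, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)                                         # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                         # Magic
    struct.pack_into("<I", opt, 16, 0xB037)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, raw, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, raw, ch in [
                        (b"UPX0", 0x9000, 0x1000, 0x0, 0x400, 0xE0000040),
                        (b"UPX1", 0x240, 0xA000, 0x400, 0x400, 0xC0000040),
                        (b"UPX2", 0x5000, 0xB000, 0x4400, 0x800, 0xE0000020)])
    return bytes(dos) + coff + bytes(opt) + secs

def parse_pe(data: bytes) -> dict:
    # DOS header -> COFF file header -> optional header -> section table
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    sig, machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<IHHIIIHH", data, e_lfanew)
    if sig != 0x4550:                                             # "PE\0\0"
        raise ValueError("no PE signature")
    opt = e_lfanew + 24
    entry, = struct.unpack_from("<I", data, opt + 16)
    base, = struct.unpack_from("<I", data, opt + 28)
    sections, off = [], opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "va": va, "raw_size": rsize})
        off += 40                                                 # IMAGE_SECTION_HEADER size
    return {"machine": machine, "timestamp": stamp, "entry_point": entry,
            "image_base": base, "sections": sections}

def packer_indicators(pe: dict) -> list:
    """Static triage hints that, taken together, point at a UPX-style packer."""
    hints, secs = [], pe["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        hints.append("UPX section names")
    for s in secs:
        if s["raw_size"] == 0 and s["vsize"] > 0:                 # empty on disk, large in memory
            hints.append(f"{s['name']} has 0 raw bytes but {s['vsize']:#x} virtual bytes")
    ep = pe["entry_point"]
    holder = next((s for s in secs if s["va"] <= ep < s["va"] + s["vsize"]), None)
    if len(secs) > 1 and holder is secs[-1]:
        hints.append(f"entry point {ep:#x} lies in last section {holder['name']}")
    return hints
```

Run against a real file with `parse_pe(open(path, "rb").read())`; the three hints together match the dump exactly (UPX0 has no raw data, and the entry point 0xb037 falls in UPX2, the unpacking stub).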