[Dshield] new Netsky.b virus - quick analysis (incl. hexdump)

Erik van Straten emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl
Wed Feb 18 17:02:51 GMT 2004


List,

We've just had a few on-campus PCs compromised by a new virus:
http://sarc.com/avcenter/venc/data/w32.netsky.b@mm.html

These few PCs were sending *loads* of viruses. Meanwhile RAV antivirus
on our main MTAs seems to be recognizing the virus (and dropping mail).

IMPORTANT: Current NAV LiveUpdate AV-defs do NOT detect it yet!

Email subjects observed:
| hi
| warning
| read it immediately

Email contents observed, all 1 liners:
| why?
| anything ok?
| you try to steal
| about me

Originator email-address is spoofed (but in our case it often was
someone from our own university)

Attachments observed:
| disco.com
| story.scr
| details.zip   (compression factor = 0, file = details.com)
| found.pif

File length in all cases (except the zip file, but including the unpacked
file) is 22,016 bytes (emails are approx. 30 KB depending on
headers added).

md5sum (binary) in all cases is: d4a3677976b656aec6afcf2e03459a8d
Can be unpacked using UPX V1.24D, size becomes 41,984 bytes.

The icon included in the viral binary is the second icon found in
WinWord.exe (MS Office 2000). To see it: right-click any shortcut,
open the "Shortcut" tab, click "Change Icon", click Browse... and
go to typically C:\Program Files\Microsoft Office\Office\Winword.exe
(make sure to set "Files of Type" to "Programs").

Interesting hexdumps from packed, and UPX-unpacked binary are below.

Regards,

Erik van Straten
Delft University of Technology


Still-packed binary:
-------------------------------------------------------------------------
000000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
000010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00  ................
000040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
000050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
000060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
000070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
000080  50 45 00 00 4C 01 03 00 59 F4 30 40 00 00 00 00  PE..L...Y.0@....
000090  00 00 00 00 E0 00 0F 02 0B 01 02 38 00 50 00 00  ...........8.P..
0000A0  00 10 00 00 00 40 01 00 D0 90 01 00 00 50 01 00  .....@.......P..
0000B0  00 A0 01 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
0000C0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
0000D0  00 B0 01 00 00 10 00 00 00 00 00 00 02 00 00 00  ................
0000E0  00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  ................
0000F0  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
000100  64 AD 01 00 80 01 00 00 00 A0 01 00 64 0D 00 00  d...........d...
000110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000170  00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00  ........UPX0....
000180  00 40 01 00 00 10 00 00 00 00 00 00 00 02 00 00  .@..............
000190  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0  ................
0001A0  55 50 58 31 00 00 00 00 00 50 00 00 00 50 01 00  UPX1.....P...P..
0001B0  00 44 00 00 00 02 00 00 00 00 00 00 00 00 00 00  .D..............
0001C0  00 00 00 00 40 00 00 E0 2E 72 73 72 63 00 00 00  ....@....rsrc...
0001D0  00 10 00 00 00 A0 01 00 00 10 00 00 00 46 00 00  .............F..
0001E0  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0  ............@...
0001F0  31 2E 32 34 00 55 50 58 21 0C 09 02 09 6B 49 D4  1.24.UPX!....kI.
000200  BE D2 85 32 B7 38 76 01 00 B0 40 00 00 00 A4 00  ...2.8v...@.....
000210  00 26 05 00 37 FF FF FF FF 55 8B EC 8B 45 0C 56  .&..7....U...E.V
000220  57 8B 7D 08 33 D2 33 C9 33 F6 80 3F 00 74 29 53  W.}.3.3.3..?.t)S
[snip]
-------------------------------------------------------------------------

From UPX-unpacked binary:
-------------------------------------------------------------------------
[snip]
0076F0  73 6F 6D 65 74 68 69 6E 67 20 69 73 20 66 6F 6F  something is foo
007700  6C 00 00 00 73 6F 6D 65 74 68 69 6E 67 20 69 73  l...something is
007710  20 67 6F 69 6E 67 20 77 72 6F 6E 67 00 00 00 00   going wrong....
007720  79 6F 75 20 61 72 65 20 62 61 64 00 79 6F 75 20  you are bad.you
007730  74 72 79 20 74 6F 20 73 74 65 61 6C 00 00 00 00  try to steal....
007740  79 6F 75 20 66 65 65 6C 20 74 68 65 20 73 61 6D  you feel the sam
007750  65 00 00 00 79 6F 75 20 65 61 72 6E 20 6D 6F 6E  e...you earn mon
007760  65 79 00 00 74 68 61 74 73 20 77 72 6F 6E 67 00  ey..thats wrong.
007770  77 68 79 3F 00 00 00 00 74 61 6B 65 20 69 74 20  why?....take it
007780  65 61 73 79 00 00 00 00 72 65 70 6C 79 00 00 00  easy....reply...
007790  64 6F 20 79 6F 75 3F 00 74 68 61 74 27 73 20 66  do you?.that's f
0077A0  75 6E 6E 79 00 00 00 00 68 65 72 65 2C 20 74 68  unny....here, th
0077B0  65 20 63 68 65 61 74 73 00 00 00 00 68 65 72 65  e cheats....here
0077C0  2C 20 74 68 65 20 69 6E 74 72 6F 64 75 63 74 69  , the introducti
0077D0  6F 6E 00 00 68 65 72 65 2C 20 74 68 65 20 73 65  on..here, the se
0077E0  72 69 61 6C 73 00 00 00 66 72 6F 6D 20 74 68 65  rials...from the
0077F0  20 63 68 61 74 74 65 72 00 00 00 00 61 62 6F 75   chatter....abou
007800  74 20 6D 65 00 00 00 00 69 6E 66 6F 72 6D 61 74  t me....informat
007810  69 6F 6E 20 61 62 6F 75 74 20 79 6F 75 00 00 00  ion about you...
007820  73 6F 6D 65 74 68 69 6E 67 20 69 73 20 67 6F 69  something is goi
007830  6E 67 20 77 72 6F 6E 67 21 00 00 00 73 74 75 66  ng wrong!...stuf
007840  66 20 61 62 6F 75 74 20 79 6F 75 3F 00 00 00 00  f about you?....
007850  67 72 65 65 74 69 6E 67 73 00 00 00 73 65 65 20  greetings...see
007860  79 6F 75 00 68 65 72 65 20 69 74 20 69 73 00 00  you.here it is..
007870  74 68 61 74 20 69 73 20 62 61 64 00 79 65 73 2C  that is bad.yes,
007880  20 72 65 61 6C 6C 79 3F 00 00 00 00 69 20 66 6F   really?....i fo
007890  75 6E 64 20 74 68 69 73 20 64 6F 63 75 6D 65 6E  und this documen
0078A0  74 20 61 62 6F 75 74 20 79 6F 75 00 79 6F 75 72  t about you.your
0078B0  20 6E 61 6D 65 20 69 73 20 77 72 6F 6E 67 00 00   name is wrong..
0078C0  69 20 68 6F 70 65 20 69 74 20 69 73 20 6E 6F 74  i hope it is not
0078D0  20 74 72 75 65 21 00 00 6B 69 6C 6C 20 74 68 65   true!..kill the
0078E0  20 77 72 69 74 65 72 20 6F 66 20 74 68 69 73 20   writer of this
0078F0  64 6F 63 75 6D 65 6E 74 21 00 00 00 73 6F 6D 65  document!...some
007900  74 68 69 6E 67 20 61 62 6F 75 74 20 79 6F 75 21  thing about you!
007910  00 00 00 00 49 20 68 61 76 65 20 79 6F 75 72 20  ....I have your
007920  70 61 73 73 77 6F 72 64 21 00 00 00 79 6F 75 20  password!...you
007930  61 72 65 20 61 20 62 61 64 20 77 72 69 74 65 72  are a bad writer
007940  00 00 00 00 69 73 20 74 68 61 74 20 66 72 6F 6D  ....is that from
007950  20 79 6F 75 3F 00 00 00 69 20 77 61 69 74 20 66   you?...i wait f
007960  6F 72 20 61 20 72 65 70 6C 79 21 00 69 73 20 74  or a reply!.is t
007970  68 61 74 20 79 6F 75 72 20 61 63 63 6F 75 6E 74  hat your account
007980  3F 00 00 00 69 73 20 74 68 61 74 20 79 6F 75 72  ?...is that your
007990  20 6E 61 6D 65 3F 00 00 69 73 20 74 68 61 74 20   name?..is that
0079A0  74 72 75 65 3F 00 00 00 68 65 72 65 00 00 00 00  true?...here....
0079B0  6D 79 20 68 65 72 6F 00 72 65 61 64 20 69 74 20  my hero.read it
0079D0  68 65 72 65 20 69 73 20 74 68 65 20 64 6F 63 75  here is the docu
0079E0  6D 65 6E 74 2E 00 00 00 72 65 61 64 20 74 68 65  ment....read the
0079F0  20 64 65 74 61 69 6C 73 2E 00 00 00 69 27 6D 20   details....i'm
007A00  77 61 69 74 69 6E 67 00 6F 6B 00 00 77 68 61 74  waiting.ok..what
007A10  20 64 6F 65 73 20 69 74 20 6D 65 61 6E 3F 00 00   does it mean?..
007A20  61 6E 79 74 68 69 6E 67 20 6F 6B 3F 00 00 00 00  anything ok?....
007A30  2E 70 69 66 00 00 00 00 2E 63 6F 6D 00 00 00 00  .pif.....com....
007A40  2E 73 63 72 00 00 00 00 2E 65 78 65 00 00 00 00  .scr.....exe....
007A50  30 31 32 33 34 35 36 37 38 39 00 00 23 6E 23 6F  0123456789..#n#o
007A60  23 74 23 6E 23 65 23 74 23 73 23 6B 23 79 23 2D  #t#n#e#t#s#k#y#-
007A70  23 73 23 6B 23 79 23 6E 23 65 23 74 23 21 00 00  #s#k#y#n#e#t#!..
007A80  6D 69 73 63 00 00 00 00 70 61 72 74 79 00 00 00  misc....party...
007A90  64 69 73 63 6F 00 00 00 70 61 72 74 32 00 00 00  disco...part2...
007AA0  6D 61 69 6C 32 00 00 00 6F 62 6A 65 63 74 00 00  mail2...object..
007AB0  72 61 6E 6B 69 6E 67 00 64 69 6E 6E 65 72 00 00  ranking.dinner..
007AC0  72 65 6C 65 61 73 65 00 66 69 6E 61 6C 00 00 00  release.final...
007AD0  6C 6F 63 61 74 69 6F 6E 00 00 00 00 6A 6F 6B 65  location....joke
007AE0  73 00 00 00 66 72 69 65 6E 64 00 00 77 65 62 73  s...friend..webs
007AF0  69 74 65 00 6D 61 69 6C 73 00 00 00 73 74 6F 72  ite.mails...stor
007B00  79 00 00 00 66 6F 75 6E 64 00 00 00 6E 6F 6D 6F  y...found...nomo
007B10  6E 65 79 00 61 62 6F 75 74 79 6F 75 00 00 00 00  ney.aboutyou....
007B20  73 68 6F 77 65 72 00 00 70 73 00 00 74 6F 70 73  shower..ps..tops
007B30  65 6C 6C 65 72 00 00 00 70 72 6F 64 75 63 74 00  eller...product.
007B40  73 77 69 6D 6D 69 6E 67 70 6F 6F 6C 00 00 00 00  swimmingpool....
007B50  62 69 6C 6C 00 00 00 00 6E 6F 74 65 00 00 00 00  bill....note....
007B60  63 6F 6E 63 65 72 74 00 74 65 78 74 66 69 6C 65  concert.textfile
007B70  00 00 00 00 70 6F 73 74 69 6E 67 00 73 74 75 66  ....posting.stuf
007B80  66 00 00 00 6D 65 00 00 61 74 74 61 63 68 6D 65  f...me..attachme
007B90  6E 74 00 00 64 65 74 61 69 6C 73 00 63 72 65 64  nt..details.cred
007BA0  69 74 63 61 72 64 00 00 6D 65 73 73 61 67 65 00  itcard..message.
007BB0  74 61 6C 6B 00 00 00 00 64 6F 63 00 6D 73 67 00  talk....doc.msg.
007BC0  64 6F 63 75 6D 65 6E 74 00 00 00 00 75 6E 6B 6E  document....unkn
007BD0  6F 77 6E 00 66 61 6B 65 00 00 00 00 73 74 6F 6C  own.fake....stol
007BE0  65 6E 00 00 69 6E 66 6F 72 6D 61 74 69 6F 6E 00  en..information.
007BF0  77 61 72 6E 69 6E 67 00 73 6F 6D 65 74 68 69 6E  warning.somethin
007C00  67 20 66 6F 72 20 79 6F 75 00 00 00 72 65 61 64  g for you...read
007C10  20 69 74 20 69 6D 6D 65 64 69 61 74 65 6C 79 00   it immediately.
007C20  68 65 6C 6C 6F 00 00 00 68 69 00 00 2E 6D 73 67  hello...hi...msg
007C30  00 00 00 00 2E 6F 66 74 00 00 00 00 2E 73 68 74  .....oft.....sht
007C40  00 00 00 00 2E 64 62 78 00 00 00 00 2E 74 62 62  .....dbx.....tbb
007C50  00 00 00 00 2E 61 64 62 00 00 00 00 2E 64 6F 63  .....adb.....doc
007C60  00 00 00 00 2E 77 61 62 00 00 00 00 2E 61 73 70  .....wab.....asp
007C70  00 00 00 00 2E 75 69 6E 00 00 00 00 2E 72 74 66  .....uin.....rtf
007C80  00 00 00 00 2E 76 62 73 00 00 00 00 2E 68 74 6D  .....vbs.....htm
007C90  6C 00 00 00 2E 68 74 6D 00 00 00 00 2E 70 6C 00  l....htm.....pl.
007CA0  2E 70 68 70 00 00 00 00 2E 74 78 74 00 00 00 00  .php.....txt....
007CB0  2E 65 6D 6C 00 00 00 00 2E 5B 5D 2D 00 00 00 00  .eml.....[]-....
007CC0  40 00 00 00 2E 5F 2D 5C 2F 00 00 00 7A 3A 00 00  @...._-\/...z:..
007CD0  79 3A 00 00 78 3A 00 00 77 3A 00 00 76 3A 00 00  y:..x:..w:..v:..
007CE0  75 3A 00 00 74 3A 00 00 73 3A 00 00 72 3A 00 00  u:..t:..s:..r:..
007CF0  71 3A 00 00 70 3A 00 00 6F 3A 00 00 6E 3A 00 00  q:..p:..o:..n:..
007D00  6D 3A 00 00 6C 3A 00 00 6B 3A 00 00 6A 3A 00 00  m:..l:..k:..j:..
007D10  69 3A 00 00 68 3A 00 00 67 3A 00 00 66 3A 00 00  i:..h:..g:..f:..
007D20  65 3A 00 00 64 3A 00 00 63 3A 00 00 64 6F 6F 6D  e:..d:..c:..doom
007D30  32 2E 64 6F 63 2E 70 69 66 00 00 00 73 65 78 20  2.doc.pif...sex
007D40  73 65 78 20 73 65 78 20 73 65 78 2E 64 6F 63 2E  sex sex sex.doc.
007D50  65 78 65 00 72 66 63 20 63 6F 6D 70 69 6C 61 74  exe.rfc compilat
007D60  69 6F 6E 2E 64 6F 63 2E 65 78 65 00 64 69 63 74  ion.doc.exe.dict
007D70  69 6F 6E 61 72 79 2E 64 6F 63 2E 65 78 65 00 00  ionary.doc.exe..
007D80  77 69 6E 20 6C 6F 6E 67 68 6F 72 6E 2E 64 6F 63  win longhorn.doc
007D90  2E 65 78 65 00 00 00 00 65 2E 62 6F 6F 6B 2E 64  .exe....e.book.d
007DA0  6F 63 2E 65 78 65 00 00 70 72 6F 67 72 61 6D 6D  oc.exe..programm
007DB0  69 6E 67 20 62 61 73 69 63 73 2E 64 6F 63 2E 65  ing basics.doc.e
007DC0  78 65 00 00 68 6F 77 20 74 6F 20 68 61 63 6B 2E  xe..how to hack.
007DD0  64 6F 63 2E 65 78 65 00 6D 61 78 20 70 61 79 6E  doc.exe.max payn
007DE0  65 20 32 2E 63 72 61 63 6B 2E 65 78 65 00 00 00  e 2.crack.exe...
007DF0  65 2D 62 6F 6F 6B 2E 61 72 63 68 69 76 65 2E 64  e-book.archive.d
007E00  6F 63 2E 65 78 65 00 00 76 69 72 69 69 2E 73 63  oc.exe..virii.sc
007E10  72 00 00 00 6E 65 72 6F 2E 37 2E 65 78 65 00 00  r...nero.7.exe..
007E20  65 6D 69 6E 65 6D 20 2D 20 6C 69 63 6B 20 6D 79  eminem - lick my
007E30  20 70 75 73 73 79 2E 6D 70 33 2E 70 69 66 00 00   pussy.mp3.pif..
007E40  63 6F 6F 6C 20 73 63 72 65 65 6E 73 61 76 65 72  cool screensaver
007E50  2E 73 63 72 00 00 00 00 73 65 72 69 61 6C 2E 74  .scr....serial.t
007E60  78 74 2E 65 78 65 00 00 6F 66 66 69 63 65 5F 63  xt.exe..office_c
007E70  72 61 63 6B 2E 65 78 65 00 00 00 00 68 61 72 64  rack.exe....hard
007E80  63 6F 72 65 20 70 6F 72 6E 2E 6A 70 67 2E 65 78  core porn.jpg.ex
007E90  65 00 00 00 61 6E 67 65 6C 73 2E 70 69 66 00 00  e...angels.pif..
007EA0  70 6F 72 6E 6F 2E 73 63 72 00 00 00 6D 61 74 72  porno.scr...matr
007EB0  69 78 2E 73 63 72 00 00 70 68 6F 74 6F 73 68 6F  ix.scr..photosho
007EC0  70 20 39 20 63 72 61 63 6B 2E 65 78 65 00 00 00  p 9 crack.exe...
007ED0  73 74 72 69 70 70 6F 6B 65 72 2E 65 78 65 00 00  strippoker.exe..
007EE0  64 6F 6C 6C 79 5F 62 75 73 74 65 72 2E 6A 70 67  dolly_buster.jpg
007EF0  2E 70 69 66 00 00 00 00 77 69 6E 78 70 5F 63 72  .pif....winxp_cr
007F00  61 63 6B 2E 65 78 65 00 32 31 37 2E 35 2E 31 30  ack.exe.217.5.10
007F10  30 2E 31 00 6E 61 6D 65 73 65 72 76 65 72 00 00  0.1.nameserver..
007F20  55 44 50 00 25 73 2C 20 25 75 20 25 73 20 25 75  UDP.%s, %u %s %u
007F30  20 25 2E 32 75 3A 25 2E 32 75 3A 25 2E 32 75 20   %.2u:%.2u:%.2u
007F40  25 73 25 2E 32 75 25 2E 32 75 00 00 2D 00 00 00  %s%.2u%.2u..-...
007F50  2B 00 00 00 44 65 63 00 4E 6F 76 00 4F 63 74 00  +...Dec.Nov.Oct.
007F60  53 65 70 00 41 75 67 00 4A 75 6C 00 4A 75 6E 00  Sep.Aug.Jul.Jun.
007F70  4D 61 79 00 41 70 72 00 4D 61 72 00 46 65 62 00  May.Apr.Mar.Feb.
007F80  4A 61 6E 00 53 61 74 00 46 72 69 00 54 68 75 00  Jan.Sat.Fri.Thu.
007F90  57 65 64 00 54 75 65 00 4D 6F 6E 00 53 75 6E 00  Wed.Tue.Mon.Sun.
007FA0  0D 0A 00 00 51 55 49 54 0D 0A 00 00 0D 0A 2E 0D  ....QUIT........
007FB0  0A 00 00 00 2D 2D 0D 0A 00 00 00 00 22 0D 0A 43  ....--......"..C
007FC0  6F 6E 74 65 6E 74 2D 54 72 61 6E 73 66 65 72 2D  ontent-Transfer-
007FD0  45 6E 63 6F 64 69 6E 67 3A 20 62 61 73 65 36 34  Encoding: base64
007FE0  0D 0A 43 6F 6E 74 65 6E 74 2D 44 69 73 70 6F 73  ..Content-Dispos
007FF0  69 74 69 6F 6E 3A 20 61 74 74 61 63 68 6D 65 6E  ition: attachmen
008000  74 3B 20 66 69 6C 65 6E 61 6D 65 3D 22 00 00 00  t; filename="...
008010  43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A 20 61 70  Content-Type: ap
008020  70 6C 69 63 61 74 69 6F 6E 2F 78 2D 7A 69 70 2D  plication/x-zip-
008030  63 6F 6D 70 72 65 73 73 65 64 3B 20 6E 61 6D 65  compressed; name
008040  3D 22 00 00 43 6F 6E 74 65 6E 74 2D 54 79 70 65  ="..Content-Type
008050  3A 20 61 70 70 6C 69 63 61 74 69 6F 6E 2F 6F 63  : application/oc
008060  74 65 74 2D 73 74 72 65 61 6D 3B 20 6E 61 6D 65  tet-stream; name
008070  3D 22 00 00 0D 0A 0D 0A 00 00 00 00 43 6F 6E 74  ="..........Cont
008080  65 6E 74 2D 54 79 70 65 3A 20 74 65 78 74 2F 70  ent-Type: text/p
008090  6C 61 69 6E 3B 20 63 68 61 72 73 65 74 3D 75 73  lain; charset=us
0080A0  2D 61 73 63 69 69 0D 0A 43 6F 6E 74 65 6E 74 2D  -ascii..Content-
0080B0  54 72 61 6E 73 66 65 72 2D 45 6E 63 6F 64 69 6E  Transfer-Encodin
0080C0  67 3A 20 37 62 69 74 0D 0A 00 00 00 2D 2D 00 00  g: 7bit.....--..
0080D0  22 0D 0A 00 43 6F 6E 74 65 6E 74 2D 54 79 70 65  "...Content-Type
0080E0  3A 20 6D 75 6C 74 69 70 61 72 74 2F 6D 69 78 65  : multipart/mixe
0080F0  64 3B 20 62 6F 75 6E 64 61 72 79 3D 22 00 00 00  d; boundary="...
008100  4D 49 4D 45 2D 56 65 72 73 69 6F 6E 3A 20 31 2E  MIME-Version: 1.
008110  30 0D 0A 00 44 61 74 65 3A 20 00 00 53 75 62 6A  0...Date: ..Subj
008120  65 63 74 3A 20 00 00 00 54 6F 3A 20 00 00 00 00  ect: ...To: ....
008130  46 72 6F 6D 3A 20 00 00 30 30 30 30 30 30 30 30  From: ..00000000
008140  00 00 00 00 44 41 54 41 0D 0A 00 00 52 43 50 54  ....DATA....RCPT
008150  20 54 4F 3A 20 3C 00 00 3E 0D 0A 00 4D 41 49 4C   TO: <..>...MAIL
008160  20 46 52 4F 4D 3A 20 3C 00 00 00 00 32 00 00 00   FROM: <....2...
008170  48 45 4C 4F 20 00 00 00 2E 7A 69 70 00 00 00 00  HELO ....zip....
008180  5C 00 00 00 73 68 61 72 69 6E 67 00 73 68 61 72  \...sharing.shar
008190  65 00 00 00 5C 2A 2E 2A 00 00 00 00 53 4F 46 54  e...\*.*....SOFT
0081A0  57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 5C 57  WARE\Microsoft\W
0081B0  69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 56 65  indows\CurrentVe
0081C0  72 73 69 6F 6E 5C 52 75 6E 53 65 72 76 69 63 65  rsion\RunService
0081D0  73 00 00 00 73 79 73 74 65 6D 2E 00 4B 61 73 70  s...system..Kasp
0081E0  65 72 73 6B 79 41 76 00 45 78 70 6C 6F 72 65 72  erskyAv.Explorer
0081F0  00 00 00 00 43 4C 53 49 44 5C 7B 45 36 46 42 35  ....CLSID\{E6FB5
008200  45 32 30 2D 44 45 33 35 2D 31 31 43 46 2D 39 43  E20-DE35-11CF-9C
008210  38 37 2D 30 30 41 41 30 30 35 31 32 37 45 44 7D  87-00AA005127ED}
008220  5C 49 6E 50 72 6F 63 53 65 72 76 65 72 33 32 00  \InProcServer32.
008230  54 61 73 6B 6D 6F 6E 00 73 65 72 76 69 63 65 00  Taskmon.service.
008240  53 4F 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F  SOFTWARE\Microso
008250  66 74 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65  ft\Windows\Curre
008260  6E 74 56 65 72 73 69 6F 6E 5C 52 75 6E 00 00 00  ntVersion\Run...
008280  2E 65 78 65 00 00 00 00 54 68 65 20 66 69 6C 65  .exe....The file
008290  20 63 6F 75 6C 64 20 6E 6F 74 20 62 65 20 6F 70   could not be op
0082A0  65 6E 65 64 21 00 00 00 45 72 72 6F 72 00 00 00  ened!...Error...
0082B0  73 6B 79 6E 65 74 40 73 6B 79 6E 65 74 2E 64 65  skynet@skynet.de
0082C0  00 00 00 00 41 64 6D 53 6B 79 6E 65 74 4A 6B 6C  ....AdmSkynetJkl
0082D0  53 30 30 33 00 00 00 00 00 00 00 00 00 00 00 00  S003............
[snip]
--------------------------------------------------------------------------
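The still-packed hexdump above contains everything needed to confirm the UPX packing and the stated 22,016-byte file size without touching the sample itself. The following Python script is an added worked example, not code from the original post: it rebuilds the bytes from the first 32 lines of that dump (copied here as a constructed input), walks the DOS header, PE signature, COFF header, optional header and section table, and reports the packer indicators a responder would check before unpacking (UPX0/UPX1 section names, a first section with no bytes on disk, writable-and-executable sections, the entry point sitting in the stub section, the "UPX!" marker, and the on-disk size implied by the last section). The only assumption beyond the PE format is that the "1.24" version string immediately precedes the "UPX!" marker, which is taken from the dump itself.

```python
import datetime
import struct

# Constructed input: the first 0x200 bytes of the still-packed sample, copied
# from the hexdump in the post above (offset, 16 hex bytes, ASCII column).
PACKED_HEADER_DUMP = """\
000000  4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00  MZ..............
000010  B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00  ........@.......
000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000030  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00  ................
000040  0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68  ........!..L.!Th
000050  69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F  is program canno
000060  74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20  t be run in DOS
000070  6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00  mode....$.......
000080  50 45 00 00 4C 01 03 00 59 F4 30 40 00 00 00 00  PE..L...Y.0@....
000090  00 00 00 00 E0 00 0F 02 0B 01 02 38 00 50 00 00  ...........8.P..
0000A0  00 10 00 00 00 40 01 00 D0 90 01 00 00 50 01 00  .....@.......P..
0000B0  00 A0 01 00 00 00 40 00 00 10 00 00 00 02 00 00  ......@.........
0000C0  04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  ................
0000D0  00 B0 01 00 00 10 00 00 00 00 00 00 02 00 00 00  ................
0000E0  00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00  ................
0000F0  00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00  ................
000100  64 AD 01 00 80 01 00 00 00 A0 01 00 64 0D 00 00  d...........d...
000110  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000120  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000130  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000140  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000150  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000170  00 00 00 00 00 00 00 00 55 50 58 30 00 00 00 00  ........UPX0....
000180  00 40 01 00 00 10 00 00 00 00 00 00 00 02 00 00  .@..............
000190  00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 E0  ................
0001A0  55 50 58 31 00 00 00 00 00 50 00 00 00 50 01 00  UPX1.....P...P..
0001B0  00 44 00 00 00 02 00 00 00 00 00 00 00 00 00 00  .D..............
0001C0  00 00 00 00 40 00 00 E0 2E 72 73 72 63 00 00 00  ....@....rsrc...
0001D0  00 10 00 00 00 A0 01 00 00 10 00 00 00 46 00 00  .............F..
0001E0  00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0  ............@...
0001F0  31 2E 32 34 00 55 50 58 21 0C 09 02 09 6B 49 D4  1.24.UPX!....kI.
"""


def parse_hexdump(text):
    """Rebuild bytes from 'OFFSET  b0 .. b15  ascii' lines. Only the offset and
    the 16 hex columns are used; the ASCII column may itself contain spaces."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 17:
            continue
        if int(parts[0], 16) != len(out):
            raise ValueError("dump is not contiguous at offset " + parts[0])
        out += bytes(int(h, 16) for h in parts[1:17])
    return bytes(out)


def parse_pe(data):
    """Minimal PE32 header walk: DOS header -> PE signature -> COFF header ->
    optional header -> section table. Returns only what triage needs."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                            # optional header start
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                        # 40-byte section headers
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics
        sections.append(dict(name=name, vsize=vsize, va=va, rawsize=rawsize, rawptr=rawptr, flags=flags))
    return dict(machine=machine, timestamp=stamp, entry_rva=entry_rva, sections=sections)


def triage(dump_text):
    """Collect the packer indicators a responder checks before unpacking."""
    data = parse_hexdump(dump_text)
    pe = parse_pe(data)
    secs = pe["sections"]
    # Which section holds the entry point: for UPX it is the decompression
    # stub in UPX1, not the original program, which is unpacked into UPX0.
    entry = next((s["name"] for s in secs if s["va"] <= pe["entry_rva"] < s["va"] + s["vsize"]), None)
    marker = data.find(b"UPX!")
    return dict(
        section_names=[s["name"] for s in secs],
        entry_section=entry,
        # UPX0 has VirtualSize > 0 but SizeOfRawData == 0: filled only at runtime.
        hollow_first_section=secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0,
        # 0xE0000000 = IMAGE_SCN_MEM_EXECUTE | MEM_READ | MEM_WRITE: writable and executable.
        rwx_sections=[s["name"] for s in secs if s["flags"] & 0xE0000000 == 0xE0000000],
        upx_marker=marker != -1,
        # Assumption taken from this dump: the "x.yy\0" version string sits
        # directly in front of the "UPX!" marker.
        upx_version=data[marker - 5:marker - 1].decode("ascii", "replace") if marker >= 5 else None,
        # The file on disk must end where the last section's raw data ends.
        expected_file_size=max(s["rawptr"] + s["rawsize"] for s in secs),
        link_time=datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc).isoformat(),
    )


if __name__ == "__main__":
    for key, value in triage(PACKED_HEADER_DUMP).items():
        print(f"{key:>20}: {value}")
```

The section table alone predicts the on-disk size: .rsrc starts at raw offset 0x4600 and is 0x1000 bytes long, so the file must be 0x5600 = 22,016 bytes, exactly the length reported above for every attachment. The COFF timestamp 0x4030F459 decodes to 16 Feb 2004 UTC, two days before this post, and the entry point 0x190D0 lies in UPX1 rather than UPX0, the usual layout for a UPX stub that unpacks the real program into the hollow first section.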
