Novarg.A Virus


Also known as W32/Novarg.A, W32/Shimg, W32/Mydoom, or WORM_MIMAIL.R

This virus has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.

The W32/Novarg.A virus attempts to do the following:

The virus arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive.

There are reports of a new variant of the Novarg/MyDoom worm. Initial reports indicate that the new worm adds www.microsoft.com as a DDoS target and also alters an infected machine's "hosts" file to block access to several "banner" sites, windowsupdate.microsoft.com, and many antivirus vendor websites. It appears that most AV software will require new signatures to flag this.

The new MyDoom.B replaces the 'hosts' file on infected systems. This file is used to override DNS resolution. If a system is infected with MyDoom.B, sites like support.microsoft.com and some antivirus sites (www.symantec.com, www.sophos.com, www.my-etrust.com and others) will no longer be reachable.
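A hosts-file override of this kind is easy to check for during triage. The following is an added example, not code from the original report: it parses a Windows-style hosts file and flags entries that pin the security-vendor and update domains named above to any address, or that pin any non-localhost name to a loopback or unspecified address. The sample hosts content is constructed for the example; the watch list contains only the domains this page names.

```python
"""Check a Windows-style hosts file for entries that hijack security-vendor
and update domains, the way the MyDoom.B hosts-file replacement described
above does. Added example; the sample hosts content below is constructed,
not taken from an infected machine."""
import ipaddress

# Domains the report lists as blocked by MyDoom.B.
WATCHED_DOMAINS = {
    "support.microsoft.com",
    "windowsupdate.microsoft.com",
    "www.symantec.com",
    "www.sophos.com",
    "www.my-etrust.com",
}

# Names that legitimately point at loopback in a clean hosts file.
LEGITIMATE_LOOPBACK = {"localhost", "localhost.localdomain"}

# Constructed sample: a hosts file after a MyDoom.B-style replacement.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         www.symantec.com
127.0.0.1       www.sophos.com
127.0.0.1       liveupdate.example.test    # not on the watch list, but pinned to loopback
10.0.0.5        intranet.example.test      # legitimate internal pin
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, skip it
        for name in parts[1:]:
            yield str(addr), name.lower()


def find_hijacked_entries(text):
    """Return a list of (hostname, address, reason) for suspicious entries."""
    findings = []
    for addr, name in parse_hosts(text):
        ip = ipaddress.ip_address(addr)
        if name in WATCHED_DOMAINS:
            findings.append((name, addr, "watched security/update domain pinned in hosts file"))
        elif (ip.is_loopback or ip.is_unspecified) and name not in LEGITIMATE_LOOPBACK:
            findings.append((name, addr, "non-localhost name mapped to loopback/unspecified address"))
    return findings


if __name__ == "__main__":
    for name, addr, reason in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{addr:<16} {name:<32} {reason}")
```

On a live system the text would come from %SystemRoot%\System32\drivers\etc\hosts; any hit on the watched list is a strong indicator, while loopback pins of other names are worth a look rather than an automatic verdict.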

There are reports that MyDoom.B will scan for systems which are infected with MyDoom.A, and it will upload itself to such systems.

While MyDoom.A included code to launch a DDoS attack on www.sco.com, MyDoom.B changed the target host to www.microsoft.com.


Our Viruswall logs show the outbreak of this virus:

Date      MyDoom / total viruses detected    Viruses detected / total mail received
Jan 24           0/9        (0.0%)                    9/8,075     (0.11%)
Jan 25           0/10       (0.0%)                   10/7,758     (0.13%)
Jan 26           0/21       (0.0%)                   21/8,750     (0.24%)
Jan 27       1,226/1,245   (90.4%)                1,245/12,200   (10.20%)
Jan 28       1,887/1,902   (99.2%)                1,902/12,950   (14.69%)
Jan 29       1,953/1,981   (98.5%)                1,981/12,692   (15.61%)
Jan 30       2,222/2,240   (99.2%)                2,240/12,988   (17.25%)
Jan 31       1,222/1,226   (99.7%)                1,226/11,120   (11.03%)
Feb 1          982/992     (99.0%)                  992/11,633    (8.53%)
Feb 2          943/957     (98.5%)                  957/12,929    (7.40%)
Feb 3          414/422     (98.1%)                  422/12,874    (3.28%)
Feb 4          543/553     (98.2%)                  553/12,411    (4.46%)
Feb 5          394/403     (97.8%)                  403/11,787    (3.42%)
Feb 6          638/644     (99.1%)                  644/11,775    (5.47%)
Feb 7          335/342     (98.0%)                  342/11,126    (3.07%)
Feb 8          329/332     (99.1%)                  332/9,824     (3.38%)
Feb 9          356/364     (97.8%)                  364/13,059    (2.79%)
Feb 10         335/347     (96.5%)                  347/14,651    (2.37%)
Feb 11         361/369     (97.8%)                  369/11,829    (3.12%)

Our sniffer also picked up scanning for the backdoor port 3127 after Feb

18:49:56.706145 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:56.728093 [--ip from ca --].2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 <mss 1460> (DF)
18:49:56.737887 [--ip from ca --].2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 <mss 1460> (DF)
18:49:56.748221 [--ip from ca --].2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 <mss 1460> (DF)
18:49:56.758830 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 <mss 1460> (DF)
18:49:56.758831 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 <mss 1460> (DF)
18:49:57.414454 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:58.113647 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:58.820031 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:59.718890 [--ip from ca --].2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 <mss 1460> (DF)
18:49:59.728904 [--ip from ca --].2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 <mss 1460> (DF)
18:49:59.728905 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 <mss 1460> (DF)
18:49:59.728905 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 <mss 1460> (DF)
18:49:59.728906 [--ip from ca --].2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 <mss 1460> (DF)
18:54:01.438863 [--ip from ca --].2762 > 137.189.96.1.3127: S 1671427082:1671427082(0) win 8192 <mss 1460> (DF)
18:54:01.449012 [--ip from ca --].2763 > 137.189.96.2.3127: S 1671482107:1671482107(0) win 8192 <mss 1460> (DF)
18:54:01.459189 [--ip from ca --].2764 > 137.189.96.3.3127: S 1671536492:1671536492(0) win 8192 <mss 1460> (DF)
18:54:01.470951 [--ip from ca --].2765 > 137.189.96.4.3127: S 1671582682:1671582682(0) win 8192 <mss 1460> (DF)
18:54:01.480338 [--ip from ca --].2766 > 137.189.96.5.3127: S 1671645459:1671645459(0) win 8192 <mss 1460> (DF)
18:54:01.490949 [--ip from ca --].2767 > 137.189.96.6.3127: S 1671701503:1671701503(0) win 8192 <mss 1460> (DF)
18:54:01.501207 [--ip from ca --].2768 > 137.189.96.7.3127: S 1671761464:1671761464(0) win 8192 <mss 1460> (DF)
18:54:01.512025 [--ip from ca --].2769 > 137.189.96.8.3127: S 1671798631:1671798631(0) win 8192 <mss 1460> (DF)
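The capture above is a horizontal sweep: one source, one destination port, many consecutive destination hosts, with a few SYN retransmissions mixed in. The following is an added example, not code from the original report, that turns that observation into detection logic over tcpdump text output: it groups SYN packets by (source, destination port) and reports any source that reaches a threshold of distinct target hosts within a time window, counting retransmissions to the same host only once. The sample lines are constructed to mirror the report's capture format, with the TEST-NET address 203.0.113.7 standing in for the redacted scanner.

```python
"""Detect horizontal SYN sweeps for one destination port (here the MyDoom
backdoor port 3127) in tcpdump text output. Added example, not part of the
original report; the capture lines below are constructed in the report's
format, with 203.0.113.7 standing in for the redacted scanner address."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches tcpdump's classic one-line format for a pure SYN (no "ack" before "win"):
# "HH:MM:SS.usec SRC.sport > DST.dport: S seq:seq(0) win ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>.+?)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+S\s+\d+:\d+\(0\)\s+win\s"
)

# Constructed sample: a 3127 sweep with retransmissions, plus an unrelated SMTP handshake.
SAMPLE_CAPTURE = """\
18:49:56.706145 203.0.113.7.2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:56.728093 203.0.113.7.2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 <mss 1460> (DF)
18:49:56.737887 203.0.113.7.2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 <mss 1460> (DF)
18:49:56.748221 203.0.113.7.2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 <mss 1460> (DF)
18:49:56.758830 203.0.113.7.2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 <mss 1460> (DF)
18:49:57.414454 203.0.113.7.2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:49:58.113647 203.0.113.7.2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 <mss 1460> (DF)
18:50:02.001000 192.0.2.10.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
18:50:02.300000 64.26.62.254.25 > 192.0.2.10.1050: S 1939088427:1939088427(0) ack 3182454276 win 32120 <mss 1460> (DF)
18:50:02.300500 192.0.2.10.1050 > 64.26.62.254.25: . ack 1 win 64240 (DF)
18:54:01.438863 203.0.113.7.2762 > 137.189.96.1.3127: S 1671427082:1671427082(0) win 8192 <mss 1460> (DF)
18:54:01.449012 203.0.113.7.2763 > 137.189.96.2.3127: S 1671482107:1671482107(0) win 8192 <mss 1460> (DF)
18:54:01.459189 203.0.113.7.2764 > 137.189.96.3.3127: S 1671536492:1671536492(0) win 8192 <mss 1460> (DF)
18:54:01.470951 203.0.113.7.2765 > 137.189.96.4.3127: S 1671582682:1671582682(0) win 8192 <mss 1460> (DF)
"""


def parse_syn(line):
    """Return (timestamp, src, dst, dport) for a SYN line, or None for any other packet."""
    m = SYN_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_port_sweeps(lines, min_targets=5, window=timedelta(seconds=60)):
    """Group SYNs by (source, destination port) and report sources that hit at
    least `min_targets` distinct destination hosts on one port inside `window`.
    Retransmitted SYNs to the same host do not inflate the count."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_syn(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dport)].append((ts, dst))

    sweeps = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until the span [start, end] fits in `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if len({dst for _, dst in evs[start:end + 1]}) >= min_targets:
                sweeps[key] = {
                    "targets": sorted({dst for _, dst in evs}),
                    "first_seen": evs[0][0].strftime("%H:%M:%S"),
                    "last_seen": evs[-1][0].strftime("%H:%M:%S"),
                }
                break
    return sweeps


if __name__ == "__main__":
    for (src, dport), info in find_port_sweeps(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src} swept port {dport}: {len(info['targets'])} hosts "
              f"between {info['first_seen']} and {info['last_seen']}")
```

The same function works on a real `tcpdump -n` text dump piped in line by line; tune `min_targets` and `window` to the noise level of the network segment, since a handful of SYNs to one port from a mail or monitoring host is normal while a dozen consecutive addresses on 3127 is not.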


Analysis from our honeynet

Virus Filename: document.pif
Size: 22530 bytes
MD5 signature: MD5(document.pif)= ebc57c0c3b2c44291928f230eb61c3bc

nmap output before running document.pif

Port      State  Service
135/tcp   open   loc-srv
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1025/tcp  open   listen
3389/tcp  open   msrdp
5000/tcp  open   fics

nmap output after running document.pif

Port      State  Service
135/tcp   open   loc-srv
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1025/tcp  open   listen
3128/tcp  open   squid-http
3389/tcp  open   msrdp
5000/tcp  open   fics

The backdoor program is listening on TCP port 3128.

telnet honey2 3128
Trying 192.168.20.2...
Connected to honey2 (192.168.20.2).
Escape character is '^]'.

The tcpdump data shows that the victim starts accessing the mail servers of

15:03:12.804544 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:13.082234 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 3182454276 win 0
15:03:13.448557 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:13.564509 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:13.843083 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 1 win 0
15:03:14.265493 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:14.540893 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 1 win 0
15:03:15.019558 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:15.301993 64.26.62.254.25 > 192.168.20.2.1053: R 0:0(0) ack 3183115790 win 0
15:03:15.767617 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:16.041876 64.26.62.254.25 > 192.168.20.2.1053: R 0:0(0) ack 1 win 0
15:03:16.368454 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:16.468575 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:16.740532 64.26.62.254.25 > 192.168.20.2.1053: S 1939088427:1939088427(0) ack 3183115790 win 32120 <mss 1460> (DF)
15:03:16.740982 192.168.20.2.1053 > 64.26.62.254.25: . ack 1 win 64240 (DF)
15:03:16.869009 192.168.20.2.1056 > 64.26.62.254.25: S 3183607047:3183607047(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:17.130040 192.168.20.2.1057 > 62.53.235.73.25: S 3183724339:3183724339(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:17.151596 64.26.62.254.25 > 192.168.20.2.1056: S 2779794541:2779794541(0) ack 3183607048 win 32120 <mss 1460> (DF)
15:03:17.151880 192.168.20.2.1056 > 64.26.62.254.25: . ack 1 win 64240 (DF)
15:03:20.073636 192.168.20.2.1057 > 62.53.235.73.25: S 3183724339:3183724339(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:22.376854 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
15:03:22.677692 192.168.20.2.1060 > 64.26.62.254.25: S 3185165024:3185165024(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
....

The victim host issued DNS queries for the following hosts:

gate.gto.net.om.
gate.lebanon-online.com.lb.
gate.msdirectservices.com.
gto.net.om.
lebanon-online.com.lb.
mail1.gto.net.om.
mail1.lebanon-online.com.lb.
mail1.msdirectservices.com.
mail.gto.net.om.
mail.msdirectservices.com.
msdirectservices.com.
mvs-ng.um.mediaways.net.
mx1.gto.net.om.
mx1.lebanon-online.com.lb.
mx1.msdirectservices.com.
mx.gto.net.om.
mx.lebanon-online.com.lb.
mx.msdirectservices.com.
mxs.gto.net.om.
mxs.lebanon-online.com.lb.
mxs.msdirectservices.com.
ns.gto.net.om.
ns.lebanon-online.com.lb.
ns.msdirectservices.com.
relay.gto.net.om.
relay.lebanon-online.com.lb.
relay.msdirectservices.com.
sc.msn.com.
smtp.gto.net.om.
smtp.lebanon-online.com.lb.
smtp.msdirectservices.com.
time.windows.com.
www.microsoft.com.
www.msn.com.
www.passportimages.com.

The tcpdump data shows:

15:02:36.170355 192.168.20.2.1027 > DNS_IP.53: 5+ A? a.sc.msn.com. (30)
15:02:37.156058 192.168.20.2.1027 > DNS_IP.53: 6+ A? www.passportimages.com. (40)
15:02:37.162277 192.168.20.2.1027 > DNS_IP.53: 7+ A? c.msn.com. (27)
15:02:37.190704 192.168.20.2.1043 > DNS_IP.53: 8+ A? sc.msn.com. (28)
15:03:11.707127 192.168.20.2.1027 > DNS_IP.53: 9+ MX? gto.net.om. (28)
15:03:11.893217 192.168.20.2.1043 > DNS_IP.53: 10+ MX? lebanon-online.com.lb. (39)
15:03:12.154167 192.168.20.2.1048 > DNS_IP.53: 11+ MX? msdirectservices.com. (38)
15:03:12.390246 192.168.20.2.1049 > DNS_ip.53: 33294+ MX? gto.net.om. (28)
15:03:12.865284 192.168.20.2.1027 > DNS_IP.53: 12+ A? mvs-ng.um.mediaways.net. (41)
15:03:12.994529 192.168.20.2.1051 > DNS_IP.53: 58640+ MX? gto.net.om. (28)
15:03:14.542178 192.168.20.2.1027 > DNS_IP.53: 13+ A? lebanon-online.com.lb. (39)
15:03:16.617566 192.168.20.2.1054 > DNS_ip.53: 1055+ MX? gto.net.om. (28)
15:03:16.621046 192.168.20.2.1055 > DNS_IP.53: 3615+ MX? gto.net.om. (28)
15:03:17.702982 192.168.20.2.1058 > DNS_ip.53: 18467+ MX? gto.net.om. (28)
15:03:17.706101 192.168.20.2.1059 > DNS_IP.53: 18467+ MX? gto.net.om. (28)
15:03:20.007876 192.168.20.2.1027 > DNS_IP.53: 14+ A? mx.gto.net.om. (31)
15:03:22.868495 192.168.20.2.1027 > DNS_IP.53: 15+ A? mail.gto.net.om. (33)
15:03:25.422284 192.168.20.2.1027 > DNS_IP.53: 16+ A? smtp.gto.net.om. (33)
15:03:28.176140 192.168.20.2.1027 > DNS_IP.53: 17+ A? mx1.gto.net.om. (32)
15:03:30.719703 192.168.20.2.1027 > DNS_IP.53: 18+ A? mxs.gto.net.om. (32)
15:03:31.740884 192.168.20.2.1027 > DNS_IP.53: 19+ A? mx.lebanon-online.com.lb. (42)
15:03:33.273464 192.168.20.2.1027 > DNS_IP.53: 20+ A? mail1.gto.net.om. (34)
15:03:33.571518 192.168.20.2.1027 > DNS_IP.53: 21+ A? relay.gto.net.om. (34)
15:03:33.867246 192.168.20.2.1027 > DNS_IP.53: 22+ A? ns.gto.net.om. (31)
15:03:34.394548 192.168.20.2.1027 > DNS_IP.53: 23+ A? msdirectservices.com. (38)
15:03:34.659736 192.168.20.2.1027 > DNS_IP.53: 24+ A? mx.msdirectservices.com. (41)
15:03:34.987197 192.168.20.2.1027 > DNS_IP.53: 25+ A? mail.msdirectservices.com. (43)
15:03:35.314042 192.168.20.2.1027 > DNS_IP.53: 26+ A? smtp.msdirectservices.com. (43)
15:03:35.580722 192.168.20.2.1027 > DNS_IP.53: 27+ A? mx1.msdirectservices.com. (42)
15:03:35.852661 192.168.20.2.1027 > DNS_IP.53: 28+ A? mxs.msdirectservices.com. (42)
15:03:36.180583 192.168.20.2.1027 > DNS_IP.53: 29+ A? mail1.msdirectservices.com. (44)
15:03:36.417760 192.168.20.2.1043 > DNS_IP.53: 30+ A? gate.gto.net.om. (33)
15:03:36.447674 192.168.20.2.1027 > DNS_IP.53: 31+ A? relay.msdirectservices.com. (44)
15:03:36.711199 192.168.20.2.1027 > DNS_IP.53: 32+ A? ns.msdirectservices.com. (41)
15:03:36.975868 192.168.20.2.1043 > DNS_IP.53: 33+ A? gate.msdirectservices.com. (43)
15:03:48.674730 192.168.20.2.1043 > DNS_IP.53: 34+ A? smtp.lebanon-online.com.lb. (44)
15:03:48.950007 192.168.20.2.1043 > DNS_IP.53: 35+ A? mx1.lebanon-online.com.lb. (43)
15:03:49.226521 192.168.20.2.1043 > DNS_IP.53: 36+ A? mxs.lebanon-online.com.lb. (43)
15:03:49.498808 192.168.20.2.1043 > DNS_IP.53: 37+ A? mail1.lebanon-online.com.lb. (45)
15:03:49.776479 192.168.20.2.1043 > DNS_IP.53: 38+ A? relay.lebanon-online.com.lb. (45)
15:03:50.049942 192.168.20.2.1043 > DNS_IP.53: 39+ A? ns.lebanon-online.com.lb. (42)
15:03:50.334769 192.168.20.2.1043 > DNS_IP.53: 40+ A? gate.lebanon-online.com.lb. (44)
15:04:08.724947 192.168.20.2.1082 > DNS_ip.53: 38890+ MX? gto.net.om. (28)
15:04:08.727215 192.168.20.2.1083 > DNS_IP.53: 38890+ MX? gto.net.om. (28)
15:04:15.303919 192.168.20.2.1087 > DNS_ip.53: 19204+ MX? gto.net.om. (28)
15:04:15.307080 192.168.20.2.1088 > DNS_IP.53: 19204+ MX? gto.net.om. (28)
15:04:21.882907 192.168.20.2.1091 > DNS_ip.53: 65053+ MX? gto.net.om. (28)
15:04:21.885152 192.168.20.2.1092 > DNS_IP.53: 65053+ MX? gto.net.om. (28)
15:04:48.333160 192.168.20.2.1103 > DNS_ip.53: 20101+ MX? gto.net.om. (28)
15:04:48.336489 192.168.20.2.1104 > DNS_IP.53: 20101+ MX? gto.net.om. (28)
15:07:55.678473 192.168.20.2.1031 > DNS_ip.53: 1+ MX? gto.net.om. (28)
15:07:55.747725 192.168.20.2.1032 > DNS_ip.53: 37936+ MX? gto.net.om. (28)
15:07:55.750794 192.168.20.2.1033 > DNS_IP.53: 37936+ MX? gto.net.om. (28)
15:07:55.902325 192.168.20.2.1031 > DNS_ip.53: 2+ MX? lebanon-online.com.lb. (39)
15:07:56.163086 192.168.20.2.1034 > DNS_ip.53: 3+ MX? msdirectservices.com. (38)
15:07:56.889886 192.168.20.2.1031 > DNS_ip.53: 4+ A? mvs-ng.um.mediaways.net. (41)
15:07:57.884143 192.168.20.2.1031 > DNS_IP.53: 4+ A? mvs-ng.um.mediaways.net. (41)
15:07:58.575565 192.168.20.2.1031 > DNS_IP.53: 5+ A? lebanon-online.com.lb. (39)
15:07:59.715160 192.168.20.2.1031 > DNS_IP.53: 6+ A? msdirectservices.com. (38)
15:07:59.728494 192.168.20.2.1031 > DNS_IP.53: 7+ A? mx.msdirectservices.com. (41)
15:07:59.731682 192.168.20.2.1031 > DNS_IP.53: 8+ A? mail.msdirectservices.com. (43)
15:07:59.733730 192.168.20.2.1031 > DNS_IP.53: 9+ A? smtp.msdirectservices.com. (43)
15:07:59.736892 192.168.20.2.1031 > DNS_IP.53: 10+ A? mx1.msdirectservices.com. (42)
15:07:59.739019 192.168.20.2.1031 > DNS_IP.53: 11+ A? mxs.msdirectservices.com. (42)
15:07:59.742128 192.168.20.2.1031 > DNS_IP.53: 12+ A? mail1.msdirectservices.com. (44)
15:07:59.744148 192.168.20.2.1031 > DNS_IP.53: 13+ A? relay.msdirectservices.com. (44)
15:07:59.747354 192.168.20.2.1031 > DNS_IP.53: 14+ A? ns.msdirectservices.com. (41)
15:07:59.749411 192.168.20.2.1031 > DNS_IP.53: 15+ A? gate.msdirectservices.com. (43)
15:08:00.276016 192.168.20.2.1031 > DNS_IP.53: 16+ A? mx.lebanon-online.com.lb. (42)
15:08:01.712189 192.168.20.2.1039 > DNS_ip.53: 58439+ MX? gto.net.om. (28)
15:08:01.714380 192.168.20.2.1040 > DNS_IP.53: 58439+ MX? gto.net.om. (28)
15:08:01.978989 192.168.20.2.1031 > DNS_IP.53: 17+ A? smtp.lebanon-online.com.lb. (44)
15:08:01.982330 192.168.20.2.1031 > DNS_IP.53: 18+ A? mx1.lebanon-online.com.lb. (43)
15:08:01.984374 192.168.20.2.1031 > DNS_IP.53: 19+ A? mxs.lebanon-online.com.lb. (43)
15:08:01.987498 192.168.20.2.1031 > DNS_IP.53: 20+ A? mail1.lebanon-online.com.lb. (45)
15:08:01.989534 192.168.20.2.1031 > DNS_IP.53: 21+ A? relay.lebanon-online.com.lb. (45)
15:08:01.992684 192.168.20.2.1031 > DNS_IP.53: 22+ A? ns.lebanon-online.com.lb. (42)
15:08:01.994700 192.168.20.2.1031 > DNS_IP.53: 23+ A? gate.lebanon-online.com.lb. (44)
15:08:03.988072 192.168.20.2.1031 > DNS_IP.53: 24+ A? mx.gto.net.om. (31)
15:08:06.236676 192.168.20.2.1031 > DNS_IP.53: 25+ A? mail.gto.net.om. (33)
15:08:08.490088 192.168.20.2.1031 > DNS_IP.53: 26+ A? smtp.gto.net.om. (33)
15:08:10.743069 192.168.20.2.1031 > DNS_IP.53: 27+ A? mx1.gto.net.om. (32)
15:08:12.996202 192.168.20.2.1031 > DNS_IP.53: 28+ A? mxs.gto.net.om. (32)
15:08:15.249514 192.168.20.2.1031 > DNS_IP.53: 29+ A? mail1.gto.net.om. (34)
15:08:15.252228 192.168.20.2.1031 > DNS_IP.53: 30+ A? relay.gto.net.om. (34)
15:08:15.255542 192.168.20.2.1031 > DNS_IP.53: 31+ A? ns.gto.net.om. (31)
15:08:17.502689 192.168.20.2.1031 > DNS_IP.53: 32+ A? gate.gto.net.om. (33)
15:08:41.324010 192.168.20.2.1031 > DNS_IP.53: 33+ A? mvs-ng.um.mediaways.net. (41)
15:13:46.207235 192.168.20.2.1031 > DNS_IP.53: 34+ A? mvs-ng.um.mediaways.net. (41)
15:19:01.860253 192.168.20.2.1031 > DNS_IP.53: 35+ A? mvs-ng.um.mediaways.net. (41)
15:23:09.494757 192.168.20.2.1031 > DNS_ip.53: 36+ A? msdirectservices.com. (38)
15:23:09.821407 192.168.20.2.1031 > DNS_ip.53: 37+ A? mx.msdirectservices.com. (41)
15:23:10.139964 192.168.20.2.1031 > DNS_ip.53: 38+ A? mail.msdirectservices.com. (43)
15:23:10.466204 192.168.20.2.1031 > DNS_ip.53: 39+ A? smtp.msdirectservices.com. (43)
15:23:10.792675 192.168.20.2.1031 > DNS_ip.53: 40+ A? mx1.msdirectservices.com. (42)
15:23:11.162149 192.168.20.2.1031 > DNS_ip.53: 41+ A? mxs.msdirectservices.com. (42)
15:23:11.490562 192.168.20.2.1031 > DNS_ip.53: 42+ A? mail1.msdirectservices.com. (44)
15:23:11.689199 192.168.20.2.1034 > DNS_ip.53: 43+ A? mail1.msdirectservices.com. (44)
15:23:11.818805 192.168.20.2.1031 > DNS_ip.53: 44+ A? relay.msdirectservices.com. (44)
15:23:11.819370 192.168.20.2.1034 > DNS_ip.53: 45+ A? relay.msdirectservices.com. (44)
15:23:12.147850 192.168.20.2.1031 > DNS_ip.53: 46+ A? ns.msdirectservices.com. (41)
15:23:12.148305 192.168.20.2.1034 > DNS_ip.53: 47+ A? ns.msdirectservices.com. (41)
15:23:12.476384 192.168.20.2.1031 > DNS_ip.53: 48+ A? gate.msdirectservices.com. (43)
15:23:12.476817 192.168.20.2.1034 > DNS_ip.53: 49+ A? gate.msdirectservices.com. (43)
15:23:14.852241 192.168.20.2.1031 > DNS_ip.53: 50+ A? gto.net.om. (28)
15:23:16.869443 192.168.20.2.1031 > DNS_ip.53: 51+ A? mx.lebanon-online.com.lb. (42)
15:23:17.105286 192.168.20.2.1031 > DNS_ip.53: 52+ A? mx.gto.net.om. (31)
15:23:19.959306 192.168.20.2.1031 > DNS_ip.53: 53+ A? mail.gto.net.om. (33)
15:23:22.502746 192.168.20.2.1031 > DNS_ip.53: 54+ A? smtp.gto.net.om. (33)
15:23:25.046325 192.168.20.2.1031 > DNS_ip.53: 55+ A? mx1.gto.net.om. (32)
15:23:27.800143 192.168.20.2.1031 > DNS_ip.53: 56+ A? mxs.gto.net.om. (32)
15:23:30.353779 192.168.20.2.1031 > DNS_ip.53: 57+ A? mail1.gto.net.om. (34)
15:23:30.651845 192.168.20.2.1031 > DNS_ip.53: 58+ A? relay.gto.net.om. (34)
15:23:30.950109 192.168.20.2.1031 > DNS_ip.53: 59+ A? ns.gto.net.om. (31)
15:23:33.498197 192.168.20.2.1031 > DNS_ip.53: 60+ A? gate.gto.net.om. (33)
15:24:03.553788 192.168.20.2.1031 > DNS_ip.53: 61+ A? mvs-ng.um.mediaways.net. (41)
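The DNS trace has a recognisable shape: for each harvested domain the infected host first asks for the MX record, then walks a fixed list of guessed mail-host names (mx, mail, smtp, mx1, mxs, mail1, relay, ns, gate) with A queries. A worm carrying its own SMTP engine produces this pattern; an ordinary mail client talking through the organisation's mail server does not. The following is an added example, not code from the original report, that parses tcpdump DNS query lines and flags any source host that issues an MX lookup for a domain and then A lookups for at least six of those guessed prefixes. The sample lines are constructed in the report's format, with 192.168.20.1 standing in for the redacted resolver.

```python
"""Flag hosts whose DNS traffic shows the mail-server guessing pattern the
honeynet capture above records: an MX lookup for a harvested domain, then A
lookups for a fixed set of guessed mail-host prefixes of that domain. Added
example, not part of the original report; the query lines below are
constructed in the report's tcpdump format, with 192.168.20.1 standing in
for the redacted resolver."""
import re
from collections import defaultdict

# Prefixes the infected honeypot tried for every harvested domain in the capture above.
GUESSED_PREFIXES = frozenset(
    ("mx", "mail", "smtp", "mx1", "mxs", "mail1", "relay", "ns", "gate")
)

# "HH:MM:SS.usec SRC.sport > RESOLVER.53: id+ TYPE? name. (len)"
DNS_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+\s+>\s+"
    r"\S+\.53:\s+\d+\+\s+(?P<qtype>[A-Z]+)\?\s+(?P<qname>\S+)\s+\(\d+\)"
)

# Constructed sample: one host showing the full pattern for gto.net.om, a partial
# pattern for lebanon-online.com.lb, and a second host with ordinary lookups.
SAMPLE_QUERIES = """\
15:02:36.170355 192.168.20.2.1027 > 192.168.20.1.53: 5+ A? a.sc.msn.com. (30)
15:03:11.707127 192.168.20.2.1027 > 192.168.20.1.53: 9+ MX? gto.net.om. (28)
15:03:11.893217 192.168.20.2.1043 > 192.168.20.1.53: 10+ MX? lebanon-online.com.lb. (39)
15:03:20.007876 192.168.20.2.1027 > 192.168.20.1.53: 14+ A? mx.gto.net.om. (31)
15:03:22.868495 192.168.20.2.1027 > 192.168.20.1.53: 15+ A? mail.gto.net.om. (33)
15:03:25.422284 192.168.20.2.1027 > 192.168.20.1.53: 16+ A? smtp.gto.net.om. (33)
15:03:28.176140 192.168.20.2.1027 > 192.168.20.1.53: 17+ A? mx1.gto.net.om. (32)
15:03:30.719703 192.168.20.2.1027 > 192.168.20.1.53: 18+ A? mxs.gto.net.om. (32)
15:03:31.740884 192.168.20.2.1027 > 192.168.20.1.53: 19+ A? mx.lebanon-online.com.lb. (42)
15:03:33.273464 192.168.20.2.1027 > 192.168.20.1.53: 20+ A? mail1.gto.net.om. (34)
15:03:33.571518 192.168.20.2.1027 > 192.168.20.1.53: 21+ A? relay.gto.net.om. (34)
15:03:33.867246 192.168.20.2.1027 > 192.168.20.1.53: 22+ A? ns.gto.net.om. (31)
15:03:36.417760 192.168.20.2.1043 > 192.168.20.1.53: 30+ A? gate.gto.net.om. (33)
15:03:48.674730 192.168.20.2.1043 > 192.168.20.1.53: 34+ A? smtp.lebanon-online.com.lb. (44)
15:05:00.000000 192.168.20.9.1100 > 192.168.20.1.53: 1+ A? mail.example.net. (34)
15:05:00.100000 192.168.20.9.1100 > 192.168.20.1.53: 2+ A? www.example.net. (33)
"""


def parse_dns_query(line):
    """Return (src, qtype, qname without trailing dot) or None if the line is not a query."""
    m = DNS_RE.match(line)
    if not m:
        return None
    return m["src"], m["qtype"], m["qname"].rstrip(".").lower()


def detect_mail_server_guessing(lines, min_prefixes=6):
    """Return {src: {domain: sorted prefixes}} for every (host, domain) pair where the
    host queried A records for at least `min_prefixes` guessed prefixes of the domain
    and also issued an MX lookup for it."""
    mx_domains = defaultdict(set)                      # src -> domains it MX-queried
    guesses = defaultdict(lambda: defaultdict(set))    # src -> domain -> prefixes tried
    for line in lines:
        parsed = parse_dns_query(line)
        if not parsed:
            continue
        src, qtype, qname = parsed
        if qtype == "MX":
            mx_domains[src].add(qname)
        elif qtype == "A" and "." in qname:
            prefix, domain = qname.split(".", 1)
            if prefix in GUESSED_PREFIXES:
                guesses[src][domain].add(prefix)

    findings = {}
    for src, per_domain in guesses.items():
        for domain, prefixes in per_domain.items():
            if len(prefixes) >= min_prefixes and domain in mx_domains[src]:
                findings.setdefault(src, {})[domain] = sorted(prefixes)
    return findings


if __name__ == "__main__":
    for src, domains in detect_mail_server_guessing(SAMPLE_QUERIES.splitlines()).items():
        for domain, prefixes in domains.items():
            print(f"{src} guessed {len(prefixes)} mail hosts for {domain}: {', '.join(prefixes)}")
```

Requiring the MX lookup as well as the prefix walk keeps a host that merely resolves mail.example.net and smtp.example.net for a configured client from being flagged; on a network where workstations are not supposed to resolve MX records at all, the MX queries alone are already a useful alert.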

Strings extracted from the virus file

UPX0 UPX1 .rsrc 1.24 UPX! xph`XP 804M |ph)o\ xp({h tld\Ti D@80 mT4C 3NlrN {nd]YX Z_gr aadjs NB;788=EP^o ??THQ{o~ |2ik Xvhc]PRQSjdw @~T> oQ!5 I:$/0 ^`Ir V;_=J l[3QB i\l" /ZIO /&V@ L,i7 sZAV hI~fK e^ha J~2A bP)i o!92(C~ "C#Zr $OB( /@Dx +#Q; #Ty" H~qa@- 1ezB:[ kp~Kk zy() -JbO4 F6x[ qmlns{ }m`VOKJLQYdr SSV\eq /7BPau (m `N JC!* W<'i{h ,AYt &@]} (sync.c,v 0.1 2004 1/xx : andy) fuvztMv.qyy7Fb sgjner\Zvpebf \Jvaqbjf\Phe agIrefvba\RkcyberebzQyt3 CjroFvkFz gkF0Sgnfxz .rkr #gEy notepad %s Message .2u: /-?+ oCec nSay aSa'Fri ThDWe usMo /abcd ghijklm pqrstNwxyzg ABCDEFGHIJKLMNOPQRSTUVWXYZ ahxr _'npx bgxvgKC -tvey-2.0oqp _cNpurf 3\vi mHdV-Q nzc5 tga[_) Qg0#Xn n\G+ [afs W|.dll Qu&n immyerr3 cl3di8bre Sack_i smith[C &joe?neo/ eoOsK c#Gv Khncc =];_ uppo /mkph gold-Pxc afe%Cb5 9wX+d 6[pl93foo/[ _loyG:s TiAb cxfZ hOni 7oo.bn a<;: ._!; |EFn( cE(@) l Svyr dbxq 5vmb/xH*.* USERPROFI Ybp5 ayGr n;^ Qkk7l i]Wb 7}pj MGiI wn>Jj #.zf +o*7 -TRG / UGGC/V g: j .fj=j 6xORe Er= v-cFl n#,=r u qnga u&q/ hzEGp p!w f t8hmUK : {p G7-? ASCII r=it OaA!0123456789+ K-ZF1-kK Vq;a ZVZR-X\ 48X.a ?%f`iad 4g-Ra A8fr64" ^+}Qvf P,E6!`T nj@J m+Mmg? QUIT DATAEPCGo kB:< ZNVYoEBZv URYB e5n; 9q*#l ^-?[@ `}|< <'SP 8*l2e P7Sh 8SS: af[8u `td@%4 5TJ]] t2Ht-P$ 5=tl< _WSQ 8%Sf p54MI 39>Y -jY$E/ Q.VVAy (J,3 Y]MDU ]p$vh ##IF e2F<AY( C(QMtA BK8F ^m4t K;x^t GYFc X4tYbH &A>[ |&f+m RSX$ 2Bcf. Yhx&: lt.hp h(df V$v5 tJ6O >F@Ju X:Em Y;wY| a`:H "n<t 'GSU <`F^ ]8PU SDId1 /('4; 'F.v <@(O( A+Yu $% G $ylDa b4`K =ts! oW;j pxtaS rJpQ @@CtY tOD$ M@t?iPUj% +CY<J \+@u #'!x F/5]` b5wFG Hvsx n,!j va"f5Q> b@jO4 YYgu "9X\ VX;PXsj \j`S Ji_g vFJ- Yc*Wuf oHmj kDqD ~,u RqGdH |6-9 E+SQ *rWQ* &S0W YW&# Mp6l:p ^/uQi F,p= -D1-j jg/h\ #[E$. 9F w5 _tX\ d[95 '90.h@ Pu#5 TP+L t jK( h@.=x ,<4I Jt1u Vl`xx /WiF% T1-2< P=G'/< k=3#pW _0QE? Fj?D khNu b}G* #De+ [%K7 ;6,3 8%u! X` f UTN< +b!Jt E< r8<= <+t0<y,< E9d1 $cbX fxW- XY-$ 9Y]! xH,D 47vG t`@t 'LO2 %H`&u FW9u D)}BGm ><:t9.51* NEbl 8:ua l+m0 PQPd hD8JH7 @Shu ]ujT =+6~<8( 3tO+ t.P.u Fx|# tsGS FSKC L"06 -P):! 
WY#r %SKKD }S<Ts{ H\@WnV v q;ip Sao} Q=p9 teFp Mapp wEnvQu W+owsD tory D"veTyp$v GSizeZClos QToSyjem op)NamLSPoG% Curr Libra 5rcp *u:sA QM_xo 6Y;X]De VGModu KxExi%aF ulL) iZMIf pViewOf adeC HByt"nAdn FIq5ked isdigi upps spaKO U/BuffA <Lowwv9r O.5t+v #~'@ KERNEL32.DLL ADVAPI32.dll MSVCRT.dll USER32.dll WS2_32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey memset wsprintfA