Novarg.A Virus
Also known as W32/Novarg.A, W32/Shimg, W32/Mydoom, or WORM_MIMAIL.R
This virus has been reported to open a backdoor
to the compromised system and possibly launch a
denial-of-service attack against a web site at
a fixed time in the future.
The W32/Novarg.A virus attempts to do the following:
- Modify various Windows registry values so that the virus
is run again upon reboot
- Open a listening TCP port in the range of 3127-3198,
suggesting remote access capabilities
- Install a copy of itself in the C:\Program Files\KaZaA\
My Shared Folder\ folder, which will be available for download by KaZaA users
The virus arrives as an email message with a
22,528-byte attachment that has a random filename with
a file extension of .cmd, .pif, .scr, .exe, or .bat.
The attachment may also arrive as a ZIP archive.
There are reports of a new variant of the
Novarg/MyDoom worm being found. Initial reports
indicate that the new worm adds www.microsoft.com
as a DDoS target and also alters an infected machine's
"hosts" file to block access to several "banner" sites,
windowsupdate.microsoft.com, and many antivirus vendor
websites. It appears that most AV software will require
new signatures to flag this.
The new MyDoom.B will replace the 'hosts' file on infected systems.
This file is used to override DNS resolution. If a system is
infected with MyDoom.B, sites like support.microsoft.com and
some anti-virus sites (www.symantec.com, www.sophos.com,
www.my-etrust.com and others) will no longer be reachable.
There are reports that MyDoom.B will scan for systems which
are infected with MyDoom.A, and it will upload itself to such systems.
While MyDoom.A included code to launch a DDoS attack on
www.sco.com, MyDoom.B changed the target host to www.microsoft.com.
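The hosts-file tampering described above is a cheap thing to check for during triage. The following script is an added example (not part of the original analysis): it parses a hosts file and flags entries that pin the domains named above to a sinkhole or any fixed address. The sample file content is constructed; the page does not show the replaced file itself, only which sites stop resolving.

```python
import re

# Constructed sample of a tampered hosts file. The domains are the ones the
# page names as blocked by MyDoom.B; mapping them to 0.0.0.0 is an assumed
# illustration of what such a hijack looks like.
TAMPERED_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         support.microsoft.com
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         www.symantec.com
0.0.0.0         www.sophos.com
0.0.0.0         www.my-etrust.com
"""

CLEAN_HOSTS = "127.0.0.1 localhost\n"

# Update and anti-virus domains that should never be pinned in a workstation's
# hosts file; taken from the sites the page lists as blocked.
PROTECTED_SUFFIXES = ("microsoft.com", "symantec.com", "sophos.com", "my-etrust.com")
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1"}

HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # strip trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        addr, names = m.groups()
        for name in names.split():           # one address may carry several names
            yield addr, name.lower()


def hijacked_entries(text):
    """Return (hostname, address, is_sinkhole) for every protected domain that
    the hosts file overrides. Any override is suspicious; a sinkhole address
    is the blocking behaviour the page describes."""
    bad = []
    for addr, name in parse_hosts(text):
        if name == "localhost":
            continue
        if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
            bad.append((name, addr, addr in SINKHOLE_ADDRS))
    return bad


if __name__ == "__main__":
    for name, addr, sinkholed in hijacked_entries(TAMPERED_HOSTS):
        print(f"{name} -> {addr}{'  (blocked)' if sinkholed else ''}")
```

On a live Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the check is read-only and can be run from any incident-response toolkit.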
Our Viruswall logs show the outbreak of this virus:
Date  | No. of MyDoom / total virus detected | Virus detected / Total mail received
------+--------------------------------------+-------------------------------------
Jan24 | 0/9 (00.0%)                          | 9/8,075 (0.11%)
Jan25 | 0/10 (00.0%)                         | 10/7,758 (0.13%)
Jan26 | 0/21 (00.0%)                         | 21/8,750 (0.24%)
Jan27 | 1,226/1,245 (90.4%)                  | 1,245/12,200 (10.20%)
Jan28 | 1,887/1,902 (99.2%)                  | 1,902/12,950 (14.69%)
Jan29 | 1,953/1,981 (98.5%)                  | 1,981/12,692 (15.61%)
Jan30 | 2,222/2,240 (99.2%)                  | 2,240/12,988 (17.25%)
Jan31 | 1,222/1,226 (99.7%)                  | 1,226/11,120 (11.03%)
Feb1  | 982/992 (99.0%)                      | 992/11,633 (8.53%)
Feb2  | 943/957 (98.5%)                      | 957/12,929 (7.40%)
Feb3  | 414/422 (98.1%)                      | 422/12,874 (3.28%)
Feb4  | 543/553 (98.2%)                      | 553/12,411 (4.46%)
Feb5  | 394/403 (97.8%)                      | 403/11,787 (3.42%)
Feb6  | 638/644 (99.1%)                      | 644/11,775 (5.47%)
Feb7  | 335/342 (98.0%)                      | 342/11,126 (3.07%)
Feb8  | 329/332 (99.1%)                      | 332/9,824 (3.38%)
Feb9  | 356/364 (97.8%)                      | 364/13,059 (2.79%)
Feb10 | 335/347 (96.5%)                      | 347/14,651 (2.37%)
Feb11 | 361/369 (97.8%)                      | 369/11,829 (3.12%)
Our sniffer also picked up scanning of the backdoor port 3127 after Feb
18:49:56.706145 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:49:56.728093 [--ip from ca --].2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 (DF)
18:49:56.737887 [--ip from ca --].2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 (DF)
18:49:56.748221 [--ip from ca --].2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 (DF)
18:49:56.758830 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 (DF)
18:49:56.758831 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 (DF)
18:49:57.414454 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:49:58.113647 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:49:58.820031 [--ip from ca --].2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:49:59.718890 [--ip from ca --].2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 (DF)
18:49:59.728904 [--ip from ca --].2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 (DF)
18:49:59.728905 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 (DF)
18:49:59.728905 [--ip from ca --].2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 (DF)
18:49:59.728906 [--ip from ca --].2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 (DF)
18:54:01.438863 [--ip from ca --].2762 > 137.189.96.1.3127: S 1671427082:1671427082(0) win 8192 (DF)
18:54:01.449012 [--ip from ca --].2763 > 137.189.96.2.3127: S 1671482107:1671482107(0) win 8192 (DF)
18:54:01.459189 [--ip from ca --].2764 > 137.189.96.3.3127: S 1671536492:1671536492(0) win 8192 (DF)
18:54:01.470951 [--ip from ca --].2765 > 137.189.96.4.3127: S 1671582682:1671582682(0) win 8192 (DF)
18:54:01.480338 [--ip from ca --].2766 > 137.189.96.5.3127: S 1671645459:1671645459(0) win 8192 (DF)
18:54:01.490949 [--ip from ca --].2767 > 137.189.96.6.3127: S 1671701503:1671701503(0) win 8192 (DF)
18:54:01.501207 [--ip from ca --].2768 > 137.189.96.7.3127: S 1671761464:1671761464(0) win 8192 (DF)
18:54:01.512025 [--ip from ca --].2769 > 137.189.96.8.3127: S 1671798631:1671798631(0) win 8192 (DF)
Analysis from our honeynet
Virus filename: document.pif
Size:           22530 bytes
MD5 signature:  MD5(document.pif)= ebc57c0c3b2c44291928f230eb61c3bc
nmap information before running document.pif
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
3389/tcp open msrdp
5000/tcp open fics
nmap information after running document.pif
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
3128/tcp open squid-http
3389/tcp open msrdp
5000/tcp open fics
The backdoor program is listening on TCP port 3128:
telnet honey2 3128
Trying 192.168.20.2...
Connected to honey2 (192.168.20.2).
Escape character is '^]'.
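Comparing the two nmap tables by eye works for one honeypot; for a fleet it is worth scripting. This added example (not the page's own tooling) parses nmap's port table before and after the sample ran, reports the listeners that appeared, and flags any that fall inside the 3127-3198 backdoor range quoted earlier. The two tables are the ones printed above, embedded as inline sample input.

```python
import re

# The two nmap port tables from the honeynet analysis, embedded as sample input.
NMAP_BEFORE = """\
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
3389/tcp open msrdp
5000/tcp open fics
"""

NMAP_AFTER = """\
Port State Service
135/tcp open loc-srv
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open listen
3128/tcp open squid-http
3389/tcp open msrdp
5000/tcp open fics
"""

# Listening-port range reported for the Novarg.A backdoor (page text: 3127-3198).
BACKDOOR_RANGE = range(3127, 3199)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\s+(\S+)")


def parse_open_ports(text):
    """Return {(port, proto): service} for every 'open' row of an nmap table."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m.group(1)), m.group(2))] = m.group(3)
    return ports


def new_listeners(before, after):
    """Ports open in the 'after' scan that were absent from the 'before' scan."""
    b, a = parse_open_ports(before), parse_open_ports(after)
    return {k: v for k, v in a.items() if k not in b}


def suspicious_listeners(before, after):
    """Newly opened TCP ports inside the Novarg backdoor range.
    The service column ('squid-http' here) is only nmap's services-file name
    for the port number, not a fingerprint, so it plays no part in the decision."""
    return sorted(p for (p, proto) in new_listeners(before, after)
                  if proto == "tcp" and p in BACKDOOR_RANGE)


if __name__ == "__main__":
    for port in suspicious_listeners(NMAP_BEFORE, NMAP_AFTER):
        print(f"new listener in Novarg backdoor range: {port}/tcp")
```

The same diff can be fed with `netstat -an` output from the host itself, which also catches a listener that a firewall hides from the external scan.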
The tcpdump data shows that the victim starts
accessing the mail servers of
- 62.53.231.213 (c.scanner.um.mediaways.net)
- 62.53.235.73 (mvs-ng.um.mediaways.net)
- 64.26.62.254 (host in siteprotect.com)
15:03:12.804544 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 (DF)
15:03:13.082234 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 3182454276 win 0
15:03:13.448557 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 (DF)
15:03:13.564509 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 (DF)
15:03:13.843083 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 1 win 0
15:03:14.265493 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 (DF)
15:03:14.540893 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 1 win 0
15:03:15.019558 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 (DF)
15:03:15.301993 64.26.62.254.25 > 192.168.20.2.1053: R 0:0(0) ack 3183115790 win 0
15:03:15.767617 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 (DF)
15:03:16.041876 64.26.62.254.25 > 192.168.20.2.1053: R 0:0(0) ack 1 win 0
15:03:16.368454 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 (DF)
15:03:16.468575 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 (DF)
15:03:16.740532 64.26.62.254.25 > 192.168.20.2.1053: S 1939088427:1939088427(0) ack 3183115790 win 32120 (DF)
15:03:16.740982 192.168.20.2.1053 > 64.26.62.254.25: . ack 1 win 64240 (DF)
15:03:16.869009 192.168.20.2.1056 > 64.26.62.254.25: S 3183607047:3183607047(0) win 64240 (DF)
15:03:17.130040 192.168.20.2.1057 > 62.53.235.73.25: S 3183724339:3183724339(0) win 64240 (DF)
15:03:17.151596 64.26.62.254.25 > 192.168.20.2.1056: S 2779794541:2779794541(0) ack 3183607048 win 32120 (DF)
15:03:17.151880 192.168.20.2.1056 > 64.26.62.254.25: . ack 1 win 64240 (DF)
15:03:20.073636 192.168.20.2.1057 > 62.53.235.73.25: S 3183724339:3183724339(0) win 64240 (DF)
15:03:22.376854 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 (DF)
15:03:22.677692 192.168.20.2.1060 > 64.26.62.254.25: S 3185165024:3185165024(0) win 64240 (DF)
....
....
...
The victim host issued DNS queries for the following hosts:
gate.gto.net.om.
gate.lebanon-online.com.lb.
gate.msdirectservices.com.
gto.net.om.
lebanon-online.com.lb.
mail1.gto.net.om.
mail1.lebanon-online.com.lb.
mail1.msdirectservices.com.
mail.gto.net.om.
mail.msdirectservices.com.
msdirectservices.com.
mvs-ng.um.mediaways.net.
mx1.gto.net.om.
mx1.lebanon-online.com.lb.
mx1.msdirectservices.com.
mx.gto.net.om.
mx.lebanon-online.com.lb.
mx.msdirectservices.com.
mxs.gto.net.om.
mxs.lebanon-online.com.lb.
mxs.msdirectservices.com.
ns.gto.net.om.
ns.lebanon-online.com.lb.
ns.msdirectservices.com.
relay.gto.net.om.
relay.lebanon-online.com.lb.
relay.msdirectservices.com.
sc.msn.com.
smtp.gto.net.om.
smtp.lebanon-online.com.lb.
smtp.msdirectservices.com.
time.windows.com.
www.microsoft.com.
www.msn.com.
www.passportimages.com.
The tcpdump data shows
15:02:36.170355 192.168.20.2.1027 > DNS_IP.53: 5+ A? a.sc.msn.com. (30)
15:02:37.156058 192.168.20.2.1027 > DNS_IP.53: 6+ A? www.passportimages.com. (40)
15:02:37.162277 192.168.20.2.1027 > DNS_IP.53: 7+ A? c.msn.com. (27)
15:02:37.190704 192.168.20.2.1043 > DNS_IP.53: 8+ A? sc.msn.com. (28)
15:03:11.707127 192.168.20.2.1027 > DNS_IP.53: 9+ MX? gto.net.om. (28)
15:03:11.893217 192.168.20.2.1043 > DNS_IP.53: 10+ MX? lebanon-online.com.lb. (39)
15:03:12.154167 192.168.20.2.1048 > DNS_IP.53: 11+ MX? msdirectservices.com. (38)
15:03:12.390246 192.168.20.2.1049 > DNS_ip.53: 33294+ MX? gto.net.om. (28)
15:03:12.865284 192.168.20.2.1027 > DNS_IP.53: 12+ A? mvs-ng.um.mediaways.net. (41)
15:03:12.994529 192.168.20.2.1051 > DNS_IP.53: 58640+ MX? gto.net.om. (28)
15:03:14.542178 192.168.20.2.1027 > DNS_IP.53: 13+ A? lebanon-online.com.lb. (39)
15:03:16.617566 192.168.20.2.1054 > DNS_ip.53: 1055+ MX? gto.net.om. (28)
15:03:16.621046 192.168.20.2.1055 > DNS_IP.53: 3615+ MX? gto.net.om. (28)
15:03:17.702982 192.168.20.2.1058 > DNS_ip.53: 18467+ MX? gto.net.om. (28)
15:03:17.706101 192.168.20.2.1059 > DNS_IP.53: 18467+ MX? gto.net.om. (28)
15:03:20.007876 192.168.20.2.1027 > DNS_IP.53: 14+ A? mx.gto.net.om. (31)
15:03:22.868495 192.168.20.2.1027 > DNS_IP.53: 15+ A? mail.gto.net.om. (33)
15:03:25.422284 192.168.20.2.1027 > DNS_IP.53: 16+ A? smtp.gto.net.om. (33)
15:03:28.176140 192.168.20.2.1027 > DNS_IP.53: 17+ A? mx1.gto.net.om. (32)
15:03:30.719703 192.168.20.2.1027 > DNS_IP.53: 18+ A? mxs.gto.net.om. (32)
15:03:31.740884 192.168.20.2.1027 > DNS_IP.53: 19+ A? mx.lebanon-online.com.lb. (42)
15:03:33.273464 192.168.20.2.1027 > DNS_IP.53: 20+ A? mail1.gto.net.om. (34)
15:03:33.571518 192.168.20.2.1027 > DNS_IP.53: 21+ A? relay.gto.net.om. (34)
15:03:33.867246 192.168.20.2.1027 > DNS_IP.53: 22+ A? ns.gto.net.om. (31)
15:03:34.394548 192.168.20.2.1027 > DNS_IP.53: 23+ A? msdirectservices.com. (38)
15:03:34.659736 192.168.20.2.1027 > DNS_IP.53: 24+ A? mx.msdirectservices.com. (41)
15:03:34.987197 192.168.20.2.1027 > DNS_IP.53: 25+ A? mail.msdirectservices.com. (43)
15:03:35.314042 192.168.20.2.1027 > DNS_IP.53: 26+ A? smtp.msdirectservices.com. (43)
15:03:35.580722 192.168.20.2.1027 > DNS_IP.53: 27+ A? mx1.msdirectservices.com. (42)
15:03:35.852661 192.168.20.2.1027 > DNS_IP.53: 28+ A? mxs.msdirectservices.com. (42)
15:03:36.180583 192.168.20.2.1027 > DNS_IP.53: 29+ A? mail1.msdirectservices.com. (44)
15:03:36.417760 192.168.20.2.1043 > DNS_IP.53: 30+ A? gate.gto.net.om. (33)
15:03:36.447674 192.168.20.2.1027 > DNS_IP.53: 31+ A? relay.msdirectservices.com. (44)
15:03:36.711199 192.168.20.2.1027 > DNS_IP.53: 32+ A? ns.msdirectservices.com. (41)
15:03:36.975868 192.168.20.2.1043 > DNS_IP.53: 33+ A? gate.msdirectservices.com. (43)
15:03:48.674730 192.168.20.2.1043 > DNS_IP.53: 34+ A? smtp.lebanon-online.com.lb. (44)
15:03:48.950007 192.168.20.2.1043 > DNS_IP.53: 35+ A? mx1.lebanon-online.com.lb. (43)
15:03:49.226521 192.168.20.2.1043 > DNS_IP.53: 36+ A? mxs.lebanon-online.com.lb. (43)
15:03:49.498808 192.168.20.2.1043 > DNS_IP.53: 37+ A? mail1.lebanon-online.com.lb. (45)
15:03:49.776479 192.168.20.2.1043 > DNS_IP.53: 38+ A? relay.lebanon-online.com.lb. (45)
15:03:50.049942 192.168.20.2.1043 > DNS_IP.53: 39+ A? ns.lebanon-online.com.lb. (42)
15:03:50.334769 192.168.20.2.1043 > DNS_IP.53: 40+ A? gate.lebanon-online.com.lb. (44)
15:04:08.724947 192.168.20.2.1082 > DNS_ip.53: 38890+ MX? gto.net.om. (28)
15:04:08.727215 192.168.20.2.1083 > DNS_IP.53: 38890+ MX? gto.net.om. (28)
15:04:15.303919 192.168.20.2.1087 > DNS_ip.53: 19204+ MX? gto.net.om. (28)
15:04:15.307080 192.168.20.2.1088 > DNS_IP.53: 19204+ MX? gto.net.om. (28)
15:04:21.882907 192.168.20.2.1091 > DNS_ip.53: 65053+ MX? gto.net.om. (28)
15:04:21.885152 192.168.20.2.1092 > DNS_IP.53: 65053+ MX? gto.net.om. (28)
15:04:48.333160 192.168.20.2.1103 > DNS_ip.53: 20101+ MX? gto.net.om. (28)
15:04:48.336489 192.168.20.2.1104 > DNS_IP.53: 20101+ MX? gto.net.om. (28)
15:07:55.678473 192.168.20.2.1031 > DNS_ip.53: 1+ MX? gto.net.om. (28)
15:07:55.747725 192.168.20.2.1032 > DNS_ip.53: 37936+ MX? gto.net.om. (28)
15:07:55.750794 192.168.20.2.1033 > DNS_IP.53: 37936+ MX? gto.net.om. (28)
15:07:55.902325 192.168.20.2.1031 > DNS_ip.53: 2+ MX? lebanon-online.com.lb. (39)
15:07:56.163086 192.168.20.2.1034 > DNS_ip.53: 3+ MX? msdirectservices.com. (38)
15:07:56.889886 192.168.20.2.1031 > DNS_ip.53: 4+ A? mvs-ng.um.mediaways.net. (41)
15:07:57.884143 192.168.20.2.1031 > DNS_IP.53: 4+ A? mvs-ng.um.mediaways.net. (41)
15:07:58.575565 192.168.20.2.1031 > DNS_IP.53: 5+ A? lebanon-online.com.lb. (39)
15:07:59.715160 192.168.20.2.1031 > DNS_IP.53: 6+ A? msdirectservices.com. (38)
15:07:59.728494 192.168.20.2.1031 > DNS_IP.53: 7+ A? mx.msdirectservices.com. (41)
15:07:59.731682 192.168.20.2.1031 > DNS_IP.53: 8+ A? mail.msdirectservices.com. (43)
15:07:59.733730 192.168.20.2.1031 > DNS_IP.53: 9+ A? smtp.msdirectservices.com. (43)
15:07:59.736892 192.168.20.2.1031 > DNS_IP.53: 10+ A? mx1.msdirectservices.com. (42)
15:07:59.739019 192.168.20.2.1031 > DNS_IP.53: 11+ A? mxs.msdirectservices.com. (42)
15:07:59.742128 192.168.20.2.1031 > DNS_IP.53: 12+ A? mail1.msdirectservices.com. (44)
15:07:59.744148 192.168.20.2.1031 > DNS_IP.53: 13+ A? relay.msdirectservices.com. (44)
15:07:59.747354 192.168.20.2.1031 > DNS_IP.53: 14+ A? ns.msdirectservices.com. (41)
15:07:59.749411 192.168.20.2.1031 > DNS_IP.53: 15+ A? gate.msdirectservices.com. (43)
15:08:00.276016 192.168.20.2.1031 > DNS_IP.53: 16+ A? mx.lebanon-online.com.lb. (42)
15:08:01.712189 192.168.20.2.1039 > DNS_ip.53: 58439+ MX? gto.net.om. (28)
15:08:01.714380 192.168.20.2.1040 > DNS_IP.53: 58439+ MX? gto.net.om. (28)
15:08:01.978989 192.168.20.2.1031 > DNS_IP.53: 17+ A? smtp.lebanon-online.com.lb. (44)
15:08:01.982330 192.168.20.2.1031 > DNS_IP.53: 18+ A? mx1.lebanon-online.com.lb. (43)
15:08:01.984374 192.168.20.2.1031 > DNS_IP.53: 19+ A? mxs.lebanon-online.com.lb. (43)
15:08:01.987498 192.168.20.2.1031 > DNS_IP.53: 20+ A? mail1.lebanon-online.com.lb. (45)
15:08:01.989534 192.168.20.2.1031 > DNS_IP.53: 21+ A? relay.lebanon-online.com.lb. (45)
15:08:01.992684 192.168.20.2.1031 > DNS_IP.53: 22+ A? ns.lebanon-online.com.lb. (42)
15:08:01.994700 192.168.20.2.1031 > DNS_IP.53: 23+ A? gate.lebanon-online.com.lb. (44)
15:08:03.988072 192.168.20.2.1031 > DNS_IP.53: 24+ A? mx.gto.net.om. (31)
15:08:06.236676 192.168.20.2.1031 > DNS_IP.53: 25+ A? mail.gto.net.om. (33)
15:08:08.490088 192.168.20.2.1031 > DNS_IP.53: 26+ A? smtp.gto.net.om. (33)
15:08:10.743069 192.168.20.2.1031 > DNS_IP.53: 27+ A? mx1.gto.net.om. (32)
15:08:12.996202 192.168.20.2.1031 > DNS_IP.53: 28+ A? mxs.gto.net.om. (32)
15:08:15.249514 192.168.20.2.1031 > DNS_IP.53: 29+ A? mail1.gto.net.om. (34)
15:08:15.252228 192.168.20.2.1031 > DNS_IP.53: 30+ A? relay.gto.net.om. (34)
15:08:15.255542 192.168.20.2.1031 > DNS_IP.53: 31+ A? ns.gto.net.om. (31)
15:08:17.502689 192.168.20.2.1031 > DNS_IP.53: 32+ A? gate.gto.net.om. (33)
15:08:41.324010 192.168.20.2.1031 > DNS_IP.53: 33+ A? mvs-ng.um.mediaways.net. (41)
15:13:46.207235 192.168.20.2.1031 > DNS_IP.53: 34+ A? mvs-ng.um.mediaways.net. (41)
15:19:01.860253 192.168.20.2.1031 > DNS_IP.53: 35+ A? mvs-ng.um.mediaways.net. (41)
15:23:09.494757 192.168.20.2.1031 > DNS_ip.53: 36+ A? msdirectservices.com. (38)
15:23:09.821407 192.168.20.2.1031 > DNS_ip.53: 37+ A? mx.msdirectservices.com. (41)
15:23:10.139964 192.168.20.2.1031 > DNS_ip.53: 38+ A? mail.msdirectservices.com. (43)
15:23:10.466204 192.168.20.2.1031 > DNS_ip.53: 39+ A? smtp.msdirectservices.com. (43)
15:23:10.792675 192.168.20.2.1031 > DNS_ip.53: 40+ A? mx1.msdirectservices.com. (42)
15:23:11.162149 192.168.20.2.1031 > DNS_ip.53: 41+ A? mxs.msdirectservices.com. (42)
15:23:11.490562 192.168.20.2.1031 > DNS_ip.53: 42+ A? mail1.msdirectservices.com. (44)
15:23:11.689199 192.168.20.2.1034 > DNS_ip.53: 43+ A? mail1.msdirectservices.com. (44)
15:23:11.818805 192.168.20.2.1031 > DNS_ip.53: 44+ A? relay.msdirectservices.com. (44)
15:23:11.819370 192.168.20.2.1034 > DNS_ip.53: 45+ A? relay.msdirectservices.com. (44)
15:23:12.147850 192.168.20.2.1031 > DNS_ip.53: 46+ A? ns.msdirectservices.com. (41)
15:23:12.148305 192.168.20.2.1034 > DNS_ip.53: 47+ A? ns.msdirectservices.com. (41)
15:23:12.476384 192.168.20.2.1031 > DNS_ip.53: 48+ A? gate.msdirectservices.com. (43)
15:23:12.476817 192.168.20.2.1034 > DNS_ip.53: 49+ A? gate.msdirectservices.com. (43)
15:23:14.852241 192.168.20.2.1031 > DNS_ip.53: 50+ A? gto.net.om. (28)
15:23:16.869443 192.168.20.2.1031 > DNS_ip.53: 51+ A? mx.lebanon-online.com.lb. (42)
15:23:17.105286 192.168.20.2.1031 > DNS_ip.53: 52+ A? mx.gto.net.om. (31)
15:23:19.959306 192.168.20.2.1031 > DNS_ip.53: 53+ A? mail.gto.net.om. (33)
15:23:22.502746 192.168.20.2.1031 > DNS_ip.53: 54+ A? smtp.gto.net.om. (33)
15:23:25.046325 192.168.20.2.1031 > DNS_ip.53: 55+ A? mx1.gto.net.om. (32)
15:23:27.800143 192.168.20.2.1031 > DNS_ip.53: 56+ A? mxs.gto.net.om. (32)
15:23:30.353779 192.168.20.2.1031 > DNS_ip.53: 57+ A? mail1.gto.net.om. (34)
15:23:30.651845 192.168.20.2.1031 > DNS_ip.53: 58+ A? relay.gto.net.om. (34)
15:23:30.950109 192.168.20.2.1031 > DNS_ip.53: 59+ A? ns.gto.net.om. (31)
15:23:33.498197 192.168.20.2.1031 > DNS_ip.53: 60+ A? gate.gto.net.om. (33)
15:24:03.553788 192.168.20.2.1031 > DNS_ip.53: 61+ A? mvs-ng.um.mediaways.net. (41)
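Two of the sniffer excerpts on this page are classic worm signatures that a detection rule can pick up from tcpdump's text output alone: the sweep of consecutive addresses on port 3127 shown earlier, and the honeypot's own MX lookups followed by direct connections to port 25 shown just above. The script below is an added example, not part of the original analysis. It carries one small tcpdump line parser and two detectors over it; the sample lines are copied from the page, with the redacted scanner source written as the placeholder SCANNER_IP and the resolver kept as DNS_IP, as on the page.

```python
import re
from collections import Counter, defaultdict

# Lines copied from the page's two sniffer excerpts. SCANNER_IP stands in for
# the source address the page redacts; DNS_IP is the page's own placeholder.
SAMPLE = """\
18:49:56.706145 SCANNER_IP.2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:49:56.728093 SCANNER_IP.2586 > 137.189.2.41.3127: S 434112710:434112710(0) win 8192 (DF)
18:49:56.737887 SCANNER_IP.2587 > 137.189.2.42.3127: S 434148033:434148033(0) win 8192 (DF)
18:49:56.748221 SCANNER_IP.2588 > 137.189.2.43.3127: S 434212538:434212538(0) win 8192 (DF)
18:49:56.758830 SCANNER_IP.2589 > 137.189.2.44.3127: S 434257041:434257041(0) win 8192 (DF)
18:49:57.414454 SCANNER_IP.2584 > 137.189.2.39.3127: S 433985507:433985507(0) win 8192 (DF)
18:54:01.438863 SCANNER_IP.2762 > 137.189.96.1.3127: S 1671427082:1671427082(0) win 8192 (DF)
18:54:01.449012 SCANNER_IP.2763 > 137.189.96.2.3127: S 1671482107:1671482107(0) win 8192 (DF)
18:54:01.459189 SCANNER_IP.2764 > 137.189.96.3.3127: S 1671536492:1671536492(0) win 8192 (DF)
18:54:01.470951 SCANNER_IP.2765 > 137.189.96.4.3127: S 1671582682:1671582682(0) win 8192 (DF)
18:54:01.480338 SCANNER_IP.2766 > 137.189.96.5.3127: S 1671645459:1671645459(0) win 8192 (DF)
18:54:01.490949 SCANNER_IP.2767 > 137.189.96.6.3127: S 1671701503:1671701503(0) win 8192 (DF)
15:03:11.707127 192.168.20.2.1027 > DNS_IP.53: 9+ MX? gto.net.om. (28)
15:03:11.893217 192.168.20.2.1043 > DNS_IP.53: 10+ MX? lebanon-online.com.lb. (39)
15:03:12.154167 192.168.20.2.1048 > DNS_IP.53: 11+ MX? msdirectservices.com. (38)
15:03:12.804544 192.168.20.2.1050 > 64.26.62.254.25: S 3182454275:3182454275(0) win 64240 (DF)
15:03:13.082234 64.26.62.254.25 > 192.168.20.2.1050: R 0:0(0) ack 3182454276 win 0
15:03:13.448557 192.168.20.2.1052 > 62.53.235.73.25: S 3182656143:3182656143(0) win 64240 (DF)
15:03:15.019558 192.168.20.2.1053 > 64.26.62.254.25: S 3183115789:3183115789(0) win 64240 (DF)
15:03:16.740532 64.26.62.254.25 > 192.168.20.2.1053: S 1939088427:1939088427(0) ack 3183115790 win 32120 (DF)
15:03:17.130040 192.168.20.2.1057 > 62.53.235.73.25: S 3183724339:3183724339(0) win 64240 (DF)
15:03:20.007876 192.168.20.2.1027 > DNS_IP.53: 14+ A? mx.gto.net.om. (31)
"""

# tcpdump's default one-line format: "HH:MM:SS.us src.port > dst.port: details"
TCPDUMP_LINE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): (.*)$")


def parse_tcpdump(text):
    """Turn each matching line into a dict; lines in other formats are skipped."""
    packets = []
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line)
        if not m:
            continue
        h, mi, s, src, sport, dst, dport, rest = m.groups()
        packets.append({
            "t": int(h) * 3600 + int(mi) * 60 + float(s),
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "flags": rest.split(" ", 1)[0],   # 'S', 'R', '.', or a DNS query id
            "rest": rest,
        })
    return packets


def detect_horizontal_scans(packets, port=3127, window=10.0, min_targets=5):
    """Sources that SYN to at least `min_targets` distinct hosts on `port`
    within any `window` seconds; returns {src: max distinct targets seen}."""
    by_src = defaultdict(list)
    for p in packets:
        if p["dport"] == port and p["flags"] == "S":
            by_src[p["src"]].append((p["t"], p["dst"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        seen, lo = Counter(), 0                  # sliding window of targets
        for t, dst in events:
            seen[dst] += 1
            while t - events[lo][0] > window:    # expire old events
                seen[events[lo][1]] -= 1
                if seen[events[lo][1]] == 0:
                    del seen[events[lo][1]]
                lo += 1
            if len(seen) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(seen))
    return hits


def mass_mailer_candidates(packets, min_mx=3, min_smtp=3):
    """Hosts that resolve MX records and then open SMTP sessions themselves.
    A desktop normally relays through its configured mail server and never
    does this, which is why the pattern separates the infected honeypot."""
    stats = defaultdict(lambda: {"mx_queries": 0, "smtp_syns": 0, "smtp_hosts": set()})
    for p in packets:
        if p["dport"] == 53 and " MX? " in p["rest"]:
            stats[p["src"]]["mx_queries"] += 1
        elif p["dport"] == 25 and p["flags"] == "S":
            stats[p["src"]]["smtp_syns"] += 1
            stats[p["src"]]["smtp_hosts"].add(p["dst"])
    return {host: {"mx_queries": s["mx_queries"], "smtp_syns": s["smtp_syns"],
                   "smtp_hosts": len(s["smtp_hosts"])}
            for host, s in stats.items()
            if s["mx_queries"] >= min_mx and s["smtp_syns"] >= min_smtp}


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    print("port-3127 sweeps:", detect_horizontal_scans(pkts))
    print("mass-mailer candidates:", mass_mailer_candidates(pkts))
```

Only SYNs from the client side count in both detectors: the SYN-ACK and RST lines coming back from 64.26.62.254 have a destination port above 1024 and are ignored, and a retransmitted SYN to an address already seen does not raise the target count.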
Strings of the virus file
UPX0
UPX1
.rsrc
1.24
UPX!
xph`XP
804M
|ph)o\
xp({h
tld\Ti
D@80
mT4C
3NlrN
{nd]YX
Z_gr
aadjs
NB;788=EP^o
??THQ{o~
|2ik
Xvhc]PRQSjdw
@~T>
oQ!5
I:$/0
^`Ir
V;_=J
l[3QB
i\l"
/ZIO
/&V@
L,i7
sZAV
hI~fK
e^ha
J~2A
bP)i
o!92(C~
"C#Zr
$OB(
/@Dx
+#Q;
#Ty"
H~qa@-
1ezB:[
kp~Kk
zy()
-JbO4
F6x[
qmlns{
}m`VOKJLQYdr
SSV\eq
/7BPau
(m `N
JC!*
W<'i{h
,AYt
&@]}
(sync.c,v 0.1 2004
1/xx
: andy)
fuvztMv.qyy7Fb
sgjner\Zvpebf
\Jvaqbjf\Phe
agIrefvba\RkcyberebzQyt3
CjroFvkFz
gkF0Sgnfxz
.rkr
#gEy
notepad %s
Message
.2u:
/-?+
oCec
nSay
aSa'Fri
ThDWe
usMo
/abcd
ghijklm
pqrstNwxyzg
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ahxr
_'npx
bgxvgKC
-tvey-2.0oqp
_cNpurf
3\vi
mHdV-Q
nzc5
tga[_)
Qg0#Xn
n\G+
[afs
W|.dll
Qu&n
immyerr3
cl3di8bre
Sack_i
smith[C
&joe?neo/
eoOsK
c#Gv
Khncc
=];_
uppo
/mkph
gold-Pxc
afe%Cb5
9wX+d
6[pl93foo/[
_loyG:s
TiAb
cxfZ
hOni
7oo.bn
a<;:
._!;
|EFn(
cE(@)
l Svyr
dbxq
5vmb/xH*.*
USERPROFI
Ybp5
ayGr
n;^
Qkk7l
i]Wb
7}pj
MGiI
wn>Jj
#.zf
+o*7
-TRG / UGGC/V
g: j
.fj=j
6xORe
Er=
v-cFl
n#,=r u
qnga
u&q/
hzEGp
p!w f
t8hmUK
: {p
G7-?
ASCII
r=it
OaA!0123456789+
K-ZF1-kK
Vq;a
ZVZR-X\
48X.a
?%f`iad
4g-Ra
A8fr64"
^+}Qvf
P,E6!`T
nj@J
m+Mmg?
QUIT
DATAEPCGo
kB:<
ZNVYoEBZv
URYB
e5n;
9q*#l
^-?[@
`}|<
<'SP
8*l2e
P7Sh
8SS:
af[8u
`td@%4
5TJ]]
t2Ht-P$
5=tl<
_WSQ
8%Sf
p54MI
39>Y
-jY$E/
Q.VVAy
(J,3
Y]MDU
]p$vh
##IF
e2F[
|&f+m
RSX$
2Bcf.
Yhx&:
lt.hp
h(df
V$v5
tJ6O
>F@Ju
X:Em
Y;wY|
a`:H
"n
b@jO4
YYgu
"9X\
VX;PXsj
\j`S
Ji_g
vFJ-
Yc*Wuf
oHmj
kDqD
~,u
RqGdH
|6-9
E+SQ
*rWQ*
&S0W
YW
Mp6l:p
^/uQi
F,p=
-D1-j
jg/h\
#[E$.
9F w5
_tX\
d[95
'90.h@
Pu#5
TP+L
t jK(
h@.=x
,<4I
Jt1u
Vl`xx
/WiF%
T1-2<
P=G'/<
k=3#pW
_0QE?
Fj?D
khNu
b}G*
#De+
[%K7
;6,3
8%u!
X` f
UTN<
+b!Jt
E< r8<=
<+t0<:t9.51*
NEbl
8:ua
l+m0
PQPd
hD8JH7
@Shu
]ujT
=+6~<8(
3tO+
t.P.u
Fx|#
tsGS
FSKC
L"06
-P):!
WY#r
%SKKD
}S
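Most of the dump above is noise because the file is UPX-packed (the UPX0, UPX1 and UPX! markers at the top), but a handful of the printed strings become readable once shifted by ROT13: URYB is HELO, -TRG / UGGC/V is -GET / HTTP/I, and \Jvaqbjf\Phe is \Windows\Cur. The script below is an added example (not part of the original analysis) that applies that shift to strings copied from the dump and reports which ones decode to SMTP verbs, registry path fragments or an HTTP request. The marker list is the analyst's own choice and is the only assumption beyond the dump itself.

```python
import codecs

# Strings copied from the dump above, plus the plain-text tokens beside them.
DUMP = [
    "URYB", "ZNVYoEBZv", "DATAEPCGo", "QUIT", "-TRG / UGGC/V",
    "sgjner\\Zvpebf", "\\Jvaqbjf\\Phe", "agIrefvba\\Rkcyberebz",
    "notepad %s", "USERPROFI", "CjroFvkFz", "gkF0Sgnfxz",
]

# Tokens a mass-mailing worm needs: SMTP verbs, a hand-rolled HTTP request and
# the Run-key path under HKLM\Software\Microsoft\Windows\CurrentVersion.
# The list is an assumption of this example, chosen to fit the dump.
MARKERS = ("HELO", "MAIL", "RCPT", "DATA", "QUIT", "GET ", "HTTP",
           "Windows", "Micros", "Version", "Explorer", "Cur")


def rot13(s):
    """ROT13 is its own inverse, so one call both encodes and decodes."""
    return codecs.decode(s, "rot_13")


def decode_dump(strings):
    """Return [(original, decoded, markers_found)] for every string whose
    ROT13 form contains at least one marker."""
    out = []
    for s in strings:
        d = rot13(s)
        hits = [m for m in MARKERS if m in d]
        if hits:
            out.append((s, d, hits))
    return out


def plain_markers(strings):
    """Markers that are readable without decoding (e.g. QUIT and DATA here),
    which shows the obfuscation was applied to some strings and not others."""
    return sorted({m for s in strings for m in MARKERS if m in s})


if __name__ == "__main__":
    for original, decoded, hits in decode_dump(DUMP):
        print(f"{original!r:28} -> {decoded!r:28} {hits}")
    print("left in clear:", plain_markers(DUMP))
```

Bytes that were never letters stay as they are under ROT13, so garbage such as the b and i in MAILbROMi survives the shift; the test is whether a marker appears, not whether the whole string becomes clean. The same two-line check (shift, then look for protocol verbs and registry paths) is worth keeping in a triage script for any sample whose strings output looks like random text yet contains a few runs of letters of plausible length.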