I have a UPX-compressed version of it that I received a while ago. I saved it and uuencoded it; if someone wants it for analytical purposes, email me personally. What I received was readme.pif.
-b

On Mon, 2004-01-26 at 18:58, Thierry wrote:
> Hello Gadi,
>
> GE> Whichever the case this outbreak is HUGE.
> GE> Largest in a while and it is spreading VERY FAST.
>
> I can only confirm, it currently slips through my ISP virus mail
> gateway. I have a few files here, some in uncompressed state, if anybody is
> interested and hasn't had the chance to have one of those (should be
> rare though). I am not aware whether it self-modifies or not; here
> are the strings I extracted from the uncompressed PIF file.
>
> Tool: BinText
>
> File pos Mem pos  ID Text
> ======== ======== == ====
>
> 0000269C 004A269C 0  iphlpapi.dll
> 000026AC 004A26AC 0  DnsQuery_A
> 000026B8 004A26B8 0  dnsapi.dll
> 000026C4 004A26C4 0  GetNetworkParams
> 000026D8 004A26D8 0  sandra
> 000026E0 004A26E0 0  linda
> 000026E8 004A26E8 0  julie
> 000026F0 004A26F0 0  jimmy
> 000026F8 004A26F8 0  jerry
> 00002700 004A2700 0  helen
> 00002708 004A2708 0  debby
> 00002710 004A2710 0  claudia
> 00002718 004A2718 0  brenda
> 00002728 004A2728 0  alice
> 00002730 004A2730 0  brent
> 00002764 004A2764 0  smith
> 0000276C 004A276C 0  steve
> 00002798 004A2798 0  robert
> 000027A0 004A27A0 0  peter
> 000027C0 004A27C0 0  brian
> 000027CC 004A27CC 0  maria
> 000027E0 004A27E0 0  andrew
> 000027EC 004A27EC 0  george
> 000027F4 004A27F4 0  david
> 000027FC 004A27FC 0  kevin
> 0000280C 004A280C 0  james
> 00002814 004A2814 0  michael
> 0000282C 004A282C 0  accoun
> 00002834 004A2834 0  certific
> 00002840 004A2840 0  listserv
> 0000284C 004A284C 0  ntivi
> 00002854 004A2854 0  support
> 0000285C 004A285C 0  icrosoft
> 00002868 004A2868 0  admin
> 00002878 004A2878 0  the.bat
> 00002880 004A2880 0  gold-certs
> 00002890 004A2890 0  feste
> 00002898 004A2898 0  submit
> 000028AC 004A28AC 0  service
> 000028B4 004A28B4 0  privacy
> 000028BC 004A28BC 0  somebody
> 000028D4 004A28D4 0  contact
> 000028E4 004A28E4 0  rating
> 00002904 004A2904 0  someone
> 0000290C 004A290C 0  anyone
> 00002914 004A2914 0  nothing
> 0000291C 004A291C 0  nobody
> 00002924 004A2924 0  noone
> 0000292C 004A292C 0  webmaster
> 00002938 004A2938 0  postmaster
> 00002944 004A2944 0  samples
> 0000295E 004A295E 0  be_loyal:
> 00002968 004A2968 0  mozilla
> 00002970 004A2970 0  utgers.ed
> 0000297C 004A297C 0  tanford.e
> 0000298C 004A298C 0  acketst
> 00002994 004A2994 0  secur
> 0000299C 004A299C 0  isc.o
> 000029A4 004A29A4 0  isi.e
> 000029AC 004A29AC 0  ripe.
> 000029B4 004A29B4 0  arin.
> 000029BC 004A29BC 0  sendmail
> 000029C8 004A29C8 0  rfc-ed
> 000029E0 004A29E0 0  usenet
> 000029F0 004A29F0 0  linux
> 000029F8 004A29F8 0  kernel
> 00002A00 004A2A00 0  google
> 00002A08 004A2A08 0  ibm.com
> 00002A1C 004A2A1C 0  mit.e
> 00002A38 004A2A38 0  berkeley
> 00002A68 004A2A68 0  ruslis
> 00002A70 004A2A70 0  nodomai
> 00002A78 004A2A78 0  mydomai
> 00002A80 004A2A80 0  example
> 00002A88 004A2A88 0  inpris
> 00002A90 004A2A90 0  borlan
> 00002A98 004A2A98 0  sopho
> 00002AA0 004A2AA0 0  panda
> 00002AA8 004A2AA8 0  hotmail
> 00002AB8 004A2AB8 0  icrosof
> 00002AD4 004A2AD4 0  -._!@
> 00002ADC 004A2ADC 0  abuse
> 00002E34 004A2E34 0  USERPROFILE
> 00002E40 004A2E40 0  Ybpny Frggvatf
> 0000345C 004A345C 0  %s.%s
> 00003480 004A3480 0  %s.zip
> 0000348C 004A348C 0  Mail transaction failed. Partial message is available.
> 000034C8 004A34C8 0  The message contains Unicode characters and has been sent as a binary attachment.
> 00003520 004A3520 0  The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
> 00003590 004A3590 0  ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
> 000035DE 004A35DE 0  K-ZFZnvy-Cevbevgl: Abezny
> 000035FA 004A35FA 0  K-Cevbevgl: 3
> 00003608 004A3608 0  boundary="%s"
> 0000361A 004A361A 0  Pbagrag-Glcr: zhygvcneg/zvkrq;
> 0000363E 004A363E 0  ZVZR-Irefvba: 1.0
> 00003652 004A3652 0  Qngr:
> 0000365E 004A365E 0  Fhowrpg:
> 00003670 004A3670 0  Sebz:
> 00003678 004A3678 0  ----=_%s_%.3u_%.4u_%.8X.%.8X
> 00003698 004A3698 0  NextPart
> 000036A8 004A36A8 0  --%s--
> 000036BE 004A36BE 0  Pbagrag-Glcr: nccyvpngvba/bpgrg-fgernz;
> 000036E7 004A36E7 0  anzr="%f"
> 000036F3 004A36F3 0  Pbagrag-Genafsre-Rapbqvat: onfr64
> 00003716 004A3716 0  Pbagrag-Qvfcbfvgvba: nggnpuzrag;
> 00003738 004A3738 0  svyranzr="%f"
> 0000375E 004A375E 0  Pbagrag-Glcr: grkg/cynva;
> 00003779 004A3779 0  punefrg="Jvaqbjf-1252"
> 00003792 004A3792 0  Pbagrag-Genafsre-Rapbqvat: 7ovg
> 00003890 004A3890 0  gate.%s
> 00003898 004A3898 0  ns.%s
> 000038A0 004A38A0 0  relay.%s
> 000038AC 004A38AC 0  mail1.%s
> 000038B8 004A38B8 0  mxs.%s
> 000038C0 004A38C0 0  mx1.%s
> 000038C8 004A38C8 0  smtp.%s
> 000038D0 004A38D0 0  mail.%s
> 000038D8 004A38D8 0  mx.%s
> 0000A009 004AA009 0  CreateFileMappingA
> 0000A01D 004AA01D 0  FindNextFileA
> 0000A02C 004AA02C 0  FindFirstFileA
> 0000A03C 004AA03C 0  GetEnvironmentVariableA
> 0000A055 004AA055 0  GetWindowsDirectoryA
> 0000A06B 004AA06B 0  GetDriveTypeA
> 0000A07A 004AA07A 0  GetFileSize
> 0000A087 004AA087 0  FindClose
> 0000A092 004AA092 0  FileTimeToSystemTime
> 0000A0A8 004AA0A8 0  GlobalAlloc
> 0000A0B5 004AA0B5 0  GetTempFileNameA
> 0000A0C7 004AA0C7 0  SetFilePointer
> 0000A0D7 004AA0D7 0  GetSystemTime
> 0000A0E6 004AA0E6 0  GetCurrentThread
> 0000A0F8 004AA0F8 0  WriteFile
> 0000A103 004AA103 0  LoadLibraryA
> 0000A111 004AA111 0  lstrcpyA
> 0000A11B 004AA11B 0  CloseHandle
> 0000A128 004AA128 0  GetFileAttributesA
> 0000A13C 004AA13C 0  CreateFileA
> 0000A149 004AA149 0  lstrlenA
> 0000A153 004AA153 0  GetTempPathA
> 0000A161 004AA161 0  GetSystemDirectoryA
> 0000A176 004AA176 0  lstrcatA
> 0000A180 004AA180 0  GetLastError
> 0000A18E 004AA18E 0  CreateMutexA
> 0000A19C 004AA19C 0  CopyFileA
> 0000A1A7 004AA1A7 0  DeleteFileA
> 0000A1B4 004AA1B4 0  SetFileAttributesA
> 0000A1C8 004AA1C8 0  GetModuleFileNameA
> 0000A1DC 004AA1DC 0  SystemTimeToFileTime
> 0000A1F2 004AA1F2 0  GetSystemTimeAsFileTime
> 0000A20B 004AA20B 0  Sleep
> 0000A212 004AA212 0  ExitThread
> 0000A21E 004AA21E 0  WaitForSingleObject
> 0000A233 004AA233 0  CreateProcessA
> 0000A243 004AA243 0  CreateThread
> 0000A251 004AA251 0  GetTickCount
> 0000A25F 004AA25F 0  ExitProcess
> 0000A26C 004AA26C 0  GetTimeZoneInformation
> 0000A284 004AA284 0  MapViewOfFile
> 0000A293 004AA293 0  FileTimeToLocalFileTime
> 0000A2AC 004AA2AC 0  GetLocalTime
> 0000A2BA 004AA2BA 0  WideCharToMultiByte
> 0000A2CF 004AA2CF 0  GetProcAddress
> 0000A2DF 004AA2DF 0  GetModuleHandleA
> 0000A2F1 004AA2F1 0  HeapFree
> 0000A2FB 004AA2FB 0  GetProcessHeap
> 0000A30B 004AA30B 0  HeapAlloc
> 0000A316 004AA316 0  lstrcpynA
> 0000A321 004AA321 0  lstrcmpA
> 0000A32B 004AA32B 0  lstrcmpiA
> 0000A336 004AA336 0  GlobalFree
> 0000A342 004AA342 0  InterlockedDecrement
> 0000A358 004AA358 0  InterlockedIncrement
> 0000A36E 004AA36E 0  ReadFile
> 0000A378 004AA378 0  UnmapViewOfFile
> 0000A389 004AA389 0  SetThreadPriority
> 0000A3A5 004AA3A5 0  RegCloseKey
> 0000A3B2 004AA3B2 0  RegOpenKeyExA
> 0000A3C1 004AA3C1 0  RegSetValueExA
> 0000A3D1 004AA3D1 0  RegQueryValueExA
> 0000A3E3 004AA3E3 0  RegEnumKeyA
> 0000A3F0 004AA3F0 0  RegCreateKeyExA
> 0000A40A 004AA40A 0  memset
> 0000A412 004AA412 0  tolower
> 0000A41B 004AA41B 0  memcpy
> 0000A423 004AA423 0  isdigit
> 0000A42C 004AA42C 0  toupper
> 0000A435 004AA435 0  isxdigit
> 0000A43F 004AA43F 0  isalnum
> 0000A448 004AA448 0  isspace
> 0000A45A 004AA45A 0  CharUpperBuffA
> 0000A46A 004AA46A 0  CharUpperA
> 0000A476 004AA476 0  CharLowerA
> 0000A482 004AA482 0  wvsprintfA
> 0000A48E 004AA48E 0  wsprintfA
> 0000A5CB 004AA5CB 0  .text
> 0000A5F3 004AA5F3 0  .rsrc
> 0000C290 004AC290 0  KERNEL32.DLL
> 0000C29D 004AC29D 0  ADVAPI32.dll
> 0000C2AA 004AC2AA 0  MSVCRT.dll
> 0000C2B5 004AC2B5 0  USER32.dll
> 0000C2C0 004AC2C0 0  WS2_32.dll
> 0000C2CC 004AC2CC 0  LoadLibraryA
> 0000C2DA 004AC2DA 0  GetProcAddress
> 0000C2EA 004AC2EA 0  ExitProcess
> 0000C2F8 004AC2F8 0  RegCloseKey
> 0000C306 004AC306 0  memset
> 0000C30E 004AC30E 0  wsprintfA

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
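Several of the quoted strings (Ybpny Frggvatf, the K-ZFZnvy-Cevbevgl line and the Pbagrag-* lines) are ROT13 images of ordinary MIME header text, which is why the mailer's headers do not appear in the clear in the dump. As an added example that is not part of the thread or of BinText, the following Python parses BinText's output layout and flags every string whose ROT13 image contains a known header token; the sample rows are a constructed subset of the dump above.

```python
import codecs
import re

# Constructed sample: rows copied from the BinText dump above, in its "file pos / mem pos / id / text" layout.
BINTEXT_SAMPLE = """\
File pos Mem pos ID Text
======== ======= == ====
00002E40 004A2E40 0 Ybpny Frggvatf
000035DE 004A35DE 0 K-ZFZnvy-Cevbevgl: Abezny
00003608 004A3608 0 boundary="%s"
0000361A 004A361A 0 Pbagrag-Glcr: zhygvcneg/zvkrq;
0000363E 004A363E 0 ZVZR-Irefvba: 1.0
000036F3 004A36F3 0 Pbagrag-Genafsre-Rapbqvat: onfr64
00003779 004A3779 0 punefrg="Jvaqbjf-1252"
000038C8 004A38C8 0 smtp.%s
0000A1F2 004AA1F2 0 GetSystemTimeAsFileTime
"""

# One BinText data row: two 8-digit hex offsets, a numeric id, then the string.
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\d+)\s+(.*)$")

# Header vocabulary that mailer code normally keeps in clear text; a string is
# flagged only if its ROT13 image contains one of these tokens.
KNOWN_TOKENS = (
    "content-type", "content-transfer-encoding", "content-disposition", "mime-version",
    "charset=", "x-priority", "x-msmail-priority", "local settings", "subject:", "from:",
)

def parse_bintext(text):
    """Return [(file_offset, mem_address, string), ...] from BinText output."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # the header, separator and blank lines do not match
            rows.append((int(m.group(1), 16), int(m.group(2), 16), m.group(4)))
    return rows

def rot13(s):
    """ROT13 is an involution, so the same call encodes and decodes."""
    return codecs.decode(s, "rot_13")

def find_rot13_strings(rows):
    """Map each obfuscated string to its ROT13 image when that image is recognisable."""
    found = {}
    for _offset, _addr, s in rows:
        decoded = rot13(s)
        if any(tok in decoded.lower() for tok in KNOWN_TOKENS):
            found[s] = decoded
    return found
```

Run over the full dump, the same check also surfaces the Qngr:/Fhowrpg:/Sebz: header names and the svyranzr= and anzr= attachment parameters.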