sub_outside(): KERNEL32.ExitThread KERNEL32.GetTickCount KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.lstrlenA KERNEL32.lstrcpyA KERNEL32.FreeLibrary |
sub_407708(02a4): KERNEL32.ExitThread "unknown" "mapi32.exe" |
sub_405185(039b): KERNEL32.GetTickCount KERNEL32.Sleep |
sub_409C9D(16f8): KERNEL32.Sleep |
sub_40549A(20d6): KERNEL32.Sleep |
sub_40758E(2461): KERNEL32.GetTickCount |
sub_40A45C(2482): KERNEL32.CreateThread KERNEL32.SetThreadPriority |
sub_4086A6(31c8): "%s" "wb" "\r\n\r\n" "http/1." |
sub_40A8E0(3320): KERNEL32.CreateProcessA "%s %s" |
sub_408E07(3f4b): KERNEL32.SearchPathA KERNEL32.CreateFileA KERNEL32.GetFileTime KERNEL32.CloseHandle KERNEL32.SetFileTime "svchost.exe" |
sub_40969D(3fbd): KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.FreeLibrary "dnsapi.dll" "DnsFlushResolverCache" |
sub_407BC9(40c5): "TFTPDHijack" "mapi32.exe" "mapi32.exe" |
sub_40AF7E(4529): KERNEL32.LocalFree |
sub_409E5D(4e66): KERNEL32.GetVersionExA "95" "NT" "98" "ME" "2000" "XP" "2003" |
sub_40A818(4f88): KERNEL32.GetTickCount |
sub_408A88(4fb3): KERNEL32.GetModuleFileNameA "MAPI Mail Client" "MAPI" "Enables support for the Messaging Appli"... "SYSTEM\\CurrentControlSet\\Control\\SafeBo"... "Minimal" "Service" "MAPI" "Network" "MAPI" |
sub_407F46(6320): KERNEL32.ExitThread "Ftpd" "Ftpd" "Ftpd" "220 ProFTPD 1.%d.%d Server (ProFTPD Def"... "%s %s" "USER" "331 Password required\n" "PASS" "230 User logged in.\n" "SYST" "REST" "350 Restarting.\n" "PWD" "257 \"/\" is current directory.\n" "TYPE" "A" "I" "200 Type set to A.\n" "PASV" "425 Passive not supported on this serve"... "LIST" "226 Transfer complete\n" "PORT" "%*s %[^,],%[^,],%[^,],%[^,],%[^,],%[^\n]"... "%x%x\n" "%s.%s.%s.%s" "200 PORT command successful.\n" "RETR" "150 Opening BINARY mode data connection"... "226 Transfer complete.\n" "425 Can't open data connection.\n" "425 Can't open data connection.\n" "QUIT" "221 Goodbye.\n" "Ftpd" "Ftpd" |
sub_405DB7(6418): KERNEL32.ExitThread "FXNBFXFXNBFXFXFXFX" "\\C$\\123456111111111111111.doc" |
sub_40914C(64b0): "SYSTEM\\CurrentControlSet\\Services\\TcpIp"... "SYSTEM\\CurrentControlSet\\Services\\NetBT"... "NetbiosOptions" "SOFTWARE\\Microsoft\\OLE" "N" "EnableDCOM" "SYSTEM\\CurrentControlSet\\Services\\NetDD"... "Start" "ServicesActive" "Network DDE" "SYSTEM\\CurrentControlSet\\Services\\W3SVC"... "MaxClientRequestBuffer" |
sub_4095E2(7e11): "." |
sub_40A56C(8034): KERNEL32.TerminateThread |
sub_408EAB(8064): KERNEL32.OpenMutexA KERNEL32.ReleaseMutex KERNEL32.GetTempPathA KERNEL32.CreateFileA KERNEL32.WriteFile KERNEL32.CloseHandle KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA KERNEL32.GetFileAttributesA KERNEL32.SetFileAttributesA KERNEL32.ExpandEnvironmentStringsA KERNEL32.ExitProcess "xMAPIMailClientx" "Control Handler" "MAPI" "%serase.bat" "@echo off\r\n:repeat\r\ndel \"%%1\"\r\nif exist"... "%%comspec%% /c %s %s %s" |
sub_404530(8a84): KERNEL32.ExitProcess KERNEL32.Sleep KERNEL32.GetTickCount " " ".bot.compilation" "dETOX/0x91 (win32)" ".bot.leave" "QUIT :god hates us all\r\n" ".harvest.passwords" "Password Finder" ".open" "open" ".scan.start" "Scanner" "-s" "." "%s%d.%d" "-x" "-r" "-x" "-l" "Scanner" ".scan.enable" "Scanner" "Scanner" ".secure.install" ".shellcode.status" ".sniffer.on" "Sniffer" ".sniffer.off" "Sniffer" ".thread.find" |
sub_40899B(91aa): KERNEL32.GetModuleHandleA KERNEL32.GetModuleFileNameA KERNEL32.lstrlenA "MAPI" "SYSTEM\\CurrentControlSet\\Services\\%s" "Start" "ImagePath" |
sub_408D6E(92f8): "MAPI" |
sub_409016(938b): KERNEL32.GetModuleFileNameA KERNEL32.GetSystemDirectoryA KERNEL32.lstrlenA KERNEL32.lstrcatA KERNEL32.CreateFileA KERNEL32.GetFileAttributesA KERNEL32.CloseHandle KERNEL32.CopyFileA KERNEL32.SetFileAttributesA "\\" "mapi32.exe" |
sub_408953(9ae8): "ServicesActive" |
sub_409F1F(9db1): KERNEL32.GlobalMemoryStatus "dETOX/0x91 (win32)" |
sub_409D65(b17f): KERNEL32.QueryPerformanceCounter KERNEL32.QueryPerformanceFrequency KERNEL32.GetTickCount "days" "day" "hours" "hour" "minutes" "minute" |
sub_405CEC(b3c2): KERNEL32.ExitProcess KERNEL32.Sleep "Sniffer" "MAPI" |
sub_40933F(b542): KERNEL32.GetTickCount KERNEL32.Sleep KERNEL32.ExitProcess KERNEL32.SetErrorMode "%d.%d.%d.%d" "Protocol Handler" "Control Handler" "TFTPDHijack" "ShellcodeDaemon" "Ftpd" "MAPI" |
sub_40AA5D(b77a): "SOFTWARE\\VMware, Inc.\\" |
sub_408DE9(b897): KERNEL32.CreateMutexA NTDLL.RtlGetLastWin32Error "xMAPIMailClientx" |
sub_407282(b8aa): KERNEL32.Sleep NTDLL.RtlDeleteCriticalSection KERNEL32.InitializeCriticalSectionAndSpinCount KERNEL32.ExitThread NTDLL.RtlEnterCriticalSection KERNEL32.TerminateThread NTDLL.RtlLeaveCriticalSection "enabled" "Scanner" "Scanner" |
sub_4052A5(bd42): KERNEL32.Sleep "PASS %s\r\n" "dETOX/0x91 (win32)" |
sub_407125(bda9): KERNEL32.GetTickCount |
sub_40785E(c085): KERNEL32.ExitThread KERNEL32.CreateThread "ShellcodeDaemon" "€" |
sub_40AAA5(c8fa): KERNEL32.GetModuleHandleA KERNEL32.LoadLibraryA KERNEL32.GetProcAddress KERNEL32.GetTickCount "KERNEL32.DLL" "IsDebuggerPresent" |
sub_40862D(cd67): "http://" |
sub_40A6A6(cd75): "0123456789abcdefghijklmnopqrstuvwxyz" "%c%c%c%c%c%c%c" |
sub_40A690(ce34): "r" |
sub_4055A6(ce69): KERNEL32.Sleep " " "PING" "PONG %s\r\n" "PRIVMSG" "dETOX/0x91 (win32)" "ERROR" "KICK" "009" "MODE %s +i\r\n" "Sniffer" "001" "422" "366" "332" " :" "PRIVMSG" "433" "dETOX/0x91 (win32)" "432" "471" "473" "474" "475" "480" "513" "%s %s\r\n" "!" "@" ":" "*" "MODE %s +i\r\n" "Sniffer" "@" |
sub_408825(ceea): "GET %s HTTP/1.0\r\n\r\n" |
sub_408C2B(d286): KERNEL32.SetEvent |
sub_407E7D(e03d): KERNEL32.GetModuleFileNameA KERNEL32.Sleep |
sub_409834(e3b6): "paypal" "ebay" "e-bay" "login" "bank" "JOIN" "OPER" "login" |
sub_408C7B(f2ec): KERNEL32.CreateEventA KERNEL32.WaitForSingleObject KERNEL32.CloseHandle "MAPI" |
sub_4098E2(f41a): KERNEL32.InitializeCriticalSectionAndSpinCount KERNEL32.ExitThread NTDLL.RtlEnterCriticalSection KERNEL32.Sleep NTDLL.RtlLeaveCriticalSection "Sniffer" "Sniffer" |
sub_407207(f756): KERNEL32.Sleep KERNEL32.ExitThread |