looking for Big Yellow

I was wondering if anyone has the "big yellow" worm that hits the Symantec AV as indicated by eEye at http://research.eeye.com/html/alerts/AL20061215.html. I tried hitting the site but either it's hammered or it's down.
Also, is this worm the same as W32.Spybot.ACYR?

thanks.

Big yellow

I submitted it a while ago.

Search bd56b8bddfb9fc1e148345d9ab900512

The worm itself is very similar to ACYR but was designed more efficiently and batch scripted most of what the other hadn't. Instead of relying on an executable file on disk it creates a dll and injects itself. :)

cool. thanks.

another variant

There are a number of variants of this worm/bot.

Here's the sample I have which first appeared around the same time:

It's already in the database, search on md5:

f538d2c73c7bc7ad084deb8429bd41ef

EDIT: BTW, this sample is the original nl.exe that was on ftp://ftpd.3322.org as detailed in the eEye article pointed to. The site was originally username/password protected (available in plain text from the original shellscript exploit) and indeed now appears to be down.

some analysis on this one

f538d2c73c7bc7ad084deb8429bd41ef

OllyDbg says it's a bad or unknown format of 32-bit executable.
Unix file says MZ executable for MS-DOS.

Does a DNS lookup on nameless.3322.org 205.171.3.65
OrgName: Qwest Communications Corporation
OrgID: QCC-18
Address: 1801 California Street
City: Denver
StateProv: CO
PostalCode: 80202
Country: US

INTERESTING
010028D4 . 57 PUSH EDI ; /pModule = "\xFF\xFF\xFF\xFF]\xE0\x94|f\xE0\x94|3\xC0\x8B\xFE\x8B\xD1\xC1\xE9\x02\xF3\xAB\x8B\xCA\x83\xE1\x03\xF3\xAA\xE9|\xFF\xFF\xFF\x90\x90\x90\x90\x90\x8B\xFFU\x8B\xEC\x83\xEC\x1CSVW3\xDB\xBF\xA0\xC3\x97|\xBE\x80\xC3\x97|\x83M\xF0\xFF\x8DE\xEC"...

CREATED FILES
malware.exe:332 WRITE C:\WINDOWS\system32\wuauclt.dll SUCCESS Offset: 0 Length: 23040
malware.exe:332 WRITE C:\DOCUME~1\root\LOCALS~1\Temp\NL587.bat SUCCESS Offset: 0 Length: 175

STRINGS

This program cannot be run in DOS mode.
Microsoft Corporation
Windows Update AutoUpdate Engine
5.8.0.2469 built by
Ping 0.0.0.0
----------------
GetProcAddress
LoadLibraryA
MFaos
wzsi
Evul
Ijvo
strcat
signal
rand
raise
exit
_access
_stricmp
_snprintf
__GetMainArgs
OpenProcessToken
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateToolhelp32Snapshot
WriteProcessMemory
CreateRemoteThread
WriteFile
VirtualFreeEx
VirtualAllocEx
Sleep
SetFileTime
SetFileAttributesA
RtlZeroMemory
RtlUnwind
CreateFileA
Process32Next
Process32First
OpenProcess
MoveFileExA
LoadLibraryA
GetTempPathA
GetSystemDirectoryA
GetProcAddress
CloseHandle
GetModuleFileNameA
GetFileTime
GetCurrentProcess
FreeLibrary
ShellExecuteA
kernel32.dll
LoadLibraryA
GetProcAddress
SeDebugPrivilege
s\s.bak
Install
Install
sNLii.bat
s GOTO Repeat
Repeat
\svchost.exe
wuauclt.dll
svchost.exe
ServiceMain
LibMain
Install
NameLess.dll
Translation
VarFileInfo
ProductVersion
Operating System
Windows
Microsoft
ProductName
wuauclt.dll
OriginalFilename
Microsoft Corporation. All rights reserved.
LegalCopyright
wuauclt.dll
InternalName
wmbla
FileVersion
FileDescription
CompanyName
StringFileInfo
strtok
msrandqstrcmp
ksprintf
esetbuf
raise_rand
Yprintf
Tmemset
Rmemcpy
Lmalloc
_cexit
fclose
atoi
_vsnprintf
_access
_stricmp
_snprintf
N_open_osfhandle
_fdopen
dSetServiceStatus
IRegisterServiceCtrlHandlerA
/RegOpenKeyExABRegSetValueExA
RegCloseKey
DeleteFileA
CreateThread
WaitForSingleObject
CreateProcessA
dSleepmTerminateThread
CreateMutexA
RtlUnwind
ReleaseMutex
QueryPerformanceFrequency
QueryPerformanceCounter
MoveFileExA
LoadLibraryA
UGetTickCount
MGetTempPathA
GetSystemDirectoryA
GetProcAddress
CloseHandle
GetModuleFileNameA
GetLocaleInfoA
GetLastError
GetEnvironmentStringsA
FreeConsole
ExitThread
ExitProcess
htonl
connect
WSACleanup
WSAStartup
closesocket
gethostbyname
socket
setsockopt
sendto
send
recv
inet_addr
ioctlsocket
htons
Start
s\Parameters
ServiceDll
ss\Parameters
s\wuauserv.dll
d Install
del
ikb/sec
li
lo
sNL_dd.exe
SYSTEM\CurrentControlSet\Services\
wuauserv
.edata
.reloc
.idata
.data
.text
EPuj
VWujj
GetProcAddress
LoadLibraryA

00000000 00400000 0 MZKERNEL32.DLL
0000002A 0040002A 0 LoadLibraryA
000000C0 004000C0 0 GetProcAddress
000001E8 004001E8 0 .mackt
0000104A 0040104A 0 t ;t$$t
0000107D 0040107D 0 SVWUj
00001623 00401623 0 Ph8 @
000016EC 004016EC 0 PhDz@
000017F4 004017F4 0 Ph]z@
00002085 00402085 0 !This program cannot be run in DOS mode.
000021B0 004021B0 0 .text
00002200 00402200 0 .data
00002228 00402228 0 .idata
00002250 00402250 0 .rsrc
00002278 00402278 0 .reloc
000022A0 004022A0 0 .edata
00002488 00402488 0 t ;t$$t
000024BB 004024BB 0 SVWUj
00002FCC 00402FCC 0 QPSVW
00003960 00403960 0 tXhe0
000044A6 004044A6 0 uLh40
000047E7 004047E7 0 uGh40
00004E70 00404E70 0 RVh32
0000574E 0040574E 0 QPSVW
00005D1C 00405D1C 0 wuauserv
00005D25 00405D25 0 SYSTEM\CurrentControlSet\Services\
00005E44 00405E44 0 %s %s :%s
00005E53 00405E53 0 [ts] :) -> %s(%d) k
00005E75 00405E75 0 [ss] :) -> %s:%s -> %s
00005E8C 00405E8C 0 ss (%s:%s).
00005E98 00405E98 0 [s] :) -> %s:%s -> %s
00005EAE 00405EAE 0 s (%s:%s)
00005EB8 00405EB8 0 [dl] :) -> %s -> %s
00005ECC 00405ECC 0 dl (%s)
00005ED4 00405ED4 0 [ud] :) -> %s -> %s
00005EE8 00405EE8 0 ud (%s)
00005EF0 00405EF0 0 %sNL_%d%d%d.exe
00005F00 00405F00 0 [ct] :) -> %s -> %s
00005F14 00405F14 0 [ir] :) -> %s
00005F2C 00405F2C 0 QUIT ::) -> rm
00005F3D 00405F3D 0 [mi] :) -> rm...
00005F4E 00405F4E 0 [mi] :) -> %s -> %s
00005F62 00405F62 0 [mi] :) -> lo -> %s
00005F76 00405F76 0 [mi] :) -> li -> %s
00005F8E 00405F8E 0 NICK %s
00005F9A 00405F9A 0 MODE %s %s %s
00005FAA 00405FAA 0 MODE %s %s
00005FB7 00405FB7 0 USERHOST %s
00005FC5 00405FC5 0 JOIN %s %s
00005FD2 00405FD2 0 PONG %s
00005FE3 00405FE3 0 NICK %s
00005FEC 00405FEC 0 USER %s 0 0 :%s
00005FFE 00405FFE 0 PASS %s
00006008 00406008 0 [ss] :) -> dwf
00006017 00406017 0 [s] :) -> dwf -> %ikb/sec
00006031 00406031 0 [%s] :) -> del
00006040 00406040 0 [ud] :( -> cp
0000604E 0040604E 0 [ud] :) -> %s
0000605C 0040605C 0 [ud] :) -> cp -> %d
00006070 00406070 0 -Install
0000607A 0040607A 0 [dl] :( -> cp
00006088 00406088 0 [dl] :) -> cp -> %d
0000609C 0040609C 0 [%s] :( -> dl
000060B0 004060B0 0 [%s] :) -> dl
000060BE 004060BE 0 %s\wuauserv.dll
000060CE 004060CE 0 %s%s\Parameters
000060DE 004060DE 0 ServiceDll
000060E9 004060E9 0 %s\Parameters
000060F7 004060F7 0 Start
0000653A 0040653A 0 htons
00006542 00406542 0 ioctlsocket
00006552 00406552 0 inet_addr
0000656E 0040656E 0 sendto
0000657A 0040657A 0 setsockopt
0000658A 0040658A 0 socket
00006596 00406596 0 gethostbyname
000065A6 004065A6 0 closesocket
000065B6 004065B6 0 WSAStartup
000065C6 004065C6 0 WSACleanup
000065D6 004065D6 0 connect
000065E2 004065E2 0 WSASocketA
000065F2 004065F2 0 htonl
000065FA 004065FA 0 ExitProcess
0000660A 0040660A 0 ExitThread
0000661A 0040661A 0 FreeConsole
0000662A 0040662A 0 GetEnvironmentStringsA
00006646 00406646 0 GetLastError
00006656 00406656 0 GetLocaleInfoA
0000666A 0040666A 0 GetModuleFileNameA
00006682 00406682 0 CloseHandle
00006692 00406692 0 GetProcAddress
000066A6 004066A6 0 GetSystemDirectoryA
000066BE 004066BE 0 GetTempPathA
000066CE 004066CE 0 GetTickCount
000066DE 004066DE 0 LoadLibraryA
000066EE 004066EE 0 MoveFileExA
000066FE 004066FE 0 QueryPerformanceCounter
0000671A 0040671A 0 QueryPerformanceFrequency
00006736 00406736 0 ReleaseMutex
00006746 00406746 0 RtlUnwind
00006752 00406752 0 CreateMutexA
00006762 00406762 0 Sleep
0000676A 0040676A 0 TerminateThread
0000677E 0040677E 0 CreateProcessA
00006792 00406792 0 WaitForSingleObject
000067AA 004067AA 0 CreateThread
000067BA 004067BA 0 DeleteFileA
000067CA 004067CA 0 RegCloseKey
000067DA 004067DA 0 RegOpenKeyExA
000067EA 004067EA 0 RegSetValueExA
000067FE 004067FE 0 RegisterServiceCtrlHandlerA
0000681E 0040681E 0 SetServiceStatus
00006832 00406832 0 _fdopen
0000683E 0040683E 0 _open_osfhandle
00006852 00406852 0 _snprintf
0000685E 0040685E 0 _stricmp
0000686A 0040686A 0 _access
00006876 00406876 0 _vsnprintf
0000688E 0040688E 0 fclose
0000689A 0040689A 0 _cexit
000068A6 004068A6 0 malloc
000068B2 004068B2 0 memcpy
000068BE 004068BE 0 memset
000068CA 004068CA 0 printf
000068D6 004068D6 0 raise
000068E6 004068E6 0 setbuf
000068F2 004068F2 0 sprintf
000068FE 004068FE 0 srand
00006906 00406906 0 strcmp
00006912 00406912 0 strcpy
0000691E 0040691E 0 strncmp
0000692A 0040692A 0 strncpy
00006936 00406936 0 strstr
00006942 00406942 0 strtok
0000694C 0040694C 0 WS2_32.DLL
00006994 00406994 0 KERNEL32.DLL
00006A08 00406A08 0 ADVAPI32.DLL
00006A2C 00406A2C 0 CRTDLL.DLL
00007860 00407860 0 NameLess.dll
00007898 00407898 0 Install
000078A0 004078A0 0 LibMain
000078AC 004078AC 0 ServiceMain
00007A38 00407A38 0 svchost.exe
00007A44 00407A44 0 wuauclt.dll
00007A50 00407A50 0 \svchost.exe
00007A5D 00407A5D 0 @ECHO OFF
00007A68 00407A68 0 :Repeat
00007A71 00407A71 0 DEL "%s"
00007A7B 00407A7B 0 Ping 0.0.0.0
00007A89 00407A89 0 IF EXIST "%s" GOTO Repeat
00007AA4 00407AA4 0 DEL "%%0"
00007AAE 00407AAE 0 %sNL%i%i%i.bat
00007AC2 00407AC2 0 Install
00007ACA 00407ACA 0 -Install
00007AD7 00407AD7 0 %s\%s.bak
00007AE1 00407AE1 0 %s\%s
00007AE7 00407AE7 0 SeDebugPrivilege
00007AF8 00407AF8 0 GetProcAddress
00007B07 00407B07 0 LoadLibraryA
00007B14 00407B14 0 kernel32.dll
00009004 00409004 0 SHELL32.DLL
00009010 00409010 0 ShellExecuteA
00009023 00409023 0 KERNEL32.DLL
00009030 00409030 0 FreeLibrary
0000903C 0040903C 0 GetCurrentProcess
0000904E 0040904E 0 GetFileTime
0000905A 0040905A 0 GetModuleFileNameA
0000906D 0040906D 0 CloseHandle
00009079 00409079 0 GetProcAddress
00009088 00409088 0 GetSystemDirectoryA
0000909C 0040909C 0 GetTempPathA
000090A9 004090A9 0 LoadLibraryA
000090B6 004090B6 0 MoveFileExA
000090C2 004090C2 0 OpenProcess
000090CE 004090CE 0 Process32First
000090DD 004090DD 0 Process32Next
000090EB 004090EB 0 CreateFileA
000090F7 004090F7 0 RtlUnwind
00009101 00409101 0 RtlZeroMemory
0000910F 0040910F 0 SetFileAttributesA
00009122 00409122 0 SetFileTime
0000912E 0040912E 0 Sleep
00009134 00409134 0 VirtualAllocEx
00009143 00409143 0 VirtualFreeEx
00009151 00409151 0 WriteFile
0000915B 0040915B 0 CreateRemoteThread
0000916E 0040916E 0 WriteProcessMemory
00009181 00409181 0 CreateToolhelp32Snapshot
0000919F 0040919F 0 ADVAPI32.DLL
000091AC 004091AC 0 AdjustTokenPrivileges
000091C2 004091C2 0 LookupPrivilegeValueA
000091D8 004091D8 0 OpenProcessToken
000091EE 004091EE 0 CRTDLL.DLL
000091F9 004091F9 0 __GetMainArgs
00009207 00409207 0 _snprintf
00009211 00409211 0 _stricmp
0000921A 0040921A 0 _access
00009227 00409227 0 raise
00009232 00409232 0 signal
00009239 00409239 0 strcat
00009240 00409240 0 strcmp
00009247 00409247 0 strncpy
00014000 00414000 0 MZKERNEL32.DLL
0001402A 0041402A 0 LoadLibraryA
000140C0 004140C0 0 GetProcAddress
000162F8 004162F8 0 shell32.dll
00016306 00416306 0 ShellExecuteA
00016314 00416314 0 kernel32.dll
00016324 00416324 0 FreeLibrary
00016332 00416332 0 GetCurrentProcess
00016346 00416346 0 GetFileTime
00016354 00416354 0 GetModuleFileNameA
0001636A 0041636A 0 CloseHandle
00016378 00416378 0 GetProcAddress
0001638A 0041638A 0 GetSystemDirectoryA
000163A0 004163A0 0 GetTempPathA
000163B0 004163B0 0 LoadLibraryA
000163C0 004163C0 0 MoveFileExA
000163CE 004163CE 0 OpenProcess
000163DC 004163DC 0 Process32First
000163EE 004163EE 0 Process32Next
000163FE 004163FE 0 CreateFileA
0001640C 0041640C 0 RtlUnwind
00016418 00416418 0 RtlZeroMemory
00016428 00416428 0 SetFileAttributesA
0001643E 0041643E 0 SetFileTime
0001644C 0041644C 0 Sleep
00016454 00416454 0 VirtualAllocEx
00016466 00416466 0 VirtualFreeEx
00016476 00416476 0 WriteFile
00016482 00416482 0 CreateRemoteThread
00016498 00416498 0 WriteProcessMemory
000164AE 004164AE 0 CreateToolhelp32Snapshot
000164C8 004164C8 0 advapi32.dll
000164D8 004164D8 0 AdjustTokenPrivileges
000164F0 004164F0 0 LookupPrivilegeValueA
00016508 00416508 0 OpenProcessToken
0001651A 0041651A 0 crtdll.dll
00016528 00416528 0 __GetMainArgs
00016538 00416538 0 _snprintf
00016544 00416544 0 _strcmpi
00016550 00416550 0 _access
00016562 00416562 0 raise
00016572 00416572 0 signal
0001657C 0041657C 0 strcat
00016586 00416586 0 strcmp
00016590 00416590 0 strncpy
00006C9E 00406C9E 0 VS_VERSION_INFO
00006CFA 00406CFA 0 StringFileInfo
00006D1E 00406D1E 0 080404B0
00006D36 00406D36 0 CompanyName
00006D50 00406D50 0 Microsoft Corporation
00006D82 00406D82 0 FileDescription
00006DA4 00406DA4 0 Windows Update AutoUpdate Engine
00006DEE 00406DEE 0 FileVersion
00006E08 00406E08 0 5.8.0.2469 built by: lab01_n(wmbla)
00006E56 00406E56 0 InternalName
00006E70 00406E70 0 wuauclt.dll
00006E8E 00406E8E 0 LegalCopyright
00006EAC 00406EAC 0 (C) Microsoft Corporation. All rights reserved.
00006F12 00406F12 0 OriginalFilename
00006F34 00406F34 0 wuauclt.dll
00006F52 00406F52 0 ProductName
00006F6C 00406F6C 0 Microsoft(R) Windows(R) Operating System
00006FC6 00406FC6 0 ProductVersion
00006FE4 00406FE4 0 5.8.0.2469
00007002 00407002 0 VarFileInfo
00007022 00407022 0 Translation

Strings from the wuauclt.dll

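A defender-side triage over a strings dump of the kind posted above, as an added example (not code from the thread): it groups the indicators into capabilities, so the injection APIs, the wuauserv ServiceDll persistence, the IRC verbs and the self-deleting batch loop each surface as one finding instead of one line each. The sample lines are constructed in the same offset-prefixed shape as the dump, and the rule names are my own.

```python
"""Triage a strings dump for the capabilities the Big Yellow sample exposes.
Added example, not code from the thread. Each rule fires only when every
listed string is present, so a common API such as CloseHandle cannot trip
a rule by itself."""
import re

RULES = {
    "process-injection": {"VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "debug-privilege": {"SeDebugPrivilege", "AdjustTokenPrivileges"},
    "service-dll-persistence": {"ServiceDll", "SYSTEM\\CurrentControlSet\\Services\\", "RegSetValueExA"},
    "irc-protocol": {"NICK %s", "JOIN %s %s", "USER %s 0 0 :%s", "PASS %s"},
    "batch-self-delete": {":Repeat", 'IF EXIST "%s" GOTO Repeat', 'DEL "%%0"'},
}
# Version-resource text that impersonates a Microsoft component.
IMPERSONATION = re.compile(r"Windows Update|Microsoft Corporation", re.I)
# Matches the "fileoffset va count text" shape of the dump in the thread.
OFFSET_LINE = re.compile(r"^[0-9A-Fa-f]{8}\s+[0-9A-Fa-f]{8}\s+\d+\s+(.*)$")

def parse_strings(dump: str) -> set[str]:
    """Accept plain strings output or the offset-prefixed form; keep the text only."""
    found = set()
    for line in dump.splitlines():
        line = line.strip()
        if line:
            m = OFFSET_LINE.match(line)
            found.add(m.group(1).rstrip() if m else line)
    return found

def triage(dump: str) -> dict:
    """Return the capability rules that fully match plus any impersonation strings."""
    strings = parse_strings(dump)
    caps = sorted(name for name, needles in RULES.items() if needles <= strings)
    spoof = sorted(s for s in strings if IMPERSONATION.search(s))
    return {"capabilities": caps, "impersonation": spoof}

# Constructed sample lines, copied in shape from the dump posted above.
SAMPLE = r"""00009134 00409134 0 VirtualAllocEx
0000916E 0040916E 0 WriteProcessMemory
0000915B 0040915B 0 CreateRemoteThread
00007AE7 00407AE7 0 SeDebugPrivilege
000091AC 004091AC 0 AdjustTokenPrivileges
00005D25 00405D25 0 SYSTEM\CurrentControlSet\Services\
000060DE 004060DE 0 ServiceDll
000067EA 004067EA 0 RegSetValueExA
00005F8E 00405F8E 0 NICK %s
00005FC5 00405FC5 0 JOIN %s %s
00005FEC 00405FEC 0 USER %s 0 0 :%s
00005FFE 00405FFE 0 PASS %s
00007A68 00407A68 0 :Repeat
00007A89 00407A89 0 IF EXIST "%s" GOTO Repeat
00007AA4 00407AA4 0 DEL "%%0"
00006DA4 00406DA4 0 Windows Update AutoUpdate Engine
"""
```

Running triage(SAMPLE) reports all five capabilities and the spoofed "Windows Update AutoUpdate Engine" description; feed it the full dump above to see the same picture from the real strings.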

NameLess.3322.org is no longer available

It resolves to 192.168.0.255. And it tries to connect to port 5252 of that domain.

There is a strange string in the process memory: irc.fbi.org Yup!

Some analysis of that sample

I wrote a bit on some initial static analysis of the binary. It uses a number of neat tricks to confuse tools, including overlapping MZ/PE headers and misaligned sections.

http://moyix.blogspot.com/2006/12/malware-with-twist.html
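For the two header tricks the linked write-up describes, an added example (not moyix's tool and not from the thread) that checks a PE file's layout for a PE header overlapping the DOS header and for section raw offsets that ignore FileAlignment. build_stub constructs a minimal PE32 image with or without those defects purely as a test fixture; it is not the Big Yellow binary, and nothing here executes the file.

```python
"""Check a PE file's layout for the tricks the write-up above describes: a PE
header that overlaps the DOS header, and section raw offsets that ignore
FileAlignment. Added example, not moyix's tool; it only reads headers."""
import struct

def check_pe_layout(data: bytes) -> list[str]:
    findings = []
    if data[:2] != b"MZ":
        return ["no MZ signature"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A DOS header is 64 bytes; a PE header starting inside it shares bytes
    # with it, which is what OllyDbg rejects as a bad or unknown format.
    if e_lfanew < 0x40:
        findings.append(f"PE header at 0x{e_lfanew:x} overlaps the DOS header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return findings + ["no PE signature at e_lfanew"]
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    file_align = struct.unpack_from("<I", data, opt + 36)[0]
    headers_end = struct.unpack_from("<I", data, opt + 60)[0]  # SizeOfHeaders
    if file_align == 0 or file_align & (file_align - 1):
        findings.append(f"FileAlignment 0x{file_align:x} is not a power of two")
    sect = opt + opt_size
    for _ in range(nsections):
        name = data[sect:sect + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 16)
        if file_align and raw_ptr % file_align:
            findings.append(f"section {name!r} raw offset 0x{raw_ptr:x} "
                            f"is not a multiple of FileAlignment 0x{file_align:x}")
        if raw_size and raw_ptr < headers_end:
            findings.append(f"section {name!r} raw data starts inside the headers")
        sect += 40
    return findings

def build_stub(e_lfanew: int, file_align: int, raw_ptr: int) -> bytes:
    """Constructed minimal PE32 image (one .text section, no data directories):
    a test fixture, not the Big Yellow binary."""
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)     # SectionAlignment
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<I", opt, 60, 0x200)      # SizeOfHeaders
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    section = struct.pack("<8sIIII", b".text", 0x1000, 0x1000, 0x200, raw_ptr) + bytes(16)
    img = bytearray(0x400)
    img[:2] = b"MZ"
    img[e_lfanew:e_lfanew + 4 + len(coff) + len(opt) + len(section)] = b"PE\0\0" + coff + bytes(opt) + section
    # Written last: with a small e_lfanew this field lands inside the PE
    # header it points at, which is the overlap trick itself.
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    return bytes(img)
```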

nice

clean analysis, keep it comin

V.