
Malware

WMF original exploit files and analysis

These files make up the downloader from the original WMF exploit posted on Bugtraq. It consists of two parts:

bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52

tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into a spawned iexplore.exe process, which downloads additional components. It also tries to bypass firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to the firewall confirmation dialog.

Also, bumXXX.exe is packed with PE Compact; I just ran it, dumped its memory image, and fixed the IAT manually, as the only PE Compact unpacker I found didn't work :/

WMF related files


NEW: I recommend reading this site for more defense information.
http://www.f-secure.com/weblog/
This thing is really, really nasty. I completely destroyed a computer trying to analyse it and am almost done rebuilding it :) Luckily I keep my analysis computers segregated, and you should too!


These files were obtained at CastleCops.com and contain all of the related files of the zero-day IE .wmf exploit. Haven't had time for analysis yet.
Included are a.exe, kl.exe, loaderadv562.exe, ms1.exe, paytime.exe, tool 1 through 5.exe, toolbar.exe, and

WMF


NEW: added more related files contributed by seville. THANKS!


d5932e0901c0379b8df3f80a137f5910 *xpl.wmf

Scanning -> C:\malware\wmf\vscan\xpl.wmf
[-] File is NON executable..(non MZ)
- Scan Took : 0.0 Seconds

AntiVir Found Trojan/Dldr.WMF.Agent.D
ArcaVir Found nothing
Avast Found Win32:Exdown
AVG Antivirus Found nothing
BitDefender Found Exploit.Win32.WMF-PFV.C
ClamAV Found Exploit.WMF.A
Dr.Web Found Exploit.MS05-053
F-Prot Antivirus Found security risk or a "backdoor" program
Fortinet Found W32/WMF-exploit
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.acd


CodeRed_A

exe sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 win_codred_a.exe
exe md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 *win_codred_a.exe
zip md5sum: 55f9524bbbed7f8ae0850ed01562090b *win_codred_a.zip
info: 4039 Jul 16 2001 win_codred_a.exe

http://www.f-secure.com/v-descs/bady.shtml

Courtesy: eEye Team
Update: I attached the idb that was provided by the eEye research team. The idb is fully commented.

Bagle_ai

exe sha1sum: be4f2b7ca634ce946317acdc54b1423e2f5329ce win_bagle_ai.exe
zip md5sum: 23d344f3b2e5f4dfaa1bdbd56ee39b02 *win_bagle_ai.zip
exe md5sum: 239644e31ce940a25a8ca907feba0d19 *win_bagle_ai.exe
info: 24010 Jul 20 2004

http://www.f-secure.com/v-descs/bagle_ai.shtml

WELCHIA

sha1sum: bdc843c65e6984b35dd26c53e84338ff3982da2d win_welchia.exe

md5sum: 24837f736517f367a11dcb8bd8ed6306 *win_welchia.exe
info: 12800 Feb 13 2005 win_welchia.exe
zip md5sum: 3913187407b74597753f324bb9818ba5 *win_welchia.zip

http://www.f-secure.com/v-descs/welchi.shtml
