
Hostile Data — The Mytob.KB Worm

The header as received

This is an odd one: I only get it from infected Windows machines in the 86.128.0.0/10 IP block run by btcentralplus.com. Here is some of the whois output I get when I look up any of the individual IP addresses:

inetnum:      86.128.0.0 - 86.135.255.255
netname:      BT-CENTRAL-PLUS
descr:        IP pools
country:      GB
route:        86.128.0.0/10
descr:        BT Public Internet Service
origin:       AS2856
mnt-by:       BTNET-MNT

This one probably got through because they were pretending to be my ISP at the time, insightbb.com, which was really a part of att.net reselling connectivity through the local cable TV company. See the "From" and "From:" fields for the lie and the "Received:" field for the truth:

From mail@insightbb.com Mon Jan 16 15:48:31 2006
Received: from insightbb.com (host86-134-133-170.range86-134.btcentralplus.com[86.134.133.170](untrusted sender))
          by sccqmxc96.asp.att.net (sccqmxc96) with SMTP
          id <20060116204831q96002m2j4e>; Mon, 16 Jan 2006 20:48:31 +0000
X-Originating-IP: [86.134.133.170]
From: mail@insightbb.com
To: bob.cromwe11@insightbb.com
Subject: We have suspended your account
Date: Mon, 16 Jan 2006 20:48:31 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0002_96169331.5D92CA61"
X-Priority: 3
X-MSMail-Priority: Normal
Status: R
X-Status: NT
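
The comparison described above can be automated. The following is an added example, not part of the original page: it compares the domain in "From:" with the reverse-DNS name and IP address that the receiving server recorded in "Received:". The function names and the regular expression are illustrative, and the expression assumes the Received: layout used by this particular receiving server.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Headers copied from the message above (To:, MIME headers and body omitted).
RAW = """\
From mail@insightbb.com Mon Jan 16 15:48:31 2006
Received: from insightbb.com (host86-134-133-170.range86-134.btcentralplus.com[86.134.133.170](untrusted sender))
          by sccqmxc96.asp.att.net (sccqmxc96) with SMTP
          id <20060116204831q96002m2j4e>; Mon, 16 Jan 2006 20:48:31 +0000
X-Originating-IP: [86.134.133.170]
From: mail@insightbb.com
Subject: We have suspended your account

"""

# Layout written by this receiving server (an assumption of this example):
#   from <HELO name> (<reverse-DNS name>[<IP>]...)
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^\[\s]+)\[([0-9.]+)\]")
BT_ROUTE = ipaddress.ip_network("86.128.0.0/10")  # "route:" line of the whois output


def in_domain(host, domain):
    """True if host is the domain itself or a name underneath it."""
    return host == domain or host.endswith("." + domain)


def check_sender(raw):
    msg = message_from_string(raw)
    # The mbox "From " line and the "From:" header are both sender-supplied.
    envelope = (msg.get_unixfrom() or "").split()[1:2]
    claimed = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    # The topmost Received: header is the one our own provider added.
    m = RECEIVED_RE.search(msg["Received"] or "")
    if m is None:
        raise ValueError("Received: header not in the expected layout")
    helo, rdns, ip = m.group(1).lower(), m.group(2).lower(), m.group(3)
    return {
        "envelope_from": envelope[0] if envelope else None,
        "from_domain": claimed,
        "helo": helo,                      # what the client said it was
        "rdns": rdns,                      # what the server looked up
        "ip": ip,
        "rdns_matches_from": in_domain(rdns, claimed),
        "in_bt_pool": ipaddress.ip_address(ip) in BT_ROUTE,
    }


if __name__ == "__main__":
    for key, value in check_sender(RAW).items():
        print(f"{key:18} {value}")
```

Only the topmost Received: header, the one added by your own provider, is reliable evidence; anything below it was supplied by the sender.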

The clumsy message content

It is foolish to allow your mail interface to render HTML. Among other things, spammers use HTML to create "web bugs" that report back to them if you read their message, guaranteeing you will get far more spam. When you read mail safely, the message should appear precisely as below, except that the text "Your e-mail account ... the online service" is all one gigantic line, which I broke for display here:

<html> 
<body> 
<BR><STRONG>Dear Insightbb Member, </STRONG><BR> 
<BR>Your e-mail account was used to send a huge amount of unsolicited spam messages
during the recent week. If you could please take 5-10 minutes out of your online
experience and confirm the attached document so you will not run into any future
problems with the online service.<BR> 
<BR>Virtually yours,
<BR>The Insightbb Support Team <BR> 
</body> 
</html> 

There are a number of variations on this theme, probably at least five or six combinations of subject line, clumsily worded message content (most of them far more lame than the above), and attached zip file name. The common theme is that the recipient seems to be in some sort of trouble: their e-mail account is about to be, or has already been, suspended, but maybe if they just opened that zip file under Windows things can be fixed. Yeah, right.

The attachment

This was followed by an attached zip file. The zip file usually has a name like important-details.zip, information.zip, account-report.zip, and so on. One message that claimed to be from my ISP had an attached zip file named dczzorg.zip, which makes no sense to me.

A completely different variation, Worm.Mytob.BP, had text that promised pictures of UK football star David Beckham, and named its zip file David_Beckham.zip.

When you unzip any of these, you get a file with the same base name, followed by either .txt or .htm, followed by 70 space characters, followed by either .scr or .pif. In other words, the archive file:
account-report.zip
contains a file named:
"account-report.htm                                                                      .pif"
The resulting files have identical contents. The Mytob.KB worm code has a SHA-1 hash of:
  0x833e05d8c724890fd46e52aeb51f416d00e48f50
and the Mytob.BP worm code has a SHA-1 hash of:
  0x01b848d91b2da1f913d6cc35596c14780c92d942
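
A mail filter can catch this naming trick without unpacking anything, because the member names are readable in the zip directory. The following is an added example, not part of the original page: it flags archive members whose executable extension sits behind a decoy extension or a run of padding spaces. The function names and the extension list are illustrative, and the sample archive is constructed here with harmless placeholder contents.

```python
import io
import os
import zipfile

# Extensions Windows will execute; .scr and .pif are the two seen above.
EXECUTABLE = {".scr", ".pif", ".exe", ".com", ".bat", ".cmd"}


def disguised_members(zip_bytes):
    """Return members whose executable extension is hidden behind a decoy
    extension and/or padding whitespace."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():          # reads the directory only
            base = name.rsplit("/", 1)[-1]
            stem, real_ext = os.path.splitext(base)
            if real_ext.lower() not in EXECUTABLE:
                continue
            shown = stem.rstrip()           # what a narrow file dialog shows
            padding = len(stem) - len(shown)
            decoy_ext = os.path.splitext(shown)[1]
            if decoy_ext or padding:
                findings.append({
                    "shown": shown,
                    "decoy_ext": decoy_ext,
                    "real_ext": real_ext,
                    "padding": padding,
                })
    return findings


def build_sample():
    """Constructed archive: placeholder bytes, only the names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("account-report.htm" + " " * 70 + ".pif", b"placeholder")
        zf.writestr("notes.txt", b"placeholder")   # not executable
        zf.writestr("setup.exe", b"placeholder")   # executable, not disguised
    return buf.getvalue()


if __name__ == "__main__":
    for hit in disguised_members(build_sample()):
        print(f"looks like {hit['shown']!r}, really {hit['real_ext']} "
              f"after {hit['padding']} padding characters")
```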

The executable contents

GNU utilities such as file, strings, and hexdump are useful for getting some limited idea about what this malicious code might do. The file utility reports that these executables are each:
PE executable for MS Windows (GUI) Intel 80386 32-bit, UPX compressed

The following is partial output from running
  hexdump -C account-report.htm*
under Linux or BSD. These excerpts show some of the many places where the interesting stuff appears:

00000000  4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  |MZ..............|
00000010  b8 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 f0 00 00 00  |................|
00000040  0e 1f ba 0e 00 b4 09 cd  21 b8 01 4c cd 21 54 68  |........!..L.!Th|
00000050  69 73 20 70 72 6f 67 72  61 6d 20 63 61 6e 6e 6f  |is program canno|
00000060  74 20 62 65 20 72 75 6e  20 69 6e 20 44 4f 53 20  |t be run in DOS |
00000070  6d 6f 64 65 2e 0d 0d 0a  24 00 00 00 00 00 00 00  |mode....$.......|
00000080  1f aa 76 6d 5b cb 18 3e  5b cb 18 3e 5b cb 18 3e  |..vm[..>[..>[..>|
00000090  d8 c3 45 3e 49 cb 18 3e  20 d7 14 3e 58 cb 18 3e  |..E>I..> ..>X..>|
000000a0  34 d4 13 3e 5a cb 18 3e  d8 d7 16 3e 5f cb 18 3e  |4..>Z..>...>_..>|
000000b0  34 d4 12 3e 50 cb 18 3e  34 d4 1c 3e 5e cb 18 3e  |4..>P..>4..>^..>|
000000c0  5b cb 19 3e a3 cb 18 3e  6d ed 12 3e 52 cb 18 3e  |[..>...>m..>R..>|
000000d0  6d ed 13 3e 71 cb 18 3e  52 69 63 68 5b cb 18 3e  |m..>q..>Rich[..>|
000000e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000000f0  50 45 00 00 4c 01 03 00  35 b7 c2 43 00 00 00 00  |PE..L...5..C....|
00000100  00 00 00 00 e0 00 0f 01  0b 01 06 00 00 70 01 00  |.............p..|
00000110  00 10 00 00 00 30 0b 00  4f a7 0c 00 00 40 0b 00  |.....0..O....@..|
00000120  00 b0 0c 00 00 00 40 00  00 10 00 00 00 02 00 00  |......@.........|
00000130  04 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
00000140  00 c0 0c 00 00 10 00 00  00 00 00 00 02 00 00 00  |................|
00000150  00 00 10 00 00 10 00 00  00 00 10 00 00 10 00 00  |................|
00000160  00 00 00 00 10 00 00 00  00 00 00 00 00 00 00 00  |................|
00000170  00 b0 0c 00 88 02 00 00  00 00 00 00 00 00 00 00  |................|
00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
000001e0  00 00 00 00 00 00 00 00  63 6f 64 65 00 00 00 00  |........code....|
000001f0  00 30 0b 00 00 10 00 00  00 00 00 00 00 04 00 00  |.0..............|
00000200  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 c0  |............@...|
00000210  74 65 78 74 00 00 00 00  00 70 01 00 00 40 0b 00  |text.....p...@..|
00000220  00 6a 01 00 00 04 00 00  00 00 00 00 00 00 00 00  |.j..............|
00000230  00 00 00 00 40 00 00 c0  72 73 72 63 00 00 00 00  |....@...rsrc....|
00000240  00 10 00 00 00 b0 0c 00  00 04 00 00 00 6e 01 00  |.............n..|
00000250  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 c0  |............@...|
00000260  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
[....]
00014160  69 28 20 18 0c 04 d8 34  cd b2 fc 88 f4 ec e4 dc  |i( ....4........|
00014170  88 a8 99 d6 2e 67 d4 0e  cc 06 c4 01 9f bf 8f 0e  |.....g..........|
00014180  73 ff 64 72 61 21 61 64  61 6d 66 72 de d1 b2 2d  |s.dra!adamfr...-|
00014190  6b 2e 6c 69 61 be 75 13  65 b7 7f 7e fe 0e 69 6d  |k.lia.u.e..~..im|
000141a0  6d 79 65 72 72 68 65 6c  65 6e 1e 64 65 62 45 7e  |myerrhelen.debE~|
000141b0  f7 9f 62 63 6c 61 75 64  69 62 79 62 72 65 9d c2  |..bclaudibybre..|
000141c0  de f6 93 6e 61 c7 57 73  2f d3 b3 33 bd f2 a9 70  |...na.Ws/..3...p|
000141d0  61 2e 74 d6 df 08 ae bb  57 76 f6 61 63 6b 77 69  |a.t.....Wv.ackwi|
000141e0  6c 37 53 7b 0f ad 0e ce  3e 6d 69 74 68 1f 65 76  |l7S{....>mith.ev|
000141f0  0e 6d 57 b2 fd ee de 84  ef 61 1c 0e 4d 6a 6f 65  |.mW......a..Mjoe|
00014200  7e 6e 65 6f 07 77 35 6f  a7 72 07 4b 74 ce 65 74  |~neo.w5o.r.Kt.et|
00014210  65 72 1b 9c ea 3e 6f 6d  27 ee 77 74 96 6e 70 17  |er...>om'.wt.np.|
[....]
00014710  76 8a 65 07 c5 08 8e 6d  3c eb 30 f3 9a 40 31 c2  |v.e....m<.0..@1.|
00014720  73 70 ed 1a 6f 65 10 2d  52 74 36 33 f1 21 73 dc  |sp..oe.-Rt63.!s.|
00014730  ff 4b 26 3c 53 54 52 4f  4e 47 3e 44 ed 41 4d 16  |.K&<STRONG>D.AM.|
00014740  f6 8e 70 73 7d 2c fb 2f  31 71 ec 70 f4 85 1c 56  |..ps},./1q.p...V|
00014750  69 27 75 27 ea 62 b3 81  fd d6 73 2c 0a 37 59 fb  |i'u'.b....s,.7Y.|
[....]
00014990  17 26 6e 62 21 0f fa 36  ff a2 c9 28 61 74 29 28  |.&nb!..6...(at)(|
000149a0  40 0d 40 40 92 9a 79 27  e6 07 0f 20 06 5c 98 fd  |@.@@..y'... .\..|
000149b0  00 af c6 53 45 52 50 71  46 49 4c 45 7f 59 50 f0  |...SERPqFILE.YP.|
000149c0  50 b5 b1 54 46 39 67 f0  66 ba 86 10 43 bf 72 10  |P..TF9g.f...C.r.|
000149d0  cd 20 28 a1 38 9c 83 20  53 3a 4b 5e 38 0d fe 2a  |. (.8.. S:K^8..*|
000149e0  2e 2a 00 77 5d 86 be f3  e6 0f bd bd 5f 64 62 68  |.*.w]......._dbh|
000149f0  74 62 62 67 c1 ec 20 72  64 62 78 2b 64 47 68 a1  |tbbg.. rdbx+dGh.|
00014a00  b2 10 ef a8 4e 65 73 36  63 67 77 97 49 37 6a 3f  |....Nes6cgw.I7j?|
00014a10  67 99 0e a6 e3 41 d9 8c  62 0e 3a 5c a5 67 6a b0  |g....A..b.:\.gj.|
00014a20  1d 8d 1e e1 5c 5a 0b d5  66 1a 5c 4a 95 e0 70 ef  |....\Z..f.\J..p.|
00014a30  65 06 34 09 43 29 f7 03  83 63 47 66 1f 44 6e 73  |e.4.C)...cGf.Dns|
00014a40  51 75 65 0c 10 ca ed 79  5f 41 1f 64 43 e9 f1 bd  |Que....y_A.dC...|
00014a50  18 d9 74 4e 05 77 6f 3d  5e 2b 4c b0 1a 61 6d 17  |..tN.wo=^+L..am.|
00014a60  67 77 82 f6 0b 41 be 96  6e cd 61 79 15 dd 1d 7b  |gw...A..n.ay...{|
00014a70  c4 8e 31 17 78 40 0e da  8d ad d2 22 c6 74 70 77  |..1.x@.....".tpw|
00014a80  4e 17 98 fc e8 6d 78 13  54 6f 57 51 55 49 54 e8  |N....mx.ToWQUIT.|
00014a90  ff 7d e0 1c 46 41 54 41  10 45 50 43 47 20 47 42  |.}..FATA.EPCG GB|
00014aa0  3a 3c f6 c1 8f e3 7d 3e  4b 5a 4e 56 59 b1 45 42  |:<....}>KZNVY.EB|
00014ab0  5a 2b 25 db e8 07 55 52  59 42 20 c4 16 52 55 0f  |Z+%...URYB ..RU.|
00014ac0  90 41 8b 6b f1 6d 47 43  03 86 bb 15 84 65 69 05  |.A.k.mGC.....ei.|
00014ad0  1c 6f d1 10 23 15 91 fd  5a e7 90 8a b0 e5 6e 74  |.o..#...Z.....nt|
[....]
000150c0  00 3a 4a ac 12 39 5f 2d  47 0b 6b ed 36 2d 30 02  |.:J..9_-G.k.6-0.|
000150d0  3a 37 5d 60 6b db d8 05  57 7d 0c bc fd af ad 2f  |:7]`k...W}...../|
000150e0  71 5b 50 55 42 4c 49 43  5d 17 52 49 5d e9 77 04  |q[PUBLIC].RI].w.|
000150f0  15 45 18 77 61 6e 4a 2e  e1 12 22 ac 08 6c 17 7d  |.E.wanJ..."..l.}|
00015100  0f 4d b3 3c 50 90 7e 69  64 3c 3e 3d 0c 13 e2 9a  |.M.<P.~id<>=....|
00015110  3d 3d be 86 0f 64 02 9f  81 8b 0c b6 65 6e a5 ec  |==...d......en..|
00015120  19 73 db 65 ef 62 20 05  88 5b fe a1 98 54 43 50  |.s.e.b ..[...TCP|
00015130  00 2d 0e 27 f0 03 6d 2e  c6 2d e3 3a 2e 12 40 9e  |.-.'..m..-.:..@.|
00015140  7f b3 1a 16 21 61 64 76  73 63 61 6e 2e 40 18 dc  |....!advscan.@..|
00015150  f6 69 70 15 46 23 7b e1  60 97 bb 2e 17 4c 13 44  |.ip.F#{.`....L.D|
00015160  c9 25 07 bb 46 17 6c 2e  f2 47 ce 7e 33 36 36 20  |.%..F.l..G.~366 |
00015170  0f 30 32 4a 4f 49 4e 20  23 68 34 f8 d4 42 33 73  |.02JOIN #h4..B3s|
00015180  87 e3 70 31 9e 72 de 5d  7a 6e 6f 77 01 4f 7d 01  |..p1.r.]znow.O}.|
00015190  f2 49 52 43 20 4f e1 e1  1d 27 16 1b af 72 80 4e  |.IRC O...'...r.N|
000151a0  3f 76 e7 ef bf 4b 0e 4f  50 45 52 58 8f 50 41 53  |?v...K.OPERX.PAS|
000151b0  53 f7 24 9f 7c 36 55 53  46 54 50 70 61 79 05 ff  |S.$.|6USFTPpay..|
000151c0  da 88 81 6c 2d 56 59 05  4c 2e 43 4f 4d cb 1c 13  |...l-VY.L.COM...|
000151d0  70 1a 1f 3d 80 ec 05 7b  10 12 65 1f ed dd 67 0b  |p..=...{..e...g.|
000151e0  57 17 43 56 56 32 10 5d  76 0f de ed 20 c8 76 81  |W.CVV2.]v... .v.|
000151f0  64 2f 74 d1 65 10 ce ad  ef 12 16 6e 75 32 1a dc  |d/t.e......nu2..|
00015200  c0 f9 7b 9d 78 0e 76 69  73 61 07 04 7f 04 b6 6b  |..{.x.visa.....k|
00015210  e6 49 53 41 3d 4f 91 b6  19 b6 d1 83 3d 1f 33 41  |.ISA=O......=.3A|
00015220  0a 6e bb 4a 17 12 7f af  58 81 da 1a 16 d9 17 7e  |.n.J....X......~|
[....]
00015450  4e 52 45 53 66 6b 55 6e  25 1c 02 57 b7 6d e5 50  |NRESfkUn%..W.m.P|
00015460  a1 16 fe cf 99 53 59 53  54 45 4d 5c 43 75 72 30  |.....SYSTEM\Cur0|
00015470  b5 41 17 df 08 74 72 6f  6c 53 21 5c 29 55 ba 41  |.A...trolS!\)U.A|
00015480  1b 15 4f 44 60 50 5b b7  d2 4a 49 2b 85 05 da fb  |..OD`P[..JI+....|
00015490  b1 0f 2b 64 75 1d 46 24  4e 63 85 16 38 f6 45 78  |..+du.F$Nc..8.Ex|
000154a0  41 5f 45 95 a1 47 97 da  6d 47 73 2f 24 df 53 2f  |A_E..G..mGs/$.S/|
000154b0  b9 64 fe 41 50 49 2e 44  4c 4c c8 d2 ed 44 b2 69  |.d.API.DLL...D.i|
000154c0  17 3f 00 00 22 27 c3 2f  78 48 d9 55 b1 20 6b 65  |.?.."'./xH.U. ke|
000154d0  79 d1 d7 c2 40 18 ab 10  73 df 7d 8a 85 72 b3 77  |y...@...s.}..r.w|
[....]
00015740  3e 0f 4f db 03 0a 87 90  42 03 68 f8 97 d4 87 99  |>.O.....B.h.....|
00015750  0f 0f 20 f0 fd 7f 66 53  7b 11 3c d5 4d 42 9b 18  |.. ...fS{.<.MB..|
00015760  53 c8 6b 37 13 0d 0d fc  ff 28 05 02 50 43 20 4e  |S.k7.....(..PC N|
00015770  45 54 57 4f 52 4b 20 1d  bc 10 7e 1d 47 52 41 4d  |ETWORK ...~.GRAM|
00015780  f4 02 4c 2b 4d 70 7d 00  d9 05 15 b5 64 30 41 c1  |..L+Mp}.....d0A.|
00015790  c1 50 f7 9f 57 ac 67 95  b1 7f ed ef 75 70 1d 33  |.P..W.g.....up.3|
000157a0  2e 31 61 4e 4d 47 32 58  30 30 32 65 08 96 ff dd  |.1aNMG2X002e....|
000157b0  32 2d 15 4e 54 20 4c 4d  20 30 32 0f c4 09 64 e4  |2-.NT LM 02...d.|
[....]
00015c50  88 30 85 ff ff fe 14 f2  84 40 07 a4 5c d2 84 83  |.0.......@..\...|
00015c60  16 10 06 a4 20 df 43 38  26 09 69 1d 97 53 53 f7  |.... .C8&.i..SS.|
00015c70  48 fe a8 50 6c 97 82 08  e0 57 00 49 70 d9 b3 ff  |H..Pl....W.Ip...|
00015c80  6e 00 64 00 6f 00 77 00  73 74 e9 30 03 12 cc 5e  |n.d.o.w.st.0...^|
00015c90  a2 7d 19 39 00 35 47 3b  2e 0e 01 79 4e 14 0c da  |.}.9.5G;...yN...|
00015ca0  57 08 20 da 90 64 92 01  57 9f 0b 01 d1 1a 24 01  |W. ..d..W.....$.|
00015cb0  02 46 55 0f ec d9 80 0c  40 06 02 0e 10 02 ff dd  |.FU.....@.......|
[....]
00015e00  01 9a a8 df 86 52 05 8c  68 27 79 da 6a f6 ef 25  |.....R..h'y.j..%|
00015e10  26 3c 12 15 75 02 0f 1c  fc 01 a1 82 a6 82 63 82  |&<..u.........c.|
00015e20  19 ff 19 8b e1 44 65 78  69 74 20 2f 6e c6 36 98  |.....Dexit /n.6.|
00015e30  92 35 37 44 2f 46 20 fb  c1 46 cb 31 41 47 2e 70  |.57D/F ..F.1AG.p|
00015e40  69 66 3f 42 5b e3 42 36  1a 6b 56 1b d4 c8 2f 17  |if?B[.B6.kV.../.|
00015e50  79 25 90 1b d3 4f 40 2d  e1 b2 5b 63 b5 b7 b5 69  |y%...O@-..[c...i|
[....]
00016020  3f 08 9f 61 73 66 4d 45  6e 63 2d 23 70 04 b7 45  |?..asfMEnc-#p..E|
00016030  00 ff 4c b9 d2 2c 6c a3  e9 29 29 d2 0c 04 08 fd  |..L..,l..)).....|
00016040  d5 ad a5 82 d5 4f 33 59  86 d4 b0 ad 2b 1f bd 57  |.....O3Y....+..W|
00016050  6d 0b 3e b4 47 58 7f 3b  b6 40 e4 9f 17 43 4f 4e  |m.>.GX.;.@...CON|
00016060  4e 45 43 54 45 4f 31 b0  48 51 b7 c7 e8 a0 1b b8  |NECTEO1.HQ......|
00016070  22 b8 70 aa fc 70 56 ab  69 22 a5 2e 07 bc 09 a0  |".p..pV.i"......|
00016080  5b c5 4f 45 a5 bf 5e 3b  0a ad 57 53 6f 9b 73 34  |[.OE..^;..WSo.s4|
00016090  52 db 52 04 07 ad a7 4a  a4 08 de 6b 20 50 05 e6  |R.R....J...k P..|
000160a0  a0 3a c2 b6 01 0f 06 99  ff 14 c6 56 b7 96 86 81  |.:.........V....|
000160b0  b4 6b 6b 2b 99 97 ff 52  6d 81 8c 5c 72 50 27 27  |.kk+...Rm..\rP''|
000160c0  d3 56 30 c1 5b 4d 35 6f  81 20 be 85 c5 b1 5b 73  |.V0.[M5o. ....[s|
000160d0  3a d9 50 3a b8 d8 9a d8  ef 8b f1 7c 8b a4 67 0a  |:.P:.......|..g.|
000160e0  4b 57 e7 2a e0 56 1a 11  f5 87 74 55 02 24 f8 ad  |KW.*.V....tU.$..|
000160f0  63 b6 12 b8 13 8f eb d6  74 73 fa 60 5c b8 89 6f  |c.......ts.`\..o|
00016100  7d 18 90 40 58 cb b8 41  cc a5 bb 10 de 3b 87 00  |}..@X..A.....;..|
00016110  1e 70 06 a6 0d 14 1f 74  dd 53 e0 76 87 3b 20 67  |.p.....t.S.v.; g|
00016120  20 8a e7 6f e1 6e 0b 97  20 0e a6 8f bd 85 45 3d  | ..o.n.. .....E=|
00016130  ae 17 77 72 04 ae 72 49  59 a2 49 50 0b 2b ec 5b  |..wr..rIY.IP.+.[|
00016140  7c fc ac 1c 7d 20 59 53  54 4f 52 16 52 0f e8 7e  ||...} YSTOR.R..~|
00016150  f2 f9 4c 49 53 54 4e 4c  54 59 50 45 5d 85 1c 17  |..LISTNLTYPE]...|
00016160  73 83 4d 71 73 9b 3a 41  4b 43 54 31 9e 54 e7 30  |s.Mqs.:AKCT1.T.0|
00016170  86 d4 72 b3 35 08 bc 89  2b 85 50 bd 54 0e 62 5b  |..r.5...+.P.T.b[|
00016180  4c 38 05 37 4f 1b 66 c5  52 06 6e 23 67 5f b6 d8  |L8.7O.f.R.n#g_..|
00016190  83 0d 0b 76 75 2c 05 6d  11 2c 84 c1 e6 c0 af 31  |...vu,.m.,.....1|
000161a0  d8 82 d7 6d 11 a4 63 0a  27 85 14 8c c2 49 7c d7  |...m..c.'....I|.|
000161b0  8e 42 a8 41 42 0a 75 7a  69 81 34 52 65 c2 56 77  |.B.AB.uzi.4Re.Vw|
000161c0  cb 78 86 2b d7 5f 7f 28  33 29 40 4a c0 fc 83 74  |.x.+._.(3)@J...t|
000161d0  75 72 6e 35 64 68 6b d7  45 3d a7 5f 32 7c 02 64  |urn5dhk.E=._2|.d|
000161e0  28 31 53 49 54 45 53 b8  84 51 af 86 17 4b c9 f7  |(1SITES..Q...K..|
000161f0  b0 b3 44 25 43 57 0f 44  55 50 2e 52 4d 42 b4 20  |..D%CW.DUP.RMB. |
00016200  ca 50 47 12 24 80 c6 91  35 1b 66 53 10 a3 6c e8  |.PG.$...5.fS..l.|
00016210  1f 67 60 f3 0e 03 2b 6d  22 6f ef 77 fe b1 2f c9  |.g`...+m"o.w../.|
00016220  ec 34 ff 5a bd 54 4d 17  f6 21 2f f9 52 4e 54 4f  |.4.Z.TM..!/.RNTO|
00016230  46 52 44 45 4c 5f c3 20  b7 91 8e cf 49 2c 20 70  |FRDEL_. ....I, p|
00016240  43 64 28 97 a1 a1 70 24  4a 72 81 be bb 01 99 e3  |Cd(...p$Jr......|
00016250  b7 45 8b 75 33 32 b1 42  69 21 e7 d6 3a 8f 69 0c  |.E.u32.Bi!..:.i.|
00016260  cc d0 41 96 1a 30 26 21  c1 57 ad 45 42 c7 9b 5d  |..A..0&!.W.EB..]|
00016270  5c 4c b6 43 98 5c 98 90  76 ad 2e 67 20 3f 9f 8d  |\L.C.\..v..g ?..|
00016280  d0 a8 50 ed 24 20 66 be  01 d3 45 4d c4 c2 2e d7  |..P.$ f...EM....|
00016290  02 7c ef 0b 57 41 42 06  34 09 61 62 9c 13 a0 14  |.|..WAB.4.ab....|
000162a0  0c bc 16 4f 0c 5c 00 03  02 b3 f9 32 b0 00 8a 48  |...O.\.....2...H|
000162b0  31 db a6 06 ce ff f7 73  0e ff 43 e2 f9 e3 2f c2  |1......s..C.../.|
[....]
000163a0  0a 64 14 40 15 c8 28 80  2a 90 51 00 54 20 a3 00  |.d.@..(.*.Q.T ..|
000163b0  a8 40 46 01 50 81 8c 02  a0 02 19 05 40 05 32 0a  |.@F.P.......@.2.|
000163c0  80 0a 64 14 00 15 c8 28  00 2a 90 51 01 54 20 a3  |..d....(.*.Q.T .|
000163d0  02 a8 40 46 05 50 81 8c  0a a0 02 19 46 05 54 32  |..@F.P......F.T2|
000163e0  f8 17 ca 16 94 38 08 0c  00 01 47 65 74 df 7f 01  |.....8....Get...|
000163f0  43 9c 75 70 49 6e 66 6f  41 21 54 6c 10 fe de b7  |C.upInfoA!Tl....|
00016400  73 26 56 61 6c 75 65 19  53 13 4c 61 73 74 cc 3e  |s&Value.S.Last.>|
00016410  1b c2 b6 35 46 72 65 65  11 41 ff b7 80 21 2e 7c  |...5Free.A...!.||
00016420  45 78 69 74 43 6f 64 65  f8 ce 30 84 54 3e 25 52  |ExitCode..0.T>%R|
00016430  65 ee ef 4d 48 dc 75 6d  61 70 68 6d b5 35 0c c1  |e..MH.umaphm.5..|
00016440  5c 18 21 ab 6d 08 d9 41  6d 75 dd 9b 6d 08 a1 49  |\.!.m..Amu..m..I|
00016450  64 28 73 01 12 8e 1b 41  e6 ab 20 c9 04 ef 79 4d  |d(s....A.. ...yM|
00016460  8f 6b 23 53 bf f7 1d fc  00 4c 69 62 72 65 79 19  |.k#S.....Librey.|
00016470  57 61 49 46 a3 4d 75 6c  21 8c fd ef 74 69 70 eb  |WaIF.Mul!...tip.|
00016480  4f 62 6a 65 63 74 73 e1  16 24 b6 b4 2e d9 45 c3  |Objects..$....E.|
00016490  10 ec fb d6 44 75 5f 69  63 48 bb 83 ed 76 6f 48  |....Du_icH...voH|
000164a0  3b 05 69 a3 f6 39 0c 09  02 f8 67 61 08 81 6d 2d  |;.i..9....ga..m-|
000164b0  43 1f a4 66 1f 3e 78 74  40 23 f7 73 75 6d b6 0d  |C..f.>xt@#.sum..|
000164c0  2c 0d 13 3e 06 2f 17 81  d9 86 90 f4 bb ec 99 63  |,..>./.........c|
[....]
00016660  db 46 b7 2c fa e7 4d 8a  d0 05 48 93 bb 20 61 b5  |.F.,..M...H.. a.|
00016670  17 a5 70 23 b2 13 34 21  7a 1a 52 32 38 2f 3a 16  |..p#..4!z.R28/:.|
00016680  d3 10 cf 59 d9 e5 40 14  3b 56 61 61 62 d9 b9 6e  |...Y..@.;Vaab..n|
00016690  29 56 34 af 15 4e e8 77  6c 64 db 8e 33 a4 eb 1f  |)V4..N.wld..3...|
000166a0  55 75 2c 76 fb 0f 45 56  69 65 77 4f 66 d3 4d 1d  |Uu,v..EViewOf.M.|
000166b0  b7 70 b4 15 87 30 70 2c  ea cf 76 fd 81 6f 25 00  |.p...0p,..v..o%.|
000166c0  00 5d 3f 6c 07 0c 57 10  1d 1e 1b 95 17 59 42 01  |.]?l..W......YB.|
000166d0  09 d9 bd fd 6a 75 cb 19  d8 16 d7 18 a3 a7 51 5b  |....ju........Q[|
000166e0  20 c9 e7 3c 47 75 70 7e  c8 17 0c e1 01 da 73 fb  | ..<Gup~......s.|
000166f0  ea c0 71 43 de ef 73 1b  74 63 68 23 c5 44 48 b0  |..qC..s.tch#.DH.|
00016700  38 ad 8d dd ed b8 3e 9d  38 29 6f 6d c1 c5 56 d3  |8.....>.8)om..V.|
00016710  97 41 07 1b 1b 27 20 61  29 21 9d a5 8d 22 b9 1d  |.A...' a)!..."..|
00016720  59 43 4d 04 b6 21 f2 bb  61 67 21 7d 30 a5 69 3b  |YCM..!..ag!}0.i;|
00016730  cc 1d 8b 24 5b f0 36 76  51 29 be 66 69 67 32 6b  |...$[.6vQ).fig2k|
00016740  7b a5 eb 71 7d 4b 65 79  e5 55 73 dd 05 77 21 82  |{..q}Key.Us..w!.|
00016750  3c 7f 3a 1e 17 09 48 d8  b2 25 21 36 36 d8 cc b6  |<.:...H..%!66...|
00016760  7a 19 34 95 1c 89 8d 0c  09 a0 7d 86 e0 ee 06 36  |z.4.......}....6|
00016770  d8 19 6e 1f 73 98 2b 7c  1b 2b 43 00 6a b9 08 6d  |..n.s.+|.+C.j..m|
00016780  60 32 24 1b 75 28 b8 de  e3 69 d1 0d 0c 15 a5 54  |`2$.u(...i.....T|
[....]
00016f20  36 b2 0c 00 00 00 00 00  54 b2 0c 00 00 00 00 00  |6.......T.......|
00016f30  5a b2 0c 00 00 00 00 00  6a b2 0c 00 00 00 00 00  |Z.......j.......|
00016f40  7a b2 0c 00 00 00 00 00  01 00 00 80 00 00 00 00  |z...............|
00016f50  4b 45 52 4e 45 4c 33 32  2e 44 4c 4c 00 41 44 56  |KERNEL32.DLL.ADV|
00016f60  41 50 49 33 32 2e 64 6c  6c 00 44 4e 53 41 50 49  |API32.dll.DNSAPI|
00016f70  2e 64 6c 6c 00 69 70 68  6c 70 61 70 69 2e 64 6c  |.dll.iphlpapi.dl|
00016f80  6c 00 4d 50 52 2e 64 6c  6c 00 4d 53 56 43 50 36  |l.MPR.dll.MSVCP6|
00016f90  30 2e 64 6c 6c 00 4d 53  56 43 52 54 2e 64 6c 6c  |0.dll.MSVCRT.dll|
00016fa0  00 50 53 41 50 49 2e 44  4c 4c 00 53 48 45 4c 4c  |.PSAPI.DLL.SHELL|
00016fb0  33 32 2e 64 6c 6c 00 55  53 45 52 33 32 2e 64 6c  |32.dll.USER32.dl|
00016fc0  6c 00 57 53 32 5f 33 32  2e 64 6c 6c 00 00 4c 6f  |l.WS2_32.dll..Lo|
00016fd0  61 64 4c 69 62 72 61 72  79 41 00 00 47 65 74 50  |adLibraryA..GetP|
00016fe0  72 6f 63 41 64 64 72 65  73 73 00 00 45 78 69 74  |rocAddress..Exit|
00016ff0  50 72 6f 63 65 73 73 00  00 00 52 65 67 45 6e 75  |Process...RegEnu|
00017000  6d 4b 65 79 41 00 00 00  44 6e 73 51 75 65 72 79  |mKeyA...DnsQuery|
00017010  5f 41 00 00 47 65 74 54  63 70 54 61 62 6c 65 00  |_A..GetTcpTable.|
00017020  00 00 57 4e 65 74 41 64  64 43 6f 6e 6e 65 63 74  |..WNetAddConnect|
00017030  69 6f 6e 32 57 00 00 00  3f 3f 31 6f 75 74 5f 6f  |ion2W...??1out_o|
00017040  66 5f 72 61 6e 67 65 40  73 74 64 40 40 55 41 45  |f_range@std@@UAE|
00017050  40 58 5a 00 00 00 5f 69  6f 62 00 00 45 6e 75 6d  |@XZ..._iob..Enum|
00017060  50 72 6f 63 65 73 73 65  73 00 00 00 53 68 65 6c  |Processes...Shel|
00017070  6c 45 78 65 63 75 74 65  41 00 00 00 77 73 70 72  |lExecuteA...wspr|
00017080  69 6e 74 66 41 00 00 00  00 00 00 00 00 00 00 00  |intfA...........|
00017090  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00017200
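
The first rows of the dump are the DOS and PE headers, and they carry the section layout behind the "UPX compressed" report from file. The following is an added example, not part of the original page: it parses those header bytes, transcribed from the dump above, and reports two packer indicators. The function names are illustrative.

```python
import struct

# Header rows transcribed from the hexdump above, keyed by file offset.
# Rows the parser does not read (DOS stub, Rich header) are left as zeros.
ROWS = {
    0x000: "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00",
    0x030: "00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00",
    0x0f0: "50 45 00 00 4c 01 03 00 35 b7 c2 43 00 00 00 00",
    0x100: "00 00 00 00 e0 00 0f 01 0b 01 06 00 00 70 01 00",
    0x110: "00 10 00 00 00 30 0b 00 4f a7 0c 00 00 40 0b 00",
    0x120: "00 b0 0c 00 00 00 40 00 00 10 00 00 00 02 00 00",
    0x1e0: "00 00 00 00 00 00 00 00 63 6f 64 65 00 00 00 00",
    0x1f0: "00 30 0b 00 00 10 00 00 00 00 00 00 00 04 00 00",
    0x200: "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0",
    0x210: "74 65 78 74 00 00 00 00 00 70 01 00 00 40 0b 00",
    0x220: "00 6a 01 00 00 04 00 00 00 00 00 00 00 00 00 00",
    0x230: "00 00 00 00 40 00 00 c0 72 73 72 63 00 00 00 00",
    0x240: "00 10 00 00 00 b0 0c 00 00 04 00 00 00 6e 01 00",
    0x250: "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0",
}
MEM_WRITE = 0x80000000  # IMAGE_SCN_MEM_WRITE


def build_header(rows=ROWS, size=0x260):
    """Rebuild the first 0x260 bytes of the file from the rows above."""
    buf = bytearray(size)
    for offset, hexrow in rows.items():
        buf[offset:offset + 16] = bytes.fromhex(hexrow)
    return bytes(buf)


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("no DOS header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)                             # COFF header
    entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):                                # 40-byte entries
        f = struct.unpack_from("<8sIIIIIIHHI", data, pe + 24 + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": f[1], "vaddr": f[2],
                         "raw_size": f[3], "flags": f[9]})
    return {"machine": machine, "entry": entry, "sections": sections}


def packer_indicators(pe):
    """Flag sections that exist only in memory and a writable entry section."""
    notes = []
    for s in pe["sections"]:
        if s["raw_size"] == 0 and s["vsize"] > 0:
            notes.append(f"{s['name']}: empty on disk, {s['vsize']:#x} bytes in memory")
        in_section = s["vaddr"] <= pe["entry"] < s["vaddr"] + s["vsize"]
        if in_section and s["flags"] & MEM_WRITE:
            notes.append(f"entry point {pe['entry']:#x} is in writable section {s['name']}")
    return notes


if __name__ == "__main__":
    print("\n".join(packer_indicators(parse_pe(build_header()))))
```

The sections here are named code, text and rsrc rather than the stock UPX0 and UPX1, so a check based on section names alone would miss what the layout shows.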