# Listings zum Artikel "Exe und hopp", iX 11/2004, S. 140

# Listing 1

Received: from uthra.com (unknown [203.101.42.79])
        by mrbusi1.netcologne.de (Postfix) with SMTP id A210D1A002D
        for <feh@fehcom.de>; Thu,  2 Sep 2004 06:01:48 +0200 (CEST)
Date: Thu, 02 Sep 2004 09:16:35 +0530
To: "Feh" <feh@fehcom.de>
From: "Qmail" <qmail@list.cr.yp.to>
Subject: RE: Incoming Msg
Message-ID: <dtlzefzpvovykdyzrut@fehcom.de>
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="--------zxwdebapwptyxeusrsyb"

----------zxwdebapwptyxeusrsyb
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>


<br>
</body></html>

----------zxwdebapwptyxeusrsyb
Content-Type: application/octet-stream; name="Information.exe"
Content-Transfer-Encoding: BASE64
Content-Disposition: attachment; filename="Information.exe"

TVoAAAEAAAACAAAA//8AAEAAAAAAAAAAQAAAAKgAAAC0TM0hAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAkAAAAKkm3RPtR7NA7UezQO1Hs0DtR7NA7kezQGNYoEBtR7NAEWehQOxHs0AqQbVA
7EezQFJpY2jtR7NAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAUEUAAEwBAwBpcnVzAAAAAAAA
AADgAA8BCwEFDABQAAAAEAAAAJAAAPDiAAAAoAAAAPAAAAAAQAAAEAAAAAIAAAQAAAAAAAAA
BAAAAAAAAAAAEAEAABAAACdUAQACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA
AACk8wAATAIAAADwAACkAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
...

# Listing 2a

Received: from fehcom.de (unknown [203.110.83.2])
        by mrbusi1.netcologne.de (Postfix) with ESMTP id BCB411A004C
        for <feh@fehcom.de>; Sat,  4 Sep 2004 08:42:21 +0200 (CEST)
From: 1071109382.8140@86.exgon.com
To: feh@fehcom.de
Subject: Re: Proof of concept
Date: Sat, 4 Sep 2004 12:12:22 +0530
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_NextPart_000_0016----=_NextPart_000_0016"
X-Priority: 3
X-MSMail-Priority: Normal
Message-Id: <20040904064221.BCB411A004C@mrbusi1.netcologne.de>

This is a multi-part message in MIME format.

------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: text/plain;
        charset="Windows-1252"
Content-Transfer-Encoding: 7bit

I hope you accept the result!

++++ Attachment: No Virus found
++++ F-Secure AntiVirus - www.f-secure.com


------=_NextPart_000_0016----=_NextPart_000_0016
Content-Type: application/octet-stream;
        name="part_01.zip"
Content-Transfer-Encoding: BASE64
Content-Disposition: attachment;
        filename="part_01.zip"

UEsDBAoAAAAAAMAoJDGjiB3egHMAAIBzAABTAAAAZG9jdW1lbnQudHh0ICAgICAgICAgICAg
...


# Listing 2b

document.txt                                                                   .exeMZ
!Windows Program
KERNEL32.dll
LoadLibraryA
...


# Listing 3

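/*
 * put - pass one message byte on to the queue and scan the reassembled
 * lines for unwanted BASE64 attachments.
 *
 * ch points to the single byte to process.  Bytes are collected in the
 * global stralloc `line`; the buffer is reset to "L" after every newline,
 * so the message text of a line starts at line.s+1.
 * NOTE(review): assumes `line` already holds "L" before the first call --
 * confirm at the call site.
 *
 * State kept in globals (line numbers are values of `nolines`):
 *   flag64    - line of the last "Content-Transfer-Encoding: BASE64" header
 *   flagblank - line of the blank line that follows that header
 *   flagbase  - line of the first body line after that blank line
 *   flagmimetype / flagloadertype - 1 while the check is active, set to -1
 *               once the corresponding cdb lookup reported a hit
 *
 * A nonzero cdb_seek() result marks the message as failed via qmail_fail();
 * the byte is still handed to qmail_put() afterwards.  Only parts announced
 * by a BASE64 transfer-encoding header line are examined here.
 */
void put(ch)
char *ch;
{
  uint32 dlen;
  int i;

  /* Reassemble chars to a line; the line is prefixed with 'L' */
  if (!stralloc_catb(&line,ch,1)) die_nomem();

  if (*ch == '\n') {
    nolines++;

    /* BASE64 attachments: remember the line number of the encoding header */
    if (*(line.s+1) == 'C' || *(line.s+1) == 'c') {
      if (case_startb(line.s+1,line.len-2,"content-transfer-encoding: BASE64")) flag64 = nolines;
    }

    /* "L\n" is an empty line: the MIME part header ends, the body follows */
    if (line.len == 2 && flag64 > 0 && nolines > flag64 && nolines > flagbase) flagblank = nolines;

    /* First body line directly after that blank line: look up its prefix */
    if (line.len > MIME_LEN && nolines == flagblank + 1) {
      flagbase = nolines; flag64 = 0; flagblank = 0;
      if (flagmimetype == 1) {
        /* NOTE(review): reads MIMETYPE_LEN bytes from line.s+1 although the
           guard above uses MIME_LEN -- confirm MIMETYPE_LEN < MIME_LEN. */
        if (cdb_seek(fdbmt,line.s+1,MIMETYPE_LEN,&dlen)) {
          flagmimetype = -1;
          qmail_fail(&qqt);
        }
      }
    }

    if (flagloadertype == 1 && flagmimetype != -1) {
      if (flagbase > 0 && flag64 == 0 && flagblank == 0) {
        /* presumably checkline() returns an offset into the line -- verify */
        i = checkline(line.s);
        /*
         * Same bound as "i < line.len - LOADER_LEN - 1", but written as an
         * addition: the stock stralloc length is unsigned, so the
         * subtraction wraps for short lines and would let cdb_seek() read
         * LOADER_LEN bytes past the end of the line.
         */
        if (i > 1 && (unsigned int) i + LOADER_LEN + 1 < line.len) {
          if (cdb_seek(fdblt,line.s+i,LOADER_LEN,&dlen)) {
            flagloadertype = -1;
            qmail_fail(&qqt);
          }
        }
      }
    }

    /*
     * Clear exactly the bytes that were collected.  A stralloc is not
     * NUL-terminated, so measuring it with str_len() can run past the
     * buffer and make byte_zero() overwrite memory behind it.
     */
    byte_zero(line.s,line.len);
    if (!stralloc_copys(&line,"L")) die_nomem();
  }

  /* Byte budget: fail the message when the counter reaches zero */
  if (bytestooverflow) {
    if (!--bytestooverflow) {
      qmail_fail(&qqt);
    }
  }
  qmail_put(&qqt,ch,1);
}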

# Listing 4a

TVqQAAMAA
TVpQAAIAA
TVpAALQAc
TVpyAXkAX
TVrmAU4AA
TVrhARwAk
TVoFAQUAA
TVoAAAQAA
TVoIARMAA
TVouARsAA
TVrQAT8AA
TVrvAEQAe
# MyDoom (*.zip)
UEsDBAoAA
# *.zip
# UEsDBAkAA
# *.z (gnu-zip)
# H4sIADWWb
# double Base 64 Windows Executable
VFZxUUFBT
# triple Base 64 Windows Executable
VkZaeFVVR
# Pif File
TVoAAAEAA
# Bagle
ZGltIGZpb

# Listing 4b 


Mi5kb
MzIuZ
MyLmR
