Anonymous Coward

Dear Steven Foster, you don't know how right you are.

As a security analyst that decompiled this particular I give you a string dump:

// File name: C:\Program Files\e-Jihad\e-Jihad.exe

// Created : 02.11.2007 23:21

// Type : Strings List

00405720: 'Download Initialized.',0000h

00405750: 'Synchronous Download Has Started.',0000h

00405798: 'Local Cache File Is Available.',0000h

004057DC: 'Connecting To Resource.',0000h

00405810: 'Download In Progress.',0000h

00405840: 'Download Complete.',0000h

0040586C: 'Synchronous Download Complete.',0000h

004058B0: 'An Error Has Occurred.',0000h

004058E4: 'Finding Resource.',0000h

0040590C: 'MIME Type Is Available.',0000h

00405940: 'Redirecting.',0000h

00405960: 'Sending Request.',0000h

00405988: 'Using Cached Copy.',0000h

004059B4: 'Unknown.',0000h

00405AFC: 'kernel32',0

00405B0C: 'CreateToolhelp32Snapshot',0

00405B60: 'Process32First',0

00405BA8: 'Process32Next',0

00405BF0: 'TerminateProcess',0

00405C3C: 'GetExitCodeProcess',0

00405CFC: 'OpenProcess',0

00405D88: 'CloseHandle',0

00405DD8: '\',0000h

00405DE0: 'ping.exe',0000h

00405DF8: 'ping',0000h

00405F28: 'advapi32.dll',0

00405F3C: 'RegCloseKey',0

00406060: 'RegOpenKeyA',0

004060A4: 'RegQueryValueExA',0

00406144: ' ',0000h

004063B8: 'http://al-jinan.org/ntarg.php?notdoing=yes',0000h

00406414: 'targit',0000h

004064C8: 'http://al-jinan.org/ntarg.php?howme=re',0000h

0040651C: '&uname=',0000h

00406530: '*-*',0000h

0040653C: 'yours',0000h

00406598: 'Rong',0000h

0040660C: 'http://www.jofpmuytrvcf.com/ntarg.php',0000h

0040665C: 'jo-uf',0000h

0040667C: 'http://www.jo-uf.net/ntarg.php',0000h

004066C0: 'jo-net',0000h

004066D4: 't35',0000h

004066E0: 'host',0000h

004066F0: '*',0000h

0040672C: ':',0000h

00406734: 'http://',0000h

00406748: '/',0000h

00406750: 'windir',0000h

00406764: '.bat',0000h

00406774: 'ping -t ',0000h

0040678C: ' -l ',0000h

0040679C: 0Dh,0Ah,0000h

004067A8: 'HNetCfg.FwMgr',0000h

004067D8: 'HNetCfg.FwAuthorizedApplication',0000h

0040682C: 'HNetCfg.FwOpenPort',0000h

00406868: 'Attacker',0000h

00406890: '.exe',0000h

0040689C: 'AuthorizedApplications',0000h

004068D8: 'http://al-jinan.org/ntarg.php?',0000h

0040691C: 'uname=',0000h

004069BC: 'Software\Microsoft\Windows\CurrentVersion\Internet Settings',0000h

00406A38: 'ProxyEnable',0000h

00406A54: '0',0000h

00406A5C: 'ProxyServer',0000h

00406A78: 'OPEN',0000h

00406A88: 'GET ',0000h

00406A98: ' HTTP/1.0',0000h

00406AB0: 'Accept: */*',0000h

00406ACC: 'Accept: text/html',0000h

00406AF4: 'Tam',0000h

00406B20: 'usernotfound',0000h

00406DC8: 'http://al-jinan.org/tlog.php?',0000h

00406E08: 'logn=',0000h

00406E18: '&pss=',0000h

00406E28: 'login',0000h

00406E84: 'userautho',0000h

00406E9C: 'usernotautho',0000h

00406FF4: '\system32\rptjv.dll',0000h

004070A0: 'khgf&*(%gh&*(%IGU',0000h

004070C8: 'http://al-jinan.org/tnewu.php?',0000h

0040710C: 'nlogn=',0000h

00407120: '&npss=',0000h

00407134: '&invitedby=',0000h

00407150: 'new',0000h

0040715C: 'userfound',0000h

004071D8: 'noinvitedby',0000h

00407280: 'userentered',0000h
