Full Disclosure mailing list archives
Re: Re: Google Malware Search
From: David Taylor <ltr () isc upenn edu>
Date: Mon, 17 Jul 2006 13:01:29 -0400
One other thing which may already be known by most of you: on the Google results you can click "View as HTML" and get a lot of file information.

WINDOWS EXECUTABLE 32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header
  Signature: 00004550
  Machine: Intel 386
  Number of Sections: 0003
  Time Date Stamp: 43e3d0b9
  Symbols Pointer: 00000000
  Number of Symbols: 00000000
  Size of Optional Header: 00e0
  Characteristics:
    Relocation info stripped from file.
    File is executable (i.e. no unresolved external references).
    Line numbers stripped from file.
    Local symbols stripped from file.
    32 bit word machine.

Image Optional Header
  Magic: 010b
  Linker Version: 5.12
  Size of Code: 00003800
  Size of Initialized Data: 00004000
  Size of Uninitialized Data: 00000000
  Address of Entry Point: 0000b037
  Base of Code: 00001000
  Base of Data: 00005000
  Image Base: 00400000
  Section Alignment: 00001000
  File Alignment: 00000200
  Operating System Version: 4.00
  Image Version: 0.00
  Subsystem Version: 4.00
  Reserved1: 00000000
  Size of Image: 00010000
  Size of Headers: 00000400
  Checksum: 00000000
  Subsystem: Image runs in the Windows GUI subsystem.
  DLL Characteristics: 0000
  Size of Stack Reserve: 00100000
  Size of Stack Commit: 00001000
  Size of Heap Reserve: 00100000
  Size of Heap Commit: 00001000
  Loader Flags: 00000000
  Size of Data Directory: 00000010
  Import Directory Virtual Address: 0000a000
  Import Directory Size: 00000240

Import Table
  kernel32.dll   Ordinal 0000  Function Name: Sleep
  user32.dll     Ordinal 0000  Function Name: wsprintfA
  wsock32.dll    Ordinal 0000  Function Name: send
  ole32.dll      Ordinal 0000  Function Name: CoInitialize
  shlwapi.dll    Ordinal 0000  Function Name: StrDupA
  wininet.dll    Ordinal 0000  Function Name: InternetOpenA
  advapi32.dll   Ordinal 0000  Function Name: RegCloseKey
  urlmon.dll     Ordinal 0000  Function Name: URLDownloadToFileA
  shell32.dll    Ordinal 0000  Function Name: ShellExecuteA
  gdi32.dll      Ordinal 0000  Function Name: DeleteDC

Section Table
  Section name: UPX0
    Virtual Size: 00009000
    Virtual Address: 00001000
    Size of raw data: 00000000
    Pointer to Raw Data: 00000400
    Pointer to Relocations: 00000000
    Pointer to Line Numbers: 00000000
    Number of Relocations: 0000
    Number of Line Numbers: 0000
    Characteristics: Section contains initialized data; Section is executable; Section is readable; Section is writeable
  Section name: UPX1
    Virtual Size: 00000240
    Virtual Address: 0000a000
    Size of raw data: 00000400
    Pointer to Raw Data: 00000400
    Pointer to Relocations: 00000000
    Pointer to Line Numbers: 00000000
    Number of Relocations: 0000
    Number of Line Numbers: 0000
    Characteristics: Section contains initialized data; Section is readable; Section is writeable
  Section name: UPX2
    Virtual Size: 00005000
    Virtual Address: 0000b000
    Size of raw data: 00004400
    Pointer to Raw Data: 00000800
    Pointer to Relocations: 00000000
    Pointer to Line Numbers: 00000000
    Number of Relocations: 0000
    Number of Line Numbers: 0000
    Characteristics: Section contains code; Section is executable; Section is readable; Section is writeable

Header Information
  Signature: 5a4d
  Last Page Size: 0090
  Total Pages in File: 0003
  Relocation Items: 0000
  Paragraphs in Header: 0004
  Minimum Extra Paragraphs: 0000
  Maximum Extra Paragraphs: ffff
  Initial Stack Segment: 0000
  Initial Stack Pointer: 00b8
  Complemented Checksum: 0000
  Initial Instruction Pointer: 0000
  Initial Code Segment: 0000
  Relocation Table Offset: 0040
  Overlay Number: 0000
  Reserved: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
  Offset to New Header: 000000c0
  Memory Needed: 2K

On 7/17/06 12:21 PM, "Mike M" <mkmaxx () gmail com> wrote:
Message: 11
Date: Sun, 16 Jul 2006 23:58:30 -0500
From: H D Moore <fdlist () digitaloffense net>
Subject: [Full-disclosure] Google Malware Search
To: full-disclosure () lists grok org uk
Message-ID: <200607162358.30574.fdlist () digitaloffense net>
Content-Type: text/plain; charset="us-ascii"

http://metasploit.com/research/misc/mwsearch/?q=bagle

Enjoy,
-HD

Didn't know google crawls scr's and com's.. Since when?

MM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
==================================================
David Taylor // Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================
Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader
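The "View as HTML" output quoted above is a straight rendering of the DOS header, COFF file header, PE32 optional header and section table, and the same fields are what an analyst reads when triaging a sample offline. The following Python is an added example, not code from the post or from Google's converter: it parses those headers from raw bytes and then applies three cheap packer heuristics a defender would check before anything else (UPX-named sections, an executable section with no data on disk, and an entry point in the last section). The sample image is constructed in `build_sample_pe()` to carry the same field values as the dump above; it contains headers only, no section bodies, and the UPX section flags are assumed from the characteristics listed in the post.

```python
import struct

# COFF file-header characteristic bits (names follow the PE/COFF spec)
FILE_CHARACTERISTICS = {
    0x0001: "relocation info stripped", 0x0002: "executable image",
    0x0004: "line numbers stripped",    0x0008: "local symbols stripped",
    0x0100: "32-bit word machine",      0x2000: "DLL",
}
MACHINES = {0x014C: "Intel 386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
SUBSYSTEMS = {1: "native", 2: "Windows GUI", 3: "Windows CUI"}
SECTION_FLAGS = {
    0x00000020: "code", 0x00000040: "initialized data", 0x00000080: "uninitialized data",
    0x20000000: "executable", 0x40000000: "readable", 0x80000000: "writeable",
}


def _flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> PE32 optional header -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsec, stamp, _symptr, _nsyms, optsize, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here, got 0x%x" % magic)
    lmaj, lmin, _scode, _sidata, _sudata, entry, _bcode, _bdata, image_base = \
        struct.unpack_from("<BBIIIIIII", data, opt + 2)
    size_image, _size_hdrs, _checksum, subsystem, _dllchars = struct.unpack_from("<IIIHH", data, opt + 56)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    # Data directory entry 1 is the import directory (RVA, size)
    import_dir = struct.unpack_from("<II", data, opt + 96 + 8) if n_dirs > 1 else (0, 0)
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from("<8sIIIIIIHHI", data, opt + optsize + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "raw_pointer": rawptr,
                         "flags": _flags(flags, SECTION_FLAGS)})
    return {"machine": MACHINES.get(machine, "0x%04x" % machine), "number_of_sections": nsec,
            "timestamp": stamp, "characteristics": _flags(chars, FILE_CHARACTERISTICS),
            "linker_version": "%d.%d" % (lmaj, lmin), "entry_point": entry,
            "image_base": image_base, "size_of_image": size_image,
            "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
            "import_directory": tuple(import_dir), "sections": sections}


def packer_indicators(info: dict) -> list:
    """Triage signals typical of runtime packers such as UPX; each hit is a human-readable string."""
    hits, secs = [], info["sections"]
    for s in secs:
        if s["name"].upper().startswith("UPX"):
            hits.append("section name %s" % s["name"])
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and "executable" in s["flags"]:
            hits.append("section %s is executable but has no data on disk (unpack target)" % s["name"])
    if len(secs) > 1:
        last = secs[-1]
        lo, hi = last["virtual_address"], last["virtual_address"] + last["virtual_size"]
        if lo <= info["entry_point"] < hi:
            hits.append("entry point 0x%x lies in the last section %s" % (info["entry_point"], last["name"]))
    return hits


def build_sample_pe() -> bytes:
    """Constructed header-only PE32 image mirroring the values in the post (no real section bodies)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew: PE header follows the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, 3, 0x43E3D0B9, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBBIIIIIII", opt, 0, 0x10B, 5, 12, 0x3800, 0x4000, 0, 0xB037, 0x1000, 0x5000, 0x400000)
    struct.pack_into("<IIHHHHHH", opt, 32, 0x1000, 0x200, 4, 0, 0, 0, 4, 0)   # alignments, OS/image/subsys versions
    struct.pack_into("<IIIIHH", opt, 52, 0, 0x10000, 0x400, 0, 2, 0)        # SizeOfImage, SizeOfHeaders, GUI subsystem
    struct.pack_into("<IIIIII", opt, 72, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    struct.pack_into("<II", opt, 96 + 8, 0xA000, 0x240)                       # import directory RVA / size
    table = [(b"UPX0", 0x9000, 0x1000, 0x0000, 0x400, 0xE0000040),   # init data, exec, read, write (assumed bits)
             (b"UPX1", 0x0240, 0xA000, 0x0400, 0x400, 0xC0000040),   # init data, read, write
             (b"UPX2", 0x5000, 0xB000, 0x4400, 0x800, 0xE0000020)]   # code, exec, read, write
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, f) for n, vs, va, rs, rp, f in table)
    image = bytes(dos) + coff + bytes(opt) + secs
    return image + b"\0" * (0x400 - len(image))                   # pad to SizeOfHeaders


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    for key, value in info.items():
        if key != "sections":
            print("%-20s %s" % (key, hex(value) if isinstance(value, int) else value))
    for s in info["sections"]:
        print("  %-6s vsize=%#07x vaddr=%#07x raw=%#07x %s" % (s["name"], s["virtual_size"],
              s["virtual_address"], s["raw_size"], ", ".join(s["flags"])))
    for hit in packer_indicators(info):
        print("packer indicator:", hit)
```

Run against a real file, `parse_pe(open(path, "rb").read())` yields the same fields the Google rendering shows, and `packer_indicators` fires on exactly the pattern visible in the dump: UPX0 has a virtual size of 0x9000 but zero bytes on disk (the unpacking destination), and the entry point 0xb037 sits in the last section, where the decompression stub lives. The import table in the post is the packer's minimal stub table, which is why a packed file shows only one function per DLL; the real imports are only visible after unpacking.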