{"id":1364,"date":"2012-10-09T18:22:42","date_gmt":"2012-10-09T18:22:42","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1364"},"modified":"2012-10-11T15:36:24","modified_gmt":"2012-10-11T15:36:24","slug":"skype-worm-strings","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/10\/09\/skype-worm-strings\/","title":{"rendered":"Skype worm &#8211; strings &#038; some metadata"},"content":{"rendered":"<p><strong>Update<\/strong><br \/>\nA few people asked for the hashes of the samples; here they are (MD5):<\/p>\n<pre>c483bffc879233d99ba52f05fd100872\u00a0\u00a0\u00a0 skype_02102012_images.exe\r\n393b4c117e15fbcfe56f560a8e6a3f0c\u00a0\u00a0\u00a0 skype_04102012_image.exe\r\n98f74b530d4ebf6850c4bc193c558a98\u00a0\u00a0\u00a0 skype_05102012_image.exe\r\ne8e2ba08f9aff27eed45daa8dbde6159\u00a0\u00a0\u00a0 skype_06102012_image.exe\r\ne3af8159d2f1af293bb43cd41d4171db\u00a0\u00a0\u00a0 skype_08102012_image.exe<\/pre>\n<p>I had a very quick look at the code today and, interestingly, there are some &#8216;funny&#8217; snippets, e.g.:<\/p>\n<ul>\n<li>it reads the value at 7FFE002Ch (_KUSER_SHARED_DATA.ImageNumberLow) directly and, if it is not IMAGE_FILE_MACHINE_I386, launches Internet Explorer &#8211; the PID of that process is later used by an extra thread which I have not explored yet. On x64 Windows this field holds IMAGE_FILE_MACHINE_AMD64 (8664h), so the comparison is effectively a &#8216;running on 64-bit Windows&#8217; test done without calling IsWow64Process or GetNativeSystemInfo (both of which the sample nevertheless imports, see the strings below)<\/li>\n<li>dead code that attempts to wipe \\\\.\\PHYSICALDRIVE0 (the string is in the dump below, near SeShutdownPrivilege and NtShutdownSystem)<\/li>\n<li>a check whether the host&#8217;s drive is a USB device, via DeviceIoControl(&#8230; IOCTL_STORAGE_QUERY_PROPERTY &#8230;); the import table also has RegisterDeviceNotificationA, so it can presumably be told when a new drive is attached as well<\/li>\n<li>code removing the :Zone.Identifier alternate data stream, i.e. the mark-of-the-web that would otherwise flag a dropped file as downloaded from the Internet<\/li>\n<li>it also seems to hook a few APIs &#8211; the run of API names paired with their DLLs in the dump below (RegCreateKeyExW\/A, URLDownloadToFileW\/A, PR_Write, DnsQuery_W\/A, HttpSendRequestW\/A, send, the file APIs, NtQueryDirectoryFile, NtEnumerateValueKey) looks like the hook table, but that needs checking as well<\/li>\n<\/ul>\n<p><strong>Older post<\/strong><\/p>\n<p>Info on the Skype worm is doing the rounds, so I had a quick look and dumped the strings from the process inject &#8211; some are quite interesting and indicative of the functionality described in various blogs. 
Don&#8217;t have time to look at the code today, but it does look interesting enough to come back to.<\/p>\n<p>Interestingly, while the PE timestamps of the dropper samples indicate compilation in October 2012<\/p>\n<pre>2012-10-02 19:36:26\u00a0\u00a0\u00a0\u00a0 .\\skype_02102012_images.exe\r\n2012-10-04 15:03:38\u00a0\u00a0\u00a0\u00a0 .\\skype_04102012_image.exe\r\n2012-10-06 06:24:55\u00a0\u00a0\u00a0\u00a0 .\\skype_05102012_image.exe\r\n2012-10-07 01:15:19\u00a0\u00a0\u00a0\u00a0 .\\skype_06102012_image.exe\r\n2012-10-08 12:09:07\u00a0\u00a0\u00a0\u00a0 .\\skype_08102012_image.exe<\/pre>\n<p>the compilation timestamp of one of the injects is 2011-05-16 21:46:39, so the core code seems to be quite old (these are PE header timestamps, so they can be forged, but these ones look plausible).<\/p>\n<p>Strings dumped from the inject:<\/p>\n<p>%s.%s<br \/>\npdef<br \/>\n%s.%S<br \/>\nbrk<br \/>\ndll<br \/>\nexe<br \/>\nDBWIN<br \/>\n\\\\.\\pipe<br \/>\n%s.Protect &#8220;%s&#8221; against file removal done!!<br \/>\n%s.Protect &#8220;%S&#8221; against removal of our pc!!<br \/>\nblock<br \/>\nbdns<br \/>\nkernel32.dll<br \/>\nCreateFileW<br \/>\n0123456789ABCDEF<br \/>\ni.root-servers.org<br \/>\n%s.Stopped &#8220;%s&#8221; against removal of file!<br \/>\n%s.Stopped &#8220;%S&#8221; against moving the file!<br \/>\n%s.MSN-&gt; Done, MSG is sent<br \/>\n%s.MSN-&gt; Succesfully sent to %s!<br \/>\n%s.MSN-&gt; Message Pwned :)!<br \/>\nmsnmsg<br \/>\nmsnint<br \/>\nbaddr<br \/>\nX-MMS-IM-Format:<br \/>\nCAL %d %256s<br \/>\nmsnu<br \/>\nDone frst<br \/>\nssssssssssssss: %d<br \/>\nssssssssss: %d<br \/>\nNtFreeVirtualMemory<br \/>\nNtAllocateVirtualMemory<br \/>\nNtQuerySystemInformation<br \/>\nLdrEnumerateLoadedModules<br \/>\nNtQueryInformationProcess<br \/>\nLdrGetProcedureAddress<br \/>\nNtQueryVirtualMemory<br \/>\nLdrLoadDll<br \/>\nNtQueryInformationThread<br \/>\nLdrGetDllHandle<br \/>\nRtlAnsiStringToUnicodeString<br \/>\nntdll.dll<br \/>\n\\\\.\\pipe\\%s<br \/>\nkernel32.dll<br \/>\nGetNativeSystemInfo<br \/>\n%s_%d<br \/>\n%s_0<br \/>\n%s-Mutex<br \/>\nSeDebugPrivilege<br \/>\nntdll.dll<br \/>\nNtGetNextProcess<br 
\/>\n%s-pid<br \/>\n%s-comm<br \/>\nNtResumeThread<br \/>\nInternet Explorer\\iexplore.exe<br \/>\nPONG<br \/>\nJOIN #<br \/>\nPRIVMSG #<br \/>\n%s.Stopped &#8220;%S&#8221; against makin &#8220;%S&#8221;<br \/>\n%s.Stopped &#8220;%S&#8221; against makin &#8220;%S&#8221; &#8211; &#8220;%s&#8221; file deleted successfully!<br \/>\n.exe<br \/>\nautorun.inf<br \/>\n%s.Identified Proc- &#8220;%S&#8221; sending a suspicious message to %s:%d.<br \/>\n%s.Identified Proc- &#8220;%S&#8221; as malicious upon checking port %s:%d {Nigger: %s}.<br \/>\nPRIVMSG %255s<br \/>\nJOIN %255s<br \/>\nPRIVMSG<br \/>\nJOIN<br \/>\ncnc<br \/>\n%s:%d<br \/>\npidgin.exe<br \/>\nwlcomm.exe<br \/>\nmsnmsgr.exe<br \/>\nmsmsgs.exe<br \/>\nflock.exe<br \/>\nopera.exe<br \/>\nchrome.exe<br \/>\nieuser.exe<br \/>\niexplore.exe<br \/>\nfirefox.exe<br \/>\nNtSetInformationProcess<br \/>\n%s.%s%s<br \/>\n%S%s%s<br \/>\nHKCU\\<br \/>\nHKLM\\<br \/>\n%s.%S%S<br \/>\n%S%S%S<br \/>\nHKCU\\<br \/>\nHKLM\\<br \/>\nmsn<br \/>\n%s_<br \/>\naaaaa_%s<br \/>\noff<br \/>\n%s.%s (p=&#8217;%S&#8217;)<br \/>\npop3:\/\/%s:%s@%s:%d<br \/>\npopgrab<br \/>\n%s:%s@%s:%d<br \/>\nanonymous<br \/>\nftp:\/\/%s:%s@%s:%d<br \/>\nftpgrab<br \/>\n%s.%s -&gt;&gt; %s (%s : %s)<br \/>\n%s.%s -&gt;&gt; %s : %s<br \/>\nasdadasdsss<br \/>\nasds<br \/>\nsss<br \/>\nssssss<br \/>\nssss<br \/>\n%s-%s-%s<br \/>\ndasdsd<br \/>\nasdsds<br \/>\nMicrosoft Unified Security Protocol Provider<br \/>\n%s.ewfewewrtwertwerterfegergwregwergwergretretwerfrr &#8216;%s&#8217;<br \/>\nscr<br \/>\npif<br \/>\ncom<br \/>\n%s.eufhquwefh9wef89qwey8fhqwehf89hqwe89fh8w9ehf89h8e &#8216;%S&#8217;<br \/>\ndddddsds<br \/>\nasdasdsds<br \/>\n234534543324534545445<br \/>\n23423415644556<br \/>\n894848<br \/>\n89234543464554544<br \/>\n345487544<br \/>\n8944451<br \/>\n843456544<br \/>\n298548344565454458449<br \/>\n8344584458495<br \/>\n345234545<br \/>\n8344584544<br \/>\n2854844<br \/>\n81254848484450<br \/>\nsdfdfcs<br \/>\nasdsdsasffsds<br 
\/>\nssdasccxzxccefrg<br \/>\nerffssd<br \/>\neeefiyu<br \/>\netwegfg<br \/>\nerttergh<br \/>\nertrtgb<br \/>\nertgfd<br \/>\nerttrf<br \/>\nrrrr<br \/>\ndfhtrstgthgh<br \/>\nrthfg<br \/>\nertrtfdgfg<br \/>\ncvbhrthgfgh<br \/>\ndfbbghth<br \/>\nthtrhhgf<br \/>\ndfgdgggbvf<br \/>\ndfgerhrthth<br \/>\nrthhth<br \/>\ndfgrthrtggfgv<br \/>\nrthrtgtrhthrt<br \/>\ndgrthgfhhhg<br \/>\nipconfig.exe<br \/>\nverclsid.exe<br \/>\nregedit.exe<br \/>\nrundll32.exe<br \/>\ncmd.exe<br \/>\nregsvr32.exe<br \/>\nlogin[password]<br \/>\nlogin[username]<br \/>\n*members*.iknowthatgirl*\/members*<br \/>\nIKnowThatGirl<br \/>\n*youporn.*\/login*<br \/>\nYouPorn<br \/>\n*members.brazzers.com*<br \/>\nBrazzers<br \/>\nclave<br \/>\nnumeroTarjeta<br \/>\n*clave=*<br \/>\n*bcointernacional*login*<br \/>\nBcointernacional<br \/>\n*:2222\/CMD_LOGIN*<br \/>\n*whcms*dologin*<br \/>\n*:2086\/login*<br \/>\n*:2083\/login*<br \/>\n*:2082\/login*<br \/>\n*webnames.ru\/*user_login*<br \/>\nWebnames<br \/>\n*dotster.com\/*login*<br \/>\nDotster<br \/>\nloginid<br \/>\n*enom.com\/login*<br \/>\nEnom<br \/>\nlogin.Pass<br \/>\nlogin.User<br \/>\n*login.Pass=*<br \/>\n*1and1.com\/xml\/config*<br \/>\n1and1<br \/>\ntoken<br \/>\n*moniker.com\/*Login*<br \/>\nMoniker<br \/>\nLoginPassword<br \/>\nLoginUserName<br \/>\n*LoginPassword=*<br \/>\n*namecheap.com\/*login*<br \/>\nNamecheap<br \/>\nloginname<br \/>\n*godaddy.com\/login*<br \/>\nGodaddy<br \/>\nPassword<br \/>\nEmailName<br \/>\n*Password=*<br \/>\n*alertpay.com\/login*<br \/>\nAlertpay<br \/>\n*netflix.com\/*ogin*<br \/>\nNetflix<br \/>\n*thepiratebay.org\/login*<br \/>\nThepiratebay<br \/>\n*torrentleech.org\/*login*<br \/>\nTorrentleech<br \/>\n*vip-file.com\/*\/signin-do*<br \/>\nVip-file<br \/>\npas<br \/>\nlog<br \/>\n*pas=*<br \/>\n*sms4file.com\/*\/signin-do*<br \/>\nSms4file<br \/>\n*letitbit.net*<br \/>\nLetitbit<br \/>\n*what.cd\/login*<br \/>\nWhatcd<br \/>\n*oron.com\/login*<br \/>\nOron<br \/>\n*filesonic.com\/*login*<br 
\/>\nFilesonic<br \/>\n*speedyshare.com\/login*<br \/>\nSpeedyshare<br \/>\n*pw=*<br \/>\n*uploaded.to\/*login*<br \/>\nUploaded<br \/>\n*uploading.com\/*login*<br \/>\nUploading<br \/>\nloginUserPassword<br \/>\nloginUserName<br \/>\n*loginUserPassword=*<br \/>\n*fileserv.com\/login*<br \/>\nFileserve<br \/>\n*hotfile.com\/login*<br \/>\nHotfile<br \/>\n*4shared.com\/login*<br \/>\n4shared<br \/>\ntxtpass<br \/>\ntxtuser<br \/>\n*txtpass=*<br \/>\n*netload.in\/index*<br \/>\nNetload<br \/>\n*freakshare.com\/login*<br \/>\nFreakshare<br \/>\nlogin_pass<br \/>\n*login_pass=*<br \/>\n*mediafire.com\/*login*<br \/>\nMediafire<br \/>\n*sendspace.com\/login*<br \/>\nSendspace<br \/>\n*megaupload.*\/*login*<br \/>\nMegaupload<br \/>\n*depositfiles.*\/*\/login*<br \/>\nDepositfiles<br \/>\nuserid<br \/>\n*signin.ebay*SignIn<br \/>\neBay<br \/>\nrut<br \/>\n*officebanking.cl\/*login.asp*<br \/>\nOfficeBanking<br \/>\n*secure.logmein.*\/*logincheck*<br \/>\nLogMeIn<br \/>\nsession[password]<br \/>\nsession[username_or_email]<br \/>\n*password]=*<br \/>\n*twitter.com\/sessions<br \/>\nTwitter<br \/>\ntxtPassword<br \/>\ntxtEmail<br \/>\n*&amp;txtPassword=*<br \/>\n*.moneybookers.*\/*login.pl<br \/>\nMoneybookers<br \/>\n*runescape*\/*weblogin*<br \/>\nRunescape<br \/>\n*dyndns*\/account*<br \/>\nDynDNS<br \/>\n*&amp;password=*<br \/>\n*no-ip*\/login*<br \/>\nNoIP<br \/>\n*steampowered*\/login*<br \/>\nSteam<br \/>\nquick_password<br \/>\nquick_username<br \/>\nusername<br \/>\n*hackforums.*\/member.php<br \/>\nHackforums<br \/>\nemail<br \/>\n*facebook.*\/login.php*<br \/>\nFacebook<br \/>\n*login.yahoo.*\/*login*<br \/>\nYahoo<br \/>\npasswd<br \/>\nlogin<br \/>\n*passwd=*<br \/>\n*login.live.*\/*post.srf*<br \/>\nLive<br \/>\nTextfieldPassword<br \/>\nTextfieldEmail<br \/>\n*TextfieldPassword=*<br \/>\n*gmx.*\/*FormLogin*<br \/>\nGMX<br \/>\n*Passwd=*<br \/>\nGmail<br \/>\nFLN-Password<br \/>\nFLN-UserName<br \/>\n*FLN-Password=*<br \/>\n*fastmail.*\/mail\/*<br 
\/>\nFastmail<br \/>\npass<br \/>\nuser<br \/>\n*pass=*<br \/>\n*bigstring.*\/*index.php*<br \/>\nBigString<br \/>\nscreenname<br \/>\n*screenname.aol.*\/login.psp*<br \/>\npassword<br \/>\nloginId<br \/>\n*password=*<br \/>\n*aol.*\/*login.psp*<br \/>\nAOL<br \/>\nPasswd<br \/>\nEmail<br \/>\n*service=youtube*<br \/>\n*google.*\/*ServiceLoginAuth*<br \/>\nYouTube<br \/>\nlogin_password<br \/>\nlogin_email<br \/>\n*login_password=*<br \/>\n*paypal.*\/webscr?cmd=_login-submit*<br \/>\nPayPal<br \/>\n%s \/ ?%d HTTP\/1.1<br \/>\nHost: %s<br \/>\nUser-Agent: %s<br \/>\nKeep-Alive: 300<br \/>\nConnection: keep-alive<br \/>\nContent-Length: 42<br \/>\nGET<br \/>\nPOST<br \/>\nMozilla\/4.0<br \/>\nConnection: Close<br \/>\nX-a: b<br \/>\n\\\\.\\PHYSICALDRIVE0<br \/>\n00100<br \/>\n%d.<br \/>\nSeShutdownPrivilege<br \/>\nNtShutdownSystem<br \/>\nuwifhuewgfhkjhsduyrhdhd<br \/>\neiueriufjeidj<br \/>\nweiouriweojrioejeicn<br \/>\neriuioiuerhoiohwefhjidj<br \/>\newoueiuroyihehdkjjfbcn<br \/>\nSystem Issue<br \/>\nshell32.dll<br \/>\n&#8220;%s&#8221; %S<br \/>\nmsg<br \/>\nhttp<br \/>\nint<br \/>\nhttpi<br \/>\nusbi<br \/>\ndnsapi.dll<br \/>\nDnsFlushResolverCache<br \/>\nPOST<br \/>\nhttp:\/\/%s\/%s<br \/>\nhttp:\/\/%s\/<br \/>\nHTTP<br \/>\nHost:<br \/>\nPOST \/%1023s<br \/>\n.exe<br \/>\nlol<br \/>\nlol.exe<br \/>\n{%s|%s%s}%s<br \/>\nn%s{%s|%s%s}%s<br \/>\n&lt;br&gt;<br \/>\nERR<br \/>\n2K8<br \/>\nVIS<br \/>\n2K3<br \/>\nadmin<br \/>\nisadmin<br \/>\n127.0.0.1<br \/>\n%s|%s|%s<br \/>\nDnS Redir3cted!!!! 
&#8220;%s&#8221; to &#8220;%s&#8221;<br \/>\ndisabled<br \/>\nenabled<br \/>\n%s|%s<br \/>\n[Logins]: Cleared %d logins<br \/>\n#user<br \/>\n#admin<br \/>\n#new<br \/>\nremoving<br \/>\nexiting<br \/>\nreconnecting<br \/>\n332<br \/>\n433<br \/>\n001<br \/>\n376<br \/>\nMOTD<br \/>\nbsod<br \/>\ndisable<br \/>\nPOP3 -&gt;<br \/>\nFTP -&gt;<br \/>\n[d=&#8221;%s&#8221; s=&#8221;%d bytes&#8221;] Problem Found!: Check ur MD5 (%s != %s)<br \/>\ndlds<br \/>\nhttp:\/\/<br \/>\nR3b00tinG<br \/>\n[Login]: %s<br \/>\n[DNS]: Blocked %d domain(s) &#8211; Redirected %d domain(s)<br \/>\nasdasdweifuhwuiefggweihwuerhiiuhwerhueb<br \/>\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run<br \/>\n%s:Zone.Identifier<br \/>\nlolsup<br \/>\nrunning<br \/>\nIPC_Check<br \/>\nwininet.dll<br \/>\nsecur32.dll<br \/>\nws2_32.dll<br \/>\nshell\\open\\command=<br \/>\nshell\\explore\\command=<br \/>\nicon=shell32.dll,7<br \/>\nuseautoplay=1<br \/>\naction=Open folder to view files<br \/>\nshellexecute=<br \/>\n[autorun]<br \/>\n.lnk<br \/>\n%windir%\\system32\\cmd.exe<br \/>\n&amp;&amp;%%windir%%\\explorer.exe %%cd%%%s<br \/>\n\/c &#8220;start %%cd%%RECYCLER\\%s<br \/>\nRECYCLER<br \/>\n.inf<br \/>\n%s%s<br \/>\n\\\\.\\%c:<br \/>\n%S%S\\Desktop.ini<br \/>\n%s\\%s<br \/>\n%sautorun.tmp<br \/>\n%sautorun.inf<br \/>\n%c:\\<br \/>\ngdkWindowToplevelClass<br \/>\n%0x.exe<br \/>\ncomment-text<br \/>\n*bebo.*\/c\/home\/ajax_post_lifestream_comment<br \/>\nbebo Lifestream<br \/>\n*bebo.*\/c\/profile\/comment_post.json<br \/>\nbebo Comment<br \/>\nMessage<br \/>\n*bebo.*\/mail\/MailCompose.jsp*<br \/>\nbebo Message<br \/>\n*friendster.*\/sendmessage.php*<br \/>\nFriendster Message<br \/>\ncomment<br \/>\nFriendster Comment<br \/>\nshoutout<br \/>\n*friendster.*\/rpc.php<br \/>\nFriendster Shoutout<br \/>\n*vkontakte.ru\/mail.php<br \/>\nvkontakte Message<br \/>\n*vkontakte.ru\/wall.php<br \/>\nvkontakte Wall<br \/>\nmessage<br \/>\n*vkontakte.ru\/api.php<br \/>\nvkontakte Chat<br \/>\ntext<br 
\/>\n*twitter.*\/*direct_messages\/new*<br \/>\nTwitter Message<br \/>\n*twitter.*\/*status*\/update*<br \/>\nTwitter Tweet<br \/>\nstatus<br \/>\n*facebook.*\/ajax\/*MessageComposerEndpoint.php*<br \/>\nFacebook Message<br \/>\nmsg_text<br \/>\n*facebook.*\/ajax\/chat\/send.php*<br \/>\nFacebook IM<br \/>\n-_.!~*'()<br \/>\nContent-Length:<br \/>\n%s.%s hijacked!<br \/>\n%s=<br \/>\nMSG %d %s %d<br \/>\nMSG %d %1s<br \/>\nSDG %d %d<br \/>\nReliability:<br \/>\nFrom:<br \/>\nContent-Length: %d<br \/>\nX-MMS-IM-Format:<br \/>\nSDG %d<br \/>\nbmsn<br \/>\n%s_0x%08X<br \/>\nwinlogon.exe<br \/>\nexplorer.exe<br \/>\nRegCreateKeyExW<br \/>\nRegCreateKeyExA<br \/>\nadvapi32.dll<br \/>\nURLDownloadToFileW<br \/>\nURLDownloadToFileA<br \/>\nurlmon.dll<br \/>\nPR_Write<br \/>\nnspr4.dll<br \/>\nDnsQuery_W<br \/>\nDnsQuery_A<br \/>\ndnsapi.dll<br \/>\nInternetWriteFile<br \/>\nHttpSendRequestW<br \/>\nHttpSendRequestA<br \/>\nGetAddrInfoW<br \/>\nsend<br \/>\nCreateFileA<br \/>\nMoveFileW<br \/>\nMoveFileA<br \/>\nDeleteFileW<br \/>\nDeleteFileA<br \/>\nkernel23.dll<br \/>\nCopyFileW<br \/>\nCopyFileA<br \/>\nNtQueryDirectoryFile<br \/>\nNtEnumerateValueKey<br \/>\n%s\\%s.exe<br \/>\n%08x<br \/>\nOPEN<br \/>\nlsass.exe<br \/>\nFt7<br \/>\nDnsFree<br \/>\nDnsQuery_A<br \/>\nDNSAPI.dll<br \/>\nFreeContextBuffer<br \/>\nInitializeSecurityContextW<br \/>\nFreeCredentialsHandle<br \/>\nDeleteSecurityContext<br \/>\nQueryContextAttributesW<br \/>\nAcquireCredentialsHandleW<br \/>\nEncryptMessage<br \/>\nDecryptMessage<br \/>\nInitializeSecurityContextA<br \/>\nApplyControlToken<br \/>\nSecur32.dll<br \/>\nSHGetSpecialFolderPathW<br \/>\nSHGetFileInfoA<br \/>\nShellExecuteA<br \/>\nSHELL32.dll<br \/>\nInternetCloseHandle<br \/>\nInternetReadFile<br \/>\nInternetQueryDataAvailable<br \/>\nHttpQueryInfoA<br \/>\nInternetOpenUrlA<br \/>\nInternetOpenA<br \/>\nHttpQueryInfoW<br \/>\nInternetQueryOptionW<br \/>\nWININET.dll<br \/>\nPathAppendW<br \/>\nStrStrIA<br \/>\nPathAppendA<br 
\/>\nPathFindExtensionA<br \/>\nSHLWAPI.dll<br \/>\nWS2_32.dll<br \/>\nmemset<br \/>\nwcsstr<br \/>\nstrstr<br \/>\nwcsrchr<br \/>\n??3@YAXPAX@Z<br \/>\natoi<br \/>\nsscanf<br \/>\n_strcmpi<br \/>\nprintf<br \/>\n_snprintf<br \/>\nsprintf<br \/>\nstrncpy<br \/>\n_memicmp<br \/>\n_wcsnicmp<br \/>\n_vsnprintf<br \/>\n_stricmp<br \/>\nstrtok<br \/>\nstrchr<br \/>\n_snwprintf<br \/>\n??2@YAPAXI@Z<br \/>\n_strnicmp<br \/>\nisxdigit<br \/>\nmemmove<br \/>\nstrncmp<br \/>\ntoupper<br \/>\nstrrchr<br \/>\nvsprintf<br \/>\nisalnum<br \/>\nstrncat<br \/>\nMSVCRT.dll<br \/>\nlstrcpyA<br \/>\nMoveFileExA<br \/>\nlstrcmpA<br \/>\nWideCharToMultiByte<br \/>\nMoveFileExW<br \/>\nlstrcmpW<br \/>\nExitThread<br \/>\nMultiByteToWideChar<br \/>\nGetFileAttributesA<br \/>\nSetFileAttributesW<br \/>\nGetFileAttributesW<br \/>\nLoadLibraryW<br \/>\nCloseHandle<br \/>\nSetFileTime<br \/>\nCreateFileW<br \/>\nGetFileTime<br \/>\nGetSystemTimeAsFileTime<br \/>\nWriteFile<br \/>\nGetModuleHandleW<br \/>\nGetLastError<br \/>\nReadFile<br \/>\nGetTickCount<br \/>\nHeapAlloc<br \/>\nGetProcessHeap<br \/>\nHeapFree<br \/>\nlstrlenA<br \/>\nSleep<br \/>\nWriteProcessMemory<br \/>\nReadProcessMemory<br \/>\nInitializeCriticalSection<br \/>\nLeaveCriticalSection<br \/>\nEnterCriticalSection<br \/>\nHeapReAlloc<br \/>\nSetEvent<br \/>\nConnectNamedPipe<br \/>\nCreateNamedPipeA<br \/>\nCreateEventA<br \/>\nDisconnectNamedPipe<br \/>\nGetOverlappedResult<br \/>\nWaitForMultipleObjects<br \/>\nCreateFileA<br \/>\nVirtualFreeEx<br \/>\nVirtualAllocEx<br \/>\nIsWow64Process<br \/>\nCreateRemoteThread<br \/>\nOpenProcess<br \/>\nWaitForSingleObject<br \/>\nReleaseMutex<br \/>\nMapViewOfFile<br \/>\nOpenFileMappingA<br \/>\nCreateFileMappingA<br \/>\nInterlockedIncrement<br \/>\nUnmapViewOfFile<br \/>\nCreateMutexA<br \/>\nGetVersionExA<br \/>\nGetModuleFileNameW<br \/>\nInterlockedCompareExchange<br \/>\nCreateThread<br \/>\nGetWindowsDirectoryW<br \/>\nDeleteFileW<br \/>\nGetTempFileNameW<br 
\/>\nlstrcatW<br \/>\nlstrcpynW<br \/>\nDeleteFileA<br \/>\nSetFileAttributesA<br \/>\nlstrcpyW<br \/>\nLocalFree<br \/>\nLocalAlloc<br \/>\nlstrcpynA<br \/>\nSetFilePointer<br \/>\nDeviceIoControl<br \/>\nVirtualAlloc<br \/>\nCreateProcessW<br \/>\nExitProcess<br \/>\nlstrcatA<br \/>\nGetVolumeInformationW<br \/>\nGetLocaleInfoA<br \/>\nFlushFileBuffers<br \/>\nCopyFileW<br \/>\nFindClose<br \/>\nFindNextFileA<br \/>\nFindFirstFileA<br \/>\nSetCurrentDirectoryA<br \/>\nLockFile<br \/>\nGetFileSize<br \/>\nCreateDirectoryA<br \/>\nGetLogicalDriveStringsA<br \/>\nOpenMutexA<br \/>\nGetModuleFileNameA<br \/>\nGetWindowsDirectoryA<br \/>\nKERNEL32.dll<br \/>\nMessageBoxA<br \/>\nwvsprintfA<br \/>\nwsprintfW<br \/>\nDefWindowProcA<br \/>\nDispatchMessageA<br \/>\nTranslateMessage<br \/>\nGetMessageA<br \/>\nRegisterDeviceNotificationA<br \/>\nCreateWindowExA<br \/>\nRegisterClassExA<br \/>\nUSER32.dll<br \/>\nCryptGetHashParam<br \/>\nCryptDestroyHash<br \/>\nCryptHashData<br \/>\nCryptReleaseContext<br \/>\nCryptCreateHash<br \/>\nCryptAcquireContextA<br \/>\nAdjustTokenPrivileges<br \/>\nLookupPrivilegeValueA<br \/>\nOpenProcessToken<br \/>\nRegCloseKey<br \/>\nRegSetValueExW<br \/>\nRegCreateKeyExW<br \/>\nRegNotifyChangeKeyValue<br \/>\nRegSetValueExA<br \/>\nRegOpenKeyExA<br \/>\nADVAPI32.dll<br \/>\nCoCreateInstance<br \/>\nCoInitialize<br \/>\nole32.dll<br \/>\nw,a<br \/>\njp5<\/p>\n<p>See also IOCTL_STORAGE_QUERY_PROPERTY, the IOCTL behind the USB-drive check mentioned in the update (a constant, not a string in the dump).<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1364"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1364"}],"version-history":[{"count":5,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1364\/revisions"}],"predecessor-version":[{"id":1366,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1364\/revisions\/1366"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1364"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1364"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1364"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
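Two of the host checks listed in the update, reproduced on the documented user-mode Windows API as an added Python example (this is not code from the sample or from the post): the direct read of _KUSER_SHARED_DATA.ImageNumberLow at 7FFE002Ch, and the IOCTL_STORAGE_QUERY_PROPERTY query. The post only says the sample uses that IOCTL to decide whether the host's drive is USB; comparing STORAGE_DEVICE_DESCRIPTOR.BusType against BusTypeUsb, and running the query against the drive the image lives on, are this example's assumptions. The two ctypes wrappers only do anything on Windows and return None elsewhere; the parsing and decision functions, and make_descriptor(), which builds a constructed descriptor for testing, run anywhere.

```python
"""Two host checks from the update list, on the documented user-mode API.

Added example, not the worm's code. Pure functions run anywhere; the two
ctypes wrappers return None off Windows.
"""
import ctypes
import struct
import sys

# _KUSER_SHARED_DATA is mapped read-only at 0x7FFE0000 in every process;
# ImageNumberLow is the USHORT at offset 0x2C, hence the 7FFE002Ch read.
KUSER_SHARED_DATA_IMAGE_NUMBER_LOW = 0x7FFE002C
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# winioctl.h: CTL_CODE(IOCTL_STORAGE_BASE 0x2D, 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS)
IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400
STORAGE_DEVICE_PROPERTY = 0        # STORAGE_PROPERTY_ID.StorageDeviceProperty
PROPERTY_STANDARD_QUERY = 0        # STORAGE_QUERY_TYPE.PropertyStandardQuery
BUS_TYPE_USB = 7                   # STORAGE_BUS_TYPE.BusTypeUsb (assumed test value)

# STORAGE_DEVICE_DESCRIPTOR header: Version, Size (ULONG); DeviceType,
# DeviceTypeModifier, RemovableMedia, CommandQueueing (UCHAR); VendorIdOffset,
# ProductIdOffset, ProductRevisionOffset, SerialNumberOffset (ULONG);
# BusType (ULONG, at byte offset 28); RawPropertiesLength (ULONG).
_SDD_FMT = "<IIBBBBIIIIII"
_SDD_SIZE = struct.calcsize(_SDD_FMT)   # 36 bytes
_BUS_TYPE_INDEX = 10


def native_is_not_i386(image_number_low: int) -> bool:
    """The sample's test: anything but IMAGE_FILE_MACHINE_I386 (0x14C) counts as
    'not 32-bit Windows'. On x64 the field reads IMAGE_FILE_MACHINE_AMD64."""
    return image_number_low != IMAGE_FILE_MACHINE_I386


def read_image_number_low():
    """Read the USHORT at 0x7FFE002C directly, as the sample does (Windows only)."""
    if sys.platform != "win32":
        return None
    return ctypes.c_uint16.from_address(KUSER_SHARED_DATA_IMAGE_NUMBER_LOW).value


def make_descriptor(bus_type: int, removable: int = 0) -> bytes:
    """Constructed STORAGE_DEVICE_DESCRIPTOR header, for exercising the parser."""
    return struct.pack(_SDD_FMT, 1, _SDD_SIZE, 0, 0, removable, 0, 0, 0, 0, 0, bus_type, 0)


def bus_type_from_descriptor(buf: bytes) -> int:
    """STORAGE_DEVICE_DESCRIPTOR.BusType out of a DeviceIoControl output buffer."""
    if len(buf) < _SDD_SIZE:
        raise ValueError("buffer shorter than the STORAGE_DEVICE_DESCRIPTOR header")
    return struct.unpack_from(_SDD_FMT, buf)[_BUS_TYPE_INDEX]


def is_usb_bus(buf: bytes) -> bool:
    """Assumed decision: the drive is 'USB' iff BusType == BusTypeUsb (7)."""
    return bus_type_from_descriptor(buf) == BUS_TYPE_USB


def query_bus_type(drive_letter: str):
    """DeviceIoControl(\\\\.\\X:, IOCTL_STORAGE_QUERY_PROPERTY, ...) -> BusType (Windows only)."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.POINTER(ctypes.c_uint32), ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # dwDesiredAccess 0: this IOCTL needs no read/write access to the volume.
    handle = k32.CreateFileW(f"\\\\.\\{drive_letter}:", 0, 3, None, 3, 0, None)
    if handle is None or handle == ctypes.c_void_p(-1).value:   # NULL / INVALID_HANDLE_VALUE
        return None
    try:
        # STORAGE_PROPERTY_QUERY: PropertyId, QueryType, AdditionalParameters[1] (+ padding)
        query_bytes = struct.pack("<IIB3x", STORAGE_DEVICE_PROPERTY, PROPERTY_STANDARD_QUERY, 0)
        query = ctypes.create_string_buffer(query_bytes, len(query_bytes))
        out = ctypes.create_string_buffer(1024)
        returned = ctypes.c_uint32(0)
        ok = k32.DeviceIoControl(handle, IOCTL_STORAGE_QUERY_PROPERTY, query, len(query_bytes),
                                 out, len(out.raw), ctypes.byref(returned), None)
        return bus_type_from_descriptor(out.raw[:returned.value]) if ok else None
    finally:
        k32.CloseHandle(handle)


def image_drive_is_usb(path: str = sys.executable):
    """Assumed behaviour: the check runs against the drive the image lives on."""
    if not path:
        return None
    bus = query_bus_type(path[0])
    return None if bus is None else bus == BUS_TYPE_USB


if __name__ == "__main__":
    val = read_image_number_low()
    print("ImageNumberLow:", None if val is None else hex(val),
          "-> not i386:", None if val is None else native_is_not_i386(val))
    print("image drive is USB:", image_drive_is_usb())
```

When detonating the sample, keep in mind that a virtual system disk typically reports BusTypeAta or BusTypeSata (3 or 11), so whatever code is gated on this check will not run on a plain VM unless the image is started from a real or emulated USB device.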
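The blocks of strings running from `login[password]` down to `PayPal` read like a form-grabber target table: a password field name, a username field name, a `*field=*` glob for the POST body, a URL glob and a site label. Below is an added Python example, not code from the sample or from the post, that applies such a table to constructed HTTP requests the way a hook on HttpSendRequest, PR_Write or send would see them. The table is built only from groups that appear complete in the dump; several groups are incomplete, most likely because the compiler pooled identical literals (`Passwd`/`Email` and the Google URL glob are shared between the YouTube and Gmail entries, which is why Gmail shows only `*Passwd=*` and its label). The 5-tuple layout, the `*`-only wildcard syntax and the case-insensitive comparison (the import table has StrStrIA and _strnicmp, which fits) are assumptions.

```python
"""Form-grabber target matching reconstructed from the strings dump.

Added example, not the sample's code. TARGETS holds groups that appear
complete in the dump; the 5-tuple layout, the '*'-only wildcard syntax and
the case-insensitive comparison are assumptions about how the sample uses
these strings.
"""
import re
from urllib.parse import parse_qs

# (site label, URL glob, POST-body glob, username field, password field)
TARGETS = [
    ("PayPal",    "*paypal.*/webscr?cmd=_login-submit*", "*login_password=*",
     "login_email", "login_password"),
    ("Twitter",   "*twitter.com/sessions", "*password]=*",
     "session[username_or_email]", "session[password]"),
    ("GMX",       "*gmx.*/*FormLogin*", "*TextfieldPassword=*",
     "TextfieldEmail", "TextfieldPassword"),
    ("Fastmail",  "*fastmail.*/mail/*", "*FLN-Password=*",
     "FLN-UserName", "FLN-Password"),
    ("Namecheap", "*namecheap.com/*login*", "*LoginPassword=*",
     "LoginUserName", "LoginPassword"),
    ("Live",      "*login.live.*/*post.srf*", "*passwd=*",
     "login", "passwd"),
]


def glob_to_regex(pattern: str):
    """Compile a '*'-only wildcard into an anchored, case-insensitive regex.

    Every other character is literal. fnmatch() would be wrong here: the '?'
    in the PayPal pattern is part of the URL, and '[' / ']' occur in the
    Twitter field names, and fnmatch treats all of them as metacharacters.
    A pattern without a trailing '*' (Twitter) has to match the whole URL.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE | re.DOTALL)


_COMPILED = [(label, glob_to_regex(url_glob), glob_to_regex(body_glob), user_field, pw_field)
             for label, url_glob, body_glob, user_field, pw_field in TARGETS]


def targets_for_url(url: str) -> list:
    """Labels of every target whose URL glob matches; handy against proxy logs."""
    return [label for label, url_re, _, _, _ in _COMPILED if url_re.match(url)]


def grab(url: str, body: str):
    """Return (label, username, password) for the first target whose URL and
    body globs both match the request, or None if it is not of interest."""
    for label, url_re, body_re, user_field, pw_field in _COMPILED:
        if url_re.match(url) and body_re.match(body):
            fields = parse_qs(body, keep_blank_values=True)
            return (label,
                    fields.get(user_field, [""])[0],
                    fields.get(pw_field, [""])[0])
    return None


# Constructed requests, not captured traffic.
SAMPLE_REQUESTS = [
    ("https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit",
     "login_email=alice%40example.com&login_password=hunter2&submit.x=1"),
    ("https://twitter.com/sessions",
     "session[username_or_email]=bob&session[password]=s3cret"),
    # Same site, but the URL glob has no trailing '*', so the extra query
    # string stops the match.
    ("https://twitter.com/sessions?return_to=%2Fhome",
     "session[username_or_email]=bob&session[password]=s3cret"),
    ("https://www.example.org/login", "user=carol&pass=nope"),
]


def run_samples() -> list:
    """Apply grab() to every request in SAMPLE_REQUESTS."""
    return [grab(url, body) for url, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (url, _), hit in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{url}\n  -> {hit}")
```

The URL globs double as a cheap hunting list: feeding proxy or browser-history URLs through targets_for_url() tells you which of the sites this build cares about were visited from an infected host.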