2004-12-01T23:09:00+01:00
192.168.42.1 (Suse Linux 9.0)
handmade
$Id: example.xml,v 1.39 2004/03/29 10:45:58 mic Exp $
none
file://localhost/C:/malware/sample.rar
application/x-rar-compressed
340179
2f90bb1f9be68eecd28b715bfa2e9310de13812e
not analysed
cmd.exe
C:\windows
application/x-msdos-program
13be37723c374b95f18a059dd9ae1aee2119e98a
system core application
Command interpreter
signature
WinXP root certificate
From: "Infected User" user1@example.com
Subject: I send you this file in order to have your advice
date: Sat, 20 Oct 2001 15:42:11 +0200
Message-ID: <01234567.89ABCDEF@example.com>
multipart/mixed
boundary="1234567890"
Content-Transfer-Encoding: quoted-printable
text/plain
charset=ISO-8859-1
91
6f695fca1f1ef736c7f594d432de4371
not infected
possibly created by mass-mailing worm
Content-Transfer-Encoding: base64
application/mixed
name=Demo.doc.bat
157184
37a69526f514f7d9fa97f88914276f83
worm
W32
Sircam
@MM
From: "Infected User" user1@example.com
date: Sat, 20 Oct 2001 16:42:11 +0200
Message-ID: <89ABCDEF.01234567@example.com>
multipart/related
39791
87e8a2b0db14174e6eb295f3814985b2
worm
W32
Badtrans
B
@MM
hda
32c2841701931942130ff21aa9ab20c1
virus
Boot/Parity.B
fd0
0
b0d9bc3fea1bd97b9388ded4bbe93ca8
not infected
scsi0,0
64
66
3
DOS boot code
virus
unknown
multi(0)disk(0)rdisk(0)partition(1)
70
112
43
File Allocation Table
virus
Dir_II
multi(0)disk(0)rdisk(0)partition(1)
1048510
virus
Dir_II
tcp
12-34-56-ff-ff-cb-a9-87
192.168.1.2
631
918
10
6f2a464628809e9d896793892d589c9d
CAN-2003-0195
exploit: cups - denial of service
tcp
::192.168.1.1
135
tcp
0:0:0:0:0:0:192.168.1.1
137
tcp
FEC0:0:0:1:0:0:0:1
139
tcp
fec0:0:0:1::1
445
tcp
fec0:0000:0000:0001:0000:0000:0000:0001
111
tcp
fec00000000000010000000000000001
2049
tcp
c0a80101
80
tcp
C0A80101
25
tcp
192.168.1.1
22
possibly portscan
13005000
130050ff
256
084e6294e33aabae550fa4718922dbd1
worm
W32
SQLSlammer
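The connection records above spell the same two hosts in several notations: dotted quad (192.168.1.1), the deprecated IPv4-compatible IPv6 forms (::192.168.1.1, 0:0:0:0:0:0:192.168.1.1), full and zero-compressed IPv6 (fec0:0:0:1::1 and its expansions), and bare hexadecimal with no separators (c0a80101, fec00000000000010000000000000001), followed by a hex-encoded range (13005000 to 130050ff, 256 addresses). A consumer that keys on the raw strings would count one scanning host as nine. The following is an added example, not part of the original XML or of any tool it describes, showing how to canonicalise every notation on the page so that records for the same host collapse; the sample endpoint list is constructed from the values above, and treating an 8-hex-digit token as a hex IPv4 address (rather than a decimal number) is an assumption taken from the page's own usage, consistent with the count of 256 for the range.

```python
import ipaddress
import re

# Constructed sample: the (protocol, address, port) records above, with the
# address written in each notation the page uses.
SAMPLE_ENDPOINTS = [
    ("tcp", "::192.168.1.1", 135),
    ("tcp", "0:0:0:0:0:0:192.168.1.1", 137),
    ("tcp", "FEC0:0:0:1:0:0:0:1", 139),
    ("tcp", "fec0:0:0:1::1", 445),
    ("tcp", "fec0:0000:0000:0001:0000:0000:0000:0001", 111),
    ("tcp", "fec00000000000010000000000000001", 2049),
    ("tcp", "c0a80101", 80),
    ("tcp", "C0A80101", 25),
    ("tcp", "192.168.1.1", 22),
]

_HEX32 = re.compile(r"[0-9a-fA-F]{32}")   # IPv6 as 128 bits of bare hex
_HEX8 = re.compile(r"[0-9a-fA-F]{8}")     # IPv4 as 32 bits of bare hex


def normalize_address(text):
    """Return the canonical textual form of an address written in any of the
    notations above. IPv4 addresses carried inside IPv6 (::a.b.c.d and
    ::ffff:a.b.c.d) are reduced to plain IPv4 so the same host compares equal."""
    s = text.strip()
    if _HEX32.fullmatch(s):
        addr = ipaddress.IPv6Address(int(s, 16))
    elif _HEX8.fullmatch(s):
        # Assumption (from the page's usage, c0a80101 == 192.168.1.1): an
        # 8-hex-digit token is a hex IPv4 address, never a decimal number.
        addr = ipaddress.IPv4Address(int(s, 16))
    else:
        addr = ipaddress.ip_address(s)   # handles dotted, full, compressed
    if isinstance(addr, ipaddress.IPv6Address):
        if addr.ipv4_mapped is not None:          # ::ffff:a.b.c.d
            addr = addr.ipv4_mapped
        elif 0 < int(addr) < 2 ** 32:             # deprecated ::a.b.c.d
            addr = ipaddress.IPv4Address(int(addr))
    return str(addr)


def address_range(first_hex, last_hex):
    """Expand an inclusive hex-encoded IPv4 range (as in 13005000..130050ff)
    into dotted first/last addresses and the number of addresses covered."""
    first = ipaddress.IPv4Address(int(first_hex, 16))
    last = ipaddress.IPv4Address(int(last_hex, 16))
    if last < first:
        raise ValueError("range end precedes range start")
    return str(first), str(last), int(last) - int(first) + 1


def group_by_host(endpoints):
    """Collapse (proto, address, port) records onto their canonical host, so a
    scan logged under several spellings of one address shows up as one host."""
    hosts = {}
    for proto, address, port in endpoints:
        hosts.setdefault(normalize_address(address), set()).add((proto, port))
    return hosts


if __name__ == "__main__":
    for host, ports in sorted(group_by_host(SAMPLE_ENDPOINTS).items()):
        print(host, sorted(port for _, port in ports))
    print(address_range("13005000", "130050ff"))
```

Run stand-alone it prints two hosts, 192.168.1.1 with ports 22, 25, 80, 135, 137 and fec0:0:0:1::1 with ports 111, 139, 445, 2049, followed by the range 19.0.80.0 to 19.0.80.255 (256 addresses). Note that the bare-hex forms are ambiguous by length alone; the length checks are applied before `ipaddress` parsing because that parser rejects them.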
123456
a7050cc80c0a8c92da8346a3edc7e0cf
unknown
tcpdump
/usr/sbin
application/x-executable
16b579e3a0bbbe776dcac711afeb7471
3.7.2-36
3.7.2-72
ftp://vendor.example.com/update/tcpdump-3.7.2-72.i586.rpm
version number
online catalogue
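The tcpdump record above states an installed package version (3.7.2-36), the version offered by the vendor (3.7.2-72), the update URL, and that the comparison was done by version number against an online catalogue. Deciding "newer" for RPM versions is not a plain string or float comparison: segments are compared numerically where both are digits, lexically where both are letters, and a numeric segment outranks an alphabetic one. The following is an added example, not code from the original page or from rpm itself, that reimplements that ordering (without rpm's tilde and caret rules) and applies it to the two package file names from the record; the helper names and the installed file name are assumptions for illustration.

```python
import re

# Constructed from the record above: the installed package and the vendor's
# offered update (only the version and release differ).
INSTALLED_FILE = "tcpdump-3.7.2-36.i586.rpm"   # assumed file name for the installed package
OFFERED_URL = "ftp://vendor.example.com/update/tcpdump-3.7.2-72.i586.rpm"

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm orders them: split
    each into runs of digits and runs of letters, compare digit runs as
    integers (leading zeros dropped) and letter runs as strings, and rank a
    digit run above a letter run. If all shared segments are equal, the string
    with more segments is newer. Returns -1, 0 or 1. Tilde/caret rules are
    deliberately not implemented here."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def parse_rpm_filename(name):
    """Split a path or URL ending in name-version-release.arch.rpm into parts."""
    base = name.rsplit("/", 1)[-1]
    if not base.endswith(".rpm"):
        raise ValueError("not an rpm file name: %r" % name)
    stem, arch = base[:-4].rsplit(".", 1)
    pkg, version, release = stem.rsplit("-", 2)
    return {"name": pkg, "version": version, "release": release, "arch": arch}


def compare_evr(installed, offered):
    """Compare '[epoch:]version-release' strings; a missing epoch counts as 0.
    Epoch, then version, then release decide, each with rpm ordering."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return str(int(epoch or 0)), version, release
    for x, y in zip(split(installed), split(offered)):
        result = rpmvercmp(x, y)
        if result:
            return result
    return 0


def update_available(installed_file, offered_file):
    """True when the offered package has the same name and architecture as the
    installed one and a strictly newer version-release."""
    a, b = parse_rpm_filename(installed_file), parse_rpm_filename(offered_file)
    if (a["name"], a["arch"]) != (b["name"], b["arch"]):
        raise ValueError("packages differ in name or architecture")
    return compare_evr(a["version"] + "-" + a["release"],
                       b["version"] + "-" + b["release"]) < 0


if __name__ == "__main__":
    print(parse_rpm_filename(OFFERED_URL))
    print("update available:", update_available(INSTALLED_FILE, OFFERED_URL))
```

The name/architecture check matters in practice: a catalogue entry for a different architecture or a renamed package must not be reported as an available update simply because its version sorts higher.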
ps
/bin/
application/x-executable
1f62a7af07af53d5fed8d6a7f0b5879b
mtime: 2004-01-19 15:56
mtime: 2003-09-23 19:03
md5: 1f62a7af07af53d5fed8d6a7f0b5879b
md5: 852d7ca0f51415a4ee39bf90eaadb49a
checksum
local database: /media/cdrom/tw.db