I HAVE AN UNKNOWN VIRUS


disturb
May 8th, 2004, 05:48 PM
Hi, I have a virus that is undetectable to antivirus (tried Norton, McAfee and AVG). I'm not infected, I just downloaded it off the internet.

How do I give this file to an antivirus company?

:confused: :confused:



It formats your hard drive, and if the computer is turned off while it was running it starts back up before the computer boots.

MemorY
May 8th, 2004, 05:51 PM
What's the virus called?

disturb
May 8th, 2004, 06:00 PM
DRR

Do you collect viruses? :p


PS: missed your posts, MemorY. Where in the h$ll were you? :xbones:

MemorY
May 8th, 2004, 06:07 PM
This document describes how to submit a sample of a suspected virus to Symantec Security Response for testing.

http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031615501306?OpenDocument&src=sec_web_nam

I was here and there ;)

Cybr1d
May 8th, 2004, 06:08 PM
Where did you get this virus from? Can you zip it and attach it to a thread? I'd like to take a look at it if I could.

MemorY
May 8th, 2004, 06:13 PM
Thanks SwordFish, I looked for that site too, couldn't find it :)

SwordFish_13
May 8th, 2004, 06:16 PM
Hi

Sorry MemorY, the post got deleted when I was editing it. My mouse is acting weird, it's time to get a new one. And I am drinking too much beer :D


Symantec (http://securityresponse.symantec.com/avcenter/submit.html)

McAfee (http://vil.nai.com/vil/submit-sample.asp)

Aladdin's CSRT (http://www.eliashim.com/home/csrt/vsubmit.asp)



If you have Norton and it has detected a possible virus, it will ask you to quarantine it; you can send it from there, following the instructions given in the link. Cheers

--Good Luck--

disturb
May 8th, 2004, 06:33 PM
DON'T OPEN PLEASE!!!!!!!!!! WILL CAUSE DAMAGE

Don't be stupid and open this or this will happen :killcompu

PS: I will not be held responsible for the damages caused with this file.

Don't open.

bluthund
May 8th, 2004, 06:52 PM
:)
Question... to anybody...

If you append an extension such as .txt to the file (virus), would that disable it?

disturb
May 8th, 2004, 06:53 PM
I turned it in to McAfee and Norton and they said that they will take a look at it :D

disturb
May 8th, 2004, 06:55 PM
No, it won't.

To disable it you can quarantine it or encrypt it, but I recommend encrypting it.

jinxy
May 8th, 2004, 07:02 PM
I just submitted it to Symantec, so I guess we'll find out.

disturb
May 8th, 2004, 07:08 PM
Do any of you test viruses?

MemorY
May 8th, 2004, 07:16 PM
I used to, but I gave my 2 test machines away. I don't wanna try things out on this one, too many important files on it.

jinxy
May 8th, 2004, 07:18 PM
This is what I got:

78: !This program cannot be run in DOS mode.
441: .text
480: `.data
522: .rsrc
577: MSVBVM60.DLL
4123: PDssRsaTQs
4174: TQs\BDs
4198: EDssADs
4251: QsmYOs
4262: `Os0XQsaUQs
4310: ADstEDs
4318: UQsPOQs
4363: Qs"DDsi
5487: kColorDRR
5605: Form1
5615: > DRR 2004
6255: fffff
6279: 3ff3f
6399: f3ff3
6423: 33f33
6770: ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
7698: ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
7892: Form1
7934: TahomaDF
7952: Command1
7996: Text1
8024: }Welcome to DRR 2004.
8049: An unknown error has now occured in order to
8096: remove this error then please restart your computer.
8167: Image1
8188: GIF89a
8207: 333qqqwwdbba
8255: }}}yyy,,,JII
8282: UUFEEE
8300: {{p^]]
8309: RQQ###
8441: jjj::9
8450: lllnnnfff
8497: zKK>qq[
8597: ff_PPK
8609: ooowvvNMFEEA
8672: >>6jjf
8699: tssppp
8717: ???!!!
8741: GGG/..SSRhgh[[[WWWiii666
8777: mmmTTTfeecc`HHH
8843: 888cccLLL
8855: ```POPKKK
8885: CCC100\\\
8933: ;;;
9188: NJ\*0
9269: )4=3G
9366: !W4Q$
10279: A,XX@tS
10682: =(F1F0
10871: `D2P!
11456: F6 99
11666: p&Rs%
11727: PO`ur
12006: $4`}
12417: 2RPa7
14544: -Zw.R
14758: +Xpq?
14862: 9zn`N
15492: <78X=
16303: m}k\K
16388: HE:FQ
16710: B2H^U
16745: UA]QCg
16781: Dq1L@QH
16840: x0/{8
16855: W0?"P
17053: +d2+Xx
17446: zKNzK
17912: nPRBZ
18060: exJg@
18071: //8QK3
18189: )0&eS]
18735: e0<"h
18927: 3`h?sM
19258: \FHUv
19475: (hoR0
19614: D:\u
19623: :w9LP
19918: ES"mS
19924: ]0p K#'
20211: AEhu%B
20270: +S|6]
20582: F2j#Y
21364: RXE ,`PD
22077: H)(#;?
22170: Qo?1X,i:
22356: +4B4\
22698: B9D#5f
22721: TcWfe6
22761: %@YM&P
22955: 7AA0x
23258: aF-kFQd
23392: kTg""
23641: YjV(0
23871: qBdHB
23994: &FU;0
24043: N35Os4
24163: (XB!Dt-
24422: 6PBqsvg
25149: v<1F#
25360: *GA^V
25995: CZd)@
26056: \8(XY
26193: EXb~z
26316: D:3SU
26561: @P#(?
27157: E-Gc+|a
28115: #x`'S
28785: Drr 2004
30329: Form1
30337: Module1
30426: Command1
30454: C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
30531: v@,w@
30570: Text1
30618: Image1
30729: user32
30741: PaintDesktop
30813: advapi32.dll
30833: RegDeleteValueA
30905: ExitWindowsEx
30977: RegOpenKeyExA
31049: RegCloseKey
31153: RegCreateKeyA
31225: RegDeleteKeyA
31297: RegQueryValueExA
31373: RegSetValueExA
38337: VBA6.DLL
38349: __vbaFreeVar
38365: __vbaVarDup
38377: __vbaFreeStr
38393: __vbaSetSystemError
38413: __vbaStrToAnsi
38429: __vbaOnError
38445: __vbaFreeObj
38461: __vbaHresultCheckObj
38517: __vbaObjSetAddref
38537: __vbaNew2
39169: __vbaVarCmpNe
39441: __vbaVarAdd
39453: __vbaVarCmpEq
39469: __vbaVarOr
39481: __vbaBoolVarNull
39501: __vbaInStr
39513: __vbaErrorOverflow
39533: __vbaStrCat
39545: __vbaFreeVarList
39565: __vbaStrCmp
39577: __vbaStrCopy
39593: __vbaStrVarMove
39609: __vbaFreeStrList
39629: __vbaStrI2
39641: __vbaAryUnlock
39661: __vbaAryLock
39677: __vbaVarForNext
39693: __vbaStrMove
39709: __vbaUI1I2
39721: __vbaGenerateBoundsError
39749: __vbaI4Var
39761: __vbaVarForInit
39777: __vbaRedim
39789: __vbaLenBstr
39805: __vbaVarCopy
39821: __vbaVarMove
39837: __vbaStrToUnicode
46977: MSVBVM60.DLL
46993: __vbaStrI2
47007: _CIcos
47017: _adj_fptan
47031: __vbaVarMove
47047: __vbaFreeVar
47063: __vbaLenBstr
47079: __vbaStrVarMove
47097: __vbaFreeVarList
47117: _adj_fdiv_m64
47133: _adj_fprem1
47147: __vbaStrCat
47161: __vbaVarCmpNe
47177: __vbaSetSystemError
47199: __vbaHresultCheckObj
47223: _adj_fdiv_m32
47239: __vbaVarForInit
47257: __vbaOnError
47273: _adj_fdiv_m16i
47291: __vbaObjSetAddref
47311: _adj_fdivr_m16i
47329: __vbaBoolVarNull
47349: _CIsin
47359: __vbaChkstk
47373: EVENT_SINK_AddRef
47393: __vbaGenerateBoundsError
47421: __vbaStrCmp
47435: DllFunctionCall
47453: __vbaVarOr
47467: _adj_fpatan
47481: __vbaRedim
47495: EVENT_SINK_Release
47517: __vbaUI1I2
47531: _CIsqrt
47541: EVENT_SINK_QueryInterface
47569: __vbaExceptHandler
47591: __vbaStrToUnicode
47611: _adj_fprem
47625: _adj_fdivr_m64
47643: __vbaFPException
47663: _CIlog
47673: __vbaErrorOverflow
47695: __vbaInStr
47709: __vbaNew2
47721: _adj_fdiv_m32i
47739: _adj_fdivr_m32i
47757: __vbaStrCopy
47773: __vbaFreeStrList
47793: _adj_fdivr_m32
47811: _adj_fdiv_r
47825: __vbaI4Var
47839: __vbaVarCmpEq
47855: __vbaAryLock
47871: __vbaVarAdd
47885: __vbaStrToAnsi
47903: __vbaVarDup
47917: __vbaVarCopy
47933: _CIatan
47943: __vbaStrMove
47959: _allmul
47969: _CItan
47979: __vbaAryUnlock
47997: __vbaVarForNext
48015: _CIexp
48025: __vbaFreeObj
48041: __vbaFreeStr
54635: fffff
54659: 3ff3f
54779: f3ff3
54803: 33f33
55150: ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
56078: ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]

disturb
May 8th, 2004, 07:19 PM
Same with me, fixed and gave my test machine to a friend.

This is my second favorite type of virus to test because it's cool, but not as cool as overwriting viruses.

Cybr1d
May 8th, 2004, 07:22 PM
Now... my question is, how did you figure out that it's a virus? Where did you download it from?

What tools did you guys use to analyze the file? Where can I get some of those tools, preferably for Windows?

Soda_Popinsky
May 8th, 2004, 07:28 PM
Doesn't this have the same name as that program grim_reaper was claiming could make JPEG viruses?

disturb
May 8th, 2004, 07:29 PM
I know that it's a virus because it contained a readme file (I always read those) and it said what the virus does. And it came with snapshots.

Don't want to sound mean, but I'm not telling you where I got it from.

disturb
May 8th, 2004, 07:31 PM
Can you give me a link to that post?

SwordFish_13
May 8th, 2004, 07:33 PM
Hi

OK, I ran it on a test machine. Now let's see what I have got: a computer with all the display drivers gone, the network settings, drivers, adapters gone, and my Internet Explorer is f**ked up. I am still trying to repair it; IE was the worst hit by this thing, all the settings are gone.

As yet everything else seems to be fine. I reconfigured them and it's again working, and I am still trying to assess the damage. And the exe has a cool icon though :D.

The virus came with a self-explaining text file, disturb. Wow, when did the virus writers start doing that? And the funny icon too. And I don't think it's spreading or something; it's some kind of program to **** up some things on your system, nothing else. I might be wrong, but it's highly unlikely for somebody to write such a thing with a cool icon.

And my AVG didn't detect it, nor did HouseCall.

Soda_Popinsky
May 8th, 2004, 07:36 PM
http://www.antionline.com/showthread.php?threadid=256844#post737654

I believe I pulled the name DRR from that so called "jpeg virus"

Cybr1d
May 8th, 2004, 07:40 PM
I can always create a .exe program and attach a readme to it and claim it's a virus. Perhaps it's just a hoax??? Not denying that it might be a virus... but let's take into consideration all the aspects of this. It's fine if you do not want to post where you got it from... but is it OK to PM it to me? What's to hide?

The graphical icon that comes with it makes it even more suspicious of being a hoax... I don't know that much about viruses, but last time I checked they did not come in just .exe format... with a green skull icon?

thehitman
May 8th, 2004, 07:42 PM
I tested it on my test computer and it had an error message and it formatted my computer.

Cybr1d
May 8th, 2004, 07:44 PM
I tested it on my test computer and it had an error message and it formatted my computer.

Would it be possible to create a batch file to reformat the HDD when executed?

disturb
May 8th, 2004, 07:47 PM
I will PM it to you.

Make sure to read the site disclaimer.

disturb
May 8th, 2004, 07:51 PM
I had the link to the web site in my favorites, but it's not there.

Cybr1d
May 8th, 2004, 07:54 PM
What keywords did you use to search the website? ...Maybe the virus deleted the link?

SwordFish_13
May 8th, 2004, 08:01 PM
Hey thehitman

Can you describe what actually happened? I tried it on another comp. Same thing happened: it gave an error message "Your comp has problem please restart" and had an OK button; pressed it, nothing happened. But when I later restarted my comp, same thing as described above, but it didn't format my system. And this one doesn't have any AV.

Soda_Popinsky
May 8th, 2004, 08:11 PM
It could write a batch file to format on the next boot, but I don't think it could format while the OS is running. Maybe it edits/adds aut0ex3c.ba7? But I don't think that file even exists after 98.

Sorry about the 1337; NIS was giving me a false alarm with aut0ex3c.ba7 written correctly.

jinxy
May 8th, 2004, 08:12 PM
OK, if an AV product doesn't detect something on your PC but something starts to delete files or stuff up the registry, AV should kick in and warn you about virus-like activity. So if you can make an exe/batch file that tells you to reboot and then leaps in before your protection on boot-up, it should be able to do some damage before any protection can save your arse.

Could this be why we are seeing different results from people that have tried it out??

nihil
May 9th, 2004, 01:16 AM
Hi mate

do any of you test viruses?

yesssssssssssssssssss!

Not had a chance with this one yet... and I am not sorted out here (my new home/family home) yet.

Please PM me with any you come across, as well as posting the alert. I have five machines up now, so I have an ARV and a couple of lab rats (other two are wife & self :D). Rest to follow... five to build... but "I have to decorate the breakfast room"... so there?

Thanks for the interesting post

:D

cheyenne1212
May 9th, 2004, 01:58 AM
I'm looking at the file right now.

I can't see all of it yet, because I can't remember how to specify my viewing window, but here are some interesting things.

It deletes your reg keys for network connections and various other Windows components, and does something in the registry with Kazaa and Yahoo.

Oh, and it also does something with cmd.exe (MS-DOS).

If you had never tried to open the file you would have been fine.

Anyone remember how I can use edit in MS-DOS to display a certain amount of rows and columns?

nihil
May 9th, 2004, 02:10 AM
Just looking at the binary (well, my interpretation of it) I would say that it is a personal comms thing... Kazaa, Yahoo and probably AIM, PIRC, mIRC and the usual culprits... I suppose they chucked in e-mail as well.

If you people want to rip off recording companies and share pr0n... go do it... but please remember that you are not the only persons using the internet?

Yep... I am paranoid?

:)

cheyenne1212
May 9th, 2004, 02:19 AM
What are you using to view the file, nihil?

Lord_Of_Dragons
May 9th, 2004, 05:48 AM
Maybe this is the start of the viruses of the future that I read about in Computer Security Info Mag, called a Micro Code.

SwordFish_13
May 9th, 2004, 09:43 AM
Hi cheyenne1212

Anyone remember how I can use edit in MS-DOS to display a certain amount of rows and columns?

Edit /70 filename

Yes, it gets your network settings; all the connections were deleted. And your display driver: it busted my display driver too on both machines, and one of them was a dual boot with Windows 98 and Windows 2000. I ran it on Windows 98; it did bust all my network settings and connections and my display driver. It hardly took me 15 to get it running again. But the Windows 2000 I had to do a complete restore. It refused to start, just restarted after the initial startup screen without any error message. But there is no sign of it spreading, and yes, you are perfectly safe until you run it yourself. One thing more I noticed: when you run it, it first disables your AV.

OK, a few more things about this. It's made in Visual Basic 5 most probably, but can be VB 6 too. And during compiling and creation the whole project was stored in the folder called DarkSide, don't know if it rings a bell. All the paths given by this dumbo in the project are physical paths (e.g. C:\windows\cmd.exe and c:\winnt\cmd.exe), not relative, so my guess is it wouldn't work if the OS is not on the C drive. And it deletes a lot of registry keys, a hell of a lot of them: Kazaa, messengers, WinZip, Adobe etc. etc. Their registration information got f**ked up; I had to again key in the registration serials etc.

viruses of the future

Lol, no, I don't think so it's the viruses of the future. First, it's not designed to spread; it doesn't try to start itself at startup and take control, you would have to click it to start, and it has a funny icon that tells you not to click on it. It's not designed to create havoc or something; it's probably made by somebody for learning or to satisfy his ego most probably. And viruses try to spread; it doesn't spread.

Cybr1d
May 9th, 2004, 01:33 PM
Well then it's not a virus... malware indeed, but not a virus. Because you had to run it to activate it, wouldn't that make it a trojan?

nihil
May 9th, 2004, 03:35 PM
Hi Cheyenne,

Hands up... I was a coward... I used vi. I will have a go in Notepad a bit later... I was just looking for the "arrogant messages" bit, or for subtle hints like 29A, Cult of the Dead Cow, and so on?

:D

I will not go with Cybr1d in that it would technically be a trojan, because I have not found out how it is presented... OK, I am a "nitpicker", but to me:

1. This proggy will make your computer run twice as fast = trojan
2. Hey, take a look at my huge **** = virus

Just a thought?

disturb
May 9th, 2004, 03:57 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=257536#post744235) by nihil

2. Hey, take a look at my huge **** = virus

Just a thought?

lol :D

True, trojans would be more stealth-like than showing off.

PS, to SwordFish_13: viruses don't spread, worms do. Viruses screw something up or infect.

PS, I changed the icon to that so people would know it was dangerous. The icon it had before was a game icon.

Cybr1d
May 9th, 2004, 04:16 PM
If I may add, Nihil,

Look at my big Shlong = Worm?

SwordFish_13
May 9th, 2004, 04:19 PM
Hi disturb

If it had a game icon on it then I would categorise it as a Trojan Horse, because it pretended to be a harmless little game but when clicked did something destructive.

Web definitions for Trojan Horse
An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

Problem solved :D

jinxy
May 9th, 2004, 04:20 PM
If I may add also.

You will like this Great Tool = Re-format and re-install

I fell for that one once a long time ago. Lol

disturb
May 9th, 2004, 06:54 PM
SwordFish_13, I agree now that you put it that way.

nihil
May 9th, 2004, 09:09 PM
Look at my big Shlong = Worm?

Speak for yourself old chap...

Mind you... we have this feathered aviator, called a "blackbird" (Latin = turdus)

They like sucking worms...

Hmmmmmmmmmmmmm :p

Cybr1d
May 10th, 2004, 03:53 AM
Nihil....you're scaring me :D

jinxy
May 13th, 2004, 05:04 PM
I have finally had a reply from Symantec, below is the report:

Dear Anthony

We have analyzed your submission. The following is a report of our findings for each file you have submitted:

filename: C:\Documents and Settings\Anthony\My Documents\DRR.exe
machine: xxxxxxx
result: This file is infected with Trojan Horse

Developer notes:
C:\Documents and Settings\Anthony\My Documents\DRR.exe is a non-repairable threat. NAV with the latest beta definitions detects this. Please delete this file and replace it if necessary. Please follow the instructions at the end of this email message to install the latest beta definitions.

Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created beta definitions that will detect this threat. Please follow the instructions at the end of this email message to download and install the latest beta definitions.

Downloading and Installing Beta Definition Instructions:
1. Open your Web browser. If you are using a dial-up connection, connect to any Web site, such as: http://securityresponse.symantec.com/
2. Click this link to the ftp site: ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/beta/symcbetadefsi32.exe. If it does not go to the site (this could take a minute or so if you have a slow connection), copy and paste the address into the address bar of your Web browser and then press Enter.
3. When a download dialog box appears, save the file to the Windows desktop.
4. Double-click the downloaded file and follow the prompts.
----------------------------------------------------------------------
This message was generated by Symantec Security Response automation

Rootoo
May 13th, 2004, 07:49 PM
Hi All,
Long time lurker, first time poster.
Not beating a dead horse, I hope.
I don't know how much of this is VB and how much is his/her code.

BTW: McAfee VirusScan Enterprise 7.1 with the latest DAT file dated May 12 (#4360) doesn't see anything wrong with it.

Rootoo

Rootoo
May 13th, 2004, 07:51 PM
Doh! Thought I attached it. I'll just paste it.


File pos Mem pos ID Text
======== ======= == ====

0000004D 0040004D 0 !This program cannot be run in DOS mode.
000001B8 004001B8 0 .text
000001E0 004001E0 0 .data
00000208 00400208 0 .rsrc
00000240 00400240 0 MSVBVM60.DLL
0000101E 0040101E 0 RsaTQs
0000104D 0040104D 0 TQs\BDs
00001065 00401065 0 EDssADs
0000109A 0040109A 0 QsmYOs
000010A6 004010A6 0 Os0XQsaUQs
000010D5 004010D5 0 ADstEDs
000010DD 004010DD 0 UQsPOQs
0000110A 0040110A 0 Qs"DDsi
0000156E 0040156E 0 kColorDRR
000015E4 004015E4 0 Form1
000015EE 004015EE 0 > DRR 2004
00001A71 00401A71 0 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
00001E11 00401E11 0 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
00001ED3 00401ED3 0 Form1
00001EFC 00401EFC 0 TahomaD
00001F0F 00401F0F 0 Command1
00001F3B 00401F3B 0 Text1
00001F58 00401F58 0 Welcome to DRR 2004.
00001F70 00401F70 0 An unknown error has now occured in order to
00001F9F 00401F9F 0 remove this error then please restart your computer.
00001FE6 00401FE6 0 Image1
00001FFB 00401FFB 0 GIF89a
0000200E 0040200E 0 333qqqwwdbba
0000203E 0040203E 0 }}}yyy,,,JII
00002059 00402059 0 UUFEEE
00002074 00402074 0 RQQ###
000020F8 004020F8 0 jjj::9
00002101 00402101 0 lllnnnfff
00002130 00402130 0 zKK>qq[
00002194 00402194 0 ff_PPK
000021A0 004021A0 0 ooowvvNMFEEA
000021DF 004021DF 0 >>6jjf
000021FA 004021FA 0 tssppp
0000220C 0040220C 0 ???!!!
00002224 00402224 0 GGG/..SSRhgh[[[WWWiii666
00002248 00402248 0 mmmTTTfeecc
0000228A 0040228A 0 888cccLLL
00002299 00402299 0 POPKKK
000022B4 004022B4 0 CCC100\\\
000022E4 004022E4 0 ;;;
000023E3 004023E3 0 NJ\*0
00002434 00402434 0 )4=3G
00002495 00402495 0 !W4Q$
00002520 00402520 0 5gRS
00002826 00402826 0 A,XX@tS
000029B9 004029B9 0 =(F1F0
00002CBF 00402CBF 0 F6 99
00002D91 00402D91 0 p&Rs%
00003080 00403080 0 2RPa7
00003137 00403137 0 4:i2 T
000038CF 004038CF 0 -Zw.R
000039A5 004039A5 0 +Xpq?
00003C83 00403C83 0 <78X=
00003CF8 00403CF8 0 U$bk
00003FAE 00403FAE 0 m}k\K
00004003 00404003 0 HE:FQ 5@@
00004168 00404168 0 UA]QCg
0000418B 0040418B 0 Dq1L@
000041C7 004041C7 0 x0/{8
000041D6 004041D6 0 W0?"P
0000429C 0040429C 0 +d2+Xx
00004425 00404425 0 zKNzK
000045F7 004045F7 0 nPRBZ
0000468B 0040468B 0 exJg@
00004696 00404696 0 //8QK3
0000470C 0040470C 0 )0&eS]
0000492E 0040492E 0 e0<"h
00004B39 00404B39 0 \FHUv
00004C12 00404C12 0 (hoR0
00004C9D 00404C9D 0 D:\u
00004CA6 00404CA6 0 :w9LP
00004DCD 00404DCD 0 ES"mS
00004DD3 00404DD3 0 ]0p K#'
00004EF2 00404EF2 0 AEhu%B
00004F38 00404F38 0 XP&:
00005065 00405065 0 F2j#Y
00005373 00405373 0 RXE ,
0000563C 0040563C 0 H)(#;?
00005699 00405699 0 Qo?1X,i:
00005753 00405753 0 +4B4\
000058A9 004058A9 0 B9D#5f
000058B3 004058B3 0 3Rc |
000058BE 004058BE 0 e TcWfe6
000059AA 004059AA 0 7AA0x
00005AD9 00405AD9 0 aF-kFQd
00005B5F 00405B5F 0 kTg""
00005C58 00405C58 0 YjV(0
00005D3E 00405D3E 0 qBdHB
00005DEA 00405DEA 0 N35Os4
00005E62 00405E62 0 (XB!Dt-
00005F66 00405F66 0 PBqsvg
0000623C 0040623C 0 v<1F#
0000658A 0040658A 0 CZd)@
000065C7 004065C7 0 \8(XY
00006650 00406650 0 EXb~z
000066CB 004066CB 0 D:3SU
000067C0 004067C0 0 @P#(?
00006A14 00406A14 0 E-Gc+|a
00007070 00407070 0 Drr 2004
00007678 00407678 0 Form1
00007680 00407680 0 Module1
000076D8 004076D8 0 Command1
000076F4 004076F4 0 C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
00007768 00407768 0 Text1
00007798 00407798 0 Image1
00007808 00407808 0 user32
00007814 00407814 0 PaintDesktop
0000785C 0040785C 0 advapi32.dll
00007870 00407870 0 RegDeleteValueA
000078B8 004078B8 0 ExitWindowsEx
00007900 00407900 0 RegOpenKeyExA
00007948 00407948 0 RegCloseKey
000079B0 004079B0 0 RegCreateKeyA
000079F8 004079F8 0 RegDeleteKeyA
00007A40 00407A40 0 RegQueryValueExA
00007A8C 00407A8C 0 RegSetValueExA
000095C0 004095C0 0 VBA6.DLL
000095CC 004095CC 0 __vbaFreeVar
000095DC 004095DC 0 __vbaVarDup
000095E8 004095E8 0 __vbaFreeStr
000095F8 004095F8 0 __vbaSetSystemError
0000960C 0040960C 0 __vbaStrToAnsi
0000961C 0040961C 0 __vbaOnError
0000962C 0040962C 0 __vbaFreeObj
0000963C 0040963C 0 __vbaHresultCheckObj
00009674 00409674 0 __vbaObjSetAddref
00009688 00409688 0 __vbaNew2
00009900 00409900 0 __vbaVarCmpNe
00009A10 00409A10 0 __vbaVarAdd
00009A1C 00409A1C 0 __vbaVarCmpEq
00009A2C 00409A2C 0 __vbaVarOr
00009A38 00409A38 0 __vbaBoolVarNull
00009A4C 00409A4C 0 __vbaInStr
00009A58 00409A58 0 __vbaErrorOverflow
00009A6C 00409A6C 0 __vbaStrCat
00009A78 00409A78 0 __vbaFreeVarList
00009A8C 00409A8C 0 __vbaStrCmp
00009A98 00409A98 0 __vbaStrCopy
00009AA8 00409AA8 0 __vbaStrVarMove
00009AB8 00409AB8 0 __vbaFreeStrList
00009ACC 00409ACC 0 __vbaStrI2
00009AD8 00409AD8 0 __vbaAryUnlock
00009AEC 00409AEC 0 __vbaAryLock
00009AFC 00409AFC 0 __vbaVarForNext
00009B0C 00409B0C 0 __vbaStrMove
00009B1C 00409B1C 0 __vbaUI1I2
00009B28 00409B28 0 __vbaGenerateBoundsError
00009B44 00409B44 0 __vbaI4Var
00009B50 00409B50 0 __vbaVarForInit
00009B60 00409B60 0 __vbaRedim
00009B6C 00409B6C 0 __vbaLenBstr
00009B7C 00409B7C 0 __vbaVarCopy
00009B8C 00409B8C 0 __vbaVarMove
00009B9C 00409B9C 0 __vbaStrToUnicode
0000B780 0040B780 0 MSVBVM60.DLL
0000B790 0040B790 0 __vbaStrI2
0000B79E 0040B79E 0 _CIcos
0000B7A8 0040B7A8 0 _adj_fptan
0000B7B6 0040B7B6 0 __vbaVarMove
0000B7C6 0040B7C6 0 __vbaFreeVar
0000B7D6 0040B7D6 0 __vbaLenBstr
0000B7E6 0040B7E6 0 __vbaStrVarMove
0000B7F8 0040B7F8 0 __vbaFreeVarList
0000B80C 0040B80C 0 _adj_fdiv_m64
0000B81C 0040B81C 0 _adj_fprem1
0000B82A 0040B82A 0 __vbaStrCat
0000B838 0040B838 0 __vbaVarCmpNe
0000B848 0040B848 0 __vbaSetSystemError
0000B85E 0040B85E 0 __vbaHresultCheckObj
0000B876 0040B876 0 _adj_fdiv_m32
0000B886 0040B886 0 __vbaVarForInit
0000B898 0040B898 0 __vbaOnError
0000B8A8 0040B8A8 0 _adj_fdiv_m16i
0000B8BA 0040B8BA 0 __vbaObjSetAddref
0000B8CE 0040B8CE 0 _adj_fdivr_m16i
0000B8E0 0040B8E0 0 __vbaBoolVarNull
0000B8F4 0040B8F4 0 _CIsin
0000B8FE 0040B8FE 0 __vbaChkstk
0000B90C 0040B90C 0 EVENT_SINK_AddRef
0000B920 0040B920 0 __vbaGenerateBoundsError
0000B93C 0040B93C 0 __vbaStrCmp
0000B94A 0040B94A 0 DllFunctionCall
0000B95C 0040B95C 0 __vbaVarOr
0000B96A 0040B96A 0 _adj_fpatan
0000B978 0040B978 0 __vbaRedim
0000B986 0040B986 0 EVENT_SINK_Release
0000B99C 0040B99C 0 __vbaUI1I2
0000B9AA 0040B9AA 0 _CIsqrt
0000B9B4 0040B9B4 0 EVENT_SINK_QueryInterface
0000B9D0 0040B9D0 0 __vbaExceptHandler
0000B9E6 0040B9E6 0 __vbaStrToUnicode
0000B9FA 0040B9FA 0 _adj_fprem
0000BA08 0040BA08 0 _adj_fdivr_m64
0000BA1A 0040BA1A 0 __vbaFPException
0000BA2E 0040BA2E 0 _CIlog
0000BA38 0040BA38 0 __vbaErrorOverflow
0000BA4E 0040BA4E 0 __vbaInStr
0000BA5C 0040BA5C 0 __vbaNew2
0000BA68 0040BA68 0 _adj_fdiv_m32i
0000BA7A 0040BA7A 0 _adj_fdivr_m32i
0000BA8C 0040BA8C 0 __vbaStrCopy
0000BA9C 0040BA9C 0 __vbaFreeStrList
0000BAB0 0040BAB0 0 _adj_fdivr_m32
0000BAC2 0040BAC2 0 _adj_fdiv_r
0000BAD0 0040BAD0 0 __vbaI4Var
0000BADE 0040BADE 0 __vbaVarCmpEq
0000BAEE 0040BAEE 0 __vbaAryLock
0000BAFE 0040BAFE 0 __vbaVarAdd
0000BB0C 0040BB0C 0 __vbaStrToAnsi
0000BB1E 0040BB1E 0 __vbaVarDup
0000BB2C 0040BB2C 0 __vbaVarCopy
0000BB3C 0040BB3C 0 _CIatan
0000BB46 0040BB46 0 __vbaStrMove
0000BB56 0040BB56 0 _allmul
0000BB60 0040BB60 0 _CItan
0000BB6A 0040BB6A 0 __vbaAryUnlock
0000BB7C 0040BB7C 0 __vbaVarForNext
0000BB8E 0040BB8E 0 _CIexp
0000BB98 0040BB98 0 __vbaFreeObj
0000BBA8 0040BBA8 0 __vbaFreeStr
0000D76D 0040D76D 0 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
0000DB0D 0040DB0D 0 ]]]]]]]]]]]]]]]]]]]]]]]]]]]]]]
0000189E 0040189E 0 fff3f
0000192E 0040192E 0 3f333
000070A3 004070A3 0 @*\AD:\My Programs\Darkside\DRR 2004\Project1.vbp
000077E4 004077E4 0 Software\
00007958 00407958 0 Control Panel\
00007B00 00407B00 0 Network\
00007B18 00407B18 0 SRemote Access\
00007B3C 00407B3C 0 AppEvents\
00007B58 00407B58 0 Config\
00007B6C 00407B6C 0 Hardware\
00007B84 00407B84 0 System\
00007B98 00407B98 0 .DEFAULT\
00007BB0 00407BB0 0 Display\
00007BC8 00407BC8 0 System\CurrentControlSet\Control\Update\
00007C20 00407C20 0 Control Panel\Colours\
00007C54 00407C54 0 RemoteAccess\Profile\
00007C84 00407C84 0 Software\Microsoft\IEAK\
00007CBC 00407CBC 0 Software\Microsoft\Internet Explorer\
00007D10 00407D10 0 Software\Microsoft\IE4\
00007D44 00407D44 0 Software\Microsoft\Internet Domains\
00007D94 00407D94 0 Software\Microsoft\Internet Connection Wizard\
00007DF8 00407DF8 0 Software\Kazaa\
00007E1C 00407E1C 0 SOFTWARE\KAZAA\
00007E40 00407E40 0 Software\Microsoft\MessengerService\
00007E90 00407E90 0 Software\Microsoft\MSNMessenger\
00007ED8 00407ED8 0 Software\Symantec\
00007F04 00407F04 0 SOFTWARE\Symantec\
00007F30 00407F30 0 Software\Microsoft\Office\
00007F6C 00407F6C 0 Software\Adobe\
00007F90 00407F90 0 SOFTWARE\Adobe\
00007FB4 00407FB4 0 Software\Microsoft\MediaPlayer\
00007FF8 00407FF8 0 System\CurrentControlSet\Control\Print\Printers\
00008060 00408060 0 Software\Yahoo\
00008084 00408084 0 Config\0001\System\CurrentControlSet\Control\Print\Printers\
00008104 00408104 0 Control Panel\Appearance\Schemes\
0000814C 0040814C 0 Software\Microsoft\Telnet\
00008188 00408188 0 Software\Microsoft\TelnetServer\
000081D0 004081D0 0 Software\Yahoo\Audio Conferencing\
0000821C 0040821C 0 Software\Yahoo\Pager\
0000824C 0040824C 0 Software\Yahoo\YFriendsBar\
00008288 00408288 0 Software\Yahoo\YServer\
000082BC 004082BC 0 Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
0000833C 0040833C 0 Software\Microsoft\Windows NT\CurrentVersion\Policies\
000083B0 004083B0 0 Network\Logon\
000083D4 004083D4 0 C:\WINDOWS\system32\twain.dll
00008414 00408414 0 SYSTEM\ControlSet001\Services\RemoteAccess\Policy\
00008480 00408480 0 SOFTWARE\Policies\
000084AC 004084AC 0 Software\Policies\
000084D8 004084D8 0 Software\Microsoft\Windows\CurrentVersion\Policies\System\
00008554 00408554 0 C:\WINDOWS\Explorer.exe
00008588 00408588 0 C:\WINDOWS\regedit.exe
000085BC 004085BC 0 C:\WINDOWS\system32\cmd.exe
000085F8 004085F8 0 C:\WINDOWS\system32\Notepad.exe
0000863C 0040863C 0 C:\WINDOWS\system32\aaaamon.dll
00008680 00408680 0 C:\WINDOWS\system32\acctres.dll
000086C4 004086C4 0 C:\WINDOWS\system32\acledit.dll
00008708 00408708 0 C:\WINDOWS\system32\aclui.dll
00008748 00408748 0 C:\WINDOWS\system32\activeds.dll
00008790 00408790 0 C:\WINDOWS\system32\actxprxy.dll
000087DC 004087DC 0 C:\WINDOWS\system32\admparse.dll
00008824 00408824 0 C:\WINDOWS\system32\adptif.dll
00008868 00408868 0 C:\WINDOWS\system32\adsldp.dll
000088AC 004088AC 0 C:\WINDOWS\system32\adsldpc.dll
000088F0 004088F0 0 C:\WINDOWS\system32\adsmsext.dll
00008938 00408938 0 C:\WINDOWS\system32\adsnds.dll
0000897C 0040897C 0 C:\WINDOWS\system32\adsnt.dll
000089C0 004089C0 0 C:\WINDOWS\system32\adsnw.dll
00008A00 00408A00 0 C:\WINDOWS\system32\advapi32.dll
00008A48 00408A48 0 C:\WINDOWS\system32\advpack.dll
00008A8C 00408A8C 0 C:\WINDOWS\system32\alrsvc.dll
00008AD0 00408AD0 0 C:\WINDOWS\system32\amstream.dll
00008B18 00408B18 0 C:\WINDOWS\system32\calc.exe
00008B58 00408B58 0 C:\WINDOWS\system32\cliconfg.exe
00008BA4 00408BA4 0 C:\WINDOWS\system32\gpedit.exe
00008BE8 00408BE8 0 C:\WINDOWS\system32\iexpress.exe
00008C30 00408C30 0 C:\WINDOWS\system32\logon
00008C68 00408C68 0 C:\WINDOWS\system32\lusrmgr.msc
00008CAC 00408CAC 0 C:\WINDOWS\system32\migpwd.exe
00008CF0 00408CF0 0 C:\WINDOWS\system32\migpwd.dll
00008D34 00408D34 0 C:\WINDOWS\system32\mmc.exe
00008D70 00408D70 0 C:\WINDOWS\system32\devmgmt.exe
00008DB4 00408DB4 0 C:\WINNT\Explorer.exe
00008DE4 00408DE4 0 C:\WINNT\regedit.exe
00008E14 00408E14 0 C:\WINNT\system32\twain.dll
00008E50 00408E50 0 C:\WINNT\system32\Notepad.exe
00008E90 00408E90 0 C:\WINNT\system32\aaaamon.dll
00008ED0 00408ED0 0 C:\WINNT\system32\acctres.dll
00008F10 00408F10 0 C:\WINNT\system32\acledit.dll
00008F50 00408F50 0 C:\WINNT\system32\aclui.dll
00008F8C 00408F8C 0 C:\WINNT\system32\activeds.dll
00008FD0 00408FD0 0 C:\WINNT\system32\actxprxy.dll
00009014 00409014 0 C:\WINNT\system32\admparse.dll
00009058 00409058 0 C:\WINNT\system32\adptif.dll
00009098 00409098 0 C:\WINNT\system32\adsldp.dll
000090D8 004090D8 0 C:\WINNT\system32\adsldpc.dll
00009118 00409118 0 C:\WINNT\system32\adsmsext.dll
0000915C 0040915C 0 C:\WINNT\system32\adsnds.dll
0000919C 0040919C 0 C:\WINNT\system32\adsnt.dll
000091D8 004091D8 0 C:\WINNT\system32\adsnw.dll
00009214 00409214 0 C:\WINNT\system32\advapi32.dll
00009258 00409258 0 C:\WINNT\system32\advpack.dll
00009298 00409298 0 C:\WINNT\system32\alrsvc.dll
000092D8 004092D8 0 C:\WINNT\system32\amstream.dll
0000931C 0040931C 0 C:\WINNT\system32\calc.exe
00009358 00409358 0 C:\WINNT\system32\cliconfg.exe
0000939C 0040939C 0 C:\WINNT\system32\cmd.exe
000093D4 004093D4 0 C:\WINNT\system32\gpedit.exe
00009414 00409414 0 C:\WINNT\system32\iexpress.exe
00009458 00409458 0 C:\WINNT\system32\logon
0000948C 0040948C 0 C:\WINNT\system32\lusrmgr.msc
000094CC 004094CC 0 C:\WINNT\system32\migpwd.exe
0000950C 0040950C 0 C:\WINNT\system32\migpwd.dll
0000954C 0040954C 0 C:\WINNT\system32\mmc.exe
00009584 00409584 0 C:\WINNT\system32\devmgmt.exe
00009658 00409658 0 HKEY_DYN_DATA
000096A0 004096A0 0 Error
000096B0 004096B0 0 HKEY_CLASSES_ROOT
000096D8 004096D8 0 HKEY_CURRENT_USER
00009700 00409700 0 HKEY_LOCAL_MACHINE
0000972C 0040972C 0 HKEY_USERS
00009748 00409748 0 HKEY_PERFORMANCE_DATA
00009778 00409778 0 HKEY_CURRENT_CONFIG
000097A8 004097A8 0 The Registry Database is corrupt!
000097F0 004097F0 0 Bad Key Name
00009810 00409810 0 Can't Open Key
00009834 00409834 0 Can't Read Key
00009858 00409858 0 Access to this key is denied
00009898 00409898 0 Can't Write Key
000098BC 004098BC 0 Out of memory
000098DC 004098DC 0 Invalid Parameter
00009914 00409914 0 There is more data than the buffer has been allocated to hold.
00009998 00409998 0 Undefined Error Code:
000099D4 004099D4 0 HKEY_
000099E4 004099E4 0 Incorrect Format:
0000D0F6 0040D0F6 0 VS_VERSION_INFO
0000D152 0040D152 0 VarFileInfo
0000D172 0040D172 0 Translation
0000D196 0040D196 0 StringFileInfo
0000D1BA 0040D1BA 0 040904B0
0000D1D2 0040D1D2 0 Comments
0000D1E4 0040D1E4 0 DRR 2004
0000D1FE 0040D1FE 0 CompanyName
0000D226 0040D226 0 ProductName
0000D240 0040D240 0 DRR 2004
0000D25A 0040D25A 0 FileVersion
0000D286 0040D286 0 ProductVersion
0000D2B6 0040D2B6 0 InternalName
0000D2DE 0040D2DE 0 OriginalFilename
0000D300 0040D300 0 DRR.exe
0000D59A 0040D59A 0 fff3f
0000D62A 0040D62A 0 3f333
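
An added example, not tooling from anyone in the thread: a small Python script that does what jinxy, cheyenne1212, nihil and Rootoo did by hand with strings, BinText and vi, and answers Cybr1d's question about tools. It pulls printable ASCII and UTF-16LE strings out of a binary with their file offsets, then sorts them into the indicator classes visible in Rootoo's dump: the VB6 runtime import, the advapi32 registry exports (RegDeleteKeyA and RegDeleteValueA beside RegOpenKeyExA), registry key paths, hard-coded absolute paths under C:\WINDOWS and C:\WINNT, and the leftover VB project path. The is_pe check also speaks to bluthund's question about renaming the file to .txt: it looks at the MZ/PE bytes, not the extension, so the name changes nothing about what the file is. The bytes inside build_sample() are constructed for the demo from the string categories in the posted dump; they are not the real DRR.exe, and every function and bucket name here is this example's own.

```python
"""Static strings triage of a suspect Win32 PE (added example, not thread tooling).
Input is CONSTRUCTED: a minimal MZ/PE header plus indicator strings of the kinds
seen in the posted dumps. It is not the real DRR.exe."""
import re
import struct

MIN_LEN = 5

# advapi32 registry exports listed in the dump. RegDeleteKeyA/RegDeleteValueA
# next to a long run of Software\... paths is the signature of a key-wiper.
REGISTRY_APIS = {
    "RegOpenKeyExA", "RegCloseKey", "RegCreateKeyA", "RegDeleteKeyA",
    "RegDeleteValueA", "RegQueryValueExA", "RegSetValueExA",
}
SHUTDOWN_APIS = {"ExitWindowsEx"}   # user32: forces the "please restart" reboot

REG_KEY_RE = re.compile(
    r"^(HKEY_[A-Z_]+\\|Software\\|System\\|Control Panel\\|Network\\|"
    r"Config\\|\.DEFAULT\\)", re.I)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def is_pe(data: bytes) -> bool:
    """Content check: 'MZ' magic and 'PE\\0\\0' at e_lfanew (offset 0x3C).
    The file name plays no part, so DRR.exe renamed to DRR.txt is the same PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes):
    """Yield (file_offset, text, encoding). VB6 stores its own literals as
    UTF-16LE, which an ASCII-only strings pass silently misses."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), m.group().decode("ascii"), "ascii"
    for m in UTF16_RE.finditer(data):
        yield m.start(), m.group().decode("utf-16-le"), "utf-16le"


def triage(data: bytes) -> dict:
    """Bucket every string into the indicator classes seen in the dump."""
    report = {"is_pe": is_pe(data), "runtime_dlls": [], "registry_apis": [],
              "shutdown_apis": [], "registry_keys": [], "file_paths": [],
              "build_artifacts": [], "strings": []}
    for off, s, enc in extract_strings(data):
        report["strings"].append((off, s, enc))
        if s in REGISTRY_APIS:
            report["registry_apis"].append(s)
        elif s in SHUTDOWN_APIS:
            report["shutdown_apis"].append(s)
        elif DRIVE_PATH_RE.match(s):
            # .vbp/.olb paths are build leftovers that expose the author's folders
            key = "build_artifacts" if s.lower().endswith((".vbp", ".olb")) else "file_paths"
            report[key].append(s)
        elif s.lower().endswith(".dll"):
            report["runtime_dlls"].append(s)
        elif REG_KEY_RE.match(s):
            report["registry_keys"].append(s)
    return report


def verdict(report: dict) -> str:
    """One-line reading of the static indicators; no dynamic analysis involved."""
    if not report["is_pe"]:
        return "not a PE image"
    wipers = {"RegDeleteKeyA", "RegDeleteValueA"} & set(report["registry_apis"])
    if wipers and report["registry_keys"]:
        return ("PE importing %s with %d hard-coded registry paths: likely key-wiper"
                % ("/".join(sorted(wipers)), len(report["registry_keys"])))
    return "PE with no destructive registry indicators in strings"


def build_sample() -> bytes:
    """CONSTRUCTED stand-in binary; strings mirror categories in the posted dump."""
    hdr = bytearray(0x84)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)      # e_lfanew -> PE signature
    hdr[0x80:0x84] = b"PE\x00\x00"
    ascii_strings = [
        b"!This program cannot be run in DOS mode.", b"MSVBVM60.DLL",
        b"advapi32.dll", b"RegOpenKeyExA", b"RegDeleteKeyA", b"RegDeleteValueA",
        b"RegSetValueExA", b"ExitWindowsEx", b"Software\\Kazaa\\",
        b"Software\\Symantec\\",
        b"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\",
        b"C:\\WINDOWS\\system32\\cmd.exe", b"C:\\WINNT\\system32\\cmd.exe",
        b"D:\\My Programs\\Darkside\\DRR 2004\\Project1.vbp",
    ]
    body = b"\x00".join(ascii_strings) + b"\x00\x00"
    body += "Welcome to DRR 2004.".encode("utf-16-le") + b"\x00\x00"
    return bytes(hdr) + b"\x00" * 0x10 + body


if __name__ == "__main__":
    rep = triage(build_sample())
    for off, s, enc in rep["strings"]:
        print("%08X  %-8s %s" % (off, enc, s))
    print(verdict(rep))
```

Run it on a real sample with `triage(open(path, "rb").read())`. The output is a BinText-style listing plus a one-line verdict; it tells you what the binary names, not what it does, which is why the people who actually ran it on lab machines still saw things (display drivers, network settings) that the strings alone do not spell out.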

luksmann
May 14th, 2004, 03:13 PM
Does a lot of things, that trojan... or virus... or whatever.