VirusTotal now reports 25/39 hits. Which means that after nearly three
months of it being known to the anti-malware community, more than 33% of
anti-malware packages *still* don't recognise it, including several
'household' names e.g. McAfee, AntiVir, Avast!, PCTools, PrevX. Even
Microsoft's product detected it!
The participating vendors have access to the sample files submitted to
VirusTotal and would surely have received it through other sources as well.
So why aren't we seeing close to 39/39 hits? Are their specialists *that*
overloaded? Incompetent?
If they can't even detect this malware, what trust can we have in
anti-malware products?
And where does that leave anti-malware benchmarking? Scoring close to 100%
in a benchmark but missing the bleedin' obvious in live use doesn't
re-assure me at all.
This could have been either Conficker.A or Conficker.B, given the stated
date.
> VirusTotal now reports 25/39 hits. Which means that after nearly three
> months of it being known to the anti-malware community, more than 33% of
> anti-malware packages *still* don't recognize it, including several
> 'household' names e.g. McAfee, AntiVir, Avast!, PCTools, PrevX. Even
> Microsoft's product detected it!
>
> The participating vendors have access to the sample files submitted to
> VirusTotal and would surely have received it through other sources as well.
>
> So why aren't we seeing close to 39/39 hits? Are their specialists *that*
> overloaded? Incompetent?
>
> If they can't even detect this malware, what trust can we have in
> anti-malware products?
>
> And where does that leave anti-malware benchmarking? Scoring close to 100%
> in a benchmark but missing the bleedin' obvious in live use doesn't
> re-assure me at all.
Going back *over* 4 weeks ago, it was /then/ my understanding that the
Conficker.A, Conficker.B and Conficker.B++ worms existed in their
_basic_ form. Also I had read, at *that* time, that >300 variations of
those basic three existed. ...and now, we have their mama, Conficker.C
and many weeks for all of these to flourish with more variants
coming from the minds of the bad folks.
I believe this problem is like none we've seen before.
Would you please post a reply with the reported identity(s) of the worm
you found?
Do you believe that most of the big named antimalware producers have
received samples of /most/ all of the strains?
If you believe you've successfully purged your customer's system, what
tool(s) did you employ to eradicate the Conficker worm? If you still
have a copy of the virustotal URL report, that would even be better.
I'm sure that many of us share in your obvious frustration.
Pete
Pete, here are the before and after reports from VirusTotal:
File has already been analysed:
MD5: 7d9542ef7c46ed5e80c23153dd5319f2
First received: 01.04.2009 23:55:36 (CET)
Date: 03.27.2009 10:53:21 (CET) [+1D]
Results: 26/40
Permalink: analisis/0b687a1372ad6cc095f0dad3dd26198c
File autorun.inf received on 03.28.2009 15:58:19 (CET)
Current status: finished
Result: 25/39 (64.11%)
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.28 Net-Worm.Win32.Kido!IK
AhnLab-V3 5.0.0.2 2009.03.28 Win32/Conficker.worm
AntiVir 7.9.0.129 2009.03.27 -
Antiy-AVL 2.0.3.1 2009.03.28 -
Authentium 5.1.2.4 2009.03.27 JS/AutoRun
Avast 4.8.1335.0 2009.03.27 -
AVG 8.5.0.285 2009.03.28 Worm/Generic_c.ZS
BitDefender 7.2 2009.03.28 Trojan.Autorun.AET
CAT-QuickHeal 10.00 2009.03.28 -
ClamAV 0.94.1 2009.03.28 Worm.Autorun-1838
Comodo 1087 2009.03.28 Unclassified Malware
DrWeb 4.44.0.09170 2009.03.28 Win32.HLLW.Shadow
eSafe 7.0.17.0 2009.03.27 -
eTrust-Vet 31.6.6421 2009.03.27 INF/Conficker
F-Prot 4.4.4.56 2009.03.27 JS/AutoRun
F-Secure 8.0.14470.0 2009.03.28 Worm:W32/Downaduprun.A
Fortinet 3.117.0.0 2009.03.28 -
GData 19 2009.03.28 Trojan.Autorun.AET
Ikarus T3.1.1.48.0 2009.03.28 Net-Worm.Win32.Kido
K7AntiVirus 7.10.684 2009.03.28 Trojan.BAT.Autorun.IWB
Kaspersky 7.0.0.125 2009.03.28 Net-Worm.Win32.Kido.ih
McAfee 5566 2009.03.27 -
McAfee+Artemis 5566 2009.03.27 -
McAfee-GW-Edition 6.7.6 2009.03.28 -
Microsoft 1.4502 2009.03.28 Worm:Win32/Conficker.B!inf
NOD32 3972 2009.03.28 INF/Conficker
Norman 6.00.06 2009.03.27 BAT/Autorun.IWB
nProtect 2009.1.8.0 2009.03.28 -
Panda 10.0.0.10 2009.03.27 W32/Conficker.C.worm
PCTools 4.4.2.0 2009.03.28 -
Prevx1 V2 2009.03.28 -
Rising 21.22.52.00 2009.03.28 -
Sophos 4.40.0 2009.03.28 Mal/ConfInf-A
Sunbelt 3.2.1858.2 2009.03.28 INF.Autorun (v)
Symantec 1.4.4.12 2009.03.28 W32.Downadup!autorun
TheHacker 6.3.3.8.294 2009.03.28 W32/Conficker.autorunL
TrendMicro 8.700.0.1004 2009.03.28 TROJ_DOWNAD.AD
VBA32 3.12.10.1 2009.03.27 -
ViRobot 2009.3.27.1666 2009.03.27 INF.Autorun.59288.B
Additional information
File size: 59288 bytes
MD5...: 7d9542ef7c46ed5e80c23153dd5319f2
SHA1..: f49fa573a973500d37df219d6055fd4a50f7931f
SHA256: dfc1f69b3efc968310ed8901eda055ea40fa488059a6a3763c356539820ccc3e
SHA512: 1fb7746bdff15739b2a8ff7bb52517457ac820d4bfd26efa516555db836e3ff1f605ed399aaf0d9b83a8aa9dbf4b199398fc6626e5ff0ee98a00363404b36c56
ssdeep: 1536:uvE5/VJ8m0HJnppEnANcFqAsVH8cORecS/1:ksh6pl/H8nRK
PEiD..: -
TrID..: File type identification
Text - UTF-16 (LE) encoded (66.6%)
MP3 audio (33.3%)
PEInfo: -
RDS...: NSRL Reference Data Set -
packers (Authentium): Unicode
packers (F-Prot): Unicode
The primary code-base for conficker is a .DLL file I believe.
If so, that's the file you should have sent to Virus Total.
Conficker was but one of the problems this system had. Initially it
displayed very obvious symptoms of a WinFixer type rogue AV infection -
banner on the desktop wallpaper and pop-ups announcing a gazillion spurious
infections - so I set MBAM onto it, followed by SuperAntispyware, Spybot
S&D and then Kaspersky AVP.
To be sure I'd got rid of the Conficker infection I used specific fix tools
from Symantec and Bit Defender. I later ran the latest Microsoft MRT.exe
and it still found 5 infected files after all of the others!
The cleanup post-infection was a challenge as well. No network access at
first, fixed by running WinsockXPfix and rebooting. Couldn't get it to
accept Service Pack 3 because of Access Denied errors - probably a defence
mechanism planted by one or other of the malware items. Resetting the registry
and the file permissions per Microsoft's kb949377 did the trick -
eventually - the fix wouldn't complete because a program it depends on
(secedit.exe) was missing from the target system.
It has taken two elapsed days to clean up, mostly unattended I hasten to
add.
> I'm sure that many of us share in your obvious frustration.
I'm frustrated because, whilst most of us can understand that a 'day-zero'
infector may well get through the best defences, you at least expect the
industry to be on top of the headline-grabbing ones that have been around
for weeks.
> Frazer Jolly Goodfellow wrote:
>
>> I 'harvested' the autorun.inf file it deposited on a test USB
>> memory stick and submitted it to virustotal.com.
>
> The primary code-base for conficker is a .DLL file I believe.
Oh thanks for that insight. I understand that the .DLLs are randomly named,
so next time I should submit all of the .DLL files, one at a time, just in
case.
>
> If so, that's the file you should have sent to Virus Total.
... so the autorun.inf file planted on removable media to infect the next
PC it's plugged into isn't significant? Wouldn't it be useful if the AV
software on that PC could recognise it before it is executed?
This report is *so* informative as it certainly underscores your
troubles in tussling with this infestation. Unless I'm mistaken, this
Conficker is identified as /any/ of the A, B or C variants!
VG has posed a great question. However, I wonder if any of the
Confickers deletes all traces of the first/original .dll infector file?
Thank you kindly for posting this! Much appreciated.
You sent them a text file?
Maybe sending the executable would get better results.
It should be referred to in the affected autorun.inf file.
Right Virus Guy!
Funny how many did detect this malicious text file as vaguely
confickerlike.
Heavily obfuscated I fear - here's a sample from the start of the file:
> "Frazer Jolly Goodfellow" <inv...@invalid.invalid> wrote in message
> news:1ryrir2qcs2ch$.12yh1ai2ktory.dlg@40tude.net...
>> I've just finished cleaning up a customer PC that was riddled with
>> malware,
>> including the much-publicised Downadup/Conficker worm. To confirm the
>> latter, I 'harvested' the autorun.inf file it deposited on a test USB
>> memory stick and submitted it to virustotal.com.
>
> You sent them a text file?
Why not? Most AV software will detect .BAT, .CMD and other script files
which are in text format.
>
> Maybe sending the executable would get better results.
Which executable would that be?
The point is that it is as dangerous as an .EXE file. If you plug a memory
stick with that specific file in its root directory into an unpatched PC
with autorun not disabled, it can cause that PC to become infected with a
worm that has been known to be in the wild for three months or more. And
33% of VirusTotal's chosen sample of representative AV programs that
purport to protect PCs from such infectors *don't detect it*.
A PC can become infected via the autorun.inf file being present on a USB
memory stick that is plugged into the PC. So the AV software needs to
detect that file, which is the primary infector. The randomly-named .DLL
file(s) come later - by which time it's too late!
Is the "autorun" and/or "autoplay" actually broken, or is it only being
abused?
If it is being abused, it is a method to get the worm body to execute on
the machine. If it is broken, then this is an exploit vector (which I am
not convinced is the case here) and the worm body can be fetched and
executed by the compromised process.
> So the AV software needs to detect that file, which is the primary
> infector.
It is an ingress vector and does need to be detected. If it is an abuse
of the autorun or autoplay function, it cannot necessarily *identify*
the malware - you need the executable for that.
> The randomly-named .DLL
> file(s) come later - by which time it's too late!
The DLL *is* the worm body.
> I understand that the .DLLs are randomly named, next time I should
> submit all of the .DLL files, one at a time, just in case.
Yes, it will be randomly named (which should be somewhat easy to pick
out, for a human anyways). It will be located in either the System32
directory, program files or the user's temporary files folder.
One characteristic is that it will have the same date-stamp as the
host's kernel32.dll file.
So find kernel32.dll, look at its date (not sure if it's created or
modified date you want) then search the entire system (including hidden
and system files) for all .dll files with the same date. Then visually
scan the list and look for a "randomly-named" file. The bone-heads who
wrote a write-up I was reading about it don't mention the typical size
for this file, which would help to narrow it down.
http://mtc.sri.com/Conficker/addendumC/index.html
The file will have its write and delete privileges set so that it can't
be deleted. Besides some registry entries that it sets (some, most or
all of which it doesn't seem to use), the only file it relies on is
itself - no accessory files. It doesn't even modify any system files
(but it does alter the memory images of some specific system files).
> ... so the autorun.inf file planted on removable media to infect
> the next PC it's plugged into isn't significant?
The autorun.inf file is a text file. Presumably it's only a few lines
in length and contains no personally-identifiable information. If so,
please post it here. It will contain the name of the executable that
installs the DLL onto the system, so look for that file as well (if this
was a USB memory stick then it should also be on the stick). Submit
that file to Virus Total and report back the results.
> Wouldn't it be useful if the AV software on that PC could
> recognise it before it is executed?
I'm not sure how different AV programs are positioned in terms of
interception ability when it comes to files that are launched via
autorun.inf on removable media.
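The kernel32.dll date-stamp hunt described in the reply above, written out as an added example (my code, not Virus Guy's or anything from the thread). It compares the modification time by default, with creation time (st_ctime on Windows) as an opt-in because the reply is unsure which date applies; the vowel-based "random name" heuristic and the fixture directory tree are my own assumptions, constructed so the script runs offline.

```python
"""DLL hunt by kernel32.dll timestamp (added example, not from the thread)."""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class Candidate:
    path: str
    size: int
    matched_on: str     # which compared timestamp(s) matched, e.g. "mtime"
    looks_random: bool  # see looks_random(); a heuristic, not proof


def looks_random(filename: str) -> bool:
    """Heuristic (my assumption, not the thread's): human-named system DLLs
    contain vowels (kernel32, shell32, user32). A stem of six or more letters
    with no vowel, or with a run of five or more consonants, is flagged."""
    stem = os.path.splitext(os.path.basename(filename))[0]
    letters = re.sub(r"[^A-Za-z]", "", stem)
    if len(letters) < 6:
        return False
    if not re.search(r"[aeiou]", letters, re.IGNORECASE):
        return True
    return re.search(r"[^aeiou]{5,}", letters, re.IGNORECASE) is not None


def find_matching_dlls(root: str, reference: str,
                       compare: Iterable[str] = ("mtime",),
                       tolerance_s: int = 0) -> List[Candidate]:
    """Walk `root` and return every .dll whose selected timestamp(s) lie within
    `tolerance_s` seconds of `reference`'s (normally kernel32.dll). `compare`
    may contain "mtime" and/or "ctime"; ctime is the creation time on Windows
    but the inode change time on POSIX, so it is opt-in. os.walk does not
    consult Windows attributes, so hidden and system files are included."""
    ref = os.stat(reference)
    ref_times = {"mtime": int(ref.st_mtime), "ctime": int(ref.st_ctime)}
    ref_abs = os.path.abspath(reference)
    found: List[Candidate] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".dll"):
                continue
            path = os.path.join(dirpath, name)
            if os.path.abspath(path) == ref_abs:
                continue
            try:
                st = os.stat(path)
            except OSError:  # unreadable or gone; skip rather than abort the sweep
                continue
            times = {"mtime": int(st.st_mtime), "ctime": int(st.st_ctime)}
            hits = [f for f in compare if abs(times[f] - ref_times[f]) <= tolerance_s]
            if hits:
                found.append(Candidate(path, st.st_size, "+".join(hits),
                                       looks_random(name)))
    # random-looking names first so the odd one out sits at the top of the list
    return sorted(found, key=lambda c: (not c.looks_random, c.path.lower()))


def build_demo_tree(base: str) -> str:
    """Constructed fixture, not a real infected system: a fake kernel32.dll
    plus three other DLLs, two of which share its modification time. Returns
    the path of the fake kernel32.dll."""
    sys32 = os.path.join(base, "WINDOWS", "system32")
    temp = os.path.join(base, "Documents and Settings", "user", "Local Settings", "Temp")
    os.makedirs(sys32)
    os.makedirs(temp)
    stamp = 1_218_000_000  # arbitrary fixed epoch second
    layout = {
        os.path.join(sys32, "kernel32.dll"): stamp,
        os.path.join(sys32, "user32.dll"): stamp,          # legitimate, same build stamp
        os.path.join(temp, "qkzvtrgh.dll"): stamp,          # made-up random name, same stamp
        os.path.join(sys32, "ntdll.dll"): stamp + 86_400,   # a day later: not a match
    }
    for path, t in layout.items():
        with open(path, "wb") as fh:
            fh.write(b"MZ" + b"\0" * 62)  # just enough to look like a PE header
        os.utime(path, (t, t))
    return os.path.join(sys32, "kernel32.dll")


def demo() -> List[str]:
    """Run the hunt over the fixture and return the basenames in report order."""
    with tempfile.TemporaryDirectory() as base:
        ref = build_demo_tree(base)
        return [os.path.basename(c.path) for c in find_matching_dlls(base, ref)]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

On a real system, point `find_matching_dlls` at the drive root and the live kernel32.dll; a nonzero `tolerance_s` absorbs filesystems that round timestamps.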
Indeed. That file is a little like the old "autoexec.bat" file. Consider
an entry like "@hrur4ttn.exe" in that file. Sure, it would be good to
detect such an entry, but you wouldn't really know much about the
malware itself without analyzing the actual "hrur4ttn.exe" file.
>> Maybe sending the executable would get better results.
>
> Which executable would that be?
The one the information file attempts to execute when autorun is
enabled - or the one it attempts to trick the user into executing by
making it look like a simple "open" action.
> The point is that it is as dangerous as .EXE file. If you plug a
> memory
> stick with that specific file in its root directory into an unpatched
> PC
It is not a patch, it is a configuration option. Sort of like having the
option to not boot from a floppy to avoid boot sector infector
propagation.
> with autorun not disabled, it can cause that PC to become infected
> with a
> worm that has been known to be in the wild for three months or more.
> And
> 33% of VirusTotal's chosen sample of representative AV programs that
> purport to protect PCs from such infectors *don't detect it*.
The text file?
> > It should be referred to in the affected autorun.inf file.
>
> Heavily obfuscated I fear - here's a sample from the start of the
> file:
Did the material you posted come from the actual autorun.inf file, or is
it part of the file that is mentioned _in_ the autorun.inf file?
Please post the contents of the inf file here, then submit the file that
is launched from the inf file to virus total and report back the
results.
> > The randomly-named .DLL
> > file(s) come later - by which time it's too late!
>
> The DLL *is* the worm body.
The file that is launched from the inf file may not be the actual
conficker .DLL file. It may be a loader that goes out to the internet
and obtains the actual conficker file.
This loader file could even be a specially crafted PDF file or an HTTP
URL for all we know.
http://www.f-secure.com/v-descs/worm_w32_downaduprun_a.shtml
Come back when you learn enough about viruses to have
at least vague knowledge of what you are talking about
you big-time Usenet Clown!
I've pasted the complete contents of the autorun.inf file below. I don't
know what is launched as a consequence of its execution because the text is
so obfuscated.
* [ AUTorUN /
;_ ÅA¯˜ölÜŠq¦…tÎKVWœý¸¤¬//
AcTION = Open folder to view files
*
* icon/_ =* *%syStEmrOot%\sySTEM32\sHELL32.Dll ,4
*
;Pr×SoàDWWCfDnhTvVQyažã¾ __
;*/ * «GáÊ
; * qTJ¥·r€ÕoÍgwDq çÚJûKEí´û
shelLExECUte__ =RuNdLl32.EXE
.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
; * zD¾pl¿›cà½ÂuDbËyF½žÚG _
; * f›yÊlÌÃèŠdGµBw AsUmF*
; »Ÿobz²q•GEìªiSøµväF˜Ø¤ò¼fîNŒDs±* *
* useAuTopLAY _ * = 1
A patch is needed to fix the configuration option.
http://www.itworld.com/windows/63219/after-cert-warning-microsoft-delivers-autorun-fix
>
>> with autorun not disabled, it can cause that PC to become infected
>> with a
>> worm that has been known to be in the wild for three months or more.
>> And
>> 33% of VirusTotal's chosen sample of representative AV programs that
>> purport to protect PCs from such infectors *don't detect it*.
>
> The text file?
Yes.
True, but it is still an abuse of function rather than a software flaw
that needed to be patched.
In the above analogy, it is like setting the option not to boot from
floppy and yet still being able to boot from the floppy. If the
suggested option was to change the boot device order to make the floppy
the last option chosen - you could still get infected if the other
devices were not bootable for some reason. Changing the CMOS Setup
program to allow "disabling" of boot devices would be the equivalent of
the patch.
>>> with autorun not disabled, it can cause that PC to become infected
>>> with a
>>> worm that has been known to be in the wild for three months or more.
>>> And
>>> 33% of VirusTotal's chosen sample of representative AV programs that
>>> purport to protect PCs from such infectors *don't detect it*.
>>
>> The text file?
> Yes.
I think you place too much emphasis on detecting this fragment of the
worm.
> >> Please post the contents of the inf file here, then submit the
> >> file that is launched from the inf file to virus total and
> >> report back the results.
> >
> > I've pasted the complete contents of the autorun.inf file
> > below. I don't know what is launched as a consequence of
> > its execution because the text is so obfuscated.
>
> [snippage]
>
> > * icon/_ =* *%syStEmrOot%\sySTEM32\sHELL32.Dll
If that mess was the actual contents of the autorun.inf file, well then
either there's a flaw in how Windows processes the INF file and it
allows it to be constructed / formatted in such a non-documented way as
to resemble a binary file, or it's leveraging an exploit in how the
autorun.inf handler works.
Can anyone point to material that describes how or why autorun.inf would
be able to execute the contents of that file?
>.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
>
> Location of file.
How did it get there? Did your AV program put it there? What does your
AV log file say?
It should still be on the USB stick, unless it was deleted from there.
Is it still in the recycler? If so, temporarily turn off your AV program
and submit the file to Virus Total. Then turn your AV back on.
> Can anyone point to material that describes how or why autorun.inf
> would be able to execute the contents of that file?
Ok, I see why:
------------------
Typical Autorun.inf files are very small in size.
The Downadup worm inflates the size of its autorun.inf in an attempt to
avoid detection by antivirus signature scanners. Binary characters are
used to inflate the file size. These binary characters are ignored by
the Windows operating system.
Windows will find the following command:
• Open=RUNDLL32.EXE .\RECYCLER\jwgvsq.vmx
This command executes a DLL called jwgvsq.vmx from a hidden folder on
the removable drive containing the malicious autorun.inf.
-------------------
Now why would Microsoft have designed their autorun.inf handler such
that it strips non-printable characters?
Why not just barf and ignore the file if it contains such characters?
What were they anticipating such that they built that behavior into the
autorun handler?
So the file is located in a hidden folder on the usb memory stick.
Submit that file to virus total. Change the properties on the folder if
necessary to make it visible.
Fault tolerance?
You may be interested in the way .com files and .bat files can exhibit this
behaviour. Check out the functioning of the batman186 virus or mimail.
> What were they anticipating such that they built that behavior into
> the
> autorun handler?
I thought it was just a bad idea at the outset - but Microsoft has had a
history of giving the people what they want as opposed to what they need
security-wise.
> So the file is located in a hidden folder on the usb memory stick.
Yes, as opposed to the 'exploit' and 'download from server' vector in
which it installs as you mentioned elsewhere.
> Submit that file to virus total. Change the properties on the folder
> if
> necessary to make it visible.
That's the bugger where the danger lies (and the way to "identify"
rather than just detect a fragment).
> Can anyone point to material that describes how or why autorun.inf
> would
> be able to execute the contents of that file?
I know that you know, but to be clear the autorun.inf file does not
execute the file's contents. The shell extension uses the information in
the autorun.inf file to determine what desired action to take (i.e.
which executable to execute or what to present to the user interface).
autorun.inf files are too generic and they're used by too many
legitimate things... the only thing it will have in it is a filename of
the real malware and since malware can't be identified by filename the
autorun.inf file is insufficient...
--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
you realize, of course, that the autorun.inf file *isn't* the actual
malware, it's just the tool the malware uses to get automatically
executed...
> VirusTotal now reports 25/39 hits. Which means that after nearly three
> months of it being known to the anti-malware community, more than 33% of
> anti-malware packages *still* don't recognise it, including several
> 'household' names e.g. McAfee, AntiVir, Avast!, PCTools, PrevX. Even
> Microsoft's product detected it!
most probably if you submitted what the autorun.inf file pointed to you
would have gotten better results...
[snip]
> And where does that leave anti-malware benchmarking? Scoring close to 100%
> in a benchmark but missing the bleedin' obvious in live use doesn't
> re-assure me at all.
there are a number of reasons why virustotal can't be used as a measure
of an av product's effectiveness... they aren't always using the most
up-to-date version, they only run the command line scanner component and
thus miss out on the more advanced detection capabilities, etc...
it's the former - autorun.inf files can be obfuscated by inserting junk...
i can't remember who it was i saw write about this before but i have
heard about it before...
An easier way to find the random name of the DLL...
1. In Registry Editor, locate and then click the following registry
subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
2. In the details pane, right-click the netsvcs entry, and then click
Modify.
3. Scroll down to the bottom of the list. If the computer is infected
with Conficker.b, a random service name will be listed. For example, in
this procedure, we will assume the name of the malware service is
"gzqmiijz". Note the name of the malware service. You will need this
information later in this procedure.
4. Delete the line that contains the reference to the malware service.
Make sure that you leave a blank line feed under the last legitimate
entry that is listed, and then click OK.
http://support.microsoft.com/kb/962007
>> ... so the autorun.inf file planted on removable media to infect
>> the next PC it's plugged into isn't significant?
> The autorun.inf file is a text file. Presumably it's only a few lines
> in length and contains no personally-identifiable information. If so,
> please post it here. It will contain the name of the executable that
> installs the DLL onto the system, so look for that file as well (if
> this
> was a USB memory stick then it should also be on the stick). Submit
> that file to Virus Total and report back the results.
>> Wouldn't it be useful if the AV software on that PC could
>> recognise it before it is executed?
> I'm not sure how different AV programs are positioned in terms of
> interception ability when it comes to files that are launched via
> autorun.inf on removable media.
-jen
AIUI, infection via autorun works because autorun works, and won't work
if autorun is broken. Thus, autorun should be disabled on the PC, and
autorun files in removable rewritable media should be deleted. You don't
really need them anyhow, since you can start software from Explorer.
Frankly, I see only one reason for autorun: to reduce the need for
don't-wanna-know-nuthin' computer users to learn how to operate their
machines. It's s-o-o-o convenient to just insert the DVD and have it
play.... Bah!
[...]
But the mechanism and the method of operation are the same. The writing of
an autorun file to a flash disk would be a rare to non-existent legitimate
activity, and a pretty likely behaviour of a virus.
All antivirus software should now be scanning removable media for autorun
files on the root, as a matter of routine and flagging up suspicious
behaviour.
Gaz
> All antivirus software should now be scanning removable media for
> autorun files on the root, as a matter of routine and flagging up
> suspicious behaviour.
Even more.
If malicious autorun.inf files are randomly padded with binary
characters to evade AV detection, then why don't the AV programs do what
the Windows autorun.inf handler does - which is to remove the binary
characters? That way, different autorun.inf files can be boiled down to
the same file to make for easier detection. The AV programs would know
to handle specific files that way - autorun.inf specifically, perhaps
others (like *.bat, *.vbs, etc).
I still want to know why Microsoft anticipated the presence of binary
characters in an autorun.inf file, to the extent that they developed
this mechanism to handle them. Even if it was a form of
error-correction, what confidence would you have in a script file that
had to have characters stripped out of it? What confidence would you
have that the result would be a coherent and functional script?
If I replaced some of the text in my config.sys or autoexec.bat with
binary characters, and then stripped them out, the result would be
useless.
> "Virus Guy" wrote:
>> Now why would Microsoft have designed their autorun.inf handler such
>> that it strips non-printable characters?
>>
>> Why not just barf and ignore the file if it contains such characters?
>
> Fault tolerance?
I think autorun files can contain comments preceded by a semicolon.
What's interesting about this example is that it contains many such
lines with high-bit non-ASCII characters which would be allowed for
comments in non-English languages. However, there are plenty of
non-printable chars below 0x20 (space) which the parser must be stripping
away. Anything not in the [autorun] section will be ignored anyway but
I notice the trailing bracket is missing here. Very fault tolerant.
just because it doesn't happen a lot in your environment doesn't mean
it's rare in other environments... virtually every software developer
that distributes their product on optical media uses autorun.inf files...
> All antivirus software should now be scanning removable media for autorun
> files on the root, as a matter of routine and flagging up suspicious
> behaviour.
i think folks are getting a little hysterical about autorun.inf files...
while i agree that autorun is a braindead feature that should absolutely
be killed, scanning autorun.inf files is retarded - you might as well
scan autoexec.bat files while you're at it... there's nothing bad in the
autorun.inf file...
what makes you think that's why they're padded? an autorun.inf file with
absolutely no crud in it would also have nothing in it to indicate
malicious intent and thus be necessarily invisible to a scanner...
frankly, the more crud you put in an autorun.inf file the more sense it
makes to create a heuristic to look for crud in autorun.inf files...
it's far more likely that the padding is to stymie casual visual
inspection by unskilled users...
So you're saying that anti-malware should flag >40,000 byte autorun.inf
files that contain more than 50% binary data on usb keys as
"w32/autorun.suspicious"? I agree.
But Kurt, I wonder if that was _the_ possible attack vector that took
down a portion of the French Air Force for a few days and raised hob
with portions of bt.com as well?
I know this may be unanswerable.
USB thumb drives and laptops, brought from the outside world, were some
of the primary sources for our attacks at my previous place of employment.
Warm regards,
Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]
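One way to put the two suggestions above into practice (Virus Guy's idea of boiling a padded autorun.inf down to its directives, and Pete's >40,000-byte / >50%-binary rule), as an added Python example that is not code from this thread or from any vendor: it drops the non-printable bytes and ';' comment lines the posts say Windows ignores, reads the key=value pairs from the [autorun] section, and scores the file. The sample file is constructed here; how the real Windows parser tokenises a junk-filled key line is an assumption, not something the thread establishes.

```python
# Added example: normalise a padded autorun.inf, extract its launch directive,
# and apply the size / junk-ratio heuristic discussed in the thread.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def junk_ratio(data: bytes) -> float:
    """Fraction of bytes that are neither printable ASCII nor tab/CR/LF."""
    return sum(b not in PRINTABLE for b in data) / len(data) if data else 0.0

def normalise(data: bytes) -> str:
    """Drop non-printable bytes, then blank lines and ';' comment lines."""
    text = bytes(b for b in data if b in PRINTABLE).decode("ascii")
    lines = (ln.strip() for ln in text.splitlines())
    return "\n".join(ln for ln in lines if ln and not ln.startswith(";"))

def autorun_directives(data: bytes) -> dict:
    """Lower-cased key -> value pairs from the [autorun] section (closing bracket optional)."""
    directives, in_section = {}, False
    for line in normalise(data).splitlines():
        if line.startswith("["):
            in_section = line.strip("[]").strip().lower() == "autorun"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives

def assess(data: bytes, size_limit: int = 40000, ratio_limit: float = 0.5) -> dict:
    """Apply the >40,000-byte / >50%-binary heuristic and report what would be launched."""
    d = autorun_directives(data)
    ratio = junk_ratio(data)
    return {
        "size": len(data),
        "junk_ratio": round(ratio, 3),
        "launches": d.get("open") or d.get("shellexecute"),
        "suspicious": len(data) > size_limit and ratio > ratio_limit,
    }

# Constructed sample (not the posted file): 400 comment lines of high-bit bytes, directives
# carrying stray control bytes, and a section header with its closing bracket missing.
PADDING = (b";" + bytes(range(0x80, 0x100)) + b"\r\n") * 400
PADDED_INF = PADDING + (
    b"[AUTorUN\r\n"
    b"AcT\x01ION=Open folder to view files\r\n"
    b"icon=%syStEmrOot%\\sySTEM32\\sHELL32.Dll,4\r\n"
    b"shelL\x07ExECUte=RuNdLl32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,ahaezedrn\r\n"
    b"useAuTopLAY=1\r\n"
)
CLEAN_INF = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\n"  # constructed benign vendor-style file

if __name__ == "__main__":
    print(assess(PADDED_INF), assess(CLEAN_INF))
```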
You would think that sneakernet was a new development after reading
about the USB autorun vector. What security professional doesn't already
know that attaching foreign devices to a system can lead to malware
problems?
Hi All:
Mentioning sneakernet - I guess I'll load up some of my thumb drives
with all the legitimate Conficker removal tools to be found, gas up our
cars, and be prepared to make a few house calls late in the week...
Hope they're write protectable, otherwise you risk becoming a carrier. :-)
oh, absolutely, portable physical devices are one of the least protected
attack vectors these days (everything old is new again)... but it still
makes little sense to try and identify something as malware by looking
at it's associated autorun.inf file...
Optical media will be read only, are you trying to tell me that it isn't
possible to distinguish between a removable drive and a cd drive???
Really???
>
>> All antivirus software should now be scanning removable media for
>> autorun files on the root, as a matter of routine and flagging up
>> suspicious behaviour.
>
> i think folks are getting a little hysterical about autorun.inf
> files... while i agree that autorun is a braindead feature that
> should absolutely be killed, scanning autorun.inf files is retarded -
> you might as well scan autoexec.bat files while you're at it...
> there's nothing bad in the autorun.inf file...
It is a sign however. If I see a flash drive with autorun.inf I assume it is
infected...
Gaz
some flash memory drives lie to the system about what type of drive they
are - see U3 drives...
also, some folks actually distribute content in flash media rather than
optical... it's especially prevalent as promotional gifts...
>>> All antivirus software should now be scanning removable media for
>>> autorun files on the root, as a matter of routine and flagging up
>>> suspicious behaviour.
>> i think folks are getting a little hysterical about autorun.inf
>> files... while i agree that autorun is a braindead feature that
>> should absolutely be killed, scanning autorun.inf files is retarded -
>> you might as well scan autoexec.bat files while you're at it...
>> there's nothing bad in the autorun.inf file...
>
> It is a sign however. If I see a flash drive with autorun.inf I assume it is
> infected...
no U3 drives for you then...