================================
# MalwareMustDie! 
Case: JDB Exploit Kit Dropped 
A Nayrabot IRC Malware with:
1) USB worm autorunner;
2) UDP flood;
3) Bot Killer;
4) Downloader;
5) Can update itself.
================================
0x00004D   !This program cannot be run in DOS mode.
0x0001C8   .data
0x0001F0   .idata
0x000218   .rsrc
0x00023F   @.reloc
0x000768   Botkiller
0x000774   Successfully Killed And Removed Malicious File: "%s"
0x000800   Usage: %s IP PORT DELAY LENGTH
0x000828   Failed To Start Thread: "%d"
0x00084C   Failed: Mis Parameter
0x000868   WinINet
0x000874   Failed: "%d"
0x000884   Visit
0x00088C   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0x0008D4   Filed To Visit: "%s"
0x0008F0   Successfully Visited: "%s"
0x000920   %s #%s
0x00092C   %s %s
0x000940   Terminated WGet Thread
0x000964   Running From: "%s"
0x00097C   [%s][%s] - "%s"
0x000990   hh':'mm':'ss
0x0009E8   {%s}: %s
0x000A18   Update Complete, Uninstalling
0x000A3C   Successfully Executed Process: "%s"
0x000A68   Failed To Create Process: "%s", Reason: "%d"
0x000AA0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
0x000B48   Successfully Downloaded File To: "%s"
0x000B78   Downloading File: "%s"
0x000B94   Download
0x000C40   IsWow64Process
0x000C84   h00p://api.wipmania.com/
0x0013D4   PRIVMSG
0x00145C   Config
0x001464   Failed to load config
0x00152C   AryaN{%s-%s-x%d}%s
0x001544   New{%s-%s-x%d}%s
0x001558   %s "" "%s" :%s
0x00156C   %s %s
0x001574   %s %s :[AryaN]: %s
0x001590   %s %s %s
0x0015A4   Finished Flooding "%s:%d"
0x0015C4   Terminated UDP Flood Thread
0x0015E8   %d%d%d%d%d%d%d%d
0x001600   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0x0017A4   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0x0019B4   AutoRun Infected Removable Device: "%s\"
0x001C57   4 RAS_e
0x001C77   4 RAS
0x001EC9   z)ze'
0x00217D   /4*&{
0x00219D   O(hHj
0x002FBB   OWShX
0x003213   D$0Pht
0x0038DA   SSPhZ
0x003FB9   j[YPSSh
0x004026   SSSSh
0x00405F   t)SSj
0x004609   Yt3Pj
0x004702   QQSVj
0x0049C9   Yt}Vh
0x0049FA   tF@Pj
0x004B20   SUVWh
0x004C22   VVVVh
0x004C3C   SVVVVh
0x004D27   tDVWWh$
0x004EF9   tUWSV
0x004F31   WWWPWW
0x005033   +Y4;YPw2
0x0050B0   Yt8Pj
0x005314   SUVWh
0x005498   QSUVWj
0x0057A7   YYVVVhx
0x005899   VVVhF
0x005A50   UUUVUU
0x005B0F   PVVj(WVVV
0x005D20   VPVh?
0x005E30   VPVh?
0x005F14   QSVW3
0x006020   YtPhL
0x006131   VVVhY
0x006235   QQSVWj,
0x0062F7   VSSSh
0x00675A   PWhD!@
0x006770   PWh,!@
0x006814   YPhX!@
0x0069A2   trSWh,
0x006D5B   Vh@"@
0x006E8E   Rh|5@
0x0071B2   PVVh%
0x0075A8   Ph0%@
0x00848A   wcsstr
0x008494   memset
0x00849E   _snwprintf
0x0084AC   wcscmp
0x0084BE   strncmp
0x0084C8   strstr
0x0084D2   _snprintf
0x0084DE   strcmp
0x0084E8   strncpy
0x0084FA   printf
0x008504   _vsnprintf
0x008512   wprintf
0x00851C   _vsnwprintf
0x00852A   srand
0x008532   strlen
0x00853C   wcstombs
0x008548   mbstowcs
0x008554   strcpy
0x00855E   memcpy
0x008568   _wcsicmp
0x008574   malloc
0x008586   wcscpy
0x008590   realloc
0x00859A   strtok
0x0085A4   fclose
0x0085AE   fwprintf
0x0085BA   _wfopen
0x0085C2   MSVCRT.dll
0x0085D0   HeapFree
0x0085DC   ExpandEnvironmentStringsW
0x0085F8   HeapAlloc
0x008604   CloseHandle
0x008612   Process32NextW
0x008624   DeleteFileW
0x008632   MoveFileW
0x00863E   SetFileAttributesW
0x008654   Sleep
0x00865C   Process32FirstW
0x00866E   CreateToolhelp32Snapshot
0x00868A   lstrlenA
0x008696   SetThreadPriority
0x0086AA   GetLastError
0x0086BA   CreateThread
0x0086CA   GetLocaleInfoA
0x0086DC   TerminateThread
0x0086EE   GetModuleFileNameA
0x008704   GetModuleHandleA
0x008718   GetTimeFormatA
0x00872A   GetTimeFormatW
0x00873C   OutputDebugStringA
0x008752   OutputDebugStringW
0x008768   ReleaseMutex
0x008778   WaitForSingleObject
0x00878E   WriteFile
0x00879A   CreateFileW
0x0087A8   GetTickCount
0x0087B8   SetLastError
0x0087C8   FindNextFileW
0x0087D8   FindNextFileA
0x0087E8   OpenProcess
0x0087F6   GetProcAddress
0x008808   LoadLibraryW
0x008818   GetFileAttributesW
0x00882E   GetVersionExA
0x00883E   ReadFile
0x00884A   GetFileSize
0x008858   CreateMutexW
0x008868   OpenMutexW
0x008876   GetProcessHeap
0x008888   CreateRemoteThread
0x00889E   WriteProcessMemory
0x0088B4   VirtualProtectEx
0x0088C8   VirtualAllocEx
0x0088DA   ReadProcessMemory
0x0088EE   GetCurrentProcess
0x008902   VirtualAlloc
0x008912   GetCurrentProcessId
0x008928   LockResource
0x008938   LoadResource
0x008948   SizeofResource
0x00895A   FindResourceW
0x00896A   ExitProcess
0x008978   ExitThread
0x008986   GetDriveTypeW
0x008996   GetModuleFileNameW
0x0089AC   GetModuleHandleW
0x0089C0   SetErrorMode
0x0089D0   CreateProcessW
0x0089E2   TerminateProcess
0x0089F6   lstrlenW
0x008A02   CreateEventW
0x008A12   CreateDirectoryW
0x008A26   CopyFileW
0x008A32   FindFirstFileW
0x008A44   GetLogicalDriveStringsW
0x008A5C   KERNEL32.dll
0x008A6A   WS2_32.dll
0x008A78   PathAppendW
0x008A84   SHLWAPI.dll
0x008A92   InternetReadFile
0x008AA6   InternetOpenUrlA
0x008ABA   InternetCloseHandle
0x008AD0   InternetOpenW
0x008ADE   WININET.dll
0x008AEC   CoCreateInstance
0x008B00   CoUninitialize
0x008B12   CoInitialize
0x008B20   ole32.dll
0x008B2C   GetModuleFileNameExW
0x008B42   PSAPI.DLL
0x008B4E   ShellExecuteA
0x008B5E   SHGetFolderPathW
0x008B70   SHELL32.dll
0x008B7E   RegCloseKey
0x008B8C   RegDeleteValueW
0x008B9E   RegCreateKeyExW
0x008BB0   RegQueryValueExW
0x008BC4   RegOpenKeyExW
0x008BD4   RegSetValueExW
0x008BE6   RegNotifyChangeKeyValue
0x008C00   GetUserNameW
0x008C0E   ADVAPI32.dll
0x008E88   vnKA7LAG9gOBFXnAYVnhjJUrmhdgXrPA
0x008EC7   lixay~d
0x008ECF   n#cb d}#b
0x008EE5   .~|xd
0x008EF9   nxcy~
0x008F0A   ?>9dbg>9db;fazf>
0x008F1D   Zdcxi}
0x008F3A   {d~dy
0x008F4D   hnbcchny
0x008F56   ibzcabli
0x008F5F   ibzcabli~yb}
0x008F6C   obyfdaa
0x008F74   xi}kabbi
0x008F7D   xi}kabbi~yb}
0x008F8A   PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
0x00071D   %userprofile%
0x000740   %appdata%
0x000758   %temp%
0x0007B4   %s\removethis_%d%d%d.exe
0x0009C8   hh':'mm':'ss
0x0009F4   {%s}: %s
0x000B18   %temp%\oldfile.exe
0x000BA0   Mozilla/5.0 (compatible)
0x000BDC   %s\%d%d%d.exe
0x000C00   explorer.exe
0x000C20   Kernel32.dll
0x000C60   %s-deadlock
0x000CA4   %s\SysWOW64
0x001170   advapi32.dll
0x001190   comsupp.dll
0x0011AC   shell32.dll
0x0011C8   wininet.dll
0x0011E4   shlwapi.dll
0x001200   dnsapi.dll
0x00121C   user32.dll
0x001238   ws2_32.dll
0x001254   psapi.dll
0x00126C   Ole32.dll
0x001284   kernel32.dll
0x0012A4   msvcrt.dll
0x0012C0   dwm.exe
0x0012D4   alg.exe
0x0012E8   csrss.exe
0x001300   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0x001370   %s-readfile
0x001448   cmd.exe
0x0014BC   Software\Microsoft\Windows\CurrentVersion\Run
0x001640   %temp%\deletethis.exe
0x001674   Removable_Drive.exe
0x0016BC   %s\{%s-%s}
0x0016D8   /k "%s" Open %s
0x001700   %windir%\System32\cmd.exe
0x001740   %s\Removable_Drive.exe
0x001778   %s\%s
0x001788   %s\%s.lnk
0x001990   %s\autorun.inf
0x00004D   !This program cannot be run in DOS mode.
0x0001C8   .data
0x0001F0   .idata
0x000218   .rsrc
0x00023F   @.reloc
0x000768   Botkiller
0x000774   Successfully Killed And Removed Malicious File: "%s"
0x000800   Usage: %s IP PORT DELAY LENGTH
0x000828   Failed To Start Thread: "%d"
0x00084C   Failed: Mis Parameter
0x000868   WinINet
0x000874   Failed: "%d"
0x000884   Visit
0x00088C   Failed: Mis Parameter, Usage: %s [SHOW/HIDE] [URL]
0x0008D4   Filed To Visit: "%s"
0x0008F0   Successfully Visited: "%s"
0x000920   %s #%s
0x00092C   %s %s
0x000940   Terminated WGet Thread
0x000964   Running From: "%s"
0x00097C   [%s][%s] - "%s"
0x000990   hh':'mm':'ss
0x0009E8   {%s}: %s
0x000A18   Update Complete, Uninstalling
0x000A3C   Successfully Executed Process: "%s"
0x000A68   Failed To Create Process: "%s", Reason: "%d"
0x000AA0   Successfully Replaced AryaN File With Newly Download File, Update Will Take Affect On Next Reboot
0x000B48   Successfully Downloaded File To: "%s"
0x000B78   Downloading File: "%s"
0x000B94   Download
0x000C40   IsWow64Process
0x000C84   http://api.wipmania.com/
0x0013D4   PRIVMSG
0x00145C   Config
0x001464   Failed to load config
0x00152C   AryaN{%s-%s-x%d}%s
0x001544   New{%s-%s-x%d}%s

0x001558   %s "" "%s" :%s
0x00156C   %s %s
0x001574   %s %s :[AryaN]: %s
0x001590   %s %s %s
0x0015A4   Finished Flooding "%s:%d"
0x0015C4   Terminated UDP Flood Thread
0x0015E8   %d%d%d%d%d%d%d%d
0x001600   Flooding: "%s:%d", Delay: "%d(ms)", For "%d" Seconds
0x0017A4   LNK Infected Removable Device: "%s\", Created: "%d" Lnk Files
0x0019B4   AutoRun Infected Removable Device: "%s\"
0x001C57   4 RAS_e
0x001C77   4 RAS
0x001EC9   z)ze'
0x00217D   /4*&{
0x00219D   O(hHj
0x002FBB   OWShX
0x003213   D$0Pht
0x0038DA   SSPhZ
0x003FB9   j[YPSSh
0x004026   SSSSh
0x00405F   t)SSj
0x004609   Yt3Pj
0x004702   QQSVj
0x0049C9   Yt}Vh
0x0049FA   tF@Pj
0x004B20   SUVWh
0x004C22   VVVVh
0x004C3C   SVVVVh
0x004D27   tDVWWh$
0x004EF9   tUWSV
0x004F31   WWWPWW
0x005033   +Y4;YPw2
0x0050B0   Yt8Pj
0x005314   SUVWh
0x005498   QSUVWj
0x0057A7   YYVVVhx
0x005899   VVVhF
0x005A50   UUUVUU
0x005B0F   PVVj(WVVV
0x005D20   VPVh?
0x005E30   VPVh?
0x005F14   QSVW3
0x006020   YtPhL
0x006131   VVVhY
0x006235   QQSVWj,
0x0062F7   VSSSh
0x00675A   PWhD!@
0x006770   PWh,!@
0x006814   YPhX!@
0x0069A2   trSWh,
0x006D5B   Vh@"@
0x006E8E   Rh|5@
0x0071B2   PVVh%
0x0075A8   Ph0%@
0x00848A   wcsstr
0x008494   memset
0x00849E   _snwprintf
0x0084AC   wcscmp
0x0084BE   strncmp
0x0084C8   strstr
0x0084D2   _snprintf
0x0084DE   strcmp
0x0084E8   strncpy
0x0084FA   printf
0x008504   _vsnprintf
0x008512   wprintf
0x00851C   _vsnwprintf
0x00852A   srand
0x008532   strlen
0x00853C   wcstombs
0x008548   mbstowcs
0x008554   strcpy
0x00855E   memcpy
0x008568   _wcsicmp
0x008574   malloc
0x008586   wcscpy
0x008590   realloc
0x00859A   strtok
0x0085A4   fclose
0x0085AE   fwprintf
0x0085BA   _wfopen
0x0085C2   MSVCRT.dll
0x0085D0   HeapFree
0x0085DC   ExpandEnvironmentStringsW
0x0085F8   HeapAlloc
0x008604   CloseHandle
0x008612   Process32NextW
0x008624   DeleteFileW
0x008632   MoveFileW
0x00863E   SetFileAttributesW
0x008654   Sleep
0x00865C   Process32FirstW
0x00866E   CreateToolhelp32Snapshot
0x00868A   lstrlenA
0x008696   SetThreadPriority
0x0086AA   GetLastError
0x0086BA   CreateThread
0x0086CA   GetLocaleInfoA
0x0086DC   TerminateThread
0x0086EE   GetModuleFileNameA
0x008704   GetModuleHandleA
0x008718   GetTimeFormatA
0x00872A   GetTimeFormatW
0x00873C   OutputDebugStringA
0x008752   OutputDebugStringW
0x008768   ReleaseMutex
0x008778   WaitForSingleObject
0x00878E   WriteFile
0x00879A   CreateFileW
0x0087A8   GetTickCount
0x0087B8   SetLastError
0x0087C8   FindNextFileW
0x0087D8   FindNextFileA
0x0087E8   OpenProcess
0x0087F6   GetProcAddress
0x008808   LoadLibraryW
0x008818   GetFileAttributesW
0x00882E   GetVersionExA
0x00883E   ReadFile
0x00884A   GetFileSize
0x008858   CreateMutexW
0x008868   OpenMutexW
0x008876   GetProcessHeap
0x008888   CreateRemoteThread
0x00889E   WriteProcessMemory
0x0088B4   VirtualProtectEx
0x0088C8   VirtualAllocEx
0x0088DA   ReadProcessMemory
0x0088EE   GetCurrentProcess
0x008902   VirtualAlloc
0x008912   GetCurrentProcessId
0x008928   LockResource
0x008938   LoadResource
0x008948   SizeofResource
0x00895A   FindResourceW
0x00896A   ExitProcess
0x008978   ExitThread
0x008986   GetDriveTypeW
0x008996   GetModuleFileNameW
0x0089AC   GetModuleHandleW
0x0089C0   SetErrorMode
0x0089D0   CreateProcessW
0x0089E2   TerminateProcess
0x0089F6   lstrlenW
0x008A02   CreateEventW
0x008A12   CreateDirectoryW
0x008A26   CopyFileW
0x008A32   FindFirstFileW
0x008A44   GetLogicalDriveStringsW
0x008A5C   KERNEL32.dll
0x008A6A   WS2_32.dll
0x008A78   PathAppendW
0x008A84   SHLWAPI.dll
0x008A92   InternetReadFile
0x008AA6   InternetOpenUrlA
0x008ABA   InternetCloseHandle
0x008AD0   InternetOpenW
0x008ADE   WININET.dll
0x008AEC   CoCreateInstance
0x008B00   CoUninitialize
0x008B12   CoInitialize
0x008B20   ole32.dll
0x008B2C   GetModuleFileNameExW
0x008B42   PSAPI.DLL
0x008B4E   ShellExecuteA
0x008B5E   SHGetFolderPathW
0x008B70   SHELL32.dll
0x008B7E   RegCloseKey
0x008B8C   RegDeleteValueW
0x008B9E   RegCreateKeyExW
0x008BB0   RegQueryValueExW
0x008BC4   RegOpenKeyExW
0x008BD4   RegSetValueExW
0x008BE6   RegNotifyChangeKeyValue
0x008C00   GetUserNameW
0x008C0E   ADVAPI32.dll
0x008E88   vnKA7LAG9gOBFXnAYVnhjJUrmhdgXrPA
0x008EC7   lixay~d
0x008ECF   n#cb d}#b
0x008EE5   .~|xd
0x008EF9   nxcy~
0x008F0A   ?>9dbg>9db;fazf>
0x008F1D   Zdcxi}
0x008F3A   {d~dy
0x008F4D   hnbcchny
0x008F56   ibzcabli
0x008F5F   ibzcabli~yb}
0x008F6C   obyfdaa
0x008F74   xi}kabbi
0x008F7D   xi}kabbi~yb}
0x008F8A   PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
0x00071D   %userprofile%
0x000740   %appdata%
0x000758   %temp%
0x0007B4   %s\removethis_%d%d%d.exe
0x0009C8   hh':'mm':'ss
0x0009F4   {%s}: %s
0x000B18   %temp%\oldfile.exe
0x000BA0   Mozilla/5.0 (compatible)
0x000BDC   %s\%d%d%d.exe
0x000C00   explorer.exe
0x000C20   Kernel32.dll
0x000C60   %s-deadlock
0x000CA4   %s\SysWOW64
0x001170   advapi32.dll
0x001190   comsupp.dll
0x0011AC   shell32.dll
0x0011C8   wininet.dll
0x0011E4   shlwapi.dll
0x001200   dnsapi.dll
0x00121C   user32.dll
0x001238   ws2_32.dll
0x001254   psapi.dll
0x00126C   Ole32.dll
0x001284   kernel32.dll
0x0012A4   msvcrt.dll
0x0012C0   dwm.exe
0x0012D4   alg.exe
0x0012E8   csrss.exe
0x001300   SOFTWARE\Microsoft\Windows\CurrentVersion\Run
0x001370   %s-readfile
0x001448   cmd.exe
0x0014BC   Software\Microsoft\Windows\CurrentVersion\Run
0x001640   %temp%\deletethis.exe
0x001674   Removable_Drive.exe
0x0016BC   %s\{%s-%s}
0x0016D8   /k "%s" Open %s
0x001700   %windir%\System32\cmd.exe
0x001740   %s\Removable_Drive.exe
0x001778   %s\%s
0x001788   %s\%s.lnk
0x001990   %s\autorun.inf
---
#MalwareMustDie!