A forum for reverse engineering, OS internals and malware analysis 

 #19312  by acoustics
 Fri May 17, 2013 4:52 pm
EP_X0FF wrote: That was actually worm Brontok, infected with Virut :)

cured and unpacked in attach
https://www.virustotal.com/en/file/0cfe ... 368772119/
Yep, this is an infected file. I extracted the virus code from this file. Virut infects PE files by using a hooking technique and a code injection technique. I used OllyDbg to load the infected file and dump the injected code from memory. I used the header of a PE file from notepad.exe and removed all of the unused sections. After attaching the Virut code to the header, I could analyze it in IDA.

Virut code and IDB in attach :)
Attachment (74.88 KiB), password: infected
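The step the post describes, giving a code blob dumped from the debugger a PE header so IDA will load it, can be scripted. The block below is an added example, not the poster's tool or attachment: instead of borrowing notepad.exe's header and stripping its sections, it synthesises a minimal 32-bit PE header from scratch with one executable `.text` section and points `AddressOfEntryPoint` at the offset the analyst identified in the debugger (`entry_offset`, assumed here). `SAMPLE_CODE` is a constructed three-byte placeholder standing in for the dumped bytes, not Virut code.

```python
"""Wrap a dumped code blob in a minimal PE32 image so a disassembler loads it.

Added example; synthesises the header from scratch instead of reusing the one
from notepad.exe as the post describes. SAMPLE_CODE is a constructed stand-in.
"""
import struct

# Constructed placeholder for the bytes dumped from the debugger: xor eax,eax ; ret
SAMPLE_CODE = b"\x33\xc0\xc3"

IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200
DOS_HEADER_SIZE = 0x40          # no DOS stub; NT headers follow immediately
OPTIONAL_HEADER32_SIZE = 0xE0
SECTION_HEADER_SIZE = 0x28


def align_up(value, alignment):
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def build_minimal_pe(code, entry_offset=0):
    """Return a PE32 image with one executable .text section holding `code`.

    entry_offset is where, inside the dumped blob, the analyst found the
    injected code's entry point; AddressOfEntryPoint is set to that RVA.
    """
    if not 0 <= entry_offset < len(code):
        raise ValueError("entry_offset must lie inside the code blob")

    text_rva = SECTION_ALIGN                       # first section at RVA 0x1000
    raw_size = align_up(len(code), FILE_ALIGN)
    headers_size = align_up(
        DOS_HEADER_SIZE + 4 + 20 + OPTIONAL_HEADER32_SIZE + SECTION_HEADER_SIZE,
        FILE_ALIGN)
    size_of_image = text_rva + align_up(len(code), SECTION_ALIGN)

    # IMAGE_DOS_HEADER: only the 'MZ' magic and e_lfanew matter to a loader.
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", DOS_HEADER_SIZE)

    # IMAGE_FILE_HEADER: i386, one section, EXECUTABLE_IMAGE | 32BIT_MACHINE.
    file_header = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0,
                              OPTIONAL_HEADER32_SIZE, 0x0102)

    # IMAGE_OPTIONAL_HEADER32 followed by 16 empty data directories.
    optional_header = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x010B, 0, 0,                        # PE32 magic, linker version
        raw_size, 0, 0,                      # SizeOfCode, init/uninit data
        text_rva + entry_offset,             # AddressOfEntryPoint
        text_rva, text_rva,                  # BaseOfCode, BaseOfData
        IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                    # OS / image / subsystem versions
        0, size_of_image, headers_size, 0,   # Win32Version, SizeOfImage, SizeOfHeaders, CheckSum
        2, 0,                                # IMAGE_SUBSYSTEM_WINDOWS_GUI, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0, 16)                               # LoaderFlags, NumberOfRvaAndSizes
    optional_header += b"\0" * (8 * 16)

    # IMAGE_SECTION_HEADER for .text: CODE | EXECUTE | READ.
    section_header = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva,
                                 raw_size, headers_size, 0, 0, 0, 0, 0x60000020)

    headers = dos_header + b"PE\0\0" + file_header + optional_header + section_header
    headers += b"\0" * (headers_size - len(headers))
    return headers + code + b"\0" * (raw_size - len(code))


def describe_pe(blob):
    """Parse the headers back out as a sanity check before opening the file in IDA."""
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if blob[:2] != b"MZ" or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, num_sections, _, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    opt_off = e_lfanew + 24                      # signature + file header
    (entry_point,) = struct.unpack_from("<I", blob, opt_off + 16)
    (image_base,) = struct.unpack_from("<I", blob, opt_off + 28)
    sections, sec_off = [], opt_off + opt_size
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", blob, sec_off)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_address": va,
                         "virtual_size": vsize, "raw_pointer": raw_ptr,
                         "raw_size": raw_size})
        sec_off += SECTION_HEADER_SIZE
    return {"machine": machine, "image_base": image_base,
            "entry_point": entry_point, "sections": sections}


if __name__ == "__main__":
    image = build_minimal_pe(SAMPLE_CODE)
    with open("dumped_code.exe", "wb") as fh:    # open this file in IDA
        fh.write(image)
    print(describe_pe(image))
```

Because the code sits at RVA 0x1000 with image base 0x400000, absolute addresses inside the dump only resolve correctly if the injected code actually ran at 0x401000; when the debugger showed it elsewhere, adjust `IMAGE_BASE` and `SECTION_ALIGN` so the section lands at the observed address, or rebase the database after loading.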
 #20544  by lukasz
 Tue Aug 20, 2013 11:56 am
AaLl86 wrote: Thank you for sharing! Very interesting sample!
Andrea
rough_spear wrote: Hi All,

Virut sample!!! Low detection.

VT link - https://www.virustotal.com/en/file/4df2 ... 376853761/
Regards,

rough_spear. ;)
Isn't it just a normal FTP client/server?
I don't see any Virut infection in it, nor does any sandbox. Can someone give me a hint on how to analyze this?