A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2173  by Quads
 Sun Aug 22, 2010 1:22 am
That doesn't match my instructions on the following:

a) When MBAM is updated
b) The renaming of DesktopLayer; if DesktopLayer keeps the same name it reloads reasonably quickly
c) Stop the fake browser service first, otherwise you can't rename the file (self protection); it looks like it's one of the "firefox.exe"s

But that is the way it goes. So now it's not my method of cleaning, because the steps have been changed: things are updated and run at different times than I did them, and different files are run than in my instructions.

Quads
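The ordering point in the post above (stop the fake browser service first, then rename DesktopLayer, and rename it to something other than its own name) as an added PowerShell example. This is not code from the original post or from any removal tool; the service name is not known from the thread, so the script looks for a service whose binary is named like the browser but lives outside the normal install directories, and the DesktopLayer path is an assumed default to be adjusted to the infected machine. Run it from an elevated prompt.

```powershell
# Added example, not from the original post: stop the suspect service before
# touching the file, because the post says the rename fails while it runs.
# $BinaryName and $TargetFile are assumptions taken from the thread, not
# identifiers the thread confirms; adjust them to the machine in front of you.
param(
    [string]$BinaryName = 'firefox.exe',                        # assumed: name the fake service hides behind
    [string]$TargetFile = "$env:LOCALAPPDATA\DesktopLayer.exe"  # assumed location of the file to rename
)

$legitRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# 1. Find services whose executable is named like the browser but is not
#    installed under Program Files. A real Firefox install is left alone.
$suspects = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    # Strip quotes and keep only the executable part of the command line.
    $cmd = $svc.PathName -replace '"', ''
    $exe = if ($cmd -match '^(.*?\.exe)') { $matches[1] } else { $cmd }
    $isBrowserName = [IO.Path]::GetFileName($exe) -ieq $BinaryName
    $inLegitDir = $false
    foreach ($root in $legitRoots) {
        if ($exe -like "$root\*") { $inLegitDir = $true }
    }
    if ($isBrowserName -and -not $inLegitDir) { $svc }
}

if (-not $suspects) {
    Write-Warning "No service with a $BinaryName binary outside Program Files was found; check the service list by hand."
}

# 2. Stop each suspect and wait until Windows reports it stopped, rather than
#    assuming Stop-Service returned because the process is gone.
foreach ($svc in $suspects) {
    Write-Host "Stopping suspect service '$($svc.Name)' ($($svc.PathName))"
    Stop-Service -Name $svc.Name -Force -ErrorAction Stop
    (Get-Service -Name $svc.Name).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
}

# 3. Only now rename DesktopLayer, and to a different name: the post says the
#    file reloads quickly if it keeps its original name. Verify the rename took.
if (Test-Path $TargetFile) {
    $newLeaf = (Split-Path $TargetFile -Leaf) + '.vir'   # assumed suffix; anything that is not the original name
    Rename-Item -Path $TargetFile -NewName $newLeaf -ErrorAction Stop
    $renamed = Join-Path (Split-Path $TargetFile -Parent) $newLeaf
    if (Test-Path $renamed) {
        Write-Host "Renamed to $renamed"
    } else {
        Write-Warning "Rename did not take effect; the service may still be running or the path is wrong"
    }
} else {
    Write-Warning "$TargetFile not found; the location is an assumption, check where the file actually is"
}
```

The script only narrows down and stops a service and renames one file; it does not replace the scan and update steps the rest of the thread argues about, and it must be run before any scanner is updated if, as the post says, the running service blocks the rename.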
 #2176  by Sneakyone
 Sun Aug 22, 2010 6:09 am
Shoot, I forgot I was going to add that in; I will add it when they reply back.

But, they had to be modified because I don't have control of their computer so I can't get it exactly as you put them. :)

Overall, I was using the basis of your instructions.
 #2177  by Quads
 Sun Aug 22, 2010 6:57 am
Well, at least I can see how malware creators can beat helpers on malware removal forums, and I just laugh. I have removed malware from people's PCs over forums with strict steps, just changing file names and locations within the steps while the steps remain in the correct order with the correct programs or scripts, by using templates. Even highly infected PCs with combinations.

So when I say to download, install (if required) and update programs as step 1, why is that not your step 1? Updating Malwarebytes is further down, at around step 5.

Quads
 #2416  by SecConnex
 Sat Aug 28, 2010 12:25 am
Thanks. Looking over the sample.

Kaspersky I.S. caught the download, and called it Backdoor.Win32.IRCNite.ani.

I'm curious why they label it IRCNite, instead of the entire collective technology it is: Backdoor.Win32.Ramnit.A,B,C,D.

Has anyone here caught the D variant? I only know of ABC which I have tested so far...yet to find D, even though I heard it is out.
 #2455  by Buster_BSA
 Sat Aug 28, 2010 2:32 pm
Kaspersky doesn't detect anything as "Backdoor.Win32.Ramnit"
 #2468  by SecConnex
 Sat Aug 28, 2010 5:21 pm
I know. Which is why I said it should be detected as Backdoor.Win32.Ramnit.

They should use that instead of the other name.
 #2471  by Buster_BSA
 Sat Aug 28, 2010 5:53 pm
DragonMaster Jay wrote: I know. Which is why I said it should be detected as Backdoor.Win32.Ramnit.

They should use that instead of the other name.
How do you know what the name of the D variant is for Kaspersky?
 #2474  by SecConnex
 Sat Aug 28, 2010 6:37 pm
Not sure. I suppose I will just follow the name they give, IRCNite. :P