A forum for reverse engineering, OS internals and malware analysis 

 #1501  by EP_X0FF
 Wed Jul 14, 2010 1:52 am
It requires .NET Framework 2.0 installed. Otherwise it won't start ;)

Sets itself to autorun through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as
Windows System Guard dependency c:\documents and settings\user\application data\msdn.exe
Adds itself to the Windows firewall:
SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
Contains a lot of funny strings.
Code:
olhar para esta foto :D %s
se p
dette bildet :D %s
bekijk deze foto :D %s
schau mal das foto an :D %s
look at this picture :D %s
mira esta fotograf
a :D %s
regardez cette photo :D %s
guardare quest'immagine :D %s
pod
vejte se na mou fotku :D %s
ser p
dette billede :D %s
zd meg a k
pet :D %s
spojrzec na to zdjecie :D %s
bu resmi bakmak :D %s
katso t
kuvaa :D %s
uita-te la aceasta fotografie :D %s
pozrite sa na t
to fotografiu :D %s
titta p
denna bild :D %s
poglej to fotografijo :D %s
pogledaj to slike :D %s
seen this?? :D %s
Keeps a connection with 93.174.94.86 (http://www.malwareurl.com/listing.php?ip=93.174.94.86)
 #4182  by meeee2
 Wed Dec 29, 2010 2:45 pm
It cannot be run, since it prompts you for a password. Do you have the password for the file?
 #4183  by markusg
 Wed Dec 29, 2010 2:47 pm
You mean the .rar file?
It's infected.
 #4185  by EP_X0FF
 Wed Dec 29, 2010 4:15 pm
Looks like a DDoS bot. For proper work it needs a config file stored on disk as a .scr file (it should be located together with the main executable and be equally named).
C:\Users\Be\AppData\Local\Temp\DDOS.vbp