A forum for reverse engineering, OS internals and malware analysis 

NgrBot (aka Win32/Dorkbot.gen!A)

Forum for analysis and discussion about malware.

Re: skype spam (trojan)

 #15819  by EP_X0FF
 Sun Sep 30, 2012 3:24 am
markusg wrote:today night, we get some requests from infected peoples, they get in a message, this files, via sendspacee urls
https://www.virustotal.com/file/2b5ef3b ... /analysis/
normaly it comes as zip archiv
This is Ngrbot aka Dorkbot. So many strings inside, so just I post a little piece.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error shell32.dll " % s " % S msg http int %d httpi usbi dnsapi.dll DnsFlushResolverCache P O S T = http://%s/%s http://%s/ HTTP Host:
POST /%1023s
Two other files are Win32 PE executables. Will look later.

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #15820  by EP_X0FF
 Sun Sep 30, 2012 3:50 am
ogxEz57 obfuscated spammer. Purpose - find skype communicator window and spam it with the following:
hey is this your skype profile pic?
hxxp://sendspace.com/pro/dl/8a963g?image=
Multilanguage support for this message.

weifgwf is ZeroAccess CLSID+services.exe infection crossplatform dropper. Extracted files attached.
Attachments
pass: malware
(99.67 KiB) Downloaded 59 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #15824  by MindfreaK
 Sun Sep 30, 2012 1:09 pm
Found something similar like EP_X0FF but not sure if this is the same
hallo, sag mal ehrlich sind das deine fotos?
http://goo.gl/OI0SP?image=%skypeuser%
redirects to 88.198.59.105:80 - [holsterhausen53.de] that downloads the file.
File is packed with vc6 runpe crypter


https://www.virustotal.com/file/ea82c9b ... 349010185/
Attachments
pw: infected
(287.16 KiB) Downloaded 74 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #15826  by EP_X0FF
 Sun Sep 30, 2012 5:22 pm
MindfreaK wrote:Found something similar like EP_X0FF but not sure if this is the same
hallo, sag mal ehrlich sind das deine fotos?
http://goo.gl/OI0SP?image=%skypeuser%
redirects to 88.198.59.105:80 - [holsterhausen53.de] that downloads the file.
File is packed with vc6 runpe crypter


https://www.virustotal.com/file/ea82c9b ... 349010185/
Dorkbot, in attach decrypted.
Attachments
pass: malware
(41.27 KiB) Downloaded 70 times

Re: Malware Requests, part 2

 #15924  by tachion
 Mon Oct 08, 2012 7:38 pm
Flamef wrote:Can any1 give me this ransomware sample mentioned here?
http://www.gfi.com/blog/skype-users-tar ... ick-fraud/
No MD5(Sorry,can't find).
Thanks in advance.
MD5 e8e2ba08f9aff27eed45daa8dbde6159
https://www.virustotal.com/file/5110055 ... /analysis/

and dump MD5 18fb5a103974f0c69d165aef19ff2793

https://www.virustotal.com/file/d2db00f ... /analysis/
Attachments
password: infected
(232.67 KiB) Downloaded 69 times
password: infected
(267.06 KiB) Downloaded 78 times

Re: NgrBot (aka Win32/Dorkbot.gen!A)

 #16281  by Win32:Virut
 Thu Oct 25, 2012 6:51 pm
Dorkbot, also spreads by Skype.

_hxxp://goo.gl/vE8bq?foto=l7n.16 with redirect to_hxxp://beurer.by/images/foto_skype_10-24-2012.zip

Scans:
https://www.virustotal.com/file/9d11e95 ... /analysis/
https://www.virustotal.com/file/a46a28e ... /analysis/
https://www.virustotal.com/url/6b1f949a ... /analysis/
https://www.virustotal.com/url/58bb40af ... /analysis/
Attachments
Password is "infected" without quotes.
(185.85 KiB) Downloaded 82 times
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
 Return to “Malware”