A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #8764  by rkhunter
 Tue Sep 27, 2011 7:24 am
dcmorton wrote: Couple of samples of Trojan:Win32/Alureon.FE referenced in the article

7c2d273c453ed366e80807f678e0d633
http://www.virustotal.com/file-scan/rep ... 1315775582

db9984106cc88700c035c545c21d5aae
http://www.virustotal.com/file-scan/rep ... 1314922124
And here Microsoft shows excellent results, one of the vendors who correctly detect TDSS droppers (as Trojan:Win32/Alureon).
Other detections, it seems, were taken from Kaspersky (names) or are 'generic'.
 #9031  by EP_X0FF
 Sat Oct 08, 2011 3:25 am
rough_spear wrote: Hi all, :D
W32.Jorik dropper and dropped file.

File name - 531-01.exe
VT link - http://www.virustotal.com/file-scan/rep ... 1317995335

File name - E33D.tmp
virusscan link - http://virusscan.jotti.org/en/scanresul ... 93ea93671d
This is FakeAV and its friend Alureon from the F series (Alureon.FE/L variant).

Decrypted version in the attachment (pass: malware).
 #9062  by EP_X0FF
 Sun Oct 09, 2011 9:32 pm
We are a little surprised that nobody posted anything about this new rootkit based on the updated TDL4 engine. Where are all these fairy tales, "serious threat", like in the case of bioskit? :) Is the PR machine broken, did the Captain Obvious co-player go on vacation? Nothing to write about, maybe? Yes, it's more in beta stage, but anyway :)
 #9072  by rkhunter
 Mon Oct 10, 2011 4:25 pm
I think that many people took this information (the post named "A tale of grannies, Chinese herbs, Tom Cruise, Alureon and steganography") not entirely correctly. It was written (in the news) that TDSS(!) received a new update. Probably many do not even know that it's not the original TDL. Maybe if Kaspersky or Dr.Web call it .tdss it is not quite true. But Microsoft, as I understand, has its own internal naming system for droppers; in my opinion it is very different from Kaspersky's or Dr.Web's. I can see that Microsoft's terminology is more correct, because the names given to droppers are very meaningful! =)
 #9073  by rkhunter
 Mon Oct 10, 2011 4:32 pm
Perhaps EP_X0FF will reveal the mystery of how Microsoft accurately refers to TDL-based droppers, including their versions? =)
 #9077  by kmd
 Tue Oct 11, 2011 12:49 am
This new RK is interesting, more interesting than bioskit (PR shit: "we all gonna die, serious threat"), a new legit way of exploiting the MBR :D

@rkhunter
As everywhere, I guess: honeypots, controlled C&C + a good emulator to break the obfuscation where all the others detect by crypters.
 #9082  by rkhunter
 Tue Oct 11, 2011 9:25 am
@kmd
I think Microsoft approaches the addition of droppers and their classification more professionally and efficiently. That the dropper was added as Alureon.FL/E says that the name was added by hand; it was not the work of a robot, as in the case of the others. Moreover, the classification, in my view, has higher capacity because it says TDL-based engine.
 #9111  by frank_boldewin
 Wed Oct 12, 2011 1:49 pm
Find attached all decrypted resources from the dropper.

pw: malware

NAME ---> just a string "chromeupdtr.exe"
AFFID ---> just a string "5"
SUBID ---> just a string "ctest70"

VBR
BOOT
CMD32
CMD64
DBG32
DBG64
DRV32
DRV64
LDR32
LDR64
MAIN ---> this is the CFG file.