A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5233  by EP_X0FF
 Tue Mar 01, 2011 3:50 am
markusg wrote: http://virusscan.jotti.org/de/scanresul ... 02fa67d8b3
Keygen for Adobe Photoshop CS5 joined with Agobot.

Original attach removed, actual malware and music from keygen attached.
keygen wrote: AVAST EAT YOUR SHIT
Attachments: music (3.96 KiB); pass: malware (14.49 KiB)
 #5249  by EP_X0FF
 Tue Mar 01, 2011 6:08 pm
markusg wrote: Free Sms Setup.exe
http://www.virustotal.com/file-scan/rep ... 1298998285
Like the previous one, a Smart Install Maker setup joined with Agobot. In the attachment is the actual malware file extracted from the bundle.
Nothing impressive; it can be easily removed by users even without deep knowledge.
Attachments: pass: malware (14.9 KiB)
 #10752  by rkhunter
 Tue Jan 03, 2012 5:55 am
One more IRCBot - Backdoor:Win32/IRCbot.FH.

Copies itself to: %AppData%\Microsoft\svchost.exe
Runs from: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
DNS query to venomz1000.no-ip.biz.
Creates mutex: 7VTE1FB2ZY.
SOFTWARE\Borland\Delphi\RTL
kernel32.dll
CreateToolhelp32Snapshot
kernel32.dll
GetDiskFreeSpaceExA
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
SOFTWARE\
\FileNameActual
\FirstInstall
~cache.bat
sqlite3_open
sqlite3_errmsg
sqlite3_free
sqlite3_close
sqlite3_last_insert_rowid
sqlite3_total_changes
sqlite3_errcode
sqlite3_bind_text
sqlite3_bind_int
sqlite3_bind_int64
sqlite3_bind_double
sqlite3_bind_null
sqlite3_bind_blob
sqlite3_prepare_v2
sqlite3_step
sqlite3_reset
:\windows\explorer.exe
SOFTWARE\Mozilla\Mozilla Firefox\CurrentVersion
[autorun]
shell=verb
open=
action=Open folder to view files
shell\open=Open
icon=%SystemRoot%\system32\SHELL32.dll,4
Response to 144.132.216.78:3086 http://whois.domaintools.com/144.132.216.78.
Attachments: pass: malware (22.38 KiB); malware traffic (1.28 KiB)
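As an added host-triage example (not code from the thread, nor anything written by the sample's author), the PowerShell below checks a Windows host for the artifacts rkhunter lists for this IRCbot: the Run value named "Windows Defender", the dropped svchost.exe under %AppData%\Microsoft, the mutex 7VTE1FB2ZY, and the no-ip domain in the local DNS client cache. The indicator values come from the post; the function names and the checking logic are assumptions of this example. It also generalizes the Run-key check slightly: any per-user Run entry launching an svchost.exe outside %SystemRoot%\System32 is reported, since the legitimate service host is never started from HKCU\...\Run.

```powershell
# Added triage script for the Backdoor:Win32/IRCbot.FH artifacts in the post above.
# Indicator values are taken from the post; everything else is an assumption of this example.

$RunKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$ValueName = 'Windows Defender'                               # Run value name from the post
$DropPath  = Join-Path $env:APPDATA 'Microsoft\svchost.exe'  # %AppData%\Microsoft\svchost.exe
$MutexName = '7VTE1FB2ZY'                                     # mutex from the post
$C2Domain  = 'venomz1000.no-ip.biz'                           # DNS query from the post

function Get-SuspiciousRunEntry {
    # Report HKCU Run values that use the name from the post, or that launch an
    # svchost.exe from anywhere other than %SystemRoot%\System32.
    $legitSvchost = Join-Path $env:SystemRoot 'System32\svchost.exe'
    $props = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return @() }

    $hits = foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath/PSProvider noise
        $cmd = ([string]$p.Value).Trim('"')
        $badName      = ($p.Name -eq $ValueName)
        $rogueSvchost = ($cmd -like '*\svchost.exe*') -and ($cmd -notlike "$legitSvchost*")
        if ($badName -or $rogueSvchost) {
            $reason = if ($badName) { 'Run value name from post' } else { 'svchost.exe outside System32' }
            [pscustomobject]@{ Indicator = 'RunEntry'; Name = $p.Name; Command = $cmd; Reason = $reason }
        }
    }
    return @($hits)
}

function Get-DroppedFileInfo {
    # The copy under %AppData%\Microsoft is the persistence binary; hash it for later comparison.
    if (-not (Test-Path -LiteralPath $DropPath)) { return $null }
    $hash = (Get-FileHash -LiteralPath $DropPath -Algorithm SHA256).Hash
    [pscustomobject]@{ Indicator = 'DroppedFile'; Path = $DropPath; SHA256 = $hash }
}

function Test-IrcbotMutex {
    # OpenExisting only succeeds if some running process already created the mutex,
    # so this is a cheap "is the bot currently running in this session?" check.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($MutexName)
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    } catch [System.UnauthorizedAccessException] {
        return $true   # it exists, this token just cannot open it
    }
}

function Test-DnsCacheForC2 {
    # Get-DnsClientCache is available on Windows 8 / Server 2012 and later; returns $null elsewhere.
    if (-not (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue)) { return $null }
    $entries = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object { $_.Entry -like "*$C2Domain*" }
    return [bool]$entries
}

# Collect and print findings.
$findings = @()
$findings += Get-SuspiciousRunEntry
$file = Get-DroppedFileInfo
if ($file) { $findings += $file }
if (Test-IrcbotMutex) { $findings += [pscustomobject]@{ Indicator = 'Mutex'; Name = $MutexName } }
if (Test-DnsCacheForC2) { $findings += [pscustomobject]@{ Indicator = 'DnsCache'; Domain = $C2Domain } }

if ($findings.Count -eq 0) {
    Write-Output 'No IRCbot.FH artifacts found on this host.'
} else {
    $findings | Format-List
}
```

Run it in the user session that is suspected to be infected, since both the Run key and the mutex are per-user/per-session. The connection to 144.132.216.78:3086 is better caught on the network side (proxy, firewall or DNS logs for the no-ip domain) than on the host; the DNS-cache check here only catches a recent lookup that has not yet expired.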