A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5605  by EP_X0FF
 Wed Mar 23, 2011 11:07 am
@Striker

Forum rules: Malware samples and links to malware are permitted, but you must obfuscate a link (i.e. hxxp://, NOT http://) and clearly show that a link is malware. This is to ensure people don't accidentally infect themselves.

Your post has been edited.
 #5662  by Meriadoc
 Sat Mar 26, 2011 11:27 am
XP Anti-Spyware 2011

XP Anti-Spyware 2011; couldn't find it here, so:

I haven't run this, but here is an old pic; basically the same with a change of date.

VT - http://www.virustotal.com/file-scan/rep ... 1300956690 22/43
Attachments
pass=malware
(251.2 KiB) Downloaded 83 times
Last edited by EP_X0FF on Sat Apr 16, 2011 8:14 am, edited 2 times in total. Reason: Title edited
 #5667  by peet
 Sat Mar 26, 2011 9:16 pm
XP antispyware 2011 is an odd beast.

Disables Malwarebytes, MSE
Disables Firewall and updates
Blocks websites

But:
Runs in VMware; you can run installed software like CCleaner or a debugger (wut?)

After RKill and starting Mbam, it does remove this rogue, but leaves a damaged Windows Update, a damaged service which you cannot turn on.
 #5668  by SUPERIOR
 Sat Mar 26, 2011 11:25 pm
@peet Completely agree with ... Has anyone else analyzed it? I tested it and something fishy was going on; it's like a rootkit :shock:
I got this:
suspicious: \\?\globalroot\device\harddiskvolume1\windows\temp\srvc04.tmp
which I guess is a DLL that runs under the "svchost" process
 #5688  by bitx
 Mon Mar 28, 2011 12:48 pm
MS Removal Tool

Attachments
pass=malware
(294.83 KiB) Downloaded 89 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:54 am, edited 1 time in total. Reason: Screenshot resized to be more accurate
 #5712  by Xylitol
 Tue Mar 29, 2011 7:22 am
yumm anti vmware :)

ascii dump:
00A31FF0  ¾.ú–Ø)ÌgWNDS-S0DF5-GS5E0-FG14S-2DF8G¦..WNDS-JUYH3-24GHJ-
00A32030  HGKSH-FKLSD¦..WNDS-89OF7-7324R-5SAD4-TG68U¦..WNDS-HFVDR-9844O-U5
00A32070  4DA-5TBSC¦..WNDS-G8FB6-1V87S-DRT1S-63SRG¦..WNDS-4BGY2-JY4KO-IT98
00A320B0  Y-7HJ43¦..WNDS-5D1V2-XB0D5-JT1TY-97DS3¦..WNDS-F40SA-1ER5H-4FG5D-
00A320F0  F8412¦..WNDS-SERFH-2642S-F04SD-64FG1¦..WNDS-S0DF5-GS5E0-FG14S-2D
00A32130  F8G¦..WNDS-452S3-ER00F-TSE35-S8FSD¦..WNDS-FGS5D-649RG-4S53D-412S
00A32170  F¦..WNDS-4TS8R-D6F5D-4JH8T-U4JK5¦..WNDS-2AE32-1VFC2-B6894-G67YU¦
00A321B0  ..WNDS-P9685-4H41A-DSW3A-2R64T¦..WNDS-5SRTS-AEHUF-YA54S-D6F35¦..
00A321F0  WNDS-A1SDF-RY4E8-7U98D-F1GB2¦..WNDS-A1SDF-6AS4D-RF5RE-79G84¦..WN
00A32230  DS-TTUYJ-7UO54-G561H-J1D6F¦..WNDS-G84H6-S854F-79ZA8-W4ERS¦..WNDS
00A32270  -6W954-FX65B-41VDF-8G4JI¦..WNDS-U94KO-LF4G4-1V8S1-2CRFE¦..WNDS-T
00A322B0  GN15-RFF29-AASDJ-ASD65¦..AAAA-BBBBB-CCCCC-DDDDD-EEEEE¦..........
 #5733  by Xylitol
 Tue Mar 29, 2011 7:51 pm
Attachments
See archive comment for password
(325.95 KiB) Downloaded 64 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:55 am, edited 1 time in total. Reason: Title edited
 #5777  by EP_X0FF
 Fri Apr 01, 2011 4:00 am
XP Anti-Spyware

The same "XP Anti-Spyware" as posted above, but without "2011" in the name :) Has RU/UA origin.

d/l hxxp://109.94.220.52/lol2.exe

https://www.virustotal.com/file-scan/re ... 1301628843

Nothing really special; detections and their descriptions are embedded as an array of text strings and it chooses them randomly.

Runs through
HKCU\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
HKCU\Software\Classes\.exe\Shell\Open\Command\(Default) as "X:\Documents and Settings\User\Local Settings\Application Data\xov.exe" -a "%1" %*"

So after removal you need to manually fix these entries ("%1" %*), otherwise .exe files won't start anymore.
Attachments
pass: malware
(256.92 KiB) Downloaded 57 times
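As an added example (not code from this post or from any forum member), a read-only Python audit of the two HKCU keys named above: it classifies each (Default) value as the stock "%1" %*, as a wrapper that runs another executable first (the xov.exe case quoted in the post), or as unusual. The registry read uses the standard winreg module and so only works on Windows; the classifier itself runs anywhere.

```python
"""Audit the per-user .exe handler that the rogue above hijacks.

Stock Windows maps .exe to exefile, whose open command is "%1" %* (the
clicked program plus its arguments). A wrapper placed in front of "%1" %*
runs on every .exe launch, so deleting its file leaves .exe unable to start.
"""
import re

# Keys named in the post; a HKCU\Software\Classes entry overrides the HKLM one.
HIJACK_KEYS = (
    r"Software\Classes\exefile\shell\open\command",
    r"Software\Classes\.exe\shell\open\command",
)
CLEAN_COMMAND = '"%1" %*'


def audit_exefile_command(value):
    """Classify one (Default) value -> (status, wrapper_path_or_None).

    "clean": the stock value, or no per-user override at all (value is None).
    "hijacked": another executable runs first and "%1" %* is handed to it.
    "unusual": anything else; inspect by hand.
    """
    if value is None:
        return ("clean", None)
    v = value.strip()
    if v == CLEAN_COMMAND:
        return ("clean", None)
    wrapper = re.match(r'^"?(.+?\.exe)"?\s+.*?"%1"\s*%\*"?$', v, re.IGNORECASE)
    if wrapper:
        return ("hijacked", wrapper.group(1))
    return ("unusual", None)


def read_hkcu_default(subkey):
    """Read the (Default) value of an HKCU subkey; None when the key is absent."""
    import winreg  # Windows-only module, imported lazily so the classifier runs anywhere
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, subkey) as key:
            return winreg.QueryValueEx(key, "")[0]
    except FileNotFoundError:
        return None


def audit_current_user():
    """Audit both keys for the current user. Read-only: it changes nothing."""
    return {k: audit_exefile_command(read_hkcu_default(k)) for k in HIJACK_KEYS}
```

On a Windows host, audit_current_user() returns a dict keyed by subkey; anything reported as "hijacked" should have its (Default) restored to "%1" %* (or the HKCU override removed) after the rogue is gone.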
 #5797  by Xylitol
 Sat Apr 02, 2011 8:54 am
Attachments
See archive comment for password
(918.31 KiB) Downloaded 70 times