A forum for reverse engineering, OS internals and malware analysis 

Malware/AutoIt

Forum for analysis and discussion about malware.

Misc critter Gen/Heur detections VT 8/43

 #7740  by fatdcuk
 Thu Jul 28, 2011 9:29 pm
Nothing special just weird these types of pages been about for a while now and not may vendors tracking them it would seem..

Java loader start
Code: Select all
http://leechpro.tk/
Payload
Code: Select all
http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
Attachments
No password** >>> kind of sucks typing different PW's to extract files day in day out! If resident AV alerts to it select ignore and no need to forward it them lols + if your prone to decompressing and executing a zipped trojan by accident...lay off the caffeine and get some needed sleep :P
(389.08 KiB) Downloaded 60 times

Re: Malware/AutoIt

 #8024  by EP_X0FF
 Mon Aug 15, 2011 10:47 am
markusg wrote:this time no error messages
but its done nothing here
SerialsPart1-Htxt.puorG.EXE
http://www.virustotal.com/file-scan/rep ... 1313400261
This is funny sample, as you see its using unicode name text reverting to look like text file.
It starts firefox.exe or iexplore.exe copy - browser names are hardcoded, then it tries to write something into their memory, all fails here.

Re: Misc critter Gen/Heur detections VT 8/43

 #8152  by Wack0
 Fri Aug 19, 2011 4:17 pm
fatdcuk wrote:Nothing special just weird these types of pages been about for a while now and not may vendors tracking them it would seem..

Java loader start
Code: Select all
http://leechpro.tk/
Payload
Code: Select all
http://dl.dropbox.com/u/27300888/update.exe
http://www.virustotal.com/file-scan/rep ... 1311881026
this is version 2 of some kind of irc bot coded in autoit. it gets the config from either
Code: Select all
http://www.vtp1hero.xlphp.net/Info.php
or
Code: Select all
http://dl.dropbox.com/u/27300888/Info.php
which it saves to %windir%\server.txt but both links are down right now.
it then puts the config into an array, seperated by spaces.
5th parameter shows the latest bot version. if it's later than the current version it gets the latest binary from the above two links, s/Info.php/update.exe
it then connects to the server which is in the 2nd param in config, with the port in the 3rd param, and joins the channel that;s in the 5th param.

The botmaster can show the list of processses, kill a process, shutdown/logoff/restart bots, screen capture (which will be uploaded to an ftpd), run a program, modify the registry, ...

and oh yeah, login password is hardcoded to be 18091989vutanphat - :)

Also, the nick is VTR-<6 random characters, uppercase A to Z>
 Return to “Malware”