A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3843  by EP_X0FF
 Sun Dec 05, 2010 11:29 am
Well, you are right :) This is a trojan similar to your previously posted bankers. More info will come soon :)

Crypted Delphi binary; the upper layer requires the .NET framework.

Copies itself to c:\documents and settings\username\application data\microsoft\svchost.exe
Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run

When started, it executes a new copy of Internet Explorer and maps the payload DLL into it.
The payload does most of the job, including spreading through USB devices.

The following string data was discovered inside the payload.
kernel32.dll Urlmon.dll Shell32.dll GetProcAddress URLDownloadToFileA ShellExecuteA \Microsoft\ UPCOMP||*|| open
PING||*||
UDPStart||*||
DOWNCOMP||*||
IDLE||*||
USB||*||Infected Drive
FOX||*||
PONG||*||
SYNStart||*||
firstconnect||*||
:\autorun.inf [autorun]
shell=verb
open=
action=Open folder to view files shell\open=Open icon=%SystemRoot%\system32\SHELL32.dll,4
ddoser
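The two artifacts in the post that are easiest to turn into a check are the Run-key entry pointing at an svchost.exe copy under Application Data and the autorun.inf template (folder-open action text, SHELL32.dll,4 icon, an open verb). The script below is an added example, not code from the thread or from the sample; it parses a constructed Run-key dump and constructed autorun.inf texts (the RECYCLER\svchost.exe path and the SAMPLE_*/BENIGN_* values are made up for illustration) and reports the indicators.

```python
"""Detection helper for the persistence and USB-spreading artifacts described above.
Added example with constructed inputs; not part of the original post."""
import ntpath
import re

# Binaries that legitimately live only in the Windows system directory.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed HKCU\...\Run dump (value name -> command), mimicking the post.
SAMPLE_RUN_VALUES = {
    "svchost": r"C:\Documents and Settings\user\Application Data\Microsoft\svchost.exe",
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}

# Constructed autorun.inf in the style of the strings found in the payload.
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\svchost.exe
shell\\open=Open
shell\\open\\command=RECYCLER\\svchost.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\SHELL32.dll,4
"""

# Constructed benign autorun.inf: label and icon only, launches nothing.
BENIGN_AUTORUN = """[autorun]
label=Photos
icon=photos.ico
"""

FOLDER_ICON = re.compile(r"shell32\.dll,\s*[34]\s*$", re.IGNORECASE)


def _exe_from_command(cmd):
    """Extract the executable path from a Run-key command (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r".*?\.exe", cmd, re.IGNORECASE)
    return m.group(0) if m else cmd.split()[0]


def suspicious_run_entries(run_values):
    """Return {value name: [reasons]} for Run entries worth a closer look."""
    hits = {}
    for name, cmd in run_values.items():
        exe = _exe_from_command(cmd)
        base = ntpath.basename(exe).lower()
        folder = ntpath.dirname(exe).lower()
        reasons = []
        if base in SYSTEM_BINARY_NAMES and not folder.endswith(("\\system32", "\\syswow64")):
            reasons.append("system binary name outside the system directory")
        if "\\application data\\" in folder + "\\" or "\\appdata\\" in folder + "\\":
            reasons.append("launched from a user profile data directory")
        if reasons:
            hits[name] = reasons
    return hits


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section; keys are lowercased."""
    entries, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autorun_findings(text):
    """List the indicators that make an autorun.inf look like a USB worm dropper."""
    e = parse_autorun_inf(text)
    findings = []
    launch_keys = [k for k in ("open", "shellexecute") if e.get(k)]
    launch_keys += [k for k in e if k.startswith("shell\\") and k.endswith("\\command") and e[k]]
    if launch_keys:
        findings.append("launches a program via: " + ", ".join(launch_keys))
    if "open folder to view files" in e.get("action", "").lower():
        findings.append("action text mimics the Windows folder-open prompt")
    if FOLDER_ICON.search(e.get("icon", "")):
        findings.append("icon spoofs the stock folder icon")
    return findings


def autorun_verdict(text):
    """Suspicious when the file both launches something and disguises itself."""
    f = autorun_findings(text)
    return any(x.startswith("launches") for x in f) and len(f) >= 2


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(name, "->", "; ".join(reasons))
    print("sample autorun.inf suspicious:", autorun_verdict(SAMPLE_AUTORUN), autorun_findings(SAMPLE_AUTORUN))
    print("benign autorun.inf suspicious:", autorun_verdict(BENIGN_AUTORUN))
```

The Run-key check deliberately flags two independent things, a system-binary name in the wrong place and any autostart from a profile data directory, so a renamed copy still trips the second rule. Feed it real data by exporting the Run key and reading each removable drive's root autorun.inf.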
 #3847  by EP_X0FF
 Sun Dec 05, 2010 2:01 pm
Not exactly. However, it works like the previous one -> drops itself into autorun through HKCU\Software\Microsoft\Windows\CurrentVersion\Run, maps payload code (392 Kb) into Internet Explorer memory.

By the specific patterns found inside
_x_X_PASSWORDLIST_X_x_
_x_X_UPDATE_X_x_
_x_X_BLOCKMOUSE_X_x_

this malware is recognized as a P2P-Worm.Win32.Palevo modification.
 #3876  by EP_X0FF
 Wed Dec 08, 2010 11:21 am
markusg wrote: next one:
http://www.virustotal.com/file-scan/rep ... 1291631825
Real size is about 80 Kb. Found nothing except a funny PDB string.
C:\Users\sherry\documents\visual studio 2010\Projects\CrackerJack\CrackerJack\obj\x86\Release\CrackerJack.pdb
 #3955  by EP_X0FF
 Sun Dec 12, 2010 3:50 pm
Thread split, .NET based malware (Keygen/CCleaner samples) discussion moved to Mal/MSIL-BA thread.