A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4486  by EP_X0FF
 Sun Jan 16, 2011 1:25 pm
It drops something, winrar.exe, which renames itself to logon.exe and runs through the HKCU\....\Run registry key. The payload DLL extracted from VBC.exe is attached.
Attachments
pass: malware
(248.74 KiB) Downloaded 38 times
pass: malware
(414.23 KiB) Downloaded 38 times
 #4563  by EP_X0FF
 Wed Jan 19, 2011 10:21 am
markusg wrote: WinInstall.exe
http://www.virustotal.com/file-scan/rep ... 1295375352
That's Spatet. Same winlogon.exe execution, with the payload PWS DLL written in Delphi. Additionally, it works like an Autorunner worm.

Posts moved.