A forum for reverse engineering, OS internals and malware analysis 

 #4225  by EP_X0FF
 Sun Jan 02, 2011 6:04 am
This is a trojan password stealer written in Delphi and crypted by VB crap with an invalid import directory thunk.

It includes detection of several debuggers and sandboxes:
\\.\Syser
\\.\SyserDbgMsg
\\.\SyserBoot
\\.\SICE
\\.\NTICE
VBoxService.exe
SbieDll.dll
Affected software:
RasDialer
Internet Explorer
Mozilla Firefox
Windows Messenger
 #4243  by EP_X0FF
 Mon Jan 03, 2011 12:27 pm
Drops copy to %Program Files% as winlogon.exe, drops some executable dll into temp folder as txt file. Typical VB trash.
 #4599  by EP_X0FF
 Fri Jan 21, 2011 2:56 am
markusg wrote: Codec v2.001.exe
http://www.virustotal.com/file-scan/report.html?id=08ff5392e4979dcbdbaba48c1f82db09e925ee765dc227c0c45348761d9958d4-1295549255
VB downloader/clicker

payload
hxxp://divxprocodec.com/znkalinks.txt
//Country Codes must be kept in same order
usa:
babylon:hxxp://reactmedia.go2jump.org/aff_c?offer_id=85&aff_id=35
pagerage:hxxp://reactmedia.go2jump.org/aff_c?offer_id=375&aff_id=35
webfetti:hxxp://reactmedia.go2jump.org/aff_c?offer_id=381&aff_id=31
dropdown:hxxp://www.affiliatecashpile.net/aff_c?offer_id=1984&aff_id=3518
uk:
babylon:hxxp://reactmedia.go2jump.org/aff_c?offer_id=85&aff_id=35
pagerage:hxxp://reactmedia.go2jump.org/aff_c?offer_id=376&aff_id=35
webfetti:hxxp://reactmedia.go2jump.org/aff_c?offer_id=382&aff_id=31
ca:
pagerage:hxxp://reactmedia.go2jump.org/aff_c?offer_id=318&aff_id=35
webfetti:hxxp://reactmedia.go2jump.org/aff_c?offer_id=384&aff_id=31
END:
thread moved to other vb trash
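An added parser for the znkalinks.txt-style config quoted above, so the affiliate hosts can be pulled out for blocklisting or alerting; this is example code, not from the post or the sample. It assumes the format seen there: `//` comment lines, a bare `code:` line opening a country section (`END:` terminating), and `name:url` entries with defanged `hxxp` URLs. The sample input is constructed with placeholder hosts.

```python
"""Parser for the znkalinks.txt-style clicker config (assumed format, see lead-in)."""
from urllib.parse import urlsplit

# Constructed sample in the same shape as the post's config, with placeholder hosts.
SAMPLE = """//Country Codes must be kept in same order
usa:
babylon:hxxp://ads.example.invalid/aff_c?offer_id=85&aff_id=35
pagerage:hxxp://ads.example.invalid/aff_c?offer_id=375&aff_id=35
uk:
babylon:hxxp://ads.example.invalid/aff_c?offer_id=85&aff_id=35
dropdown:hxxp://www.other.example.invalid/aff_c?offer_id=1984&aff_id=3518
END:
ignored:hxxp://after.end.example.invalid/
"""


def refang(url):
    """Turn the defanged hxxp(s):// scheme back into http(s):// so urllib can parse it."""
    if url.startswith("hxxps://"):
        return "https://" + url[len("hxxps://"):]
    if url.startswith("hxxp://"):
        return "http://" + url[len("hxxp://"):]
    return url


def parse_clicker_config(text):
    """Return {country: {name: url}}; parsing stops at the END: marker."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        # First colon separates the key from the value; URLs contain later colons.
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate a malformed line rather than abort
        if value == "":  # bare 'code:' line is a section header
            if name == "END":
                break
            current = sections.setdefault(name, {})
        elif current is not None:  # entries before any header are dropped
            current[name] = refang(value)
    return sections


def blocklist_hosts(sections):
    """Distinct hostnames across all entries: the part a defender would block or alert on."""
    return sorted({urlsplit(u).hostname for e in sections.values() for u in e.values()})
```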