A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15955  by thisisu
 Thu Oct 11, 2012 9:16 pm
thisisu wrote: Isn't working for me on a VM. Will try tomorrow on a live machine.
Isn't working for me even on a live machine. Tried Win 7 x64. The dropper goes into a temp folder as something like A3.tmp but disappears after a reboot.
 #15961  by rkhunter
 Fri Oct 12, 2012 10:32 am
Hope it will be useful for someone.
Attached: the dropper and the decrypted dropper (with fixed imports).

As we know, it does not infect the VBR on WXP x86, nor on W7 x86 either... but it does contain code for VBR infection (with the help of the usual IOCTL_SCSI_PASS_THROUGH_DIRECT):


Dropper
SHA256: cb45edce8374b316b93ed7cd2f4cf3e774996a053d7fafa52674eff0e921ba2f
SHA1: 63291b0b5a00836bef8eb503c843a8aad024a4da
MD5: eddfd9618010fc3cdd76d6beeab4ca8e

Also note that dropper contains:

- obfuscated code with trash instructions
- anti-emu features
- debugger checks from a huge number of functions
- calling key functions via stack modification to hide the code flow
Attachments
pass:infected
(819.77 KiB) Downloaded 107 times
pass:infected
(873.53 KiB) Downloaded 132 times
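The VBR-infection routine above uses IOCTL_SCSI_PASS_THROUGH_DIRECT so the raw sector write goes straight to the port driver, below any filter drivers (and below the rootkit's own hooks, if it has any). The same trick works in the other direction for a check: read the VBR once through the normal disk device and once through SCSI pass-through, and compare. If a MaxSS/SST-style rootkit is filtering the disk stack to hide a modified boot sector, the two reads differ. The block below is an added example written for this thread; it is not code from the sample or from any post. It assumes an MBR-partitioned disk 0 with 512-byte sectors, a handle opened with read and write access (required for the pass-through IOCTL) and Administrator rights. The portable helpers (MBR parsing, READ(10) CDB construction, sector compare) compile anywhere; only the part under `#ifdef _WIN32` talks to the disk.

```c
/* Added example, not from the forum post or the sample: read the VBR through the
 * normal storage stack and through IOCTL_SCSI_PASS_THROUGH_DIRECT, then compare.
 * Assumptions: MBR disk 0, 512-byte sectors, Administrator, handle opened R/W. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR 512

/* Starting LBA of MBR partition entry 0 (entry at 0x1BE, little-endian
 * 32-bit LBA at offset 8 inside it), or 0 if the 0x55AA signature is missing. */
uint32_t mbr_first_partition_lba(const uint8_t *mbr)
{
    if (mbr[510] != 0x55 || mbr[511] != 0xAA)
        return 0;
    const uint8_t *e = mbr + 0x1BE;
    return (uint32_t)e[8] | (uint32_t)e[9] << 8 |
           (uint32_t)e[10] << 16 | (uint32_t)e[11] << 24;
}

/* Fill a 10-byte SCSI READ(10) CDB: opcode 0x28, big-endian LBA in bytes 2..5,
 * big-endian transfer length (sectors) in bytes 7..8. */
void build_read10_cdb(uint32_t lba, uint16_t nsectors, uint8_t cdb[10])
{
    memset(cdb, 0, 10);
    cdb[0] = 0x28;
    cdb[2] = (uint8_t)(lba >> 24); cdb[3] = (uint8_t)(lba >> 16);
    cdb[4] = (uint8_t)(lba >> 8);  cdb[5] = (uint8_t)lba;
    cdb[7] = (uint8_t)(nsectors >> 8); cdb[8] = (uint8_t)nsectors;
}

/* Offset of the first differing byte between two sectors, or -1 if identical. */
int first_sector_diff(const uint8_t *a, const uint8_t *b)
{
    for (int i = 0; i < SECTOR; i++)
        if (a[i] != b[i]) return i;
    return -1;
}

/* Self-check on a constructed (fake) MBR whose first partition starts at LBA 2048.
 * Returns that LBA when parsing and CDB encoding agree, -1 otherwise. */
int selfcheck_constructed_mbr(void)
{
    uint8_t mbr[SECTOR] = {0}, cdb[10];
    mbr[510] = 0x55; mbr[511] = 0xAA;
    mbr[0x1BE + 9] = 0x08;                     /* LBA 0x00000800 = 2048 */
    uint32_t lba = mbr_first_partition_lba(mbr);
    build_read10_cdb(lba, 1, cdb);
    if (cdb[0] != 0x28 || cdb[4] != 0x08 || cdb[5] != 0x00 || cdb[8] != 1)
        return -1;
    return (int)lba;
}

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>

struct spt_req { SCSI_PASS_THROUGH_DIRECT sptd; UCHAR sense[32]; };

/* One sector via READ(10) sent with IOCTL_SCSI_PASS_THROUGH_DIRECT (bypasses
 * upper filter drivers). The data buffer must satisfy the device alignment. */
static int read_sector_spt(HANDLE h, uint32_t lba, uint8_t *out)
{
    struct spt_req req; DWORD ret = 0;
    memset(&req, 0, sizeof req);
    req.sptd.Length = sizeof(SCSI_PASS_THROUGH_DIRECT);
    req.sptd.CdbLength = 10;
    req.sptd.SenseInfoLength = sizeof req.sense;
    req.sptd.SenseInfoOffset = (ULONG)offsetof(struct spt_req, sense);
    req.sptd.DataIn = SCSI_IOCTL_DATA_IN;
    req.sptd.DataTransferLength = SECTOR;
    req.sptd.TimeOutValue = 10;
    req.sptd.DataBuffer = out;
    build_read10_cdb(lba, 1, req.sptd.Cdb);
    if (!DeviceIoControl(h, IOCTL_SCSI_PASS_THROUGH_DIRECT, &req, sizeof req,
                         &req, sizeof req, &ret, NULL))
        return -1;
    return req.sptd.ScsiStatus == 0 ? 0 : -1;
}

/* One sector through the normal stack: SetFilePointerEx + ReadFile on the disk. */
static int read_sector_file(HANDLE h, uint32_t lba, uint8_t *out)
{
    LARGE_INTEGER off; DWORD n = 0;
    off.QuadPart = (LONGLONG)lba * SECTOR;
    if (!SetFilePointerEx(h, off, NULL, FILE_BEGIN)) return -1;
    return (ReadFile(h, out, SECTOR, &n, NULL) && n == SECTOR) ? 0 : -1;
}

int main(void)
{
    HANDLE h = CreateFileA("\\\\.\\PhysicalDrive0", GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) { puts("open failed (run as Administrator)"); return 1; }
    /* Page-aligned buffers satisfy both the raw ReadFile and pass-through rules. */
    uint8_t *mbr = VirtualAlloc(NULL, SECTOR, MEM_COMMIT, PAGE_READWRITE);
    uint8_t *a   = VirtualAlloc(NULL, SECTOR, MEM_COMMIT, PAGE_READWRITE);
    uint8_t *b   = VirtualAlloc(NULL, SECTOR, MEM_COMMIT, PAGE_READWRITE);
    if (read_sector_spt(h, 0, mbr) != 0) { puts("MBR read via SPT failed"); return 1; }
    uint32_t vbr = mbr_first_partition_lba(mbr);
    if (!vbr) { puts("no MBR partition table (GPT disk?)"); return 1; }
    if (read_sector_file(h, vbr, a) || read_sector_spt(h, vbr, b)) { puts("VBR read failed"); return 1; }
    int d = first_sector_diff(a, b);
    printf("VBR at LBA %u: %s\n", vbr, d < 0 ? "identical via both paths" : "MISMATCH, disk stack is filtered");
    if (d >= 0) printf("first difference at offset 0x%x\n", d);
    CloseHandle(h);
    return d >= 0;
}
#endif
```

A mismatch only tells you something between the file system and the port driver is rewriting the sector, not what; a miniport-level hook, or a hidden volume outside partition 0 like the older MaxSS variants used, will not show up this way, and a disk encryption filter produces a legitimate mismatch.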
 #16003  by kmd
 Mon Oct 15, 2012 1:14 pm
@erikloman, @rkhunter

I'm reading this trashing thread (http://www.anti-malware.ru/forum/index. ... 4034&st=80) and wondering: does this SST.C exist or not? Does it really infect anything, or is it just the old MaxSS with a hidden volume? And does Kaspersky remove it? Asking because I'm not buying one cent of the marketing shit they are talking :D