[EP_X0FF]

Additionally to some fun posts from Xylitol

http://xylibox.blogspot.com/2011/06/spy ... -mine.html
http://xylibox.blogspot.com/search/labe ... e%201.3.45

there is the video friend of mine send me today, showing total fcukup of SpyEye hiding, and stuff that SpyEye author Gribodemon added for Rapport bypass etc.

Video recorded in Flash format, so you need proper media player to view it, enjoy.

[markusg]

Recycle.Bin.exe
http://www.virustotal.com/file-scan/rep ... 1308155408

[EP_X0FF]

Recycle.Bin.exe
http://www.virustotal.com/file-scan/rep ... 1308155408

v1.3

Fake gate used in attempt to discredit trackers.

Unpacked (removed crypter and UPX) in attach.

http://www.virustotal.com/file-scan/rep ... 1308179622

[markusg]

http://www.virustotal.com/file-scan/rep ... 1308235968

[EP_X0FF]

Courtesy of abuse.ch

Gates:

hxxp://djayw.net.in/wow/gate.php;90
hxxp://ipwnbotsforfun.net.in/images/gate.php;90p

Attached dropper, fully unpacked dropper, decrypted config.

http://www.virustotal.com/file-scan/rep ... 1308234830
http://www.virustotal.com/file-scan/rep ... 1303906933
http://www.virustotal.com/file-scan/rep ... 1305801988
http://www.virustotal.com/file-scan/rep ... 1308236546

[EP_X0FF]

http://www.virustotal.com/file-scan/rep ... 1308235968

Ukrainian bot (greets also for fake av's)

Gate:

hxxp://194.44.157.130/~brbrabr2/gate.php;300

http://www.virustotal.com/file-scan/rep ... 1308237100

Unpacked in attach.

[markusg]

Ukrainian bot? never heard about it, have you additional infos perhaps?

[EP_X0FF]

This gate located in Ukraine. However likely and botmaster can be also.
Most of currently available fakeav developed in Ukraine.

[EP_X0FF]

Courtesy of abuse.ch

v1.2.9

Gate:

hxxp://www.koburana.ru/m9-main/gate.php

Decrypted config password CFE00A774281F135702289DB2250DB14

http://www.virustotal.com/file-scan/rep ... 1308258129

v1.3.x

Gate:

hxxp://212.124.127.237/punto/got.php;90

Decrypted config password 188C03F3E26E09EC5FDC1F5312541C9A
All in attach.

http://www.virustotal.com/file-scan/rep ... 1308258129

[EP_X0FF]

This one new, hot and .. :)

Plugins:

block.dll (https://*.royalbank.com/cgi-bin/*ClientSignin* http://musicallive.nl/files/index.html)
ccgrabber.dll
customconnector.dll
ftpbc.dll (back connect %BOTNAME%;212.150.164.206;25;3000;0)
ffcertgrabber.dll (still looking for sww, gostev and z0mbie)
rdp.dll (212.150.164.206:443;randomword123;systemadmin2;secretpass123;http://www.cushyhost.com/download.php?img=76), downloads portable TotalCommander
socks5.dll (%BOTNAME%;212.150.164.206;110;3000;0)
SpySpread.dll

spySpreader owned you

yeah, infa 101.2%

[admin]
state=off
panel=hxxp://www.xxx.ru/stats/a.php

[spread]
state=on
tinyurl=off
msg=check this out,a new facebook feature hxxp://facebook-vote.com/forum.php?tp=ed402b19f555ec1d
inject=on
count=#

[usb]
state=on
proc=explorer.exe
sonar=on
lnk=on
file=csrss.exe

Gates:

hxxp://212.150.164.206/email/gate.php;30
hxxp://somerandomtrafficdomain.com/email/gate.php;30

Dropper crypted, starts new process of the itself, unpacks some code inside and transfer control to new copy which is responsible for actual payload decompress and execution.
Contains few checks of the VM execution.