A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #16004  by rkhunter
 Mon Oct 15, 2012 1:20 pm
ha ha ha, trashing completely on a pro-Kaspersky forum... at least it's a new version/modification of Alureon and the MS classification confirms it -

Detection initially created:
Released: Aug 28, 2012

Detection last updated:
Released: Oct 08, 2012

http://www.microsoft.com/security/porta ... Alureon.FV
 #16005  by rkhunter
 Mon Oct 15, 2012 1:22 pm
rkhunter wrote:ha ha ha, trashing completely on a pro-Kaspersky forum... at least it's a new version/modification of Alureon and the MS classification confirms it -

Detection initially created:
Released: Aug 28, 2012

Detection last updated:
Released: Oct 08, 2012

http://www.microsoft.com/security/porta ... Alureon.FV
And as we can see on the screenshot above, it writes 8192 bytes, which corresponds to the usual size of a VBR modification.
 #16007  by rkhunter
 Mon Oct 15, 2012 3:23 pm
If I remember correctly, Mr. Vaber already said that they would take samples for their "independent tests" from kernelmode...
...but now he says that kernelmode is a low-trust forum, wtf?? - "kernelmode trolling like a BOSS"?? I hope he thinks before saying this.

 #16008  by sww
 Mon Oct 15, 2012 3:29 pm
rkhunter wrote:If I remember correctly, Mr. Vaber already said that they would take samples for their "independent tests" from kernelmode...
Artem, please stop this bullshit, you're not in drweb anymore.
 #16010  by sww
 Mon Oct 15, 2012 3:53 pm
rkhunter wrote:@sww Why are you talking about Dr.Web?
'Coz you're talking about Mr. Vaber, anti-malware.ru and Kaspersky Lab. And about all those myths distributed by drweb... Please read all the posts again very carefully. Especially this one.

UPD: Question from Vaber to you: Is it possible to infect system's VBR using Alureon.FV?
 #16011  by kmd
 Mon Oct 15, 2012 4:01 pm
Seems there's a lot of misunderstanding here.

sst.c, as proclaimed by erikloman and inspired by dambabla, is a mysterious new maxss variant that "infects" an already existing VBR instead of adding a new volume like the old maxss did. If you take both VBRs - the old one and the one attached there - they are different. Take the MS descriptions - Trojan:DOS/Alureon.E and Trojan:DOS/Alureon.K - different.

That's all I got from erikloman's blog post, since no one has said anything else. So the original important question is: is this true or just BS? No need to discuss tests - who believes in that trash. I want to know the truth, not science fiction. Does it exist and do exactly what is proclaimed, or is it just a morphed old variant?
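Added example, not code posted by anyone in this thread: the two behaviours kmd contrasts above (the old MaxSS appending a hidden volume at the end of the disk versus the claimed new variant patching the existing NTFS VBR in place) leave different traces, and the 8192-byte write mentioned earlier matches the size of NTFS $Boot, which is the boot sector plus bootstrap code in the first 16 sectors of the volume. The script below parses an MBR partition table and an NTFS boot sector, reports unaccounted sectors past the last partition (where an appended volume would live), runs BPB consistency checks, and diffs a known-good $Boot against a suspect one sector by sector. The disk image is constructed inline for the example (one NTFS partition at LBA 64, 3072 sectors, on a 4096-sector disk) and is not a dump of any real sample; the field offsets are the documented MBR and NTFS boot-sector layout.

```python
"""VBR/MBR bootkit triage: appended hidden volume vs. in-place VBR patch."""
import struct

SECTOR = 512
BOOT_REGION_SECTORS = 16                     # NTFS $Boot spans the first 16 sectors
BOOT_REGION_BYTES = SECTOR * BOOT_REGION_SECTORS   # 8192 bytes


def parse_mbr(mbr: bytes) -> dict:
    """Classic MBR: four 16-byte partition entries at 0x1BE, 0x55AA signature at 0x1FE."""
    parts = []
    for i in range(4):
        off = 0x1BE + 16 * i
        ptype = mbr[off + 4]
        start_lba, size = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:
            parts.append({"type": ptype, "start": start_lba, "size": size})
    return {"partitions": parts, "sig_ok": mbr[510:512] == b"\x55\xaa"}


def parse_ntfs_vbr(vbr: bytes) -> dict:
    """NTFS boot sector fields a bootkit has to keep sane for the volume to still mount."""
    return {
        "jmp": vbr[0:3],
        "oem": vbr[3:11],
        "bytes_per_sector": struct.unpack_from("<H", vbr, 0x0B)[0],
        "sectors_per_cluster": vbr[0x0D],
        "hidden_sectors": struct.unpack_from("<I", vbr, 0x1C)[0],
        "total_sectors": struct.unpack_from("<Q", vbr, 0x28)[0],
        "sig_ok": vbr[510:512] == b"\x55\xaa",
    }


def unaccounted_tail_sectors(mbr_info: dict, disk_sectors: int) -> int:
    """Sectors after the last partition: the room an appended hidden volume (old MaxSS) uses."""
    parts = mbr_info["partitions"]
    end = max(p["start"] + p["size"] for p in parts) if parts else 1
    return disk_sectors - end


def vbr_anomalies(vbr_info: dict, part_start: int, part_size: int) -> list:
    """Cheap BPB checks. Empty list only means the BPB looks like what NTFS wrote."""
    issues = []
    if vbr_info["oem"] != b"NTFS    ":
        issues.append("oem id is not 'NTFS    '")
    if vbr_info["bytes_per_sector"] != SECTOR:
        issues.append("bytes per sector != 512")
    if vbr_info["hidden_sectors"] != part_start:
        issues.append("hidden sectors != partition start LBA")
    if vbr_info["total_sectors"] >= part_size:   # NTFS keeps a backup boot sector in the last sector
        issues.append("total sectors not smaller than partition")
    if not vbr_info["sig_ok"]:
        issues.append("missing 0x55AA signature")
    return issues


def changed_sectors(clean: bytes, suspect: bytes) -> list:
    """Indices of $Boot sectors that differ between a known-good image and a suspect one."""
    return [i for i in range(BOOT_REGION_SECTORS)
            if clean[i * SECTOR:(i + 1) * SECTOR] != suspect[i * SECTOR:(i + 1) * SECTOR]]


def make_boot_region(part_start: int, part_size: int) -> bytes:
    """Constructed $Boot for the sample partition (stand-in bootstrap code, real field layout)."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x52\x90"                   # JMP short / NOP, as the NTFS loader starts
    bs[3:11] = b"NTFS    "
    struct.pack_into("<H", bs, 0x0B, SECTOR)
    bs[0x0D] = 8                                # 4 KiB clusters
    struct.pack_into("<I", bs, 0x1C, part_start)
    struct.pack_into("<Q", bs, 0x28, part_size - 1)
    bs[0x54:0x1FE] = bytes((i * 13 + 5) & 0xFF for i in range(0x1FE - 0x54))  # loader code area
    bs[510:512] = b"\x55\xaa"
    code = bytes((i * 7) & 0xFF for i in range(SECTOR)) * (BOOT_REGION_SECTORS - 1)
    return bytes(bs) + code


def build_sample():
    """Constructed sample, not a real dump: 4096-sector disk, NTFS partition at LBA 64 of 3072 sectors."""
    part_start, part_size = 64, 3072
    mbr = bytearray(SECTOR)
    struct.pack_into("<BBBBBBBBII", mbr, 0x1BE, 0x80, 0, 0, 0, 0x07, 0, 0, 0, part_start, part_size)
    mbr[510:512] = b"\x55\xaa"
    clean = bytearray(make_boot_region(part_start, part_size))
    infected = bytearray(clean)
    infected[0x54:0x1FE] = b"\x90" * (0x1FE - 0x54)   # loader code replaced, BPB (0x0B-0x53) kept intact
    infected[8 * SECTOR:] = b"\xcc" * (8 * SECTOR)    # payload parked in $Boot sectors 8..15
    foreign = bytearray(clean)
    struct.pack_into("<I", foreign, 0x1C, 2048)        # VBR copied from a volume that began at LBA 2048
    return bytes(mbr), bytes(clean), bytes(infected), bytes(foreign)


if __name__ == "__main__":
    mbr, clean, infected, foreign = build_sample()
    info = parse_mbr(mbr)
    print("unaccounted tail sectors:", unaccounted_tail_sectors(info, 4096))
    print("in-place patch, BPB anomalies:", vbr_anomalies(parse_ntfs_vbr(infected), 64, 3072))
    print("in-place patch, changed $Boot sectors:", changed_sectors(clean, infected))
    print("foreign VBR, BPB anomalies:", vbr_anomalies(parse_ntfs_vbr(foreign), 64, 3072))
```

The point the sample makes: an in-place patch that leaves the BPB alone passes every field check, so it is only visible by comparing the whole 8192-byte $Boot region against a known-good copy (or against the backup boot sector), whereas an appended volume shows up as space past the last partition entry and, if its VBR was cloned, as a hidden-sectors value that does not match the partition start.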
 #16012  by rkhunter
 Mon Oct 15, 2012 4:07 pm
sww wrote:
rkhunter wrote:@sww Why are you talking about Dr.Web?
'Coz you're talking about Mr. Vaber, anti-malware.ru and Kaspersky Lab. And about all those myths distributed by drweb... Please read all the posts again very carefully. Especially this one.
I said nothing about Kaspersky Lab in this context, as you can see... and I don't know him personally; as I see it, he is an expert at anti-malware and he said:
Do not trust some persons on kernelmode [he means, at least, Erik Loman (LOL!) and, probably, me]. There is no sst.c which infects the VBR...
Don't you think that this is incorrect behaviour??