A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #10634  by rkhunter
 Wed Dec 28, 2011 7:32 am
Super AV

MS: Rogue:Win32/Naparb

Image

Image

It copies itself to %windir%\kfpckaun.exe. Runs from HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Security".
Seems written in Delphi.
SOFTWARE\Borland\Delphi\RTL
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Serial number is already in use
The serial number: 8425-3952-7321-4410 is already in use!
Serial number is wrong
The serial number you have entered is incorrect!
ZYYd
- License Manager
To activate
, you must own a serial number that you can buy easily by clicking Purchase License. After you buy a serial number, you need to wait 24 hours for the serial and information to be emailed to the email address you provide on the purchase form.
QQQQQS
ZYYd
- License Manager
To activate
, you must own a serial number that you can buy easily by clicking Purchase License. After you buy a serial number, you need to wait 24 hours for the serial and information to be emailed to the email address you provide on the purchase form.
Continuing without protection and removal of viruses may cause serious damage to your computer! Continue?
- Malware detected
What is
About
Why is
one of the best antiviruses today?
What advantages do I gain by purchasing
Why can`t I remove the viruses
detects?
Please click the 'Update now' button if you would like to download the newest database definitions.
To download this specific database, an internet connection and activated software is required. Are you sure you would like to continue?
To activate this antivirus program, you must own a serial number that you can buy easily by clicking Purchase License. After you buy a serial number, you need to wait 24 hours for the serial and information to be emailed to the email address you provide on the purchase form.
Attachments
pass:malware
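A defender-side check for the two persistence indicators reported in the post above. This is an added example, not code from the thread: the dropped file name and the Run value name "Security" come from the post, while the function name and the broader check for any Run entry whose executable sits directly in %windir% are my own assumptions.

```powershell
# Added example (not from the thread). Looks for the Rogue:Win32/Naparb
# persistence indicators described above; the generalised "Run entry in
# %windir%" check is an assumption about what a hunting script should flag.
function Test-NaparbIndicators {
    $findings = @()

    # 1. Dropped copy in the Windows directory: %windir%\kfpckaun.exe (from the post)
    $dropPath = Join-Path $env:windir 'kfpckaun.exe'
    if (Test-Path -LiteralPath $dropPath) {
        $item = Get-Item -LiteralPath $dropPath
        $findings += [pscustomobject]@{
            Indicator = 'DroppedFile'
            Detail    = $dropPath
            Extra     = "Size=$($item.Length) Created=$($item.CreationTime)"
        }
    }

    # 2. Autorun value named "Security" under HKLM\...\Run (from the post)
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $sec = Get-ItemProperty -Path $runKey -Name 'Security' -ErrorAction SilentlyContinue
    if ($sec) {
        $findings += [pscustomobject]@{
            Indicator = 'RunValue'
            Detail    = "$runKey\Security"
            Extra     = $sec.Security
        }
    }

    # 3. Assumed generalisation: any Run entry whose executable lives directly in
    #    %windir% is suspicious, since legitimate software rarely installs there.
    $all = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($all) {
        foreach ($p in $all.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            # Extract the executable path (optionally quoted) up to and including .exe
            if ("$($p.Value)" -match '^\s*"?([^"]+?\.exe)') {
                $exe = [Environment]::ExpandEnvironmentVariables($Matches[1])
                if ((Split-Path -Parent $exe) -ieq $env:windir) {
                    $findings += [pscustomobject]@{
                        Indicator = 'RunValueInWindir'
                        Detail    = "$runKey\$($p.Name)"
                        Extra     = $exe
                    }
                }
            }
        }
    }
    return $findings
}

Test-NaparbIndicators | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the suspect host; an empty table means none of the three indicators were found.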
 #10637  by BachMinuetInG
 Wed Dec 28, 2011 10:50 am
rkhunter wrote: Super AV

MS: Rogue:Win32/Naparb
Worst one ever!
BTW: NAPARB = Napalm Rogue Builder..
 #10638  by EP_X0FF
 Wed Dec 28, 2011 11:31 am
Interesting, is it the same Napalm as the one that was on SysInternals 5 years ago? :)
 #10678  by rkhunter
 Thu Dec 29, 2011 7:55 am
Similar to XP Antispyware 2012

Security Shield

VT (8/43, 18.6%)

After installation.

Image

Scanning.

Image

Alert.

Image

Blocks programs from starting.

Image

Edit: reply from MS on the ticket -> Rogue:Win32/Winwebsec
info http://go.microsoft.com/fwlink/?linkid= ... /Winwebsec
Attachments
pass:malware
 #10684  by rough_spear
 Thu Dec 29, 2011 9:34 am
Hi All,
Another Security shield. :D

Web link - hxxp://91.196.216.59/files/20
VT link - http://www.virustotal.com/file-scan/rep ... 1325150604
3/ 42 (7.1%)

MD5 : 21dae99de85494c7cfe04c5158330322
SHA1 : 0caf1cebda1a1440180d79f559d338d7e19be651
SHA256: 79fed885c257c5e1d7ab1486ba8f01852ceeb31661e650e653359dc10c0e54d7
ssdeep: 6144:vlgLTSQ/46y8nDCtBtO0qp6PO7wygavSaWO8QD:vlOSQ/4H8IB6p2+jHvSo

Regards,

rough_spear. :twisted:
Attachments
password - malware.