A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3093  by NOP
 Sat Oct 16, 2010 1:50 pm
This sample crashes rKu when you do a code hook scan. I call it GBOT because of the internal PDB paths of the 3 dropped files; some AVs label it as a FakeAV.

http://i56.tinypic.com/9jhd3t.png
Attachments
Password: infected
 #3094  by EP_X0FF
 Sat Oct 16, 2010 2:41 pm
Thanks. This appears when rku is trying to scan for IAT hooks. Apparently the structures are damaged. I will fix that right now.
I believe this is caused incidentally by the malware cryptor.

upd.
Seems to be fixed. At least no errors anymore. The code I've changed wasn't changed since 2007.
 #3115  by NOP
 Sun Oct 17, 2010 12:16 pm
EP_X0FF wrote:The code I've changed wasn't changed since 2007.
Yeah that makes sense, I was using an older version when I first got the crash.
 #6862  by EP_X0FF
 Sat Jun 18, 2011 4:39 pm
markusg wrote:dwm.exe
http://www.virustotal.com/file-scan/rep ... 1308413525
Some AV blacklist located.
avgnt.exe Avira* ccsvchst.exe Norton* Symantec* AvastUI.exe Alwil Software* Avast* mcagent.exe
McAfee* none avira norton avast mcafee err1026 err1025 err1027 root\CIMV2 err1028 err1029
Select * from Win32_Product WQL err1030 err1031 Name AVG Avast Avira Dr.Web
Kaspersky McAfee ESET NOD32 Norton BitDefender avg bitdef kasper drweb
nod32 SOFTWARE\Microsoft\Windows Defender DisableAntiSpyware
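As an added example (not code from the thread or from any poster), a small Python triage script that pulls both ASCII and UTF-16LE strings from a buffer and flags the AV process names, the Win32_Product WQL query and the Windows Defender DisableAntiSpyware key quoted above. The byte buffer and the term lists are constructed here; the buffer merely stands in for the dropped binary.

```python
import re

# Constructed stand-in for the dropped binary (not the real sample): a few
# ASCII strings plus the same WQL query and AV names as UTF-16LE, which is the
# encoding behind the spaced-out "S e l e c t * f r o m ..." text in the post.
SAMPLE = (
    b"\x00" * 8
    + b"avgnt.exe\x00ccsvchst.exe\x00AvastUI.exe\x00mcagent.exe\x00\x00"
    + "root\\CIMV2".encode("utf-16-le") + b"\x00\x00"
    + "Select * from Win32_Product".encode("utf-16-le") + b"\x00\x00"
    + "Kaspersky".encode("utf-16-le") + b"\x00\x00"
    + b"SOFTWARE\\Microsoft\\Windows Defender\x00DisableAntiSpyware\x00"
    + b"\x90" * 6
)

# Match terms taken from the strings quoted in the post, lower-cased.
AV_TERMS = ("avira", "norton", "symantec", "avast", "mcafee", "avg", "dr.web",
            "kaspersky", "eset", "nod32", "bitdefender",
            "avgnt.exe", "ccsvchst.exe", "avastui.exe", "mcagent.exe")
TAMPER_TERMS = ("cimv2", "win32_product", "windows defender", "disableantispyware")

def extract_strings(data, min_len=4):
    """Return (encoding, text) pairs for printable ASCII and UTF-16LE runs."""
    # An ASCII-only pass misses UTF-16LE text, since every character there is
    # followed by a NUL byte; the second pattern picks those runs up.
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf16le", m.group().decode("utf-16-le")))
    return found

def triage(data):
    """Bucket strings into AV-product references and AV-tampering indicators
    (WMI product enumeration, Windows Defender policy key)."""
    report = {"av_refs": [], "tamper": []}
    for enc, text in extract_strings(data):
        low = text.lower()
        if any(t in low for t in AV_TERMS):
            report["av_refs"].append((enc, text))
        if any(t in low for t in TAMPER_TERMS):
            report["tamper"].append((enc, text))
    return report

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(bucket)
        for enc, text in hits:
            print("  [%-7s] %s" % (enc, text))
```

Run against a real dump, the UTF-16LE pass is what recovers the WQL query and the product-name list that an ASCII-only strings tool renders as one character per word.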
 #7110  by nullptr
 Thu Jul 07, 2011 10:07 am
markusg wrote:dwm.exe
http://www.virustotal.com/file-scan/rep ... 1310028203
Cycbot.B
Some internal URLs and other stuff.