A forum for reverse engineering, OS internals and malware analysis
rkhunter wrote:Guys, detailed ZeroAccess/Sirefef research by Sophos - http://sophosnews.files.wordpress.com/2 ... access.pdf.I liked this one. Very easy to understand and follow. Thanks Sophos and thanks rkhunter for sharing :D
PX5 wrote:http://www.keygendb.com/Tried five "different" files. All are Win32/Nebuler.
Any crack should do.
Iczelion Tutorial No.2 Win32 Assembly is Great! \p_sys.dll \sysclos.exe ControlService Диспетчер системных COM+ \*.dat " db %03Xh
.data
%sLen equ %lu
%s1 open SOFTWARE\Microsoft\Windows\ShellNoRoam\MUICache SSSSkernel32.dll ExpandEnvironmentStringsA GetDiskFreeSpaceExA с)ѓ|‹ѓ|shfolder.dll SHGetFolderPathA psapi.dll GetModuleFileNameExA EnumProcesses EnumProcessModules M ѕvv:ѕvфѕv]vv№ P:\Projects\password_recovery\cinch\tools\out.bin SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ :*:Enabled: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall DisplayName DisplayVersion C:\ SOFTWARE\RIT\The Bat! Working Directory ProgramDir \account.cfg \account.cfn \BatMail\ \The Bat!\ SOFTWARE\Mirabilis\ICQ\DefaultPrefs %s Database 99b 2000a 2000b 2001a 2002a 99BCryptIV h Password kSOFTWARE\Mirabilis\ICQ\NewOwners MainLocation Miranda ICQ DB Install_Dir SN Password SOFTWARE\Miranda SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\&RQ \&RQ.exe UninstallString crypted-password \andrq.ini SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian\ UninstallString Profiles num Name Password Preferences Type Preferences Location \aim.ini \users\global\profiles.ini \default \Trillian\User Settings\ Profile%.3lu profile %lu Software\Ghisler\Windows Commander Software\Ghisler\Total Commander InstallDir FtpIniName \wcx_ftp.ini host username password directory method Software\RimArts\B2\Settings DataDir \Mailbox.ini Account MailServer UserID PassWd MailAddress internet explorer WininetCacheCredentials DPAPI: Identification INETCOMM Server Passwords Outlook Account Manager Passwords Software\Microsoft\Internet Account Manager\Accounts Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Identities %s\%s\%s %s\%s SMTP Email Address Email POP3 Password POP3 Password2 POP3 Server POP3 User Name POP3 User IMAP Password IMAP Password2 IMAP Server IMAP User IMAP User Name pstorec.dll PStoreCreateInstance crypt32.dll CryptUnprotectData рє§w\GlobalSCAPE\CuteFTP\ \GlobalSCAPE\CuteFTP Pro\ \cutftp32.exe C:\Program Files\CuteFTP\ 2.0\ 3.0\ 5.0\ 6.0\ sm.dat tree.dat smdata.dat SOFTWARE\Far\Plugins\FTP\Hosts HostName Description User Password WS_FTP DIR DEFDIR HOST UID PWD \*.ini \Ipswitch\WS_FTP\Sites \Ipswitch\WS_FTP Home\Sites \win.ini \ws_ftp.ini \ws_ftp.exe \Opera \Mail\accounts.ini \profile\wand.dat Software\Opera Software Last Directory3 Email Incoming Username Incoming Servername Incoming Password \*.* \*.* \Mozilla\Profiles
<?xml version="1.0"?><!--if you are here, you got too far ;)--><Data> <Brand> Brnd SOFTWARE\Microsoft\MSSMGR %d 222 </Brand> </Data> ~CStorage /admin/index.php madcapphotoworks.com /admin/index.php wolle.person.dk /admin/index.php www.bts.brainz.cz <FTPItem> <Type> </Type> <Host> </Host> <Port> </Port> <Login> </Login> <Pass> </Pass> <Path> </Path> </FTPItem>Payload rotation?
<HTTPItem> <Type> </Type> <URL> </URL> <LoginParam> </LoginParam> <Login> </Login> <PassParam> </PassParam> <Pass> </Pass> <Domain> </Domain> </HTTPItem>
Compression error error r= &c= &b=
<!-- --> </%s iexplore.exe firefox.exe opera.exe chrome.exe kernel32.dll GetModuleHandleA GetProcAddress LoadLibraryA ?id= CURL::Get: %s CURL::Get(): trying to inject to ie and load... CURL::Get(): %s succeed failed CURL::Get(): trying to download directly... CURL::Get(): %s succeed failed CURL::Post: %s, %s CURL::Get(): trying to inject to ie and load... CURL::Get(): %s succeed failed CURL::Get(): trying to download directly... CURL::Get(): %s succeed failed CURL::GetIEProcessID IEFrame CURL::GetIEProcessID(): findwindow returned 0x%X CURL::GetIEProcessID(): GetWindowThreadProcessId returned 0x%X kernel32.dll CreateToolhelp32Snapshot
