A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #19040  by Xylitol
 Mon Apr 22, 2013 10:43 am
xwxproductions wrote: UPDATE: AVASoft (tech-ava-soft.org) and System Care Antivirus (systemcare-antivirus.org) sites brought down
• dns: 1 ›› ip: 5.149.249.151 - adresse: TECH-AVA-SOFT.ORG
seems to be working fine.

Bach Khoa Antivirus seems legit, but MBAM detects it as FakeAV
• dns: 1 ›› ip: 123.30.174.157 - adresse: BKAV.COM.VN
EXE is signed
https://www.virustotal.com/fr/file/08a4 ... 366626953/
I've been a bit annoyed by this one for months because BKAV EXEs trigger some of my YARA rules for POS malware.
 #19042  by herg62123
 Tue Apr 23, 2013 12:11 am
This is ESET.com's post about the malware rogue app http://www.welivesecurity.com/2013/04/1 ... o-malware/

and here is the website for the download of the rogue app (keep in mind this is an infected app if you download) hxxp://freeantivirusglobe.com/about.php

I tried to upload the program in a zip file but the system keeps blocking it so I had to post the link.

The EXE is signed by Comodo as well.

ESET calls it MSIL_LockScreen.EC - http://www.virusradar.com/en/MSIL_LockS ... escription

Here is virustotal.com remarks - https://www.virustotal.com/en/file/31f1 ... 366674831/
Last edited by EP_X0FF on Tue Apr 23, 2013 3:14 am, edited 1 time in total. Reason: link to malware must be obfuscated
 #19043  by EP_X0FF
 Tue Apr 23, 2013 3:13 am
Above madskillz FakeAV in attach. Pass: infected.
 #19119  by BachMinuetInG
 Tue Apr 30, 2013 6:58 am
herg62123 wrote: This is ESET.com's post about the malware rogue app http://www.welivesecurity.com/2013/04/1 ... o-malware/

and here is the website for the download of the rogue app (keep in mind this is an infected app if you download) hxxp://freeantivirusglobe.com/about.php

I tried to upload the program in a zip file but the system keeps blocking it so I had to post the link.

The EXE is signed by Comodo as well.

ESET calls it MSIL_LockScreen.EC - http://www.virusradar.com/en/MSIL_LockS ... escription

Here is virustotal.com remarks - https://www.virustotal.com/en/file/31f1 ... 366674831/
It now links to AVG Free Antivirus. Ripoff of Secure Bit Technologies.
 #19209  by acoustics
 Tue May 07, 2013 6:29 pm
Xylitol wrote: Disk Antivirus Professional

Original: https://www.virustotal.com/file/95e4027 ... 359625432/ > 21/46
Unpack: https://www.virustotal.com/file/41fc7f7 ... 359625192/ > 12/45
Network:
Code:
GET /api/urls/?ts=f3626e3f&affid=00100 HTTP/1.1
Host: 112.121.178.189
---
GET /api/stats/install/?ts=f3626e3f&affid=00100&ver=3070024&group=dap HTTP/1.1
Host: 112.121.178.189
---
GET /p/?&lid=3070024&affid=00100&nid=8065D52C&group=dap HTTP/1.1
Host: kilopaybilling.com
Thank you very much for unpacking this sample. :D

I tried to unpack it by myself. I found 2 packers. The first packer is a manual packer; the second one, I guess, is PECompact. I can dump the process and fix the IAT. My unpacked sample can be loaded and run. When I open my unpacked version with IDA, some functions are broken. I compared my version and yours, and I see the difference is in the headers. My unpacked header has 6 sections: text, rdata, data, rsrc, reloc and mackt (from ImportREC), but yours has 3 sections: text, data and mackt. Can you help me fix the header? I don't know how to do it.

Thank you!!
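A parser for the section table under discussion, added here as an example rather than code from the thread: it reads the section headers from a PE file or a process dump and reports which sections one table has that the other lacks, plus whether each section's raw layout still mirrors its virtual layout, which is what you want to know before fixing a dumped header. The two header images are constructed from the section names in the post, with made-up addresses and flags.

```python
import struct

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes, PE/COFF field order

def parse_sections(image: bytes):
    """Return the section table of a PE file or process dump as a list of dicts."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the signature: NumberOfSections at +2, SizeOfOptionalHeader at +16.
    n_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    out = []
    for i in range(n_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, flags = SECTION_HDR.unpack_from(image, table + i * 40)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize,
                    "raw_ptr": rptr, "raw_size": rsize, "flags": flags,
                    # a memory dump that was not realigned keeps raw layout == virtual layout
                    "raw_matches_va": rptr == va and rsize == vsize})
    return out

def diff_sections(a, b):
    """Section names present in one table but not in the other."""
    na, nb = {s["name"] for s in a}, {s["name"] for s in b}
    return sorted(na - nb), sorted(nb - na)

def build_min_pe(sections):
    """Constructed sample: a minimal PE32 header carrying only a section table, no code."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    opt = b"\x0b\x01" + b"\0" * 222                          # PE32 magic + zeroed optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs = b"".join(SECTION_HDR.pack(n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, f)
                    for n, va, vs, rp, rs, f in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs

# Constructed section tables modelled on the two dumps described in the post; addresses are made up.
MY_DUMP = build_min_pe([(b".text", 0x1000, 0x20000, 0x1000, 0x20000, 0x60000020),
                        (b".rdata", 0x21000, 0x5000, 0x21000, 0x5000, 0x40000040),
                        (b".data", 0x26000, 0x8000, 0x26000, 0x8000, 0xC0000040),
                        (b".rsrc", 0x2E000, 0x2000, 0x2E000, 0x2000, 0x40000040),
                        (b".reloc", 0x30000, 0x3000, 0x30000, 0x3000, 0x42000040),
                        (b".mackt", 0x33000, 0x1000, 0x33000, 0x1000, 0xE0000060)])
OTHER_DUMP = build_min_pe([(b".text", 0x1000, 0x2D000, 0x1000, 0x2D000, 0xE0000060),
                           (b".data", 0x2E000, 0x5000, 0x2E000, 0x5000, 0xC0000040),
                           (b".mackt", 0x33000, 0x1000, 0x33000, 0x1000, 0xE0000060)])
```

On real dumps, call parse_sections() on the bytes of each file and diff_sections() on the two results; a section whose raw pointer or size no longer matches its virtual layout is the first thing to check when IDA shows broken functions.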