A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18328  by R00tKit
 Mon Feb 25, 2013 6:23 am
https://www.virustotal.com/en/file/fe0d ... /analysis/
some string inside it :)
Accept: */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
Host: %s:%d
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows 5.1)
Referer: http://%s
Connection: Keep-Alive
fix SSDT :geek:
Possibly KiServiceLimit==%08X
&KiServiceTable==%08X
Dumping 'old' ServiceTable:
an't find KiServiceTable...
can't find KeServiceDescriptorTable
eServiceDescriptorTable ailed to load! LastError=%i
\\.\Dark2118
[RepairSSDT] DriverEntry
c:\winddk\demo\repairssdt\bin\i386\RepairSSDT.pdb
resource string :)
http://www.rising-global.com/ ??
VALUE "CompanyName", "Beijing Rising Information Technology Co., Ltd."
VALUE "FileDescription", "RavCopy Module"
VALUE "FileVersion", "21.0.0.17"
VALUE "InternalName", "Beijing Rising Information Technology Co., Ltd."
VALUE "LegalCopyright", "Copyright(C) 2008-2009 Beijing Rising Information Technology Co., Ltd. All Rights Reserved."
VALUE "OriginalFilename", "ravcopy.exe"
VALUE "ProductName", "Rising AntiVirus 2009"
VALUE "ProductVersion", "21.00"
VALUE "SpecialBuild", "668531044687500"
}
ftp user pass of malware :D
59.175.153.49
xzq
p@ssw0rd
Attachments
pass : infected
(475.17 KiB) Downloaded 58 times
 #18332  by EP_X0FF
 Mon Feb 25, 2013 10:31 am
This is very old skid malware from China.

See
http://ddos.arbornetworks.com/2010/08/y ... ddos-bots/

SSDT restore driver compiled at 27 june 2009 from internet open sources. Original SDT lookups in user mode and then transfers to driver by DeviceIoControl call.
strange NtQuerySystemInformation()!
script-kiddie trash.