A forum for reverse engineering, OS internals and malware analysis 
 #3938  by PX5
 Sat Dec 11, 2010 6:02 pm
Find the protector DLL; mine was dropped in a subfolder inside WinSxS, made to appear as a backup file or something, since the subfolder is named like all the backup folders for Vista/7.
 #3967  by B-boy/StyLe/
 Sun Dec 12, 2010 10:52 pm
windbreaker11 wrote: vbma*** is not ZeroAccess - it is KillAV.D.

vbma*.sys is a variant of Win32/Rootkit.Agent.NTT trojan or Rootkit.Win32.Agent.bjqb 1 ;)

Here is one new Trojan.KillAV.D

Regards,
G. ;)
Attachment (55.43 KiB), pass: infected
 #5014  by EP_X0FF
 Fri Feb 11, 2011 3:24 pm
Here is some new ZeroAccess build; thanks go to PX5.
Still infects drivers, still stores data on a hidden volume; the sample is reverse-friendly enough.
Attachment (32.49 KiB), pass: malware
 #5129  by digitalranger
 Mon Feb 21, 2011 8:29 pm
EP_X0FF wrote: Here is some new ZeroAccess build; thanks go to PX5.
Still infects drivers, still stores data on a hidden volume; the sample is reverse-friendly enough.
Can it infect only the XP kernel, or the Win 7 kernel too?
 #5143  by EP_X0FF
 Wed Feb 23, 2011 9:52 am
It does not infect the kernel, it infects drivers. Start a VM and try yourself.
 #5215  by Flopik
 Mon Feb 28, 2011 4:50 pm
That's a nice malware, hidden from PsLoadedModuleList and the object directory.

lkd> dt _DRIVER_OBJECT 812203B0
ntdll!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : (null)
+0x008 Flags : 4
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x82261b70
+0x018 DriverExtension : 0x81220458 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\driver\2989018276"
+0x024 HardwareDatabase : (null)
+0x028 FastIoDispatch : 0xf89f6550 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xb2106764 long <Unloaded_dFlr1nhs.SYS>+5764
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : 0xf89f3e52 void +fffffffff89f3e52
+0x038 MajorFunction : [28] 0xf89f3dd9 long +fffffffff89f3dd9


lkd> dt _LDR_DATA_TABLE_ENTRY 0x82261b70
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82261b70 - 0x82261b70 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0xf89f2000
+0x01c EntryPoint : 0xf89f3ed8
+0x020 SizeOfImage : 0x7000
+0x024 FullDllName : _UNICODE_STRING ""
+0x02c BaseDllName : _UNICODE_STRING "80000002.sys"
+0x034 Flags : 0x1004000
+0x038 LoadCount : 1
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0xffffffff - 0x7aff ]
+0x03c SectionPointer : 0xffffffff
+0x040 CheckSum : 0x7aff
+0x044 TimeDateStamp : 0xfffffffe
+0x044 LoadedImports : 0xfffffffe
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : 0x00300038

B-boy/StyLe/ wrote:
windbreaker11 wrote: vbma*** is not ZeroAccess - it is KillAV.D.

vbma*.sys is a variant of Win32/Rootkit.Agent.NTT trojan or Rootkit.Win32.Agent.bjqb 1 ;)

Here is one new Trojan.KillAV.D

Regards,
G. ;)
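The two `dt` dumps in the post above carry the evidence of the hiding in their own fields, so a defender can check them mechanically rather than by eye. The following script is an added example, not code from the thread or from anyone in it: it parses the windbg `dt` output quoted above (trimmed to the fields used and embedded inline), then reports the inconsistencies that distinguish this entry from a normally loaded driver: InLoadOrderLinks pointing back at the entry itself, zeroed InMemoryOrderLinks/InInitializationOrderLinks, an empty FullDllName, DriverStart/DriverSize cleared while the DriverSection still describes a mapped image, DriverInit pointing outside that image (into the range windbg labels as an unloaded module), and a purely numeric `\driver\` name. The indicator names and the heuristics themselves are this example's own assumptions, not anything the post defines.

```python
import re

# The two `dt` dumps from the post above, trimmed to the fields the checks use and
# embedded as raw strings so the backslashes in "\driver\2989018276" survive.
DRIVER_OBJECT_DUMP = r"""
lkd> dt _DRIVER_OBJECT 812203B0
ntdll!_DRIVER_OBJECT
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x82261b70
+0x01c DriverName : _UNICODE_STRING "\driver\2989018276"
+0x028 FastIoDispatch : 0xf89f6550 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xb2106764 long <Unloaded_dFlr1nhs.SYS>+5764
+0x034 DriverUnload : 0xf89f3e52 void +fffffffff89f3e52
+0x038 MajorFunction : [28] 0xf89f3dd9 long +fffffffff89f3dd9
"""

LDR_ENTRY_DUMP = r"""
lkd> dt _LDR_DATA_TABLE_ENTRY 0x82261b70
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82261b70 - 0x82261b70 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0xf89f2000
+0x01c EntryPoint : 0xf89f3ed8
+0x020 SizeOfImage : 0x7000
+0x024 FullDllName : _UNICODE_STRING ""
+0x02c BaseDllName : _UNICODE_STRING "80000002.sys"
"""

HEADER_RE = re.compile(r'dt\s+(_\w+)\s+(?:0x)?([0-9a-fA-F]+)')
FIELD_RE = re.compile(r'^\+0x[0-9a-f]+\s+(\w+)\s+:\s+(.*)$')


def parse_dt(dump):
    """Return (structure address, {field: raw value}) from windbg `dt` output."""
    addr, fields = None, {}
    for line in dump.splitlines():
        line = line.strip()
        header = HEADER_RE.search(line)
        if header:
            addr = int(header.group(2), 16)
            continue
        field = FIELD_RE.match(line)
        if field:
            fields[field.group(1)] = field.group(2).strip()
    return addr, fields


def ptr(value):
    """First pointer or integer in a dt value; (null) reads as 0."""
    if value.startswith('(null)'):
        return 0
    m = re.search(r'0x[0-9a-f]+', value) or re.match(r'\d+', value)
    return int(m.group(0), 0) if m else None


def list_entry(value):
    """'_LIST_ENTRY [ Flink - Blink ]' -> (Flink, Blink)."""
    m = re.search(r'\[\s*(0x[0-9a-f]+)\s*-\s*(0x[0-9a-f]+)\s*\]', value)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def unicode_string(value):
    """Text between the quotes of a _UNICODE_STRING value, or None."""
    m = re.search(r'"(.*)"', value)
    return m.group(1) if m else None


def audit(driver_dump, ldr_dump):
    """(indicator, detail) pairs where the structures disagree with each other or with
    a normally loaded driver. Indicator names and heuristics are this example's own."""
    _, drv = parse_dt(driver_dump)
    ldr_addr, ldr = parse_dt(ldr_dump)
    findings = []

    # A live PsLoadedModuleList entry links to neighbours; Flink == Blink == self
    # means it was unlinked (or never linked in).
    if list_entry(ldr['InLoadOrderLinks']) == (ldr_addr, ldr_addr):
        findings.append(('unlinked_from_PsLoadedModuleList', hex(ldr_addr)))

    # The other two module lists are zeroed instead of linked.
    for name in ('InMemoryOrderLinks', 'InInitializationOrderLinks'):
        if list_entry(ldr[name]) == (0, 0):
            findings.append(('zeroed_list_links', name))

    # A driver loaded from disk records its full path.
    if not unicode_string(ldr['FullDllName']):
        findings.append(('empty_FullDllName', unicode_string(ldr['BaseDllName'])))

    # DRIVER_OBJECT claims no image while its DriverSection describes a mapped one.
    base, size = ptr(ldr['DllBase']), ptr(ldr['SizeOfImage'])
    if ptr(drv['DriverStart']) == 0 and ptr(drv['DriverSize']) == 0 and base and size:
        findings.append(('DriverStart_DriverSize_cleared', f'image {hex(base)}+{hex(size)}'))

    # Dispatch pointers should land inside that image; DriverInit here points into a
    # range the debugger attributes to an unloaded module.
    for name in ('DriverInit', 'DriverUnload', 'MajorFunction', 'FastIoDispatch'):
        p = ptr(drv[name])
        if p and not (base <= p < base + size):
            findings.append(('pointer_outside_image', f'{name}={hex(p)}'))

    # Purely numeric object name under \driver\, as seen in the dump.
    drv_name = unicode_string(drv['DriverName'])
    if drv_name and re.fullmatch(r'\\driver\\\d+', drv_name, re.IGNORECASE):
        findings.append(('numeric_driver_name', drv_name))
    return findings


if __name__ == '__main__':
    for indicator, detail in audit(DRIVER_OBJECT_DUMP, LDR_ENTRY_DUMP):
        print(f'{indicator:36} {detail}')
```

Run on the quoted dumps it reports all seven indicators; against a driver that is still linked into PsLoadedModuleList, with a recorded path and dispatch pointers inside its own image, it reports nothing. The same parser works on the full, untrimmed `dt` output, since unused fields are simply ignored.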
 #5610  by shaheen
 Thu Mar 24, 2011 1:14 am
Just want to know a few things:

1- Which anti-rootkit applications can detect this currently?

2- Can it bypass a VM?

Thanks