A forum for reverse engineering, OS internals and malware analysis
I wasn't able to open the hosts file, maybe because UAC is enabled on the remote computer!

Written in Delphi. Below is a detailed list of the units used.
server
EditServer
UntMain
uFZ
ShlObj
UrlMon
ActiveX
Windows
Types
SysInit
System
Messages
WinInet
RegStr
ShellAPI
CommCtrl
UntServices
Registry
RTLConsts
IniFiles
Classes
SysConst
TypInfo
SysUtils
ImageHlp
Variants
VarUtils
WinSvc
UntShell
UntSendStream
MD5Api
MD5Core
UntControlKey
UntRC4
UntGFXResize
Graphics
Consts
UntWebCam
jpeg
JConsts
MMSystem
untFunctions
PsAPI
TlHelp32
UntProcess
UntResizePic
GDIPUTIL
GDIPOBJ
GDIPAPI
Math
DirectDraw
UntCore
UntFWB
untMainFunctions
untBypass
PELoad
ComObj
ComConst
UntSinInfo
Nb30
CryptApi
WinSock
UntIE7
Pstoreclib
PSTORECLib_TLB
UntKeylogger
UntFTP
Clipbrd
Forms
UxTheme
SyncObjs
DwmApi
Themes
Controls
ActnList
Menus
ImgList
Contnrs
Imm
MultiMon
StdActns
StrUtils
Dialogs
HelpIntfs
WideStrUtils
Dlgs
ExtCtrls
GraphUtil
StdCtrls
Printers
WinSpool
CommDlg
FlatSB
UntUDPFlood
UntSynFlood
UntScanPorts
UntSound
ACMConvertor
MSAcm
ACMIn
ListUnit
UntActivePorts
USock
UntRPCScan
UntInfections
untstartup
UntFireFox
SHFolder
UntFun
UntPasswordAndData
UntMClipboard
UntDesktopCapture
UntBot
UntMSN
MessengerAPI_TLB
StdVCL
OleServer
OleConst
UntMsConfig
UntWindowManager
UntRegEdit
UntNetShareLister
UntHTTPFlood
UntCPU
UntMiscFunc
UntIP
Sockets
uMir
uTrill
RASReader
UntRootKit
UntServerReader
uRes
UntAntiSB
markusg wrote: LESSOL~1.EXE
Password-protected SFX archive with Backdoor:Win32/Fynloski.A inside.
http://www.virustotal.com/file-scan/rep ... 1299667963

markusg wrote: Crysis2.exe
Backdoor:Win32/Fynloski.A
http://www.virustotal.com/file-scan/rep ... 1301427310

markusg wrote: http://www.virustotal.com/file-scan/rep ... 1301928073
Keylogger/stealer/trojan
attrib -s -h C:\WINDOWS\system32\explorer.exe
------------------------------------------
@ Caption : [Process Explorer]
@ at 18:46:19 the 04/04/2011
------------------------------------------
------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:46:22 the 04/04/2011
------------------------------------------
------------------------------------------
@ Clipboard Change : size = 0 Bytes
@ at 18:46:22 the 04/04/2011
------------------------------------------
------------------------------------------
@ Caption : [Poste de travail]
@ at 18:46:26 the 04/04/2011
------------------------------------------
------------------------------------------
@ Caption : [C:\WINDOWS\system32]
@ at 18:46:59 the 04/04/2011
.txt
------------------------------------------
------------------------------------------
@ Clipboard Change : size = 20 Bytes
@ at 18:46:59 the 04/04/2011
C:\WINDOWS\system32\
------------------------------------------
------------------------------------------
@ Caption : [explorer.exe:1512 Properties]
@ at 18:48:08 the 04/04/2011
------------------------------------------
------------------------------------------
@ Caption : [Exécuter]
@ at 18:48:53 the 04/04/2011
%temp%
------------------------------------------
------------------------------------------
@ Caption : [Program Manager]
@ at 18:49:07 the 04/04/2011
testtestesttesttesttesttest
------------------------------------------
------------------------------------------
@ Caption : [Exécuter]
@ at 18:49:10 the 04/04/2011
lol[<-][<-][<-]
------------------------------------------
------------------------------------------
@ Caption : [C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp]
@ at 18:49:26 the 04/04/2011
*
------------------------------------------
------------------------------------------
@ Caption : [Program Manager]
@ at 18:50:17 the 04/04/2011
.y[<-]txt
------------------------------------------
------------------------------------------
@ Caption : [Process Explorer - Sysinternals: www.sysinternals.com [XYLITOL-28E1A19\Administrateur]]
@ at 18:54:31 the 04/04/2011
------------------------------------------