A forum for reverse engineering, OS internals and malware analysis 
 #4120  by EP_X0FF
 Thu Dec 23, 2010 12:03 pm
This is trojan downloader.
MySpaceIM with Skype SkinuxWindow MySpaceIM with Skype SkinuxWindow PresenceIM.dll VirtualProtect _snprintf ntdll.dll lstrcmpiW GetTickCount %d X-MMS-IM-Format: MSG xprt6.dll aim.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll <HTML><BODY><FONT MSVCR90.dll wcslen user32.dll aim.exe coolcore59.dll ICQ.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW GetTickCount size= Ws2_32.dll send ICQ.exe nspr4.dll YahooMessenger.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount YMSG 14 Ws2_32.dll send YahooMessenger.exe MySpaceIM.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW GetTickCount v=' Ws2_32.dll send Xfire.exe Xfire.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount Ws2_32.dll sendto msgtype im send Xfire.exe nspr4.dll firefox.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount OutputDebugStringA POST /ajax/chat/send.php? Host: http://www.facebook.com msg_id= &msg_text= Content-Length: POST /ajax/updatestatus.php? action= status= POST /ajax/minifeed.php? POST /ajax/ufi/modify.php? POST /status/update authenticity_token= Host: twitter.com POST /status/destroy/ %d Ws2_32.dll send firefox.exe WININET.dll IEXPLORE.EXE IEXPLORE.EXE kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount OutputDebugStringA POST /ajax/chat/send.php? Host: http://www.facebook.com Content-Length: msg_id= &msg_text= POST /ajax/updatestatus.php? action= status= POST /ajax/minifeed.php? POST /ajax/ufi/modify.php? POST /status/destroy/ authenticity_token= Host: twitter.com %d Ws2_32.dll send IEXPLORE.EXE IEXPLORE.EXE CFNetwork.dll Safari.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount POST /ajax/chat/send.php? Host: http://www.facebook.com Content-Length: msg_id= &msg_text= POST /ajax/updatestatus.php? action=PROFILE_UPDATE status= POST /ajax/minifeed.php? POST /ajax/ufi/modify.php? %d Ws2_32.dll send Safari.exe
Download this (see attachment). I saw this trash a few times; usually it comes with a Win32 VB autorunner.
hxxp://video-central.net/?watch=YM4sKMC
Attachments
pass: malware
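As an added example (not from the post and not the sample's own code), a small Python triage helper that rebuilds the spaced-out UTF-16 strings in a dump like the one quoted above and groups it by targeted process, reporting which blocks carry the GetProcAddress/VirtualProtect/GetModuleHandleA trio together with a Winsock send or sendto, i.e. the per-process inline-hook pattern visible in the dump. The embedded dump is a constructed excerpt of the strings quoted in the post; the block layout it assumes (hooked DLL, then target .exe, the same .exe repeated at the end of the block) is an inference from that dump, not documented behaviour.

```python
import re
from collections import OrderedDict

# Constructed excerpt of the strings dump quoted in the post. `strings` prints UTF-16
# strings with a space between characters ("n s p r 4 . d l l"), next to ASCII ones.
SAMPLE_DUMP = (
    "n s p r 4 . d l l YahooMessenger.exe kernel32.dll GetProcAddress VirtualProtect "
    "GetModuleHandleA lstrcmpiW _snprintf ntdll.dll GetTickCount YMSG 14 Ws2_32.dll send "
    "YahooMessenger.exe X f i r e . e x e Xfire.exe kernel32.dll GetProcAddress VirtualProtect "
    "GetModuleHandleA lstrcmpiW GetTickCount Ws2_32.dll sendto msgtype im send Xfire.exe "
    "n s p r 4 . d l l firefox.exe kernel32.dll GetProcAddress VirtualProtect GetModuleHandleA "
    "lstrcmpiW POST /ajax/chat/send.php? Host: http://www.facebook.com msg_id= &msg_text= "
    "POST /status/update authenticity_token= Host: twitter.com Ws2_32.dll send firefox.exe"
)
HOOK_APIS = {"GetProcAddress", "VirtualProtect", "GetModuleHandleA"}  # resolve + unprotect
NET_APIS = {"send", "sendto"}  # Winsock exports the sample patches
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "ws2_32.dll", "user32.dll", "msvcr90.dll"}

def unspace_wide(text):
    """Collapse a spaced wide string ('n s p r 4 . d l l') back to 'nspr4.dll'."""
    return re.sub(r"(?<![^ ])(?:\S ){2,}\S(?![^ ])",
                  lambda m: m.group(0).replace(" ", ""), text)

def triage(dump):
    """Group the dump by target .exe; a non-system DLL right before it is the hooked module."""
    tokens = unspace_wide(dump).split()
    report, target = OrderedDict(), None
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            if tok != target:  # opening occurrence (the closing repeat is skipped)
                target, prev = tok, (tokens[i - 1] if i else "")
                lib = prev if prev.lower().endswith(".dll") and prev.lower() not in SYSTEM_DLLS else None
                report.setdefault(target, {"lib": lib, "hook_apis": set(),
                                           "net_apis": set(), "http_paths": []})
            continue
        if target is None:
            continue
        entry = report[target]
        if tok in HOOK_APIS:
            entry["hook_apis"].add(tok)
        elif tok in NET_APIS:
            entry["net_apis"].add(tok)
        elif tok.startswith("/"):  # request paths the hook injects into traffic
            entry["http_paths"].append(tok)
    return report

def hooks_socket_send(entry):
    """True when a block carries the hook-install trio plus a Winsock send API."""
    return HOOK_APIS <= entry["hook_apis"] and bool(entry["net_apis"])
```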