A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13069  by retrogad
 Sun May 06, 2012 2:54 pm
Hey

I am looking for samples that use SVCHOST: inject, manipulate, loading from svchost, etc.
Anything that uses svchost.

I know only about Conficker, Bamital; I know only that it injects itself into svchost.
Anything else?
 #13084  by EP_X0FF
 Mon May 07, 2012 4:03 pm
retrogad wrote: Hey

I am looking for samples that use SVCHOST: inject, manipulate, loading from svchost, etc.
Anything that uses svchost.

I know only about Conficker, Bamital; I know only that it injects itself into svchost.
Anything else?
SpyEye, TDL, lots of others.
 #13085  by retrogad
 Mon May 07, 2012 4:17 pm
EP_X0FF wrote:
retrogad wrote: Hey

I am looking for samples that use SVCHOST: inject, manipulate, loading from svchost, etc.
Anything that uses svchost.

I know only about Conficker, Bamital; I know only that it injects itself into svchost.
Anything else?
SpyEye, TDL, lots of others.
Sorry, I need to explain more...
I DON'T look for those that INJECT themselves into the running SVCHOST process memory, but those that run as a service pretending to be svchost, load a DLL into a legit svchost, modify svchost, create new svchost services, enter values in the registry that belong only to system files, or simply damage the svchost file or something. FOR EXAMPLE (I am really looking for those):

SSearch.biz
Home Search Assistant
Conficker ---> I have tried to execute the samples on this forum, but no success; the Conficker modifies folder options but doesn't even try to communicate, and doesn't add a new service to svchost, something strange...

I have run it as is: c:\ rundll32 conficker.vmx,ahaezedrn
It's like half not working...
 #13086  by EP_X0FF
 Mon May 07, 2012 4:20 pm
but those that run as a service pretending to be svchost, load a DLL into a legit svchost, modify svchost, create new svchost services, enter values in the registry that belong only to system files, or simply damage the svchost file
Oficla aka myloader? IIRC it was using a svchost.exe zombie process for payload download.
 #13087  by retrogad
 Mon May 07, 2012 4:51 pm
EP_X0FF wrote:
but those that run as a service pretending to be svchost, load a DLL into a legit svchost, modify svchost, create new svchost services, enter values in the registry that belong only to system files, or simply damage the svchost file
Oficla aka myloader? IIRC it was using a svchost.exe zombie process for payload download.
Everything will be good!

Can you tell me please where to get a working CONFICKER?


(Conficker ---> I have tried to execute the samples on this forum, but no success; the Conficker modifies folder options but doesn't even try to communicate, and doesn't add a new service to svchost, something strange...

I have run it as is: c:\ rundll32 conficker.vmx,ahaezedrn
It's like half not working...)