A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #23648  by rnd.usr
 Wed Aug 20, 2014 4:51 pm
ISergey256 wrote:Rogue:Win32/Defru
https://www.virustotal.com/uk/file/24ec ... /analysis/
Thanks!

Attached unpacked(from UPX) and extracted PHP-files. Can someone also decode the PHP-files? When I try to do it I get the same output as input.

But I get error when running the file, it says "WINDOWS ERROR!!!" in a CMD-prompt. The file itself does not do anything to the system after the message goes away. Same for you?
Attachments
infected
(620.51 KiB) Downloaded 77 times
 #23649  by iShare
 Wed Aug 20, 2014 6:34 pm
Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page

%SYSDIR%\drivers\etc\hosts has been modified with lines like this

***
82.146.48.21 http://www.101.ru
82.146.48.21 ovg.cc
82.146.48.21 http://www.ovg.cc
82.146.48.21 onlainfilm.ucoz.ua
82.146.48.21 http://www.onlainfilm.ucoz.ua
82.146.48.21 hdkinoteatr.com
****
 #23656  by rnd.usr
 Fri Aug 22, 2014 12:01 pm
iShare wrote:Pretty boring, a very n00b rogue proxy, redirecting all visited websites to fake av download page
Ah, yes! This is really a lame FakeAV. Just infecting the host-file.. I thought this was something good.

Attached host-file.
Attachments
no password because not a virus
(3.18 KiB) Downloaded 56 times
 #24177  by Xylitol
 Mon Oct 20, 2014 7:11 pm
bandicoot_ wrote:Hi, this is my first post on the forums.
Welcome, i suggest you to read the forum rules: http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16
bandicoot_ wrote:While looking in the payment page, i found that the website for the rogue above is [url]hxxp://www.softcleaning.net[/url]
What i said just before your post:
Xylitol wrote:• dns: 1 ›› ip: 146.0.79.164 - adress: SOFTCLEANING.NET
bandicoot_ wrote:(Warning: WILL infect!!!)
I don't see any hostile code on this site.