A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3905  by EP_X0FF
 Thu Dec 09, 2010 5:54 pm
NSIS setup with trojan downloader. Runs through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as C:\Program Files\Common Files\Microsoft Shared\Web Components\updater.exe

Downloads another trojan Microsoft .NET Framework 3.6 SP8.exe

Which finally drops main component wbdbasew.exe to system32 folder.

Stuff from wbdbasew.exe
\drivers\etc\hosts
thepiratebay.org
127.0.0.1 thepiratebay.org
127.0.0.1 http://www.thepiratebay.org
127.0.0.1 mininova.org
127.0.0.1 http://www.mininova.org
127.0.0.1 forum.mininova.org
127.0.0.1 blog.mininova.org
127.0.0.1 suprbay.org
127.0.0.1 http://www.suprbay.org
\ipconfig.exe
/flushdns
http://www.virustotal.com/file-scan/rep ... 1291917268

all trash in attach, topic title changed.
Attachments
pass: malware
(411.23 KiB) Downloaded 53 times
 #3908  by Meriadoc
 Thu Dec 09, 2010 8:16 pm
Seems a strange addition to the hosts file.

edit: only thing I can think of is to block access to (comments) the sites it was spread from.