markusg wrote:
http://www.virustotal.com/file-scan/rep ... 1294331058

Another variant of the same PWS stuff.
Dot net container with a payload written in Delphi. The payload is executed by the Visual Basic Command Line Compiler (vbc.exe). I believe most of the MSIL samples you posted belong to the same malware family.
Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run as Sys32c.exe.
Executable stored in the Documents and Settings\All Users\Application Data folder.

\Internet Explorer\iexplore.exe
\Mozilla Firefox\
mozcrt19.dll
sqlite3.dll
nspr4.dll
plc4.dll
plds4.dll
nssutil3.dll
softokn3.dll
nss3.dll
NSS_Init
NSSBase64_DecodeBuffer
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
NSS_Shutdown
PK11_FreeSlot
userenv.dll
GetUserProfileDirectoryA
\Mozilla\Firefox\
profiles.ini
Path
Profile0
\signons3.txt
\signons2.txt
\signons1.txt
\signons.txt
(unnamed value)
(unnamed password)
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
RAS Passwords
DialParamsUID
advapi32.dll
Messenger
CredEnumerateA
CredFree
WindowsLive:name=*
Dot net is annoying stuff when it comes to malware :roll:
Ring0 - the source of inspiration
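A string-based triage script for samples like the one described in the post above, as an added example that is not code from the original thread or from the poster. The indicator lists are taken from the strings quoted in the post (the NSS API names the stealer resolves, the signons*.txt and profiles.ini paths, the IntelliForms\Storage2 key, CredEnumerateA and the WindowsLive:name=* filter, and the Run key used for persistence); the sample blobs are constructed, and the group and capability names are my own.

```python
from __future__ import annotations
import re

# Indicator groups built from the strings listed in the post above
# (API names, DLLs, file and registry paths the stealer references).
INDICATORS = {
    "firefox_nss_api": {
        "nss3.dll", "softokn3.dll", "NSS_Init", "PK11_GetInternalKeySlot",
        "PK11_Authenticate", "PK11SDR_Decrypt", "NSSBase64_DecodeBuffer",
    },
    "firefox_signons_files": {
        "profiles.ini", "signons.txt", "signons1.txt", "signons2.txt", "signons3.txt",
    },
    "ie_autocomplete": {"Internet Explorer\\IntelliForms\\Storage2"},
    "windows_cred_store": {"CredEnumerateA", "WindowsLive:name=*", "RAS Passwords"},
    "run_key_persistence": {"Windows\\CurrentVersion\\Run"},
}

# Printable ASCII runs and UTF-16LE (wide) runs of at least 6 characters;
# .NET and Delphi binaries carry many of their strings in the wide form.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def extract_strings(blob: bytes) -> set[str]:
    """Return every printable ASCII or UTF-16LE string found in blob."""
    strings = {m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)}
    strings |= {m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)}
    return strings


def match_indicators(strings: set[str]) -> dict[str, list[str]]:
    """Map each indicator group to the sorted needles seen (case-insensitive substring)."""
    lowered = [s.lower() for s in strings]
    hits: dict[str, list[str]] = {}
    for group, needles in INDICATORS.items():
        seen = sorted(n for n in needles if any(n.lower() in s for s in lowered))
        if seen:
            hits[group] = seen
    return hits


def triage(blob: bytes) -> dict:
    """Classify a blob by the credential-theft capabilities its strings imply."""
    hits = match_indicators(extract_strings(blob))
    nss = set(hits.get("firefox_nss_api", []))
    # Decrypting signons entries needs the internal key slot plus PK11SDR_Decrypt
    # and a way to find the profile. Firefox's own modules also contain these
    # API names, so the verdict additionally requires a signons/profile path.
    firefox_theft = ({"PK11_GetInternalKeySlot", "PK11SDR_Decrypt"} <= nss
                     and "firefox_signons_files" in hits)
    capabilities = []
    if firefox_theft:
        capabilities.append("firefox_saved_password_decryption")
    if "ie_autocomplete" in hits:
        capabilities.append("ie_autocomplete_theft")
    if "windows_cred_store" in hits:
        capabilities.append("windows_credential_enumeration")
    if "run_key_persistence" in hits:
        capabilities.append("run_key_persistence")
    return {"hits": hits, "capabilities": capabilities}


# Constructed sample blob (not a real binary): ASCII import names plus a
# wide-string registry path, laid out as a .NET/Delphi stealer would carry them.
SAMPLE = (
    b"\x00MZ\x90\x00" + b"\x00" * 16
    + b"nss3.dll\x00NSS_Init\x00PK11_GetInternalKeySlot\x00PK11_Authenticate\x00"
    + b"PK11SDR_Decrypt\x00NSSBase64_DecodeBuffer\x00\\signons3.txt\x00profiles.ini\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"advapi32.dll\x00CredEnumerateA\x00WindowsLive:name=*\x00"
)

# Constructed stand-in for a Mozilla module: it references the NSS API but
# carries none of the profile-scraping paths or credential enumeration calls.
BENIGN = b"\x00\x00nss3.dll\x00PK11_GetInternalKeySlot\x00PK11SDR_Decrypt\x00NSS_Shutdown\x00"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        result = triage(blob)
        print(name, result["capabilities"])
        for group, seen in result["hits"].items():
            print("  ", group, seen)
```

The NSS group on its own is a weak signal, since nss3.dll and any Mozilla binary that calls it legitimately contain PK11SDR_Decrypt and the other export names; what marks a stealer is the combination with profiles.ini / signons*.txt lookups, CredEnumerateA with the WindowsLive:name=* filter, and a Run-key path, in a binary that is not part of a Mozilla install.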