A forum for reverse engineering, OS internals and malware analysis 

 #9760  by EP_X0FF
 Sat Nov 19, 2011 2:44 pm
Kill files, that's all the payload. Sample courtesy of nullptr, he found it and was so kind to share.
Valid digital certificate - Air Software, certification center - COMODO Time Stamping Signer.


However, this may not be a true trojan but a buggy part of some kind of installation. However, obviously, deleting user files in the current directory is kind of malicious behavior.
Attachments
pass: malware
 #9777  by nullptr
 Sun Nov 20, 2011 12:46 pm
It's a buggy online installer for 7-Zip 9.20 that attempts to delete the contents of the %USERTEMP% directory when it has finished - regardless of installation status.

Due to some brilliant programming, instead of calling FindFirstFileW(...) with (on XP)
C:\Documents and Settings\User\Local Settings\Temp

we get C:\Documents and Settings [terminating null - forgot the backslash] User\Local Settings\Temp, meaning
it starts enumerating and deleting from C:\Documents and Settings :lol:

edited because I was bored
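Added illustration of the path bug nullptr describes, written for this thread and not taken from the installer or from 7-Zip: a hypothetical reconstruction of a join that writes the tail one slot past the base string's terminator but never writes the backslash, so the NUL copied with the base survives and the C string FindFirstFileW would see ends at "C:\Documents and Settings". Beside it sits a corrected join and a constructed pre-cleanup guard that refuses to wipe anything unless the built path matches the expected per-user temp directory. The sample paths are the XP ones quoted above; the function names and the guard are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260

/* Constructed sample paths (XP-style, as quoted in the thread). */
static const char *const BASE = "C:\\Documents and Settings";
static const char *const TAIL = "User\\Local Settings\\Temp";

/* Hypothetical reconstruction of the defect described in the thread (not the
 * installer's actual code): the tail is written at base_len + 1, but the slot
 * where the backslash belongs is never written. That slot still holds the NUL
 * copied along with the base string, so the string ends at
 * "C:\Documents and Settings" and the rest is invisible to any caller. */
int join_path_buggy(char *out, size_t outsz, const char *base, const char *tail)
{
    size_t blen = strlen(base), tlen = strlen(tail);
    if (blen + 1 + tlen + 1 > outsz)
        return 0;
    memcpy(out, base, blen + 1);            /* copies base plus its NUL */
    /* missing here: out[blen] = '\\'; */
    memcpy(out + blen + 1, tail, tlen + 1); /* lands after the NUL */
    return 1;
}

/* Corrected join: separator written explicitly, bounds checked, and a
 * trailing backslash on the base is not doubled. */
int join_path_fixed(char *out, size_t outsz, const char *base, const char *tail)
{
    size_t blen = strlen(base), tlen = strlen(tail);
    int trailing = blen > 0 && base[blen - 1] == '\\';
    if (blen + (trailing ? 0 : 1) + tlen + 1 > outsz)
        return 0;
    memcpy(out, base, blen);
    if (!trailing)
        out[blen++] = '\\';
    memcpy(out + blen, tail, tlen + 1);
    return 1;
}

/* Constructed guard: a cleanup routine should only recurse-delete when the
 * path it built is exactly the expected per-user temp directory. ASCII
 * case-insensitive compare, since Windows paths are case-insensitive. */
int cleanup_target_ok(const char *target, const char *expected_temp)
{
    size_t i;
    for (i = 0; target[i] && expected_temp[i]; i++) {
        char a = target[i], b = expected_temp[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b) return 0;
    }
    return target[i] == '\0' && expected_temp[i] == '\0';
}

/* Demonstrations; each returns 1 when the outcome matches the thread. */
int demo_buggy_truncates(void)
{
    char buf[PATH_BUF];
    return join_path_buggy(buf, sizeof buf, BASE, TAIL)
        && strcmp(buf, BASE) == 0;   /* string stops at the stray NUL */
}

int demo_fixed_is_full_path(void)
{
    char buf[PATH_BUF];
    return join_path_fixed(buf, sizeof buf, BASE, TAIL)
        && strcmp(buf, "C:\\Documents and Settings\\User\\Local Settings\\Temp") == 0;
}

int demo_guard_blocks_buggy(void)
{
    char bad[PATH_BUF], good[PATH_BUF];
    join_path_buggy(bad, sizeof bad, BASE, TAIL);
    join_path_fixed(good, sizeof good, BASE, TAIL);
    return !cleanup_target_ok(bad, good) && cleanup_target_ok(good, good);
}

int main(void)
{
    char buf[PATH_BUF];
    join_path_buggy(buf, sizeof buf, BASE, TAIL);
    printf("buggy join would enumerate from: %s\n", buf);
    join_path_fixed(buf, sizeof buf, BASE, TAIL);
    printf("fixed join enumerates from:      %s\n", buf);
    return 0;
}
```

The guard is the defensive point: a deletion routine that compares its computed target against the directory it was told to clean (or at least checks that the target is deeper than the profiles root) fails closed on exactly this kind of one-byte slip instead of walking every user's profile.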
 #9782  by EP_X0FF
 Sun Nov 20, 2011 9:51 pm
Yes, preliminary assumptions were correct. This is not a trojan, but a piece of code which produces malicious behavior. I will change the topic title to not confuse readers.