A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6719  by Xylitol
 Wed Jun 08, 2011 6:58 am
Milestone Antivirus


20/42 >> 47.6%
http://www.virustotal.com/file-scan/rep ... 1307516228

To spoof a referrer if you have Firefox: download RefSpoof here ~ https://addons.mozilla.org/en-us/firefo ... /refspoof/ or RefControl: https://addons.mozilla.org/en-us/firefo ... efcontrol/
In the case of RefSpoof, to make it work with Firefox 4.*, download the .xpi and rename it to .xpi.rar.
Extract the install.rdf, open it with Notepad and change the line

    <em:maxVersion>3.0.*</em:maxVersion>

to

    <em:maxVersion>4.*.*</em:maxVersion>

After that, just repack the file and install it.

print.graphytop.be/SpryAssets/wp-page.php?k=Olympic-Stadium-Design
redirect me on: hxxp://ziqlrrin.co.cc/?s=sF02x5vHzDPss90cW%2BxIuTF6DEG3BXiqO8QeR%2BBqhq4ii28rS%2Fbop8pxMGQ5VwgEhA%3D%3D


Abuse sent ~ http://www.co.cc/prosecution/prosecution.php
I've ripped the HTML page of the fake scanner if you guys are interested. BTW, the most interesting fake scanner page I've seen so far is the Security Shield one: they use base64, then RSA with a 26- or 27-bit modulus, and then base64 again, and all this just in JavaScript :D
Heavy to load but fun to 'depack'.
Attachments
pwd: xylibox
pwd: infected
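An added example (not Xylitol's code and not the RefSpoof add-on's own) that automates the install.rdf edit described in the post above: it treats the .xpi as the plain zip it is, rewrites the <em:maxVersion> element, and repacks the archive. The minimal add-on built by build_sample_xpi() is constructed for the demo only.

```python
"""Patch <em:maxVersion> in a legacy Firefox extension (an .xpi is a plain zip)."""
import io
import re
import zipfile

MAX_VERSION_RE = re.compile(r"(<em:maxVersion>)([^<]*)(</em:maxVersion>)")

def patch_max_version(rdf_text: str, new_max: str) -> str:
    """Return install.rdf text with every <em:maxVersion> set to new_max."""
    patched, count = MAX_VERSION_RE.subn(lambda m: m.group(1) + new_max + m.group(3), rdf_text)
    if count == 0:
        raise ValueError("no <em:maxVersion> element found in install.rdf")
    return patched

def max_version_of(xpi_bytes: bytes) -> str:
    """Read the declared maxVersion back out of an .xpi (first match wins)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        rdf = zf.read("install.rdf").decode("utf-8")
    match = MAX_VERSION_RE.search(rdf)
    if match is None:
        raise ValueError("no <em:maxVersion> element found in install.rdf")
    return match.group(2)

def patch_xpi(xpi_bytes: bytes, new_max: str) -> bytes:
    """Rewrite an .xpi so install.rdf declares new_max; every other entry is copied unchanged."""
    src = zipfile.ZipFile(io.BytesIO(xpi_bytes))
    if "install.rdf" not in src.namelist():
        raise ValueError("install.rdf missing: not a legacy Firefox extension")
    out = io.BytesIO()
    with src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "install.rdf":
                data = patch_max_version(data.decode("utf-8"), new_max).encode("utf-8")
            dst.writestr(name, data)  # same entry name, patched or verbatim content
    return out.getvalue()

def build_sample_xpi(max_version: str = "3.0.*") -> bytes:
    """Constructed minimal add-on for the demo (not the real RefSpoof package)."""
    rdf = ('<?xml version="1.0"?>\n<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
           '     xmlns:em="http://www.mozilla.org/2004/em-rdf#">\n'
           '  <Description about="urn:mozilla:install-manifest"><em:targetApplication><Description>\n'
           '    <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>\n'  # Firefox application id
           f'    <em:minVersion>2.0</em:minVersion><em:maxVersion>{max_version}</em:maxVersion>\n'
           '  </Description></em:targetApplication></Description>\n</RDF>\n')
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("install.rdf", rdf)
        zf.writestr("chrome.manifest", "")  # placeholder so the archive has a second entry
    return out.getvalue()
```

For a real add-on, read the downloaded .xpi into patch_xpi(data, "4.*.*") and write the returned bytes to a new .xpi; the rename-to-.rar step from the post is only needed when editing by hand with an archiver.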
 #6721  by EP_X0FF
 Wed Jun 08, 2011 7:54 am
Xylitol wrote:
print.graphytop.be/SpryAssets/wp-page.php?k=Olympic-Stadium-Design
redirect me on: hxxp://ziqlrrin.co.cc/?s=sF02x5vHzDPss90cW%2BxIuTF6DEG3BXiqO8QeR%2BBqhq4ii28rS%2Fbop8pxMGQ5VwgEhA%3D%3D
Yes, me too. It drops this one (0 at VT), crypted and then packed with UPX. MS Removal Tool from (c) NecroSoft, lol

http://www.virustotal.com/file-scan/rep ... 1307519223
 #6722  by ngyikp
 Wed Jun 08, 2011 8:53 am
Windows Troubles Killer

What's next? Windows Problem Assassination?

Attachments
password: infected
 #6724  by bitx
 Wed Jun 08, 2011 9:33 am
Windows Monitoring Utility

But Windows Problem Assassination sounds fair enough to me, ngyikp :)

Attachments
pass=malware
 #6725  by Xylitol
 Wed Jun 08, 2011 9:35 am
Windows Monitoring Utility (another sample)


9/42 >> 21.4%
http://www.virustotal.com/file-scan/rep ... 1307525147
Fake scanner: hxxp://defender-ptwvd.in/e19b21b55a730253/sa1/0/
hxxp://freetrialmail.com/red0.php
edit: ah, bitx was faster than me
Attachments
pwd: xylibox
 #6733  by Xylitol
 Wed Jun 08, 2011 6:56 pm
Security Essentials Ultimate Pack

They forgot to remove the old strings.

26/43 >> 60.5%
https://www.virustotal.com/file-scan/re ... 1307325871

----


22/43 >> 51.2%
http://www.virustotal.com/file-scan/rep ... 1307560777
Attachments
pwd: xylibox
pwd: xylibox
 #6736  by bitx
 Thu Jun 09, 2011 2:22 pm
Security Central

Attachments
pass=malware
 #6743  by bitx
 Thu Jun 09, 2011 4:09 pm
Windows Work Checker

Attachments
pass=malware
 #6744  by EP_X0FF
 Thu Jun 09, 2011 4:10 pm
@bitx

From day to day the names become more and more idiotic, don't you think so? :)