A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #15091  by Waves97
 Fri Aug 10, 2012 9:09 am
MD5:
Code: Select all
C3B8AD4ECA93114947C777B19D3C6059
08D7DDB11E16B86544E0C3E677A60E10
055AE6B8070DF0B3521D78E1B8D2FCE4
FA54A8D31E1434539FBB9A412F4D32FF
01567CA73862056304BB87CBF797B899
23D956C297C67D94F591FCB574D9325F
ED5559B0C554055380D75C1D7F9C4424
E379270F53BA148D333134011AA3600C
EF83394D9600F6D2808E0E99B5F932CA
5604A86CE596A239DD5B232AE32E02C6
90F5C45420C295C73067AF44028CE0DD
9CA4A49135BCCDB09931CF0DBE25B5A9
ED2B439708F204666370337AF2A9E18F
CBB982032AED60B133225A2715D94458
EF6451FDE3751F698B49C8D4975A58B5
7AC2799B5337B4BE54E5D5B03B214572
4FB4D2EB303160C5F419CEC2E9F57850
DE2D0D6C340C75EB415F726338835125
 #15092  by Xylitol
 Fri Aug 10, 2012 10:04 am
Waves97 wrote:MD5:
Code: Select all
C3B8AD4ECA93114947C777B19D3C6059
08D7DDB11E16B86544E0C3E677A60E10
055AE6B8070DF0B3521D78E1B8D2FCE4
FA54A8D31E1434539FBB9A412F4D32FF
01567CA73862056304BB87CBF797B899
23D956C297C67D94F591FCB574D9325F
ED5559B0C554055380D75C1D7F9C4424
E379270F53BA148D333134011AA3600C
EF83394D9600F6D2808E0E99B5F932CA
5604A86CE596A239DD5B232AE32E02C6
90F5C45420C295C73067AF44028CE0DD
9CA4A49135BCCDB09931CF0DBE25B5A9
ED2B439708F204666370337AF2A9E18F
CBB982032AED60B133225A2715D94458
EF6451FDE3751F698B49C8D4975A58B5
7AC2799B5337B4BE54E5D5B03B214572
4FB4D2EB303160C5F419CEC2E9F57850
DE2D0D6C340C75EB415F726338835125
Not found:
C3B8AD4ECA93114947C777B19D3C6059
055AE6B8070DF0B3521D78E1B8D2FCE4
01567CA73862056304BB87CBF797B899
ED2B439708F204666370337AF2A9E18F
Rest is in attach.
Attachments
infected
(3.06 MiB) Downloaded 165 times
 #15099  by rkhunter
 Fri Aug 10, 2012 2:28 pm
I'm already not surprised that some files belonging to Gauss were at VT already 3 month with FUD detection ratio. lol
 #15128  by retrogad
 Sun Aug 12, 2012 10:28 am
hey
can u plz guide me how to run those samples? as i understand it is enough to open the files and explorer will execute them,i have downloaded samples but nothing happens when i explore the usb stick,the files dont have any extension

tnx!
 #15129  by dfine
 Sun Aug 12, 2012 11:02 am
Some (or all) of the samples are DLL's. So if u want to run them use rundll. Use dumpbin or debugger to find out the exports of the DLL's. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
 #15130  by retrogad
 Sun Aug 12, 2012 11:38 am
dfine wrote:Some (or all) of the samples are DLL's. So if u want to run them use rundll. Use dumpbin or debugger to find out the exports of the DLL's. See http://support.microsoft.com/kb/164787 for more info about running a DLL.
tnx for the answering

the first sample (Trojan-Spy.Win32.Gauss.zip) contains SMDK,WMI,WINSHELL,WINDIG and other files
so its not actually DLL'S ,should i rename them to DLL ?
sorry the questions i am beginner researcher so can u explainm or give a link what do you mean "exports of the DLL" what info should it provide me?

my goal is to infect the machine and to investigate how it works especially how it infects the USB stick with his payload
 #15131  by dfine
 Sun Aug 12, 2012 11:46 am
dumpbin is a tool thats part of the Windows Debugging Tools. install Visual C++ Express and u r settled

rename them to .dll en start 'dumpbin /exports sayhellotomylittlefriend.dll' to see the exports

the previous MS link will help you with running the DLL