A forum for reverse engineering, OS internals and malware analysis 

 #17735  by Belahzu
 Thu Jan 17, 2013 1:16 am
Got a weird one here.
http://www.pchelpforum.com/xf/threads/e ... on.145593/

A few different OPs all posting with the same thing - ukash, but all their files are broken. I know about the Rannoh variant, but this one is actually modifying files: the users' files all contain "CR_M0x04" in the hex and they all carry the same modification date.

I'm thinking along the lines of a file infector? Can't find any documentation about this on Google or anywhere else.
 #17747  by Crush
 Fri Jan 18, 2013 3:02 am
There are several topics with the same encryption, but here are the logs from that particular topic.
 #17765  by thisisu
 Sun Jan 20, 2013 12:28 am
I'm interested. What is this one called? Does anyone have an example of an encrypted file?
 #17766  by Belahzu
 Sun Jan 20, 2013 1:54 am
I can get my user to upload a few of his files if you want them.

Not sure what it is; a few users have tried Dr.Web's tool with no results.
 #17785  by master131
 Mon Jan 21, 2013 7:12 am
Crush wrote: Normal and encrypted sample files attached. User had backups ;)
If you compare the files, you can see that a small portion of the XLS near the end has remained untouched (e.g. Summary Information, Root Entry, etc.). There's also been extra data appended to the end of the file (1044 bytes).
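A triage script of the kind the comparison above calls for, added here as an example and not code posted in the thread: it lists files under a directory that carry the "CR_M0x04" marker together with their modification time (so same-date clusters stand out), and diffs a damaged file against its clean backup to report which byte ranges survived untouched and how many bytes were appended. The 16-byte minimum run length and the demo bytes at the bottom are constructed assumptions, not data from the thread's attachments.

```python
import os
from datetime import datetime, timezone

MARKER = b"CR_M0x04"  # marker string the thread reports inside the damaged files

def find_marker(data: bytes, marker: bytes = MARKER) -> list:
    """Return every offset at which the marker occurs in the file."""
    offsets, pos = [], data.find(marker)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(marker, pos + 1)
    return offsets

def compare_with_backup(original: bytes, damaged: bytes, min_run: int = 16) -> dict:
    """Triage a damaged file against its clean backup: how many bytes were
    appended, and which byte ranges of the original survive unchanged."""
    appended = max(0, len(damaged) - len(original))
    common = min(len(original), len(damaged))
    unchanged, start = [], None
    for i in range(common):
        if original[i] == damaged[i]:
            start = i if start is None else start
        elif start is not None:
            unchanged.append((start, i))
            start = None
    if start is not None:
        unchanged.append((start, common))
    # short runs of coincidentally equal bytes are noise; keep runs >= min_run
    unchanged = [(a, b) for a, b in unchanged if b - a >= min_run]
    return {"appended_bytes": appended, "unchanged_ranges": unchanged}

def scan_directory(root: str) -> list:
    """List files under root that carry the marker, with mtime for clustering."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    offsets = find_marker(fh.read())
            except OSError:
                continue
            if offsets:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                hits.append({"path": path, "offsets": offsets, "mtime": mtime.isoformat()})
    return hits

# constructed demo input (not real samples): 64-byte "clean" file; damaged copy
# has its first 32 bytes scrambled, the tail kept and a marker trailer appended
ORIGINAL = bytes(range(64))
DAMAGED = bytes(b ^ 0x5A for b in ORIGINAL[:32]) + ORIGINAL[32:] + MARKER + bytes(8)
```

Run `compare_with_backup(ORIGINAL, DAMAGED)` to see the surviving range (32, 64) and the 16 appended bytes; `scan_directory("/path/to/user/files")` does the marker sweep on a real tree.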