A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #5996  by EP_X0FF
 Wed Apr 20, 2011 9:21 am
deco11 wrote:advanced security tool 2010
Original attach removed, see comment.
In attach re-uploaded original and unpacked exe (Solodovnikov creative removed).

Crapware has Russian origin and written on CodeGear RAD Studio v12.0.3170.16989
Attachments
pass: malware
(1.55 MiB) Downloaded 67 times
 #6010  by Xylitol
 Thu Apr 21, 2011 4:38 pm
@lolikas: for register your Antivirus AntiSpyware 2011: AAS17-F7D9M-G3B2A or AAS17F7D9MG3B2A

---
Fake BitDefender 2011

http://www.virustotal.com/file-scan/rep ... 1303403611

Image

Fake BitDefender 2011 serial: BKI14-HJP10-IKO78-OBK894-XYL77

kg:
Code: Select all
.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start
Code: Select all
;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake BitDefender 2011 *KeyGen*"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
edit: another vt: http://www.virustotal.com/file-scan/rep ... 1303403931
sample repacked :x
Attachments
(2.98 KiB) Downloaded 76 times
See archive comment for password
(1.14 MiB) Downloaded 97 times
See archive comment for password
(1.14 MiB) Downloaded 104 times
 #6112  by a_d_13
 Sat Apr 30, 2011 3:58 pm
Hello,

thekillergreece: I have added a password to the archive. Please be sure to password-protect malware samples in future.

Thanks,
--AD
 #6121  by Xylitol
 Sun May 01, 2011 7:59 am
Security Shield

Image

VT 7/41 >> 17.1%
http://www.virustotal.com/file-scan/rep ... 1304235188
Code: Select all
X-Message-Delivery: Vj0xLjE7dXM9MDtsPTA7YT0wO0Q9MjtTQ0w9NA==
X-Message-Status: n
X-SID-PRA: Security Shield <support@gods-support.com>
X-AUTH-Result: NONE
X-Message-Info: 6sSXyD95QpXVWcVGuYnXAzv4aWyjS8hakKG2aii+CD3n4o+ema3a5oL6WEtHot7IEE8RWG9T+VRElyxrKzFyYlwgzVMA+F07288PQ+dYKrs=
Received: from pcsecuritysolutions.biz ([195.225.55.16]) by bay0-mc2-f4.Bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675);
	 Sun, 1 May 2011 00:16:28 -0700
Received: from v-2-do12-d1334-16.webazilla.com (v-2-do12-d1334-16.webazilla.com [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pcsecuritysolutions.biz (Postfix) with ESMTP id 0856C2A0234
	for <phoenixbytes@live.fr>; Sun,  1 May 2011 07:16:11 +0000 (UTC)
Received: (from www@localhost)
	by v-2-do12-d1334-16.webazilla.com (8.13.8/8.13.8/Submit) id p417GAc1001577;
	Sun, 1 May 2011 07:16:10 GMT
Date: Sun, 1 May 2011 07:16:10 GMT
To: ******@live.fr
Subject: Your ST registration key
X-PHP-Originating-Script: 5001:send_key.php
From: Security Shield<support@gods-support.com>
Reply-To: Security Shield<support@gods-support.com>
Message-ID: <1304234170-support@gods-support.com>
X-Mailer: PHP v5.3.3
Return-Path: www@v-2-do12-d1334-16.webazilla.com
X-OriginalArrivalTime: 01 May 2011 07:16:28.0620 (UTC) FILETIME=[B06908C0:01CC07CF]

Your new serial key: 64C665BE-4DE7-423B-A6B6-BC0172B25DF2
Regards, ST support
Attachments
See archive comment for password

91.205.174.174 [DIR]
Security Shield.cfg
2d30742287f3b386ff4bfacd078a4b13.exe.ViR
e53e7220e69abad207f5ec8604006102.exe.ViR
4a8d5487d756987f82e233d686f9be9a.exe.ViR
dd34bbb56bb6af97fe166baa132e5c71.exe.ViR
8d5c183f1acd29b584f7ec31a9e6536c.exe.ViR
5d26b14297f40ccbbb36425153c3badd.exe.ViR
445c27c48a6e54767673b74e0a0579a5.exe.ViR
97802e20893d79fc5f28f43f32a6d5cf.exe.ViR
5030ae77b8ece249c9e2800a01a1637b.exe.ViR
2e2945ad53d4e3e4055b9760e2480a63.exe.ViR
a2187c91e41dd9e8b2b4676dbc25f91b.exe.ViR
0946070c44b8df8485ea3bc1c797afcf.exe.ViR
6e9c2e811b740aa7f0ae9c1165178af8.exe.ViR
7824a9c86e7d7085839349becc6e9e1a.exe.ViR

(2.26 MiB) Downloaded 64 times
 #6135  by EP_X0FF
 Sun May 01, 2011 10:11 am
Flood and offtopic deleted.

deco11 and thekillergreece both go to rest until May 4, 2011.

Reasons: Prophylactic ban due to multiple flooding with nonsense replies, contempt of forum rules. Also seems both banned in Google and forum "Search" button unavailable too.
Next time this will be permanent ban including all their IP's.
  • 1
  • 8
  • 9
  • 10
  • 11
  • 12
  • 34