A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4833  by Xylitol
 Mon Jan 31, 2011 8:45 pm
AVG Antivirus 2011

Fake AVG
Image

https://www.virustotal.com/file-scan/re ... 1296506326
http://www.virustotal.com/file-scan/rep ... 1296506331
https://www.virustotal.com/file-scan/re ... 1296506334

kg:
Code: Select all
.386
.model flat, stdcall
option casemap :none

      include windows.inc
      include user32.inc
      include kernel32.inc
      include C:\masm32\macros\macros.asm
      includelib user32.lib
      includelib kernel32.lib

DlgProc     PROTO   :DWORD,:DWORD,:DWORD,:DWORD
RandomAP    PROTO   :DWORD,:DWORD
RandomN     PROTO   :DWORD,:DWORD

.const
IDD_MAIN        equ 1000
IDB_EXIT            equ 1001
IDC_NAME        equ 1002
IDC_SERIAL      equ 1005
IDB_GENERATE    equ 1006
IDB_ABOUT       equ 1007

.data
Rndm        dd  0
b10         db  "0123456789012345",0
Base26A     db  "ABCDEFGHIJKLMNOP",0
tab             db   "-",0
hc          db  "XYL",0

.data?
hInstance   dd  ?
szSerial    db  100h    dup(?)
szSerial2   db  100h    dup(?)
szFinal db  100h    dup(?)

.code
start:
    invoke  GetModuleHandle, NULL
    mov hInstance, eax
    invoke  DialogBoxParam, hInstance, IDD_MAIN, 0, offset DlgProc, 0
    invoke  ExitProcess, eax

DlgProc proc uses esi edi hWnd:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
    mov eax,uMsg
    .if eax == WM_INITDIALOG
        invoke  LoadIcon,hInstance,200
        invoke  SendMessage, hWnd, WM_SETICON, 1, eax
    .elseif eax == WM_COMMAND
        mov eax,wParam
        .if eax == IDB_EXIT
            invoke  SendMessage, hWnd, WM_CLOSE, 0, 0
        .elseif eax == IDB_GENERATE

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2            
                invoke lstrcpy,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomAP,3,addr szSerial
                invoke RandomN,3,addr szSerial2
                invoke lstrcat,addr szFinal,addr szSerial
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke lstrcat,addr szFinal,addr tab
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke RandomN,2,addr szSerial2
                invoke lstrcat,addr szFinal,addr hc
                invoke lstrcat,addr szFinal,addr szSerial2
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2

                invoke SetDlgItemText,hWnd,IDC_SERIAL,addr szFinal
                invoke RtlZeroMemory,addr szSerial,sizeof szSerial 
                invoke RtlZeroMemory,addr szSerial2,sizeof szSerial2
                invoke RtlZeroMemory,addr szFinal,sizeof szFinal   

        .endif
    .elseif eax == WM_CLOSE
        invoke  EndDialog, hWnd, 0
    .endif
    xor eax,eax
    ret
DlgProc endp

RandomAP Proc   Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset Base26A
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomAP endp

RandomN Proc Length_:DWORD,OutPut:DWORD
    mov ecx,Length_
    mov esi,offset b10
    mov edi,OutPut
    .repeat
    invoke  GetTickCount
    add Rndm,eax
    add Rndm,'abcd'
    mov eax,Rndm
    rol Rndm,4
    and eax,0Fh
    mov al,byte ptr [esi+eax]
    stosb
    dec ecx
    .until ecx == 0
    Ret
RandomN endp
end start
rc
Code: Select all
;This Resource Script was generated by WinAsm Studio.

#define IDD_MAIN 1000
#define IDB_EXIT 1001
#define IDC_SERIAL 1005
#define IDB_GENERATE 1006

IDD_MAIN DIALOGEX 10,10,268,19
CAPTION "Fake AVG Keygen"
FONT 8,"Tahoma"
STYLE 0x90c80804
EXSTYLE 0x00000188
BEGIN
    CONTROL "Exit",IDB_EXIT,"Button",0x10010000,220,3,45,13,0x00020000
    CONTROL "Xylitol",IDC_SERIAL,"Edit",0x50010801,3,3,167,13,0x00020000
    CONTROL "Generate",IDB_GENERATE,"Button",0x10010000,173,3,44,13,0x00020000
END
Attachments
Keygen for fake avg
(223.65 KiB) Downloaded 106 times
See archive comment for password
(3.24 MiB) Downloaded 151 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:11 am, edited 1 time in total. Reason: Screenshot resized to be more accurate
 #4834  by kiskav
 Tue Feb 01, 2011 2:02 am
Antivirus .NET

This is a Newish Rogueware comes from the Family of Antivirus Scan, Antivirus System pro, etc . Can anyone help me with some info around this Rogueware. Like, From Which country its originated ? Packer ? etc

Image

This Hijacks Browsers through proxy And blocks many Executable files. Still, any tool renamed as iexplore.exe works like a charm. Though this family is worthy to discuss, i dont find any info/discussion around this family. It would be great if any share the info on this piece of Malware.

Thanks & Regards,
Kiskav
Attachments
(310.92 KiB) Downloaded 107 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:13 am, edited 1 time in total. Reason: Screenshot resized to be more accurate
 #4862  by Meriadoc
 Thu Feb 03, 2011 3:02 pm
Attachments
pass=malware
(2.23 MiB) Downloaded 121 times
Last edited by EP_X0FF on Sat Apr 16, 2011 7:14 am, edited 1 time in total. Reason: Screenshot resized to be more accurate
 #4917  by Xylitol
 Sun Feb 06, 2011 7:12 pm
Meriadoc wrote:Windows Problem Protector
http://www.virustotal.com/file-scan/rep ... 1296743632
New loc: hXXp://componentsprotector.com/scan4/107/freesystemscan.exe

Windows Problems Protector patcher
Code: Select all
.486 ;Only 2,50 Kb :þ
.model flat,stdcall
option casemap:none

include windows.inc

uselib  MACRO   libname
    include     libname.inc
    includelib  libname.lib
ENDM

uselib  user32
uselib  kernel32

rogue PROTO :DWORD,:DWORD,:DWORD,:DWORD

.data
Titre       db "Windows Problems Protector patch", 0
PasTrouver  db "There is no thread called",13,10,"help",0
Trouver     db "Full of win",13,10,"Enter any serial like 1111-1111-1111-1111 And enjoy",0
szFileName  db "help",0

;====== Patching
AddressToPatch1 dd 0411288h ;0x0411288
ReplaceBy1 db 0EBh,047h ;75 47 JNZ SHORT 00411025 -> To JMP
ReplaceSize1 dd 2 ;2 bytes changed
AddressToPatch2 dd 04112D4h ;0x04112D4
ReplaceBy2 db 090h,090h,090h,090h,090h,090h ;0F85 03030000 JNZ 004115DD
ReplaceSize2 dd 6 ;6 bytes changed
AddressToPatch3 dd 04112DDh ;0x04112DD
ReplaceBy3 db 090h,090h,090h,090h,090h,090h ;0F85 FA020000 JNZ 004115DD
ReplaceSize3 dd 6 ;6 bytes changed
AddressToPatch4 dd 04112EAh ;0x04112EA
ReplaceBy4 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize4 dd 6 ;6 bytes changed
AddressToPatch5 dd 04112F7h ;0x04112F7
ReplaceBy5 db 090h,090h,090h,090h,090h,090h ;0F85 ED020000 JNZ 004115DD
ReplaceSize5 dd 6 ;6 bytes changed
AddressToPatch6 dd 0411333h ;0x0411333
ReplaceBy6 db 090h,090h ;7C 05 JL SHORT 0041133A
ReplaceSize6 dd 2 ;2 bytes changed
AddressToPatch7 dd 0411338h ;0x0411338
ReplaceBy7 db 0EBh,047h ;7E 47 JLE SHORT 00411381 -> To JMP
ReplaceSize7 dd 2 ;2 bytes changed

.data?
PID         dd ?

.code
  start:
rogue proc hWin:DWORD,uMsg:DWORD,wParam:DWORD,lParam:DWORD
            invoke FindWindow, NULL, offset szFileName
            .If eax != NULL
                mov ebx, eax
                Invoke GetWindowThreadProcessId, ebx, offset PID
                Invoke OpenProcess, PROCESS_ALL_ACCESS,NULL, PID
                mov ebx, eax
                            Invoke VirtualProtectEx, ebx, AddressToPatch1, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch1, offset ReplaceBy1, ReplaceSize1, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch2, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch2, offset ReplaceBy2, ReplaceSize2, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch3, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch3, offset ReplaceBy3, ReplaceSize3, NULL 
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch4, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch4, offset ReplaceBy4, ReplaceSize4, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch5, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch5, offset ReplaceBy5, ReplaceSize5, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch6, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch6, offset ReplaceBy6, ReplaceSize6, NULL
                           

                            Invoke VirtualProtectEx, ebx, AddressToPatch7, 2, PAGE_EXECUTE_READWRITE, 00
                            Invoke WriteProcessMemory, ebx, AddressToPatch7, offset ReplaceBy7, ReplaceSize7, NULL 
                           
                        Invoke CloseHandle, ebx
                        invoke MessageBox, NULL, addr Trouver, addr Titre, MB_ICONINFORMATION
            .else
                invoke Beep,100,30 ;lol
                invoke MessageBox, NULL, addr PasTrouver, addr Titre, MB_ICONEXCLAMATION
            .endif
                invoke ExitProcess,0
rogue endp
  end start
Attachments
see archive comment for password
(2.4 MiB) Downloaded 88 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 34