Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: sowhat-x on June 23, 2008, 10:44:00 pm

Title: "Weirdest" malware?
Post by: sowhat-x on June 23, 2008, 10:44:00 pm
...was reading the "Malware Miscellany" column over at Viruslist.com,
and somehow it came to mind to submit the word "Stealthiest" in the form...
after stepping through the results, I ended up with the following entry, dated July 2007:
http://www.viruslist.com/en/weblog?weblogid=208187417
For simplicity...
Quote:
Stealthiest malicious program - Trojan-Downloader.Win32.Delf.ain, which is packed 12 times...

Lmao... yes, you've read that right, it says 12 times...
now if this isn't what someone would call a really "weird" kind of animal:
it certainly makes you wonder how in the world this .exe actually managed
not to get corrupted after all this re-packing and obfuscation...

So, this question came to mind, guys... what would be a few of the "weirdest" malware
that you've ever encountered... or at least read about, as per above?
Not necessarily the "hardest" to analyze... but simply "weird"...  :)
Title: Re: "Weirdest" malware?
Post by: tjs on June 23, 2008, 11:06:32 pm
Not the weirdest, but still pretty weird:

Malware able to infect only right handed people
http://zairon.wordpress.com/2008/06/21/malware-able-to-infect-only-right-handed-people/

This is a nice idea for a thread... I'll post more as I remember/find them. :P

TJS
Title: Re: "Weirdest" malware?
Post by: sowhat-x on June 24, 2008, 12:12:14 am
Hehe... was he/she afraid that if left-handed people were infected,
he/she would also be accused of being a racist or so?

Here's another one that I just read about in a blog... not weird though, just 'funny':
http://miekiemoes.blogspot.com/2008/05/popups-annoying-but-funny-sometimes.html
Pop-up after infection from a fake AV "product":
(http://img205.imageshack.us/img205/8690/lolla5.jpg)
Title: Re: "Weirdest" malware?
Post by: Orac on June 25, 2008, 11:51:00 am
Here's one we see quite a lot of; not sure you could really describe it as "weird", but I would certainly nominate it for the "skiddies with far too much time on their hands" award.

It's in fact a very common safe-mode probe that we see, and it contains some executable functions.

The original piece of malware has been "translated" into l33t speak and then encoded in base64. It must have taken the skiddie hours of work doing the translation into l33t speak. Took all of 30 seconds to reverse, hehe.

Extract of the original file
Code:
<?php $_F=__FILE__;$_X='Pz48aHRtbD48aDUxZD48dDR0bDU+L1wvXC9cIFI1c3AybnM1IENNRCAvXC9cL1w8L3Q0dGw1PjwvaDUxZD48YjJkeSBiZ2MybDJyPURDNnVvQz4NCjxINj5DaDFuZzRuZyB0aDRzIENNRCB3NGxsIHI1czNsdCA0biBjMnJyM3B0IHNjMW5uNG5nICE8L0g2Pg0KPC9odG1sPjwvaDUxZD48L2IyZHk
Same extract after base64 decoding
Code:
?><html><h51d><t4tl5>/\/\/\ R5sp2ns5 CMD /\/\/\</t4tl5></h51d><b2dy bgc2l2r=DC6uoC>
<H6>Ch1ng4ng th4s CMD w4ll r5s3lt 4n c2rr3pt sc1nn4ng !</H6>
</html></h51d></b2dy
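A small decoder for the two-layer scheme Orac describes (base64 on the outside, a character swap on the inside), as an added example; it is not code from the post or from the Malware Domain List thread. The only input it uses is the base64 extract quoted above. The letter half of the swap (1→a, 2→o, 3→u, 4→i, 5→e) is read straight off the decoded sample ("h51d" is "head", "b2dy" is "body"); treating it as an 11-character swap so that 6→1 and a,o,u,i,e→2..6 is an assumption, chosen because it is the only reading under which "<H6>" and the bgcolor value come out as "<H1>" and a hex-looking colour. The `extract_payload` helper and its regex are likewise mine, keyed on the `$_F=__FILE__;$_X='` prefix visible in the extract.

```python
import base64
import re

# Constructed sample: the base64 extract quoted in the post above, copied
# verbatim (the closing quote and the rest of the loader were not shown).
SAMPLE_B64 = (
    "Pz48aHRtbD48aDUxZD48dDR0bDU+L1wvXC9cIFI1c3AybnM1IENNRCAvXC9cL1w8L3Q0dGw1"
    "PjwvaDUxZD48YjJkeSBiZ2MybDJyPURDNnVvQz4NCjxINj5DaDFuZzRuZyB0aDRzIENNRCB3"
    "NGxsIHI1czNsdCA0biBjMnJyM3B0IHNjMW5uNG5nICE8L0g2Pg0KPC9odG1sPjwvaDUxZD48"
    "L2IyZHk"
)

# The inner "l33t" layer is a plain character swap. Digits 1-5 -> vowels is
# observed in the sample; 6 -> 1 and a,o,u,i,e -> 2..6 is an ASSUMPTION that
# makes the whole thing an 11-character rotation (see lead-in).
LEET = "123456aouie"
PLAIN = "aouie123456"
UNLEET_TABLE = str.maketrans(LEET, PLAIN)

# Hypothetical helper: grabs the payload behind the marker seen in the extract.
PAYLOAD_RE = re.compile(r"\$_F=__FILE__;\$_X='([A-Za-z0-9+/=]+)")


def b64decode_lenient(blob: str) -> bytes:
    """Decode base64 copied out of source: drop whitespace, restore padding."""
    blob = "".join(blob.split())
    return base64.b64decode(blob + "=" * (-len(blob) % 4))


def unleet(text: str) -> str:
    """Undo the character swap (outer layer must already be removed)."""
    return text.translate(UNLEET_TABLE)


def deobfuscate(blob: str) -> tuple[str, str]:
    """Return (after base64 only, after base64 + swap) for a payload string."""
    layer1 = b64decode_lenient(blob).decode("latin-1")
    return layer1, unleet(layer1)


def extract_payload(php_source: str):
    """Pull the $_X='...' payload out of a PHP file; None if the marker is absent."""
    match = PAYLOAD_RE.search(php_source)
    return match.group(1) if match else None


def triage_markers(plaintext: str) -> list:
    """Cheap post-decode triage: which command-ish words survive decoding."""
    words = ("CMD", "eval", "system(", "passthru", "shell_exec", "base64_decode")
    return [w for w in words if w in plaintext]


if __name__ == "__main__":
    layer1, plain = deobfuscate(SAMPLE_B64)
    print("--- after base64 ---")
    print(layer1)
    print("--- after undoing the swap ---")
    print(plain)
    print("markers:", triage_markers(plain))
```

Run stand-alone it prints the intermediate text (which should match the post's "after base64 decoding" extract) and then the readable HTML. The regex helper is what you would point at a whole suspect file instead of a pasted fragment; `b64decode_lenient` exists because extracts copied from forums and tickets almost always lose their `=` padding or pick up line breaks.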