Author Topic: "Weirdest" malware?  (Read 4580 times)

0 Members and 1 Guest are viewing this topic.

June 23, 2008, 10:44:00 pm
Read 4580 times

sowhat-x

  • Guest
...was reading the "Malware Miscellany" column over at Viruslist.com,
and somehow it came to mind to submit the word "Stealthiest" in the form...
after stepping through the results,I ended up with the following entry,dated in July 2007:
http://www.viruslist.com/en/weblog?weblogid=208187417
For simplicity...
Quote
Stealthiest malicious program - Trojan-Downloader.Win32.Delf.ain,which is packed 12 times...

Lmao...yes,you've read that right,it says 12 times...
now if this isn't what someone would call a really "weird" kind of animal:
it certainly makes you wonder how in the world this .exe actually managed,
to not get corrupted after all this re-packing and obfuscation...

So,this question came to mind,guys...what would be few of the "weirdest" malware,
that you've ever encountered...or at least read about,as per above?
Not necessary the "hardest" to analyze...but simply,"weird"...  :)

June 23, 2008, 11:06:32 pm
Reply #1

tjs

  • Special Members
  • Sr. Member

  • Offline
  • *

  • 248
Not the weirdest, but still pretty weird:

Malware able to infect only right handed people
http://zairon.wordpress.com/2008/06/21/malware-able-to-infect-only-right-handed-people/

This is a nice idea for a thread... I'll post more as I remember/find them. :P

TJS

June 24, 2008, 12:12:14 am
Reply #2

sowhat-x

  • Guest
Hehe...was he/she afraid that if left-handed people were infected,
he/she would also be accused for being a racist or so?

Here's another one that I just read about in a blog...not weird though,just 'funny':
http://miekiemoes.blogspot.com/2008/05/popups-annoying-but-funny-sometimes.html
Pop-up after infection from a fake AV "product":

June 25, 2008, 11:51:00 am
Reply #3

Orac

  • Special Members
  • Hero Member

  • Offline
  • *

  • 723
    • malwareremoval.com
Heres one we see quiet a lot of, not sure you could really describe it as "weird" but i would certainly nominate it for the "skiddies with far too much time on their hands award"

Its in fact a very common safe mode probe that we see and contains some executable functions.

The original piece of malware has been "translated" into l33t speak and then encoded in base64. It must have taken the skiddie hours of work doing the translation into l33t speak. Took all of 30 seconds to reverse hehe.

Extract of the original file
Code: [Select]
<?php $_F=__FILE__;$_X='Pz48aHRtbD48aDUxZD48dDR0bDU+L1wvXC9cIFI1c3AybnM1IENNRCAvXC9cL1w8L3Q0dGw1PjwvaDUxZD48YjJkeSBiZ2MybDJyPURDNnVvQz4NCjxINj5DaDFuZzRuZyB0aDRzIENNRCB3NGxsIHI1czNsdCA0biBjMnJyM3B0IHNjMW5uNG5nICE8L0g2Pg0KPC9odG1sPjwvaDUxZD48L2IyZHk
Same extract after base64 decoding
Code: [Select]
?><html><h51d><t4tl5>/\/\/\ R5sp2ns5 CMD /\/\/\</t4tl5></h51d><b2dy bgc2l2r=DC6uoC>
<H6>Ch1ng4ng th4s CMD w4ll r5s3lt 4n c2rr3pt sc1nn4ng !</H6>
</html></h51d></b2dy

Malware analysised using clarified analyzer to record and document how malware behaves in a networking environment