Author Topic: A9installer_880221.exe  (Read 6340 times)


October 02, 2008, 06:36:03 am

sowhat-x

  • Guest
Fake Microsoft security patch...I noticed it in the following thread over at SysInternals:
http://forum.sysinternals.com/forum_posts.asp?TID=16368
By the way, something weird is going on with this .exe's import table...  :-\

Direct link to it...also as an attachment below:
Quote
hxxp://KB960830-SP2-x86.enu.v6.updates.cab.windowupdate.micros0ft.com.microsofred.cn/KR890831.exe


October 02, 2008, 04:39:24 pm
Reply #1

ZaiRoN

  • Special Members
  • Newbie
  • http://zairon.wordpress.com/
Quote
By the way,something weird is going on with this .exe's import table...
What's wrong with it? You can specify a null import table, everything is loaded at runtime. Is this the problem or is there something else I can't see?

Unpacked file is more than 5 Mb, btw (oep: 40ffcc)... a big file to analyze :)

October 03, 2008, 02:51:45 am
Reply #2

TeMerc

  • Special Members
  • Jr. Member
  • TeMerc Internet Countermeasures
I had a similarly named installer:
A9INSTALLER_77025304.EXE

But that sucker installed Virut on my system. Happened twice via a rogue install.

Reformatted both times.  >:(

Fiddler info I snagged:

Code:
GET /2009/download/trial/A9installer_77025304.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: onlineprivatescan.com
Connection: Keep-Alive
Cookie: av_inst=77025304


HTTP/1.1 200 OK
Date: Thu, 02 Oct 2008 06:10:06 GMT
Server: Apache
Last-Modified: Wed, 01 Oct 2008 13:36:33 GMT
ETag: "23f2b3-25400-4583130403a40"
Accept-Ranges: bytes
Content-Length: 152576
Keep-Alive: timeout=5, max=499
Connection: Keep-Alive
Content-Type: application/x-msdownload
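The Fiddler exchange above is exactly the kind of record a proxy log or IDS leaves behind. As an added example (not part of TeMerc's post or any tool the thread mentions), this script parses a raw request/response pair like it and flags the signals a defender would key on: an executable MIME type in the response, an executable extension in the request path, and a cookie value (here `av_inst`) echoed into the downloaded filename, which is typical of affiliate/install-tracking rogue AV downloaders. The first capture is the one posted in the thread; the second, benign exchange is constructed for comparison.

```python
import re

# The Fiddler capture posted in the thread (request, then response), embedded verbatim.
CAPTURE = """\
GET /2009/download/trial/A9installer_77025304.exe HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: onlineprivatescan.com
Connection: Keep-Alive
Cookie: av_inst=77025304

HTTP/1.1 200 OK
Date: Thu, 02 Oct 2008 06:10:06 GMT
Server: Apache
Last-Modified: Wed, 01 Oct 2008 13:36:33 GMT
ETag: "23f2b3-25400-4583130403a40"
Accept-Ranges: bytes
Content-Length: 152576
Keep-Alive: timeout=5, max=499
Connection: Keep-Alive
Content-Type: application/x-msdownload
"""

# Constructed benign exchange, used only to show the rules staying quiet.
BENIGN = """\
GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 512
"""

# MIME types servers commonly use for Windows executables.
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-dosexec",
                   "application/x-msdos-program"}
EXECUTABLE_EXT = (".exe", ".scr", ".dll", ".cab", ".msi", ".com")


def parse_message(block: str):
    """Split one HTTP message head into (start line, {lower-cased header: value})."""
    lines = block.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def analyze_exchange(capture: str) -> dict:
    """Parse a request/response pair and return the facts plus a list of reasons to flag it."""
    blocks = [b for b in re.split(r"\n[ \t]*\n", capture.strip()) if b.strip()]
    if len(blocks) < 2:
        raise ValueError("expected a request block followed by a response block")
    req_line, req = parse_message(blocks[0])
    resp_line, resp = parse_message(blocks[1])
    method, path, _ = req_line.split(None, 2)
    status = resp_line.split()[1]
    mime = resp.get("content-type", "").split(";")[0].strip().lower()

    reasons = []
    if mime in EXECUTABLE_MIME:
        reasons.append(f"response content-type {mime}")
    if path.lower().endswith(EXECUTABLE_EXT):
        reasons.append(f"request path ends in .{path.rsplit('.', 1)[-1]}")
    # Cookie values that reappear in the requested filename: install/affiliate tracking ids.
    for pair in req.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if len(value) >= 6 and value in path:
            reasons.append(f"cookie {name} value {value} echoed in requested filename")

    return {
        "method": method,
        "host": req.get("host"),
        "path": path,
        "status": status,
        "content_length": int(resp.get("content-length", "0")),
        "mime": mime,
        "reasons": reasons,
    }


def is_executable_download(capture: str) -> bool:
    return bool(analyze_exchange(capture)["reasons"])


if __name__ == "__main__":
    for label, cap in (("thread capture", CAPTURE), ("constructed benign", BENIGN)):
        result = analyze_exchange(cap)
        verdict = "FLAG" if result["reasons"] else "ok"
        print(f"{label}: {verdict} {result['host']}{result['path']} "
              f"({result['content_length']} bytes) {result['reasons']}")
```

Each reason on its own is weak (legitimate software is also served as `application/x-msdownload`); the point is that several lining up on one exchange, from a host nobody on the network deliberately browsed to, is what makes a record like this worth pulling the file for.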

October 03, 2008, 04:38:16 am
Reply #3

sowhat-x

  • Guest
Quote
Is this the problem or is there something else I can't see?
I got quite a bit surprised with it... at first I thought
that it might have been a bug/annoyance in PEiD... say as an example:
http://www.phreedom.org/solar/code/tinype/tiny.import.209/tiny.exe
(...supposedly the smallest PE file with imports, which gets reported as... "Not a valid PE file"...)

But then I checked the malware above with a couple of other exe analyzers,
like PEBrowse, CFF Explorer etc... and the same info was reported, i.e. nada, he-he...
I'm certainly far away from being a PE format guru myself,
just a supporting member over at PEiD,
packers' hunting/fingerprinting, bug reporting and the like... I don't code stuff there.
I've seen though a few more proof of concept executables with no import table,
I think it was over at wasm.ru... maybe the time has come for me to study them, he-he...  :)
Just in case, I'll send this over though to the rest of the guys for archiving/reference...

Edit: Found the wasm.ru PoC I remembered...
http://wasm.ru/src/6/NOIMP.ZIP
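ZaiRoN's point in Reply #1 (a PE may declare an empty import directory and resolve everything at runtime) and the "nada" that PEiD, PEBrowse and CFF Explorer reported in Reply #3 both come down to one field: the second entry of the optional header's data directory array. The script below is an added example, not code from the thread or from any of those tools. It reads that entry directly (handling both PE32 and PE32+, and honouring `NumberOfRvaAndSizes` and `SizeOfOptionalHeader` so a truncated directory array is not misread) and reports "no import table" as a triage signal. The `build_minimal_pe` helper constructs header-only fixtures so the check can be exercised offline; the structure offsets are from the PE specification.

```python
import struct
import sys

# Index of the import table inside the optional header's data directory array.
IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def import_directory(data: bytes):
    """Return (rva, size) of the import directory, or None if the PE declares none.

    None means the loader resolves no DLLs at load time: either the code locates
    its APIs itself at runtime or a packer stub does, which is the triage signal
    discussed in the thread.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20  # the optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        n_dirs_off, dirs_off = 92, 96     # NumberOfRvaAndSizes, first data directory
    elif magic == PE32PLUS_MAGIC:
        n_dirs_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt + n_dirs_off)
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT
    # The array may legitimately be shorter than 16 entries: trust both counts.
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_IMPORT or size_of_optional < entry + 8:
        return None
    rva, size = struct.unpack_from("<II", data, opt + entry)
    if rva == 0 and size == 0:
        return None
    return rva, size


def triage(data: bytes) -> str:
    entry = import_directory(data)
    if entry is None:
        return "NO IMPORT TABLE: resolves APIs at runtime or is packed; unpack before static analysis"
    rva, size = entry
    # IMAGE_IMPORT_DESCRIPTOR is 20 bytes; the array ends with an all-zero terminator.
    return f"import directory at RVA {rva:#x}, {size} bytes ({size // 20} descriptor slots)"


def build_minimal_pe(import_rva: int, import_size: int, pe32plus: bool = False) -> bytes:
    """Constructed fixture: DOS stub + PE headers only, just enough for the check above."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       1, 0, 0, 0,                      # NumberOfSections, TimeDateStamp, symtab ptr, nsyms
                       opt_size,                        # SizeOfOptionalHeader
                       0x0002)                          # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    n_dirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_dirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, import_rva, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: show the check on the constructed fixtures
        print("fixture (no imports):", triage(build_minimal_pe(0, 0)))
        print("fixture (imports):   ", triage(build_minimal_pe(0x2000, 0x28)))
    for path in paths:
        with open(path, "rb") as fh:
            try:
                print(f"{path}: {triage(fh.read())}")
            except (ValueError, struct.error) as exc:
                print(f"{path}: not parseable ({exc})")
```

An empty directory is a reason to look harder, not a verdict: the tinype PoC linked above shows a valid import table can live in a file small enough to confuse tools, and a packed sample with no imports will usually show a full table again once dumped at the OEP (as in ZaiRoN's 40ffcc dump).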

October 03, 2008, 06:13:41 am
Reply #4

CM_MWR

  • Special Members
  • Hero Member
Quote
But that sucker installed Virut on my system. Happened twice via a rogue install.

Reformatted both times

Perks of having your title include this neat little app called ACRONIS TRUE IMAGE!!!!!!

 ;D

October 06, 2008, 03:03:47 am
Reply #5

sowhat-x

  • Guest
Heh, just stumbled upon another one with no imports... is this some kind of trend, lol?
Timestamp back from... 4 November 2007. Scanned today... 14/36 (38.89%):
http://www.virustotal.com/analisis/bfddfe691e2895862386f3ea66ac0e12

October 06, 2008, 05:51:09 am
Reply #6

TeMerc

  • Special Members
  • Jr. Member
  • TeMerc Internet Countermeasures
Quote
But that sucker installed Virut on my system. Happened twice via a rogue install.

Reformatted both times

Perks of having your title include this neat little app called ACRONIS TRUE IMAGE!!!!!!

 ;D
Yea, I was told the same thing by another MVP, lol, need to send that email.