Author Topic: 4.exe and what it does  (Read 12813 times)


August 05, 2008, 09:42:43 am

Kayrac

  • Guest
So I ran 4.exe from MDL's list file here

Code:
aaa.ns-ok.com/down/4.exe
And holy crap, look at what this does.

PS: I just found out how to export from TotalUninstall, so I'm happy.


Too much spam in it, so I've got to figure out what to exclude. If anyone knows registry keys/folders I can exclude from change scanning, please let me know :)

August 05, 2008, 05:02:59 pm
Reply #1

sowhat-x

  • Guest
Here you go...(Note: .rar is NOT password-protected)

August 05, 2008, 05:19:18 pm
Reply #2

sowhat-x

  • Guest
The "Changes.txt" you attached above has way too much info, no way I can actually step through it...
In short, by quickly looking at the .exe, it seems to be enumerating processes at first,
checking privileges and setting them accordingly (SeBackupPrivilege),
deletes Microsoft's verclsid.exe (because it's meant to validate shell extensions),
extracts the .dll above from the executable's resources,
adds the .reg entry included above via /s ('silent' switch),
.reg entry sets the .dll so that it starts along with explorer.exe (ShellExecuteHooks)...

August 05, 2008, 06:02:28 pm
Reply #3

Serg

  • Special Members
  • Sr. Member
It's a standard online-game trojan. Main code is here:
Code:
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x29)
DeleteFileA(0x001517a8 -> "C:\\WINDOWS\\system32\\Verclsid.exe")
Sleep(0x5dc)
UnhookWindowsHookEx(0x4464)
SetWindowsHookExA(0x3 -> WH_GETMESSAGE, 0x0011639c, 0x00110000, 0x0)
SetWindowsHookExA(0x7 -> WH_MOUSE, 0x001163dc, 0x00110000, 0x0)0x0
SetWindowsHookExA(0x2 -> WH_KEYBOARD, 0x0011641c, 0x00110000, 0x0)
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x19)
injected dll is C\WINDOWS\SYSTEM32\TDFFDL.DLL
reg file C\WINDOWS\SYSTEM32\winsys.reg
shell extension is C0595A7E-2E2F-4B34-A83A-019270A0A464
password will be saved C\WINDOWS\SYSTEM32\tdffdl.dll.log
// I'll keep quiet about where the stolen passwords are :p

8-)
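As an added example for this thread (not code from the thread, the sample, or any tool named here), a Python script that parses an exported .reg file and flags every ShellExecuteHooks CLSID that is not on an allowlist, resolving it to its InprocServer32 DLL. The embedded .reg text is constructed from the CLSID and DLL name quoted in Reply #3 and is not the real winsys.reg; the allowlist entry (the shell32 URL-exec hook on Windows XP) and the key paths are assumptions to verify against a clean machine of the same build.

```python
# Constructed sample: rebuilt from the CLSID and DLL name quoted above, not the
# dropper's actual winsys.reg. Backslashes are doubled as .reg files require.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}]
@="TDFFDL"

[HKEY_CLASSES_ROOT\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\TDFFDL.DLL"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
'''

HOOKS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
# Assumed allowlist: the shell32 URL-exec hook that ships with Windows XP.
# Verify it against a known-clean machine of the same build before relying on it.
KNOWN_GOOD = {"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"}

def parse_reg(text):
    """Return {key_lowercased: {value_name: string_value}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" means delete; record it anyway so it still shows up.
            current = line[1:-1].lstrip("-").lower()
            keys.setdefault(current, {})
        elif current is not None and line[:1] in ('"', "@") and "=" in line:
            name, _, val = line.partition("=")
            name = "@" if name == "@" else name.strip('"')   # "@" is the default value
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = val
    return keys

def audit_shell_hooks(reg_text, known_good=KNOWN_GOOD):
    """List (clsid, dll_path) for every ShellExecuteHooks entry not on the allowlist."""
    keys = parse_reg(reg_text)
    good = {c.lower() for c in known_good}
    findings = []
    for clsid in keys.get(HOOKS_KEY.lower(), {}):
        if clsid.lower() in good:
            continue
        # Resolve the CLSID to the DLL explorer.exe would load for it.
        server = keys.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        findings.append((clsid, server.get("@", "<InprocServer32 not in this export>")))
    return findings
```

The same check works on a live export (reg export of the ShellExecuteHooks key and HKCR\CLSID): a dropper that imports its .reg with /s still leaves these values behind for an audit to find.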

August 05, 2008, 06:06:00 pm
Reply #4

sowhat-x

  • Guest
Quote
I'll keep quiet about where the stolen passwords are
Rotflmao  :D

August 05, 2008, 09:44:25 pm
Reply #5

Serg

  • Special Members
  • Sr. Member
Quote
I'll keep quiet about where the stolen passwords are
Rotflmao  :D
It's not funny if you're an 80+ overlord   ::)

August 06, 2008, 10:53:12 am
Reply #6

Kayrac

  • Guest
Yeah, what I need is a 'whitelist'. I've got someone who said they'd send me one, so I'm just waiting patiently :)