Malware Domain List
Malware Related => Malware Analysis => Topic started by: Kayrac on August 05, 2008, 09:42:43 am
-
So I ran 4.exe from MDL's list, file here:
aaa.ns-ok.com/down/4.exe
And holy crap, look at what this does.
PS: I just found out how to export from Total Uninstall, so I'm happy.
Too much spam in it, so I gotta figure out what to exclude. If anyone knows registry keys/folders I can exclude from change scanning, please let me know :)
-
Here you go...(Note: .rar is NOT password-protected)
-
The "Changes.txt" you attached above has way too much info, no way I can actually step through it...
In short, by quickly looking at the .exe, it seems to be enumerating processes at first,
checking privileges and setting them accordingly (SeBackupPrivilege),
deletes Microsoft's verclsid.exe (because it's meant to validate shell extensions),
extracts the .dll above from the executable's resources,
adds the .reg entry included above via /s ('silent' switch),
the .reg entry sets the .dll so that it starts along with explorer.exe (ShellExecuteHooks)...
-
It's a standard online-game trojan. The main code is here:
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x29)
DeleteFileA(0x001517a8 -> "C:\\WINDOWS\\system32\\Verclsid.exe")
Sleep(0x5dc)
UnhookWindowsHookEx(0x4464)
SetWindowsHookExA(0x3 -> WH_GETMESSAGE, 0x0011639c, 0x00110000, 0x0)
SetWindowsHookExA(0x7 -> WH_MOUSE, 0x001163dc, 0x00110000, 0x0)0x0
SetWindowsHookExA(0x2 -> WH_KEYBOARD, 0x0011641c, 0x00110000, 0x0)
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x19)
Injected DLL is C:\WINDOWS\SYSTEM32\TDFFDL.DLL
reg file is C:\WINDOWS\SYSTEM32\winsys.reg
shell extension is C0595A7E-2E2F-4B34-A83A-019270A0A464
passwords will be saved to C:\WINDOWS\SYSTEM32\tdffdl.dll.log
// I'll keep quiet about where the stolen passwords go :p
8-)
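Two checks a responder would want from the analysis above, as an added example in Python (not code from the post, MDL, or the sample): triage of the API-call trace for the global input-hook pattern (SetWindowsHookEx with dwThreadId 0 and a DLL-resident handler, plus deletion of verclsid.exe), and a parser that pulls ShellExecuteHooks registrations out of a .reg export and resolves each CLSID to its InprocServer32 DLL. The trace string is the one quoted in the post; the .reg fragment is constructed from the post's description (the real winsys.reg content is not on the page), and the trace line format is assumed to be the tracer's.

```python
import re

# Constructed sample: the API-call trace quoted in the post, verbatim, as one string.
SAMPLE_TRACE = r"""LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x29)
DeleteFileA(0x001517a8 -> "C:\\WINDOWS\\system32\\Verclsid.exe")
Sleep(0x5dc)
UnhookWindowsHookEx(0x4464)
SetWindowsHookExA(0x3 -> WH_GETMESSAGE, 0x0011639c, 0x00110000, 0x0)
SetWindowsHookExA(0x7 -> WH_MOUSE, 0x001163dc, 0x00110000, 0x0)0x0
SetWindowsHookExA(0x2 -> WH_KEYBOARD, 0x0011641c, 0x00110000, 0x0)
LocalAlloc(0x0 -> NONZEROLPTR | LMEM_FIXED, 0x19)
"""

# Constructed .reg fragment (assumption): what a ShellExecuteHooks registration for the
# CLSID and DLL named in the post would look like in a .reg export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C0595A7E-2E2F-4B34-A83A-019270A0A464}"=""

[HKEY_CLASSES_ROOT\CLSID\{C0595A7E-2E2F-4B34-A83A-019270A0A464}\InprocServer32]
@="C:\\WINDOWS\\SYSTEM32\\tdffdl.dll"
"ThreadingModel"="Apartment"
"""

HOOK_RE = re.compile(
    r'SetWindowsHookEx[AW]?\((0x[0-9a-fA-F]+) -> (WH_\w+), '
    r'(0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+), (0x[0-9a-fA-F]+)\)'
)
DELETE_RE = re.compile(r'DeleteFile[AW]?\(.*"([^"]+)"\)')
INPUT_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL", "WH_GETMESSAGE", "WH_MOUSE", "WH_MOUSE_LL"}


def triage_trace(trace: str) -> list:
    """Return (severity, reason) findings. A hook with dwThreadId == 0 is installed for
    every thread on the desktop, and hMod != 0 means the handler lives in a DLL that
    Windows will map into each hooked process: the input-capture shape seen above."""
    findings = []
    for line in trace.splitlines():
        m = HOOK_RE.search(line)
        if m:
            hook_type, hmod, thread_id = m.group(2), int(m.group(4), 16), int(m.group(5), 16)
            if hook_type in INPUT_HOOKS and thread_id == 0 and hmod != 0:
                findings.append(("high", f"global {hook_type} hook with DLL-resident handler"))
            continue
        d = DELETE_RE.search(line)
        if d and d.group(1).lower().replace("\\\\", "\\").endswith("\\verclsid.exe"):
            findings.append(("high", "deletes verclsid.exe (shell-extension validation)"))
    return findings


SEH_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
CLSID_SERVER_RE = re.compile(r"^HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$", re.I)


def shell_execute_hooks(reg_text: str) -> list:
    """Parse a .reg export and return [(clsid, dll_path)] for each CLSID registered under
    ShellExecuteHooks. Everything listed there loads into explorer.exe, so each entry
    should be matched against a known-good baseline for the host."""
    hooks, servers, current = [], {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            continue
        if not current or "=" not in line:
            continue
        name, _, value = line.partition("=")
        value = value.strip().strip('"').replace("\\\\", "\\")
        if current.lower() == SEH_KEY.lower():
            g = GUID_RE.search(name)
            if g:
                hooks.append(g.group(0).upper())
        else:
            m = CLSID_SERVER_RE.match(current)
            if m and name.strip() == "@":     # default value = server DLL path
                servers[m.group(1).upper()] = value
    return [(c, servers.get(c, "<InprocServer32 not in this file>")) for c in hooks]


if __name__ == "__main__":
    for sev, why in triage_trace(SAMPLE_TRACE):
        print(f"[{sev}] {why}")
    for clsid, dll in shell_execute_hooks(SAMPLE_REG):
        print(f"ShellExecuteHook {clsid} -> {dll}")
```

On a live host the same parser can be fed the output of `reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks` and of the matching HKCR\CLSID subkeys; any CLSID whose server is not a DLL you can account for is the one to pull for analysis.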
-
I'll keep quiet about where the stolen passwords go
Rotflmao :D
-
I'll keep quiet about where the stolen passwords go
Rotflmao :D
It's not funny if you're an 80+ overlord ::)
-
Yeah, what I need is a 'whitelist'. I got someone who said they'd send me one, so just waiting patiently :)