Author Topic: Is this file a trojan-malware?  (Read 7232 times)

0 Members and 1 Guest are viewing this topic.

February 12, 2008, 01:15:23 am
Read 7232 times

Malware_destroy

  • Newbie

  • Offline
  • *

  • 1
Hi mates,

First, my sincere congratulations for your new malware's sites research project. its my first time here.

A new site with so much freeware tools are maded. Really need a review because nobody known this app's author. For security, your team should be review the app that offer this site. The official authors is this:

Code: [Select]
http://www.speedapps.com/
Sample download:
Code: [Select]
http://www.speedapps.com/Builds/DesktopActivityRecorderSetup.exe
i'll send a sample to VirusTotal.com but, say that is clean, but, not all is 100% clean in new app's with actual heuristic technic. Please, check auth the Author site content.

Thanks and good luck with this wondeful malware research project.


February 12, 2008, 02:41:50 am
Reply #1

sowhat-x

  • Guest
Quote
Really need a review because nobody known this app's author.
...the 'golden' rule is,if nobody knows/can verify the author,
then you're better off searching some alternatives,
preferably open source,where you can review/mod the code to your liking.
Sourceforge and Freshmeat are always the first places to start...

Really quick checking...site above seems to be hosted at godaddy.com,
which has had some security problems in the past.
Page itself loads the following...and this domain exists in quite a few blocklists...
Quote
hxxp://popunder.adsrevenue.net/popup.php?+(newDate()).getTime()+&id=nirmice&pop=enter&t=3&subid=74730&blk=1&fc=-1
The installer you mentioned above,contains a register.exe:
VirusTotal reports that someone had scan this exe again one week ago,at 4 Feb...
This register.exe sends data here...for some reason,lol...  :)
Quote
hxxp://www.app-zilla.com/register_desktopactivity.php
I also see "localhost:8080" in there,proxy-related port...

Not in front of a 'sacrificial lamp' machine at the moment,
so I can't actually debug/disassemble this thing in more detail...but well,
let's just say that by a first glance,quite a few things in there don't fulfill my standards...
I would probably need to run it directly and fire up a packet sniffer,
to actually see what it sends to that database and why...

Quote
For security, your team should be review the app that offer this site.
Our goal is to promote analysis,not individual reviews of every exe/site out there...
ie.to have people being able to do that for themselves by their own means,
at least to a certain point...don't think we're some kind of gurus here ;-)
Evenmore,if we were to analyse every exe/site out there that people wanted,
he-he,most probably we would never finish...  :)

EDIT:For the fun of it,I downloaded 'Echo Audio Ripper" from the app-zilla guys above,
and it seems to be a GPL-violating 'revamped' version of CDex...SkinCrafter.dll there,lol... ;-)
http://skincrafter.com/
You get the deal here...the 'easy' way to 'code' lots of apps in very short time:
thereby my guess is that the http address above is for "software registration",not malware...