NgrBot (aka Win32/Dorkbot.gen!A)

Forum for analysis and discussion about malware.
EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: skype spam (trojan)

Post by EP_X0FF » Sun Sep 30, 2012 3:24 am

markusg wrote:Tonight we got some requests from infected people; they got these files in a message via sendspace URLs
https://www.virustotal.com/file/2b5ef3b ... /analysis/
Normally it comes as a zip archive.
This is NgrBot aka Dorkbot. So many strings inside, so I'll just post a little piece.
Main reasons:
- you stupid cracker
- you stupid cracker...
- you stupid cracker?!
ngrBot Error shell32.dll " % s " % S msg http int %d httpi usbi dnsapi.dll DnsFlushResolverCache P O S T = http://%s/%s http://%s/ HTTP Host:
POST /%1023s
Two other files are Win32 PE executables. Will look later.
Ring0 - the source of inspiration
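The strings EP_X0FF pasted above (the "ngrBot Error" marker, the "you stupid cracker" anti-analysis messages, the DnsFlushResolverCache import and the HTTP format strings) are the kind of indicators a first-pass triage can key on. The following is an added example, not code from the thread or from any of the posters: a small `strings`-style extractor plus an indicator matcher run over a constructed byte blob (the blob, the offsets and the two-hit threshold are assumptions made for this demonstration).

```python
import re
from typing import Dict, List

# Indicator substrings taken verbatim from the strings dump in the post above.
NGRBOT_INDICATORS = [
    b"ngrBot Error",
    b"you stupid cracker",
    b"DnsFlushResolverCache",   # legitimate dnsapi.dll export, weak on its own
    b"POST /%1023s",
    b"http://%s/%s",
]


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes, like `strings`."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def match_indicators(data: bytes, indicators=NGRBOT_INDICATORS) -> Dict[str, List[int]]:
    """Map every indicator present in data to the byte offsets where it occurs."""
    hits: Dict[str, List[int]] = {}
    for ind in indicators:
        offsets = [m.start() for m in re.finditer(re.escape(ind), data)]
        if offsets:
            hits[ind.decode("ascii")] = offsets
    return hits


def triage(data: bytes, threshold: int = 2) -> dict:
    """Flag a buffer as suspicious when at least `threshold` distinct indicators hit.

    A single hit is deliberately not enough: DnsFlushResolverCache, for example,
    appears in plenty of benign binaries that import dnsapi.dll.
    """
    hits = match_indicators(data)
    return {"hits": hits, "suspicious": len(hits) >= threshold}


# Constructed sample buffer (not a real file): filler bytes with three of the
# indicator strings embedded at known offsets 20, 49 and 74.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"ngrBot Error\x00"
    + b"\xde\xad" * 8
    + b"DnsFlushResolverCache\x00"
    + b"\x01\x02\x03"
    + b"POST /%1023s\x00"
    + b"\xff" * 5
)

if __name__ == "__main__":
    print("strings:", extract_strings(SAMPLE))
    print("triage :", triage(SAMPLE))
```

Run it against a real dump with `triage(open(path, "rb").read())`; the offsets it reports are the places to start looking in a hex editor, and the threshold keeps a lone dnsapi.dll import from raising an alert.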

EP_X0FF

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by EP_X0FF » Sun Sep 30, 2012 3:50 am

ogxEz57 is an obfuscated spammer. Purpose: find the Skype communicator window and spam it with the following:
hey is this your skype profile pic?
hxxp://sendspace.com/pro/dl/8a963g?image=
Multi-language support for this message.

weifgwf is a ZeroAccess CLSID+services.exe infection cross-platform dropper. Extracted files attached.

MindfreaK
Posts: 15
Joined: Wed Mar 14, 2012 3:33 pm
Location: Germany

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by MindfreaK » Sun Sep 30, 2012 1:09 pm

Found something similar to EP_X0FF's, but not sure if this is the same:
hallo, sag mal ehrlich sind das deine fotos? (German: "hello, tell me honestly, are these your photos?")
http://goo.gl/OI0SP?image=%skypeuser%
redirects to 88.198.59.105:80 - [holsterhausen53.de], which downloads the file.
File is packed with a VC6 RunPE crypter.


https://www.virustotal.com/file/ea82c9b ... 349010185/
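Both lures quoted in this thread share the same shape: a short "is this your photo?" line, in English or German, followed by a link carrying an `image=` query parameter (in MindfreaK's sample still holding the unexpanded `%skypeuser%` placeholder). The following is an added example, not code from the thread or from any poster: a message scorer that a chat-log monitor could run over exported Skype messages. The lure phrases and hosts are the ones quoted in the thread; the sample messages, the scoring and the threshold are constructed for this demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlsplit

# "hxxp" is the defanged form the thread uses; accept it alongside http(s).
URL_RE = re.compile(r"(?:hxxp|http)s?://[^\s<>\"']+", re.IGNORECASE)

# Lure phrasings quoted in the thread (English, and German: "are these your photos").
LURE_PHRASES = [
    "is this your skype profile pic",
    "sind das deine fotos",
]

# Hosts seen in the thread's samples (sendspace download, goo.gl shortener).
LURE_HOSTS = {"sendspace.com", "goo.gl"}


def score_message(text: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one chat message; each matched trait adds one."""
    reasons: List[str] = []
    low = text.lower()
    if any(phrase in low for phrase in LURE_PHRASES):
        reasons.append("lure phrase")
    for url in URL_RE.findall(text):
        normalised = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
        parts = urlsplit(normalised)
        host = parts.hostname or ""
        if host in LURE_HOSTS or host.endswith(tuple("." + h for h in LURE_HOSTS)):
            reasons.append(f"known lure host {host}")
        # keep_blank_values so the empty "?image=" form from the first sample counts.
        query = parse_qs(parts.query, keep_blank_values=True)
        if "image" in query:
            reasons.append("image= tracking parameter")
        if "%skypeuser%" in url.lower():
            reasons.append("unexpanded %skypeuser% template")
    return len(reasons), reasons


def flag_messages(messages: List[str], threshold: int = 2) -> List[Tuple[str, List[str]]]:
    """Return the messages whose score reaches the threshold, with their reasons."""
    flagged = []
    for msg in messages:
        score, reasons = score_message(msg)
        if score >= threshold:
            flagged.append((msg, reasons))
    return flagged


# Constructed sample messages: the two lures from the thread plus two benign lines.
MESSAGES = [
    "hey is this your skype profile pic? hxxp://sendspace.com/pro/dl/8a963g?image=",
    "hallo, sag mal ehrlich sind das deine fotos? http://goo.gl/OI0SP?image=%skypeuser%",
    "meeting moved to 3pm, see http://intranet.example/agenda",
    "check the gallery http://photos.example/album?image=42",
]

if __name__ == "__main__":
    for msg, reasons in flag_messages(MESSAGES):
        print(f"FLAGGED ({', '.join(reasons)}): {msg}")
```

The threshold of two is what keeps an ordinary gallery link with an `image=` parameter (the fourth sample) from being flagged; only the combination of lure phrasing, a known drop host, or the template placeholder pushes a message over.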

EP_X0FF

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by EP_X0FF » Sun Sep 30, 2012 5:22 pm

MindfreaK wrote:Found something similar to EP_X0FF's, but not sure if this is the same:
hallo, sag mal ehrlich sind das deine fotos? (German: "hello, tell me honestly, are these your photos?")
http://goo.gl/OI0SP?image=%skypeuser%
redirects to 88.198.59.105:80 - [holsterhausen53.de], which downloads the file.
File is packed with a VC6 RunPE crypter.


https://www.virustotal.com/file/ea82c9b ... 349010185/
Dorkbot; decrypted sample in the attachment.

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by markusg » Wed Oct 03, 2012 2:28 pm

https://www.virustotal.com/file/9e3aa9e ... /analysis/
Short analysis in a sandbox shows a download, but I cannot find it, and IRC communication, so it looks a bit different from the other one.

Blaze
Posts: 198
Joined: Fri Aug 27, 2010 7:35 am

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by Blaze » Mon Oct 08, 2012 2:55 pm



Flamef
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm

Worm:Win32/Dorkbot.I

Post by Flamef » Mon Oct 08, 2012 7:25 pm

Can anyone give me this ransomware sample mentioned here?
http://www.gfi.com/blog/skype-users-tar ... ick-fraud/
No MD5 (sorry, can't find it).
Thanks in advance.

tachion
Posts: 32
Joined: Sat Dec 24, 2011 10:03 am

Re: Malware Requests, part 2

Post by tachion » Mon Oct 08, 2012 7:38 pm

Flamef wrote:Can anyone give me this ransomware sample mentioned here?
http://www.gfi.com/blog/skype-users-tar ... ick-fraud/
No MD5 (sorry, can't find it).
Thanks in advance.
MD5 e8e2ba08f9aff27eed45daa8dbde6159
https://www.virustotal.com/file/5110055 ... /analysis/

and dump MD5 18fb5a103974f0c69d165aef19ff2793

https://www.virustotal.com/file/d2db00f ... /analysis/

Win32:Virut
Posts: 324
Joined: Sat Jun 02, 2012 2:22 pm

Re: NgrBot (aka Win32/Dorkbot.gen!A)

Post by Win32:Virut » Thu Oct 25, 2012 6:51 pm

