A forum for reverse engineering, OS internals and malware analysis 

Search found 28 matches

 Go to advanced search

Re: Trojan:Win32/Reveton

 by Neurofunk ¦  Wed Dec 12, 2012 6:53 pm ¦  Forum: Malware ¦  Topic: Win32/Reveton ¦  Replies: 150 ¦  Views: 192911

https://www.virustotal.com/file/d5a7e7c2a321c8c541b01e2be762368ce9a519d24423564b20e9584fac3844b3/analysis/ edit: this one is kind of fucked up in my opinion, there is a VERY questionable image embedded into it when it executes. Also not sure if the right place but does anyone know what the giant 90+...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Tue Aug 28, 2012 3:20 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

Sure thing it is attached in this post, I also included the RKreport.txt in the zip file in case it is of use. edit: some of the files that Rogue Killer touched got detected by mcafee and it quarantined them first so I went back and restored them to their original state and threw them into an extra ...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Tue Aug 28, 2012 4:14 am ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

RogueKiller was able to blast all of it but the MBR portion. When trying to write to the MBR it was giving the following error: http://imgur.com/3siUKl.jpg (First run was the full check list for faked & antirootkit. I just ran the MBR only version so I could get a screenshot of the error message.) E...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Mon Aug 27, 2012 4:27 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

I'll give it a shot, got about 7 tickets that came in this morning one of them is bound to be some unfortunate soul with it If not I still haven't fixed the machine from my screenshot post, for someone with a malware infection that is still active he seems to be taking it lightly, won't return my ca...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Mon Aug 27, 2012 1:56 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

@Neurofunk : Do you have a dropper for this? Sorry but I don't :( I checked around on the machine for anything that would resemble the dropper but came up empty handed. Judging by the access protection logs for our AV suite that we use it was using the install_flash_player.exe + malicious msimg32.d...

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Wed Aug 22, 2012 11:20 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

Is sirefef moving back into the bootkit market? On this Win 7 x64 build I just found a machine hit with the services.exe infection but on top of that i found the following detections using Hitman Pro: http://i.imgur.com/XxBsD.jpg It is killing TDSSKiller, aswMBR and other similar tools that are used...

Re: Malware/Not classified

 by Neurofunk ¦  Wed Aug 08, 2012 7:02 pm ¦  Forum: Malware ¦  Topic: Trojan.Tracur ¦  Replies: 4 ¦  Views: 4841

Sucpicious DLL file I came across on a users machine it currently has a 1/42 detection on VirusTotal (2 days after I uploaded it to VT originally), not sure what threat it is tied to but it launches 2 IExplore processes in the background and starts itself using Rundll32 and a key in HKEY_USERS inste...

Re: Win32/Carberp

 by Neurofunk ¦  Tue Jun 26, 2012 3:51 pm ¦  Forum: Malware ¦  Topic: Win32/Carberp ¦  Replies: 46 ¦  Views: 58082

"Russian K-force operatives cuff suspected Carberp trojan bank raider"
http://www.theregister.co.uk/2012/06/26 ... st_russia/

Re: ZeroAccess (alias MaxPlus, Sirefef)

 by Neurofunk ¦  Fri Jun 22, 2012 4:10 pm ¦  Forum: Malware ¦  Topic: ZeroAccess (alias MaxPlus, Sirefef) ¦  Replies: 557 ¦  Views: 571478

Yup, ran into the same thing. When the reboot prompt comes up if you look for services.exe it isn't present anymore as a running process on the infected machine.

Re: Rogue antimalware (FakeAV, FakeAlert)

 by Neurofunk ¦  Mon May 21, 2012 5:26 pm ¦  Forum: Malware ¦  Topic: Rogue Antimalware (FakeAV, 2012 year) ¦  Replies: 454 ¦  Views: 222160

Not only do they offer to remove malware but now they also help you torrent anonymously apparently. Such help people coding these applications why wouldn't anyone register for a copy :P

Image

Virus Total Link
MD5: 6d8d64254666452a94e970f31633a9da
Detection Ratio: 15/41