A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #570  by STRELiTZIA
 Wed Apr 07, 2010 7:55 am
Hi,
Old PE infector drops rootkit...
See attachement:
WinRAR Archives password: malware
---
1- Virus.Win32.Alman.b_Dropper.rar contains :-->> Protected.
- Infected file.
- Original file.
- Disinfected file.

2- linkinfo.dll_Alias_Virus.Win32.Agent.bu.rar -->> Protected.
3- IsDrv122.sys_Alias_Virus.Win32.Alman.b.rar -->> Protected.
--
4- linkinfo.dll_Listing.txt
5- linkinfo.dll_strings.txt
6- Report.txt
---
7- IsDrv122_IDA_Data-base-file.idb -->> Ida database file.


dfs_Infected.exe:
http://www.virustotal.com/fr/analisis/8 ... 1270626442

linkinfo.dll:
http://www.virustotal.com/fr/analisis/d ... 1270626586

IsDrv122.sys:
http://www.virustotal.com/fr/analisis/9 ... 1270626598
You do not have the required permissions to view the files attached to this post.
 #572  by EP_X0FF
 Wed Apr 07, 2010 9:22 am
Hello,

I don't remember if it is the same Alman I have analyzed in 2008, but it had on board specific code against Rootkit Unhooker v1.x/2.x (hardcoded RkU driver signature).

Regards.

edit:

Yep, the same ;)
I S P U B D R V I S D R V 1 R K R E V E A L P R O C E X P S A F E M O N R K H D R V 1 0 N P F I R I S