A forum for reverse engineering, OS internals and malware analysis 

 #7909  by blueblackant
 Tue Aug 09, 2011 3:05 pm
Tried that... but the error message 'xxxx is not a valid win32 file' appeared. Checked the file type. They are MZ. Could the files be corrupted? Thanks.
 #7910  by r2nwcnydc
 Tue Aug 09, 2011 3:32 pm
They are DLLs. You'll need to use a DLL loader to test them.

Doing a quick run of the first file, it tries to load system32\xfemdhb.dll. I don't know if this is one of the other DLLs, but I'm sure you can figure it out.

The DLL actually expects itself to be named xfemdhb.dll and to be in the system32 directory.
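As an added example that is not part of the original thread: a small Python PE header parser that reports whether an MZ file is a DLL (the IMAGE_FILE_DLL characteristic) or an EXE, which is the first thing to check before deciding whether a sample needs a DLL loader rather than being run directly. The sample bytes are a constructed minimal header, not the thread's files.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002  # set on any loadable image
IMAGE_FILE_DLL = 0x2000               # set on DLL images only


def pe_image_kind(data: bytes) -> str:
    """Return 'dll', 'exe', or 'invalid' for a PE image held in memory."""
    # DOS header: 'MZ' magic; e_lfanew at offset 0x3C points to the PE signature
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "invalid"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need room for the signature (4 bytes) plus the COFF file header (20 bytes)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "invalid"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, _nsections, _ts, _symptr, _nsyms, _opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "invalid"  # object file or corrupt header, not a loadable image
    return "dll" if characteristics & IMAGE_FILE_DLL else "exe"


def pe_file_kind(path: str) -> str:
    """Classify a file on disk; only the headers are needed, so read 4 KiB."""
    with open(path, "rb") as fh:
        return pe_image_kind(fh.read(4096))


def build_min_pe(characteristics: int) -> bytes:
    """Constructed sample: DOS header + PE signature + COFF header, no sections."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 0x2102 = EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL; 0x0102 lacks the DLL bit
    for name, flags in (("dll-like", 0x2102), ("exe-like", 0x0102)):
        print(name, pe_image_kind(build_min_pe(flags)))
```

A file that comes back as "dll" will produce exactly the "is not a valid Win32 application" error when double-clicked, because the loader needs a host process to load it into.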
 #8766  by noppy
 Tue Sep 27, 2011 7:38 am
I analyzed a sample of Conficker, and I found there is a method this malware uses to hide its service registry entries.
There is no user-mode/kernel-mode API/syscall hook related to the registry, as far as I can see with tools like Rootkit Unhooker, XueTr, GMER, ...
I also looked for a registry filter driver using XueTr and Kernel Detective, but unfortunately with no luck.

If anyone has analyzed this malware, can you help me understand what technique is used?

The hash of my sample is: c3852074ee50da92c2857d24471747d9

 #18366  by EP_X0FF
 Thu Feb 28, 2013 3:47 am
MAXS wrote: Has someone succeeded in running Kido under a VM, and how? I downloaded 10 samples and none works...
Which file(s)?