A forum for reverse engineering, OS internals and malware analysis 

 #20319  by Xylitol
 Wed Jul 31, 2013 11:31 pm
Win32:Virut wrote:Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU
 #20325  by Win32:Virut
 Thu Aug 01, 2013 4:21 pm
Xylitol wrote:
Win32:Virut wrote:Sorry, it's Live Security Professional fakeav.
From your last post? No, it's Reveton confirmed.

I can't attach the sample because the uploader is broken for the moment, so here are videos:
Cool Exploit Kit leading to Reveton: http://www.youtube.com/watch?v=BitCYj2GExE
Unpacking the sample grabbed + lolav: http://www.youtube.com/watch?v=HA6FzT-e4nU
I tested it a while ago; it's Live Security Professional.
 #20330  by EP_X0FF
 Thu Aug 01, 2013 5:13 pm
Win32:Virut wrote:rundll32.exe path,XFG00

https://www.virustotal.com/en/file/90b6 ... 375267929/

I was just browsing some websites and got infected, maybe some site was infected.
Reveton. Decrypted version in the attachment.

https://www.virustotal.com/en/file/4f2e ... 375377166/
 #20333  by Win32:Virut
 Thu Aug 01, 2013 6:23 pm
@EP_X0FF and Xylitol

How do you run it?

I use WIN + R, then rundll32.exe path-to-file,XFG00

and Live Security Professional.

 #20340  by S!Ri
 Fri Aug 02, 2013 8:59 am
Hello,

Unpacked is the dropper (X:\PGP\Programming\JimmMonsterNew\ServerWinlock\Source\SysUtils.pas) :twisted:
Just rename to *.cpl and double click

dump is the rogue binary (dll, not executable, not rebuilt)
(many references to "OPG Security")
 #20353  by thisisu
 Fri Aug 02, 2013 8:47 pm
https://www.virustotal.com/en/file/014f ... 375475881/

MD5 : df50510b6bac36f7b8901796b618ef8f

PC was infected with Pihar.C, ZeroAccess Recycler, and looks like this is ransomware but it never displayed for me (sorry no pic).

Legit service used for startup:
Code:
S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)
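A defender-side check for the kind of service entry quoted above, added here as an example that is not part of the thread: it parses FRST-style service lines and flags a binary whose directory does not match where that service normally lives. The expected-location table, the constructed log lines and their sizes and dates are my assumptions; the publisher string in parentheses is deliberately ignored because it comes from the file's own version resource.

```python
import re
from pathlib import PureWindowsPath

# FRST service line: "<start> <name>; <path> [<size> <date>] (<company>)"
LINE_RE = re.compile(
    r"^(?P<start>[SR]\d)\s+(?P<name>[^;]+);\s+(?P<path>.+?)\s+"
    r"\[(?P<size>\d+)\s+(?P<date>\d{4}-\d{2}-\d{2})\]\s+\((?P<company>[^)]*)\)\s*$"
)

# Assumed allowlist of where each service DLL normally lives (not from FRST).
EXPECTED_DIR = {
    "winmgmt": PureWindowsPath(r"C:\Windows\system32\wbem"),
    "browser": PureWindowsPath(r"C:\Windows\system32"),
}

# Constructed sample log; the first line mirrors the entry quoted in the thread,
# the others are made-up clean entries (sizes and dates are placeholders).
SAMPLE_LOG = r"""
S2 Winmgmt; C:\Windows\system32\config\SYSTEM~1\3950568.dll [204800 2013-02-05] (Microsoft Corporation)
S2 Winmgmt; C:\Windows\system32\wbem\WMIsvc.dll [145408 2009-07-14] (Microsoft Corporation)
S3 Browser; C:\Windows\system32\browser.dll [102400 2009-07-14] (Microsoft Corporation)
"""

def parse_line(line):
    """Return the fields of one service line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["size"] = int(entry["size"])
    return entry

def suspicious_reasons(entry):
    """List why a parsed entry looks hijacked; empty list means nothing flagged."""
    path = PureWindowsPath(entry["path"])   # PureWindowsPath compares case-insensitively
    reasons = []
    expected = EXPECTED_DIR.get(entry["name"].lower())
    if expected is not None and path.parent != expected:
        reasons.append(f"{entry['name']} loads from {path.parent}, expected {expected}")
    if "config" in [p.lower() for p in path.parts]:
        reasons.append("binary stored under the registry hive directory (system32\\config)")
    if path.stem.isdigit():
        reasons.append("all-numeric file name")
    return reasons

def scan(log_text):
    """Map each flagged binary path to its list of reasons."""
    findings = {}
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry and (reasons := suspicious_reasons(entry)):
            findings[entry["path"]] = reasons
    return findings
```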
 #20640  by Horgh
 Thu Aug 29, 2013 8:45 pm
Trojan:Win32/Reveton.N