A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #451  by EP_X0FF
 Fri Mar 26, 2010 6:15 am
Trojan that uses a Microsoft Office component (Word) to survive and download additional stuff.
If Microsoft Office is not installed / Word is not present, the trojan starts an additional svchost process and uses it for its purposes (in both cases the trojan maps a malicious dll into the address space of the victim process).

Bot (file.ex_ in attach) is trying to contact _hxxp://netmegasite.net/source/bb.php (C&C link obfuscated) to get additional instructions.

Norton Safe Web report

It gets additional commands that look like this:
[info]runurl:_hxxp://www.gynweb.de/forum/customavatars/2_u.e ... 0|backurls:[/info]
(link obfuscated)

VirusTotal report for 2_u.exe

Sets itself to autorun through the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.

Original dropper VirusTotal result
Extracted malicious code to be injected inside svchost/winword VirusTotal result

All samples, including payload, attached.
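The post above names the Winlogon Shell value as the persistence point. As an added example (not code from the post or from the forum), here is a small Python check a defender can run to spot extra entries in that value: Winlogon treats the value as a comma-separated list and the stock value is just `explorer.exe`, so anything appended is worth a look. The constructed sample values in the block are assumptions for illustration; on a Windows host the script also reads the live value from HKLM (and from HKCU, which Winlogon honours as a per-user override).

```python
"""Flag unexpected entries in the Winlogon Shell autorun value.

Added example, not the forum post's own code. The post reports persistence
via HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell;
this script checks that value against the expected default.
"""
import sys

WINLOGON_SUBKEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
EXPECTED_SHELL = "explorer.exe"


def parse_shell_value(value):
    """Split a Winlogon Shell value into its comma-separated entries.

    An empty or missing value means the default shell, so it yields no entries.
    """
    if not value:
        return []
    return [entry.strip() for entry in value.split(",") if entry.strip()]


def suspicious_shell_entries(value):
    """Return every entry that is not exactly 'explorer.exe' (case-insensitive).

    A full path to explorer.exe is deliberately flagged too: the default is the
    bare name, and a path could point at a lookalike binary, so let an analyst
    decide rather than silently trusting the basename.
    """
    return [e for e in parse_shell_value(value) if e.lower() != EXPECTED_SHELL]


def read_live_shell_values():
    """Read the Shell value from HKLM and HKCU on Windows.

    Returns a dict hive-name -> value (None when the value is absent).
    On non-Windows platforms there is no registry, so it returns {}.
    """
    if sys.platform != "win32":
        return {}
    import winreg  # stdlib, Windows only

    results = {}
    for name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                       ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, WINLOGON_SUBKEY) as key:
                value, _ = winreg.QueryValueEx(key, "Shell")
                results[name] = value
        except OSError:
            # Key or value not present; HKCU normally has no Shell value.
            results[name] = None
    return results


def report(values):
    """Build a list of (hive, entry) findings for the given hive -> value map."""
    findings = []
    for hive, value in values.items():
        for entry in suspicious_shell_entries(value or ""):
            findings.append((hive, entry))
    return findings


if __name__ == "__main__":
    live = read_live_shell_values()
    if live:
        values = live
    else:
        # Constructed sample values (assumption for illustration, not real data):
        # a clean machine and one where an extra executable has been appended.
        values = {
            "HKLM (constructed clean)": "explorer.exe",
            "HKLM (constructed modified)": "explorer.exe,C:\\Users\\Public\\file.exe",
        }
    for hive, entry in report(values):
        print(f"[!] {hive}: unexpected Shell entry -> {entry}")
    if not report(values):
        print("[+] Winlogon Shell value looks like the default in every hive checked")
```

Run it as-is on a Windows host to inspect the live registry; elsewhere it exercises the parsing logic on the constructed samples. Pair it with a hash or signature check of whatever path it flags, since the value only tells you that something extra is launched at logon, not what it is.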
 #1294  by Alex
 Sat Jun 19, 2010 7:24 pm
The password which gjf posted above - virus - is correct. If you have any security software installed, try to disable it while extracting the archive.
 #1396  by EP_X0FF
 Sat Jul 03, 2010 5:44 am
UPX -> custom cryptor -> Delphi.
pro WinSock System SysInit Windows Types Unit1 MagicApiHook ShellAPI
original (in attach)
http://www.virustotal.com/analisis/654d ... 1278134671

removed upx
http://www.virustotal.com/analisis/b8ad ... 1278135472
 #2858  by Evilcry
 Fri Sep 24, 2010 8:55 am
Hi,

The following sample came out from a malicious domain that has the particularity of caching the victim's IP;
a second access leads to a 404. Here is the Oficla trojan I've extracted from it.

Regards