 #499  by cjbi
 Tue Mar 30, 2010 1:29 pm
Last edited by cjbi on Sun Sep 05, 2010 11:26 am, edited 6 times in total.
 #500  by EP_X0FF
 Tue Mar 30, 2010 1:40 pm
Thanks for the samples :)

Seems to be It was reviewed by me here

It is using payload DLL memory injection into running processes. When injecting, the trojan uses a simple loader, so antirootkits will not flag it as hidden, because the Windows loader wasn't used.
The rootkit performs hooking of these functions (if the appropriate DLL is loaded):
ntdll.dll-->NtEnumerateValueKey
ntdll.dll-->NtQueryDirectoryFile
ntdll.dll-->NtResumeThread
ntdll.dll-->NtVdmControl
ntdll.dll-->LdrLoadDll
user32.dll-->TranslateMessage
wininet.dll-->InternetCloseHandle
wininet.dll-->HttpSendRequestA
wininet.dll-->HttpSendRequestW
ws2_32.dll-->send
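A defender-side check for the hook list above, added here as an example and not code from the thread: it compares each watched export's leading bytes as read from a process against the same bytes from the module on disk, and flags a difference that begins with an E9 rel32 JMP leaving the module image as an inline hook. The module base, addresses and prologue bytes in the sample snapshot are constructed for the demo, not taken from a real machine.

```python
import struct

# Added example; the "snapshot" data at the bottom is constructed, not captured.
# Exports the post reports as hooked, keyed by module.
WATCHLIST = {
    "ntdll.dll": {"NtEnumerateValueKey", "NtQueryDirectoryFile", "NtResumeThread",
                  "NtVdmControl", "LdrLoadDll"},
    "user32.dll": {"TranslateMessage"},
    "wininet.dll": {"InternetCloseHandle", "HttpSendRequestA", "HttpSendRequestW"},
    "ws2_32.dll": {"send"},
}

def jmp_target(code, va):
    """Destination of an E9 rel32 JMP located at virtual address va, else None."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    return (va + 5 + struct.unpack_from("<i", code, 1)[0]) & 0xFFFFFFFF

def check_export(va, mem_bytes, disk_bytes, module_range):
    """'clean' if memory matches disk, 'inline-hook' if the patch is a JMP that
    leaves the module image, else 'patched' (differs; needs a manual look)."""
    if mem_bytes[:len(disk_bytes)] == disk_bytes:
        return "clean"
    target = jmp_target(mem_bytes, va)
    if target is not None and not module_range[0] <= target < module_range[1]:
        return "inline-hook"
    return "patched"

def scan(snapshot):
    """snapshot: (module, export, va, mem_bytes, disk_bytes, module_range) tuples."""
    findings = {}
    for module, export, va, mem, disk, rng in snapshot:
        if export in WATCHLIST.get(module, ()):
            verdict = check_export(va, mem, disk, rng)
            if verdict != "clean":
                findings[f"{module}!{export}"] = verdict
    return findings

# Constructed snapshot: ntdll pretended at 0x7C900000-0x7CA00000, clean prologue an
# XP-style syscall stub (mov eax, imm32; mov edx, imm32), one export JMP-patched to
# 0x00401000, an address range that is not ntdll.
NTDLL = (0x7C900000, 0x7CA00000)
CLEAN_STUB = bytes.fromhex("b8b7000000ba0003fe7f")
HOOK_VA = 0x7C90D76C
HOOKED = b"\xe9" + struct.pack("<i", 0x00401000 - (HOOK_VA + 5)) + CLEAN_STUB[5:]
SAMPLE = [
    ("ntdll.dll", "NtResumeThread", 0x7C90DB90, CLEAN_STUB, CLEAN_STUB, NTDLL),
    ("ntdll.dll", "NtQueryDirectoryFile", HOOK_VA, HOOKED, CLEAN_STUB, NTDLL),
    ("ntdll.dll", "NtClose", 0x7C90CFD0, b"\x90" * 10, CLEAN_STUB, NTDLL),  # not watched
]
def scan_sample():
    return scan(SAMPLE)  # {'ntdll.dll!NtQueryDirectoryFile': 'inline-hook'}
```

On a live system the mem/disk byte pairs would come from reading the process and parsing the export table of the module file; a manually mapped DLL (as the post describes) still shows up this way because the hook itself is written into the legitimately loaded module.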
 #527  by vCatcher
 Fri Apr 02, 2010 3:05 pm
Hello
Here is a very simple cleaner I wrote. I have tested it with samples posted in this thread.
I'm not sure which version of the trojan it is, but the cleaner should work on all versions.
I would be thankful for samples when the Trojan changes its file paths or adds self-protection
so I could update the cleaner.

output:
SpyEyeCleaner version v1.00
SpyEye Infection detected,cleaning ...
Removing "C:\cleansweep.exe\cleansweep.exe": OK
Removing "C:\cleansweep.exe\config.bin": OK
Removing "C:\cleansweep.exe": OK
Removing SpyEye autostart key: OK
All SpyEye components removed from system
Now restart system to complete cleaning

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary:A99BEB87ECDBA9B6D81113FBB1B5E659
 #531  by EP_X0FF
 Fri Apr 02, 2010 5:47 pm
Hello,

thank you for your tool and time, perhaps it will be helpful for somebody.
vCatcher wrote:I would be thankful for samples when the Trojan changes its file paths or adds self-protection
so I could update the cleaner.
Sure, of course. If this malware gets updated, it will be posted here.

Regards.
 #1418  by EP_X0FF
 Mon Jul 05, 2010 5:10 am
Some new info about SpyEye :)

Crapware author's name is Gribodemon.

http://www.wasm.ru/forum/viewtopic.php?id=35855 (author has some troubles with NtDeleteFile)
hxxp://forum.zloy.bz/showthread.php?p=4810658
hxxp://damagelab.org/lofiversion/index.php?t=18763&st=30

Links include v1.2 info.

+ some sample from May 2010.

http://www.virustotal.com/analisis/e310 ... 1278309507
 #1420  by EP_X0FF
 Mon Jul 05, 2010 6:07 am
vCatcher wrote:Hello
Here is a very simple cleaner I wrote. I have tested it with samples posted in this thread.

link: http://rapidshare.com/files/371173568/S ... r.rar.html
md5 of binary:A99BEB87ECDBA9B6D81113FBB1B5E659
Link is dead, so I can't test your tool against the current version I have.
This file is neither allocated to a Premium Account, or a Collector's Account, and can therefore only be downloaded 10 times.
This limit is reached.
 #1430  by PX5
 Tue Jul 06, 2010 2:50 pm
nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe.crypted.exe was first release

nerukabbcompany.com/fgdhfgvcryegf/bin/build.exe is current

nerukabbcompany.com/fgdhfgvcryegf/bin/ is an open directory :lol:
 #1431  by EP_X0FF
 Tue Jul 06, 2010 3:09 pm
Thanks :)

The unpacked trojan seems to belong to the newest SpyEye variants, 1.2.4 (with screenshots feature).

The SpyEye executable is now randomly named and placed in a randomly named directory.

Example from an infected machine:
C:\xgukxzrvux.exe\xgukxzrvux.exe
In the attachment you will find SpyEye's config data, recovered by me from the bot posted above (archive recovered, SpyEye pass removed).

Enjoy.
 #1435  by PX5
 Tue Jul 06, 2010 7:21 pm
Think it is this one; seems very mean, steals my other malware and/or causes other running malware to bug out.

If not, this is the other version I see of cleansweep.exe with cleansweepudp.exe, I think.....think being the keyword here! ;)