 #4093  by EP_X0FF
 Wed Dec 22, 2010 9:09 am
This is a trojan dropper. It drops XrBot.exe to Users\UserName\Templates and then executes it. Probably due to buggy code, the payload wasn't dropped correctly: the executable file is damaged.

XrBot.exe itself is a VB autorunner backdoor, (c) Dan (C:\Users\Dan\Desktop\HostBooterv3.5\Server\Project1.vbp), with the following functionality:

AutRUSB
DownloadEXEFile
InstallRegistry
Configuration
InstallEXE

Topic title changed.
 #5446  by nullptr
 Sat Mar 12, 2011 4:56 am
Venom.exe is the usual VB autorun junk.
Tries to add USB Autorun.inf entries.
Project File: F:\HostBooter\Server\Project1.vbp

Registry start entries in:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
%USERPROFILE%\Application Data\winlogon.exe

Some lol features:
BeginEXE
StringGen
MiscFunctions
AutRUSB
DownloadEXEFile
InstallRegistry
Configuration
InstallEXE

Connects to:
* hxxp://ahpvenomz.no-ip.biz
* hxxp://www.maxmind.com
Decrypted file report 29/42 - http://www.virustotal.com/file-scan/rep ... 1299904478
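A defender-side audit of the persistence points listed in this post, added here as an example (not code from the thread, and not from the HostBooter authors). It assumes a clean Winlogon\Shell value is exactly explorer.exe, treats a Run entry that resolves into a user profile directory or names a winlogon.exe outside System32 as suspicious, and checks every profile for the drop paths named in the thread:

```powershell
# Added example, not from the thread: audits the persistence points nullptr lists above.
# Assumptions: Winlogon\Shell is 'explorer.exe' on a clean machine; a Run entry that
# points into a user profile or names winlogon.exe outside System32 is suspicious.
function Find-HostBooterPersistence {
    $findings = @()
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $runKeys  = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Winlogon\Shell: anything other than explorer.exe is launched at logon in place of the shell
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
        $findings += [pscustomobject]@{ Location = "$winlogon\Shell"; Name = 'Shell'; Value = $shell
                                        Reason = 'Shell is not explorer.exe' }
    }

    # 2. Run keys: expand %VARS% so a value like %USERPROFILE%\Application Data\winlogon.exe is visible
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $providerProps) { continue }    # skip provider metadata, not real Run values
            $expanded = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $reason = $null
            if ($expanded -match 'winlogon\.exe' -and $expanded -notmatch '\\System32\\') {
                $reason = 'winlogon.exe outside System32'
            } elseif ($expanded -match '\\Application Data\\|\\AppData\\|\\Templates\\') {
                $reason = 'autostart from a user profile directory'
            }
            if ($reason) {
                $findings += [pscustomobject]@{ Location = $key; Name = $p.Name; Value = $expanded; Reason = $reason }
            }
        }
    }

    # 3. Drop locations named in the thread, checked in every profile under the profiles root
    $profilesRoot = Split-Path $env:USERPROFILE
    foreach ($profile in Get-ChildItem -Path $profilesRoot -Directory -ErrorAction SilentlyContinue) {
        foreach ($rel in 'Application Data\winlogon.exe', 'AppData\Roaming\winlogon.exe', 'Templates\XrBot.exe') {
            $path = Join-Path $profile.FullName $rel
            if (Test-Path -LiteralPath $path) {
                $findings += [pscustomobject]@{ Location = 'FileSystem'; Name = $rel; Value = $path; Reason = 'known drop path present' }
            }
        }
    }
    return $findings
}

Find-HostBooterPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and other users' profiles are readable; an empty table means none of the listed indicators were found.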
 #6344  by Xylitol
 Mon May 16, 2011 8:06 pm
markusg wrote: (Nero 10 Crack).exe
http://www.virustotal.com/file-scan/rep ... 1305571034
Exe powered by HostBooter v4.1.
In the attachment: HostBooter killer to remove the infection (exe powered by the same guys who developed HostBooter).