A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9355  by CloneRanger
 Sat Oct 22, 2011 4:23 am
@ kmd

Hi,
who told u this is gov malware? av?
There have been numerous articles about the similarity between Stuxnet & Duqu, as i'm sure you know. I agree that most, if not all, of those articles may have "possibly" jumped the gun & automatically presumed it came from the same/similar source/s, & with similar intentions, and/or other nefarious deeds in mind. The way i, & many other people read it was as reported. If it turns out it is not from and/or via .GOV sources, directly and/or indirectly, then we've also been misled.

If it's not due to thoses sources, then we have some other people who are up to no good making use of the original Stuxnet code, for reasons that are not clear right now. Hopefully we will discover Much more about who/what/why etc, before too long ;)

Also keep in mind that very recently there was the very public disclosure about the German .GOV malware http://ccc.de/en/updates/2011/staatstrojaner So it can/has/does happen !

*

No Duqu install as of yet :(
 #9357  by rkhunter
 Sat Oct 22, 2011 6:10 am
First results: seven drivers, dll and no droppers.
 #9391  by Flopik
 Mon Oct 24, 2011 3:33 pm
From the sample under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmi4432]
You dont need a dropper, the only thing in order to run is to place the cmi4432.PNF in C:\WINDOWS\inf and remove the key Enum after that the service should start fine.
 #9397  by kmd
 Tue Oct 25, 2011 1:58 am
dropper is needed not for how to install drivers but for investigation for 0day exploits it maybe using
Frank B. posted on 1st page how to install driver manually.
 #9398  by R00tKit
 Tue Oct 25, 2011 6:26 am
hi i have all seven file
but cant start it

this is reg for jminet7

how do it?
Attachments
(869 Bytes) Downloaded 104 times
 #9529  by Edi
 Fri Nov 04, 2011 9:17 am
Isn't the dropper MD5 b4ac366e24204d821376653279cbad8 (232448 bytes)? I just can't find out whats the encryption routine. Anyone know?