[acoustics]

That was actually worm Brontok, infected with Virut :)

cured and unpacked in attach
https://www.virustotal.com/en/file/0cfe ... 368772119/

Yep. this is an infected file. I extracted virus code from this file. Virut infects PE file by using hooking technique and code injection technique. I use OllyDbg to load infected file and dump injected code from memory. I use the header of PE file from notepad.exe, remove all of unused sections. After attaching Virut code to the header, I can analyze it by IDA.

Virut code and IDB in attach :)

[rough_spear]

Hi All,

Virut sample!!! low detection.

VT link - https://www.virustotal.com/en/file/4df2 ... 376853761/


Regards,

rough_spear. ;)

[AaLl86]

Thank you for sharing! Very interesting sample!
Andrea

Hi All,

Virut sample!!! low detection.

VT link - https://www.virustotal.com/en/file/4df2 ... 376853761/


Regards,

rough_spear. ;)

[lukasz]

Thank you for sharing! Very interesting sample!
Andrea

Hi All,

Virut sample!!! low detection.

VT link - https://www.virustotal.com/en/file/4df2 ... 376853761/


Regards,

rough_spear. ;)

Isn't it just a normal FTP client/server?
I don't see any Virut infection in it, nor does any sandbox. Can someone give me a hint on how to analyze this?

[patriq]

Citadel script was pushing this to bots:
https://malwr.com/analysis/ZjJmZWU0NzNh ... EzNzY1ODM/

Vendors are detecting it as Virut.

The C&C was telling bots to download this as well:
https://malwr.com/analysis/MWYyOGZkYTA0 ... c0Mjc3Yjc/
droper.exe (dropper?)
It crashed.

More details:
http://protectyournet.blogspot.com/2014 ... tadel.html