Thanks very much for the deep explanation.
I have exported the functions, and the functions are:
refreshdev
createentry
initcache
revertcache
vaidateentry
initshellex
setwindowevent
shellnotifyuser
shellnotifyuserex
dllregisterserver
globaldeleteatoml
From http://www.securelist.com:
Creates events: '{12258790-A76B}', 'Global\RasSrvReady'
All functionality is implemented in 'RevertCache' export. The module starts its main thread and then returns. The main thread waits for the '{12258790-A76B}' event and continuously checks for the presence of anti-malware software.
'ValidateEntry' signals the '{12258790-A76B}' event, allowing for the main thread to work for 3 seconds before terminating it.
Writes log file: %temp%\~gdl.tmp
The log file entries are compressed with Zlib.
By querying disk enum in registry, it also tries to identify whether the storage is USB-connected or not by searching 'USBSTOR' string in their information.
When a drive contains '.thumbs.db' file, its contents are read and checked for the valid magic number 0xEB397F2B. If it matches, the module creates %commonprogramfiles%\system\wabdat.dat and writes the data to this file, and then deletes '.thumbs.db'.
Then, it infects the USB drives by creating directories with the names .Backup0[D-M] and .Backup00[D-M]
How do I call the function that will infect the USB? I tried "rundll32 gaus.dll,RevertCache" but nothing happened.