A forum for reverse engineering, OS internals and malware analysis 
 #880  by EP_X0FF
 Sun Apr 25, 2010 5:05 pm
Copyright Violator

VirusTotal
http://www.virustotal.com/ru/analisis/3 ... 1272214106

Created to scare inexperienced users; gives a lot of LOLs to everyone else.
Written in CodeGear RAD Studio v12.0.3170.16989.

Installs itself to X:\Documents and Settings\<UserName>\Application Data\ApManager (or the corresponding directory under Users on Vista/7).

Image

Set to autostart via HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Changes the wallpaper to the following:

Image

Note: contains uninstaller :)
Attachments
dropper, pass: malware
(1.57 MiB) Downloaded 309 times
 #4048  by EP_X0FF
 Fri Dec 17, 2010 4:31 pm
Defragmenter

Fake defragmenter with aggressive behavior. First mentioned by PX5 here.

Works like a trojan muldrop.

Maps a malware DLL into Explorer.exe memory; this DLL is responsible for throwing idiotic scary messages at the user (like "Disk error", etc.).
Terminates programs started by Explorer.

Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Image

Image

http://www.virustotal.com/file-scan/rep ... 1292602183
http://www.virustotal.com/file-scan/rep ... 1292603379

Dropper attached. Removal - kill and erase both rogue processes, kill and restart the explorer process to free it from the rogue DLL. Cleanup.
Attachments
pass: malware
(401.13 KiB) Downloaded 185 times
 #4049  by EP_X0FF
 Fri Dec 17, 2010 5:25 pm
SMS Send

Just got this in ICQ :)

Masqueraded as a WinRAR self-extracting archive; for extraction it asks you to send an SMS :)

Image

http://www.virustotal.com/file-scan/rep ... 1292605745
Attachments
pass: malware
(1.16 MiB) Downloaded 116 times
 #4151  by EP_X0FF
 Mon Dec 27, 2010 3:59 pm
HD Doctor

During initial installation it displays a custom shutdown dialog and reboots the computer; after reboot it runs through HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Written in Delphi/CBuilder, whatever

Custom shutdown dialog
Image

GUI, a little hacked, because this crap didn't work correctly for me :)
Image

Pay-me dialog
Image

http://www.virustotal.com/file-scan/rep ... 1293464852
Attachments
pass: malware
(277.81 KiB) Downloaded 155 times
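A defender-side check for the two autostart locations these posts describe (the Winlogon\Shell value in #880 and #4151, the HKCU Run key in #4048). This is an added example, not code from the thread: it parses a constructed `reg export`-style dump and flags a Shell value other than explorer.exe and Run entries that launch from user-writable directories. The file names in the sample are made up.

```python
import re

# Constructed sample of a `reg export`-style dump (made-up file names); the
# locations imitate the persistence from the posts: a Winlogon\Shell hijack
# and a Run entry pointing under Application Data.
SAMPLE_REG_EXPORT = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\Application Data\\ApManager\\sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Defragmenter"="\"C:\\Documents and Settings\\user\\Application Data\\defrag.exe\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Lower-cased substrings marking a launch path inside a user-writable directory.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "%appdata%", "%temp%", "\\temp\\")

def parse_reg_export(text):
    """Parse [key] headers and "name"="value" string lines into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo .reg escaping: \\ -> \ and \" -> "
                name, value = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
                keys[current][name] = value
    return keys

def find_persistence_findings(text):
    """Return (key, name, value, reason) for each suspicious autostart entry."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith("\\windows nt\\currentversion\\winlogon"):
            shell = values.get("Shell")
            if shell is not None and shell.strip().lower() != "explorer.exe":
                findings.append((key, "Shell", shell, "Winlogon Shell is not explorer.exe"))
        elif k.endswith("\\windows\\currentversion\\run"):
            for name, value in values.items():
                if any(tok in value.lower() for tok in USER_WRITABLE):
                    findings.append((key, name, value, "Run entry launches from a user-writable directory"))
    return findings

if __name__ == "__main__":
    for key, name, value, reason in find_persistence_findings(SAMPLE_REG_EXPORT):
        print(f"{reason}: [{key}] {name} = {value}")
```

On a live system the same functions can be fed the output of `reg export` for the HKCU and HKLM Winlogon and Run keys.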
 #4416  by EP_X0FF
 Wed Jan 12, 2011 3:18 pm
WinRARc

This is a quite interesting hoax, masquerading as a WinRAR archive.

Stuff coming from hxxp://rapidaloads4.ru/
To get a sample, download an archive - ANY archive (which is actually an executable packed with UPX).

Image

When started, the hoax displays a main window with the "contents" of the archive and waits for user action.
A EULA is also present, where (highlighted in red) it is honestly written that this is a hoax. lol

Image

You press "Extract", it simulates some activity and then the window is refreshed with "Select your country" stuff.
Be careful, because this buggy trash can crash if you select anything except a few countries in the list. I suggest you select the first country in the list.
Next it wants some money - send 1 SMS to the short number displayed on screen (numbers differ from country to country).
The SMS price is given in the EULA, but nobody reads EULAs, yes?

For Russia the price for 1 SMS is 10$.

Once you send the first SMS, it asks for a second SMS :) And then it wants a third SMS.
Codes for this part 8109580, 2406415, 1645976.

So it's about 30$ only to get to this window.
Now it is required to post the tel number from which you sent all 3 SMS previously.

Image

Code to get in - 2406415.

Finally you have what you want - a list of torrents, they are even working.
Also present here is a very cool description of how to download a torrent client and how to download torrent files from the server.

Image

In simple words you are paying ~30$ and giving your phone number for a FAQ on how to install uTorrent and use Google. Obviously victims of this hoax are not really smart people.

Target site location hxxp://zakachalo6.ru
 #4418  by Xylitol
 Wed Jan 12, 2011 5:25 pm
Thanks for the WinRARc explanation, I've tried to crack it but it's very hard stuff for me
I got another sample (heavier, protected with VMProtect)
And similar to WinRARc...

Image

Image

Image

Size is ~15.0 MB
Fully undetected: http://www.virustotal.com/file-scan/rep ... 1294367394
Download: http://www.mediafire.com/?ubuz51m5ipmgb4a
See archive comment for password.

I've reused your text to update my article about that; if you are against it, tell me and I'll remove it
hxxp://xylibox.blogspot.com/2011/01/hoaxsms-fake-installers.html
 #4419  by EP_X0FF
 Wed Jan 12, 2011 5:31 pm
Cool, thanks for sharing.
I've reused your text to update my article about that; if you are against it, tell me and I'll remove it
It's Ok :)
 #4484  by Xylitol
 Sun Jan 16, 2011 12:59 pm
New HoaxSMS about Flash Player
Can be downloaded from: http://avast-russ.ru/FLASH10.exe
Image

VT: http://www.virustotal.com/file-scan/rep ... 1295179078
Seems EP has already checked it :p
Anyway something is wrong: not a fake installer about uTorrent but about the Flash plugin
(just the site is about uTorrent)
Image

Right after execution the following information is displayed:
Image

The EULA:
Image

Select a folder:
Image

Select an option and pay 3 SMS:
Image

The serial check is done online
URL: http://93.174.88.125/check_a_pass/
POST DATA: a_id=572&a_pass=serialHere

But we don't need to crack the file this time:
FLASH10.exe creates a folder in %temp% called "extractor"
Image

Then it launches "SfxChecker.exe", which asks you for some SMS
But FLASH10.exe has also added to the temp folder the files "7zr.exe" and "arch.7z"
When you have entered your 3 SMS, SfxChecker launches 7zr.exe (7-Zip by Igor Pavlov) and extracts the file arch.7z
We can do that ourselves, right?
C:\Documents and Settings\Administrateur\Bureau>7zr.exe e arch.7z

7-Zip (A) 9.12 beta Copyright (c) 1999-2010 Igor Pavlov 2010-03-24

Processing archive: arch.7z

Extracting Plugins_Portable_Flash_10.1.53.64.paf.exe

Everything is Ok

Size: 2430844
Compressed: 2429724

C:\Documents and Settings\Administrateur\Bureau>
And you have your Flash Player extracted:
Image

Image

In simple words you are paying again 3 SMS for nothing.
The Flash Player from Adobe is free.