A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #4032  by EP_X0FF
 Thu Dec 16, 2010 8:11 pm
Thanks for sharing. Typical backdoor with tcp server inside. Bot packed with UPX 3.07 and crypted.

Autoruns through HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as SmartIndex

Just a coupe of stirngs from this bot (there are a lot of them inside), some typos detected :)
Client
started.
Error!!! .\client.cpp
Failed to init client!
_tWinMain
GoogleImpl
GooglePath
Software\Google
client:
Autorun update write failed
Config loaded Ok. own_id=
, port =
Loaded bootstrap list:
[forwardingrequest]Failed to connect to job_server:
X-Real-My-IP
[forwardingrequest]Failed to invoke get to job_server:
[forwardingrequest]http_response_info* presnose not filled after success get.
HTTP Proxy routed success. [remote_client:
-->> remote_server:
], URI=
Internal Server Error
AppID
SmartIndex
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to write autorun entry
Autorun entry writed success.
[requesting_parachute]Failed to resolve URL:
[requesting_parachute]Connecting to
[requesting_parachute]Failed to connect to server:
[requesting_parachute]Invoking to
[requesting_parachute]Failed to invoke to server:
[requesting_parachute] presnose not filled, server:
[requesting_parachute]boot_helper surprise, response code =
[requesting_parachute]Failed! wrong response code =
[requesting_parachute] Empty body in http response :(
 #16418  by nullptr
 Sun Nov 04, 2012 9:08 am
MD5: F22AF0C2BC0356FFBEA84D6034BFD4A9
SHA-1: C1D3CE13E0473CC333D8A484E3BD58E1AD953CA6
From Oct 31, 2012

dropper + unpacked attached
Attachments
pwd: infected
(1.56 MiB) Downloaded 156 times
 #16889  by Win32:Virut
 Wed Nov 28, 2012 6:07 pm
I don't have this file, but I don't think this is Tepfer, probably System Progressive Protection but I'm not sure. I have file B59C79DCEA3404E86161C01593A1F358. This is also detected by Kaspersky as Tepfer but also probably SPP.

EDIT:

One more attached.
Attachments
Password is "infected" without quotes.
(748.37 KiB) Downloaded 105 times
Password is "infected" without quotes.
(743.17 KiB) Downloaded 105 times
Last edited by Win32:Virut on Wed Nov 28, 2012 6:15 pm, edited 1 time in total.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 10