A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6713  by EP_X0FF
 Tue Jun 07, 2011 11:53 am
markusg wrote: dhvwwtos.exe
http://www.virustotal.com/file-scan/report.html?id=79ae68633278d40369eeab3aa24ed6c7968174e985b99d0f81e187aa696dd0e8-1307373422
Backdoor Woripecs.

Some sensitive strings.
AntiVirusDisableNotify
FirewallOverride
FirewallDisableNotify
Software\Microsoft\Security Center
?customersupport
contactuser
contactus
showcuportal
30921202\
30299104\
.net
.com
explorer.exe "http://cgi.ebay.com/ebaymotors/ws/eBayISAPI.dll?ViewItem&item=%s"
explorer.exe "http://sign-in.ebay.com/ws/eBayISAPI.dll?SignIn&UsingSSL=1&pUserId=&co_partnerId=255&siteid=255"
Software\Microsoft\Windows\CurrentVersion\Run
%state_full%
%len_ownership%
%d year%c %d month%c
%d year%c %d month%c
failed to allocat memory in DisableConnectionProxy()
%s\Application Data\Mozilla\Firefox\Profiles\%s\user.js
%s\Application Data\Mozilla\Firefox\Profiles\*
user_pref("network.proxy.type", 0);
w
%s%s\Application Data\Mozilla\Firefox\Profiles\%s\user.js
%s%s\Application Data\Mozilla\Firefox\Profiles\*
\*
..
.
\
Click to install them using Windows Update
New updates are available
Windows
myWndClass
A.EXE
_Windows_Security_Update_
wb
getaddrinfo
stub3
connect
stub2
gethostbyname
k32.dll
32.dll
stub1
wsoc
ws2_
.EXE
%s\Start Menu\Programs\Startup\%s
lck
aolbrowser.exe
safari.exe
mozilla.exe
netscape.exe
flock.exe
seamonkey.exe
chrome.exe
opera.exe
iexplore.exe
firefox.exe
[END LIST]