A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #737  by ConanTheLibrarian
 Thu Apr 15, 2010 6:04 pm
Patches imm32.dll so that it calls another netxxxxx.dll file when Winlogon loads it. If you try to delete the netxxxx.dll file you will get missing DLL errors on every executable you run while Windows loads. Target replacing the imm32.dll file and you are good.

MD5
760a89c2d05c41f68634e2fce991afe4
http://www.virustotal.com/analisis/d818 ... 1271354146

MD5
7773e253fd99e1425b06da3e09f5fc2f
http://www.virustotal.com/analisis/19f9 ... 1271352513
Attachments
no password just 3 DLL files
 #738  by EP_X0FF
 Thu Apr 15, 2010 6:10 pm
Hi,

thanks for the sample.

Is there any dropper available also?

Thanks.
 #739  by ConanTheLibrarian
 Thu Apr 15, 2010 6:45 pm
Pulled it from an infected machine after other scanners were already run but failed on this one. I have no dropper at this time, sorry.