A forum for reverse engineering, OS internals and malware analysis 

 #880  by EP_X0FF
 Sun Apr 25, 2010 5:05 pm
Copyright Violator

http://www.virustotal.com/ru/analisis/3 ... 1272214106

Created to scare inexperienced users; gives a lot of LOLs to everyone else.
Written in CodeGear RAD Studio v12.0.3170.16989.

Installs itself to X:\Documents and Settings\<UserName>\Application Data\ApManager (or in the corresponding directory under Users on Vista/7).


Set to autostart via HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell registry key.
Changes the wallpaper to the following:


Note: contains uninstaller :)
dropper (1.57 MiB), pass: malware
 #4048  by EP_X0FF
 Fri Dec 17, 2010 4:31 pm

Fake defragmenter with aggressive behavior. First mentioned by PX5 here.

Works like a trojan muldrop.

Maps a malware DLL into Explorer.exe memory; this DLL is responsible for throwing idiotic scary messages at the user (like "Disk error" etc.).
Terminates programs started by Explorer.

Runs through HKCU\Software\Microsoft\Windows\CurrentVersion\Run



http://www.virustotal.com/file-scan/rep ... 1292602183
http://www.virustotal.com/file-scan/rep ... 1292603379

Dropper attached. Removal: kill and erase both rogue processes, then kill and restart the explorer process to free it from the rogue DLL. Clean up.
dropper (401.13 KiB), pass: malware
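As an added defender-side example (not code from the thread), a PowerShell triage of the DLLs loaded into explorer.exe: it lists every module that lives outside %SystemRoot% or lacks a valid Authenticode signature, so an injected DLL like the one described above stands out. It assumes a PowerShell session of the same bitness as explorer.exe and a Windows version where Get-AuthenticodeSignature is available.

```powershell
# Added example, not from the thread: triage of DLLs loaded into explorer.exe.
# Lists every module whose file is outside %SystemRoot% or whose Authenticode
# signature is not valid, so an injected DLL stands out in the output.
# Run from a PowerShell of the same bitness as explorer.exe (64-bit on x64 Windows).
$systemRoot = $env:SystemRoot

$report = foreach ($proc in Get-Process -Name explorer -ErrorAction Stop) {
    foreach ($m in $proc.Modules) {
        $path = $m.FileName
        $inSystemRoot = $path.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
        if (-not $inSystemRoot -or $sigStatus -ne 'Valid') {
            [PSCustomObject]@{
                PID       = $proc.Id
                Module    = $m.ModuleName
                Path      = $path
                Signature = $sigStatus
            }
        }
    }
}

# Legitimately installed shell extensions (e.g. under Program Files) also appear here;
# review anything living under the user profile or %temp% first.
$report | Sort-Object Path -Unique | Format-Table -AutoSize
```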
 #4049  by EP_X0FF
 Fri Dec 17, 2010 5:25 pm
SMS Send

Just got this on ICQ :)

Masquerades as a WinRAR self-extracting archive; to extract, it asks you to send an SMS :)


http://www.virustotal.com/file-scan/rep ... 1292605745
sample (1.16 MiB), pass: malware
 #4151  by EP_X0FF
 Mon Dec 27, 2010 3:59 pm
HD Doctor

On initial installation it displays a custom shutdown dialog and reboots the computer; after the reboot it runs via HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell.

Written in Delphi/CBuilder, whatever.

Custom shutdown dialog

GUI, a little hacked, because this crap didn't work correctly for me :)

Pay-me dialog

http://www.virustotal.com/file-scan/rep ... 1293464852
sample (277.81 KiB), pass: malware
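As an added example (not from the thread), a PowerShell check for the two autostart locations the samples in this thread use: the Winlogon\Shell value (both the Copyright Violator and HD Doctor posts) and the HKCU Run key (the fake defragmenter post). It assumes a clean system has no Shell value under HKCU\...\Winlogon, that HKLM's Shell is exactly explorer.exe, and that Run entries launching from the user profile or %temp% (where these droppers install themselves) are worth a look.

```powershell
# Added example, not from the thread: inspect the autostart locations used by the
# samples above. Assumptions: no per-user Shell override exists on a clean system,
# the machine-wide Shell is 'explorer.exe', and HKCU Run entries that start from
# the user profile or %temp% deserve manual review.
$findings = New-Object System.Collections.Generic.List[object]

$winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\$winlogon"
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($hive -eq 'HKCU' -and $null -ne $shell) {
        $findings.Add([PSCustomObject]@{ Location = "$key\Shell"; Value = $shell; Reason = 'per-user Shell override present' })
    }
    elseif ($hive -eq 'HKLM' -and $shell -ne 'explorer.exe') {
        $findings.Add([PSCustomObject]@{ Location = "$key\Shell"; Value = $shell; Reason = 'machine Shell is not explorer.exe' })
    }
}

$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    # Skip the PS* metadata properties Get-ItemProperty adds to every registry object.
    foreach ($entry in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$entry.Value)
        $suspicious = ($cmd -like "$env:USERPROFILE*") -or ($cmd -like "$env:TEMP*")
        if ($suspicious) {
            $findings.Add([PSCustomObject]@{ Location = "$runKey\$($entry.Name)"; Value = $cmd; Reason = 'starts from user profile or temp' })
        }
    }
}

if ($findings.Count -eq 0) { 'No suspicious autostart entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

On 64-bit Windows the WOW6432Node copy of the Winlogon key is not checked here; a Run entry under Program Files is legitimate far more often than one under the profile, which is why only the latter is flagged.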
 #4416  by EP_X0FF
 Wed Jan 12, 2011 3:18 pm

This is a quite interesting hoax, masquerading as a WinRAR archive.

Stuff comes from hxxp://rapidaloads4.ru/
To get a sample, download an archive - ANY archive (which is actually an executable packed with UPX).


When started, the hoax displays a main window with the "contents" of the archive and waits for user action.
An EULA is also present, where (highlighted in red) it is honestly written that this is a hoax. lol


You press "Extract", it simulates some activity and then the window is refreshed with the "Select your country" stuff.
Be careful, because this buggy trash can crash if you select anything except a few countries in the list. I suggest you select the first country in the list.
Next it wants some money - send 1 SMS to the short number displayed on screen (numbers differ from country to country).
The SMS price is given in the EULA, but nobody reads EULAs, yes?

For Russia the price for 1 SMS is $10.

Once you send the first SMS, it asks for a second SMS :) And then it wants a third SMS.
Codes for this part: 8109580, 2406415, 1645976.

So it's about $30 just to get to this window.
Now it requires you to enter the phone number from which you previously sent all 3 SMS.


Code to get in: 2406415.

Finally you have what you want - a list of torrents; they even work.
There is also a very cool description of how to download a torrent client and how to download torrent files from the server.


In simple words, you are paying ~$30 and giving away your phone number for a FAQ on how to install uTorrent and use Google. Obviously the victims of this hoax are not really smart people.

Target site location: hxxp://zakachalo6.ru
 #4418  by Xylitol
 Wed Jan 12, 2011 5:25 pm
Thanks for the WinRARc explanation, I've tried to crack it but it's very hard stuff for me.
I got another sample (heavier, protected with VMProtect)
And similar to WinRARc...




Size is ~15.0 MB
Fully undetected: http://www.virustotal.com/file-scan/rep ... 1294367394
Download: http://www.mediafire.com/?ubuz51m5ipmgb4a
See archive comment for password.

I've picked up your text to update my article about that; if you are against it, tell me and I'll remove it.
 #4419  by EP_X0FF
 Wed Jan 12, 2011 5:31 pm
Cool, thanks for sharing.
I've picked up your text to update my article about that; if you are against it, tell me and I'll remove it.
It's Ok :)
 #4484  by Xylitol
 Sun Jan 16, 2011 12:59 pm
New HoaxSMS about Flash Player
can be downloaded from: http://avast-russ.ru/FLASH10.exe

VT: http://www.virustotal.com/file-scan/rep ... 1295179078
Seems EP has already checked it :p
Anyway, something is wrong: it's not a fake installer for uTorrent but for the Flash plugin
(just the site is about uTorrent).

Right after execution the following information is displayed:


Select a folder:

Select an option and pay 3 SMS:

The serial check is done online.
POST DATA: a_id=572&a_pass=serialHere

But we don't need to crack the file this time:
FLASH10.exe creates a folder in %temp% called "extractor".

Then it launches "SfxChecker.exe", which asks you for some SMS.
But FLASH10.exe has also added to the temp folder the files "7zr.exe" and "arch.7z".
When you have entered your 3 SMS, SfxChecker launches 7zr.exe (7-Zip by Igor Pavlov) and extracts the file arch.7z.
We can do that, right?
C:\Documents and Settings\Administrateur\Bureau>7zr.exe e arch.7z

7-Zip (A) 9.12 beta Copyright (c) 1999-2010 Igor Pavlov 2010-03-24

Processing archive: arch.7z

Extracting Plugins_Portable_Flash_10.1.53.64.paf.exe

Everything is Ok

Size: 2430844
Compressed: 2429724

C:\Documents and Settings\Administrateur\Bureau>
And you have your Flash Player extracted:


In simple words, you are again paying 3 SMS for nothing;
the Flash Player from Adobe is free.