A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #636  by f0x
 Sun Apr 11, 2010 2:12 am
Some n00b dropped by my irc (we run the irc for the neworder.box.sk security network); that was his first mistake. He tried pasting some link to have us load, but it was an obvious trap. Check it out; as far as I can tell it's an unpacked VB executable with some kind of resource with a random name, possibly some extraneous code attached as a resource. I'm just getting IDA installed and I'd appreciate any techniques or advice on what I should do to analyze these kinds of apps, and also whether there is any app to attempt a heuristic decompilation into VB source. Also attached is some information I gathered on the little Yahoo domain he registered right before trying his code out on the wrong group.

<thunderlord> Is this site working for you? http://msn.id-flacebook.com/album.php?= ... 8042010jpg
*** Notice -- Client exiting: thunderlord
(thunder@bas2-montreal31-1279580553.dsl.bell.ca) [Quit: ]

Whois Server Version 2.0


Domain Name: ID-FLACEBOOK.COM
Registrar: MELBOURNE IT, LTD. D/B/A INTERNET NAMES WORLDWIDE
Whois Server: whois.melbourneit.com
Referral URL: http://www.melbourneit.com
Name Server: YNS1.YAHOO.COM
Name Server: YNS2.YAHOO.COM
Status: clientTransferProhibited
Updated Date: 08-apr-2010
Creation Date: 08-apr-2010
Expiration Date: 08-apr-2011

>>> Last update of whois database: Sat, 10 Apr 2010 03:15:19 UTC <<<

Domain Name.......... id-flacebook.com
Creation Date........ 2010-04-09
Registration Date.... 2010-04-09
Expiry Date.......... 2011-04-09
Organisation Name.... Stewart Geary
Organisation Address. 10838 Lasso Lane
Organisation Address.
Organisation Address. Houston
Organisation Address. 77079
Organisation Address. TX
Organisation Address. UNITED STATES

Admin Name........... Stewart Geary
Admin Address........ 10838 Lasso Lane
Admin Address........
Admin Address........ Houston
Admin Address........ 77079
Admin Address........ TX
Admin Address........ UNITED STATES
Admin Email.......... stewartgeary@yahoo.com
Admin Phone.......... +1.7138268320
Admin Fax............

Tech Name............ YahooDomains TechContact
Tech Address......... 701 First Ave.
Tech Address.........
Tech Address......... Sunnyvale
Tech Address......... 94089
Tech Address......... CA
Tech Address......... UNITED STATES
Tech Email........... domain.tech@yahoo-inc.com
Tech Phone........... +1.4089162124
Tech Fax.............
Name Server.......... yns1.yahoo.com
Name Server.......... yns2.yahoo.com
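A first triage pass over resource blobs once they have been dumped from the executable, as an added example that is not from the thread or from any tool named in it: it scores each blob's entropy, checks for an embedded PE header (a second MZ/PE pair, which is what "code attached as a resource" would look like), and applies a crude generated-name heuristic. The sample blobs, the threshold and the name heuristic are constructed assumptions, not properties of the sample discussed here.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted payloads sit near 8.0, VB p-code and text much lower."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_embedded_pe(data: bytes) -> list:
    """Offsets of every 'MZ' whose e_lfanew (DOS header +0x3C) points at a 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if e_lfanew >= 0x40 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def looks_random_name(name: str) -> bool:
    """Assumed heuristic: legitimate resource names are numeric IDs or words; a 6+ char
    alphanumeric string with no vowels, or one mixing letters and digits, is likely generated."""
    if len(name) < 6 or not name.isalnum():
        return False
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    no_vowels = bool(letters) and not any(c in "AEIOUaeiou" for c in letters)
    return no_vowels or (bool(letters) and bool(digits))

def triage_resource(name: str, data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Score one dumped resource; the 7.2 threshold is an assumed starting point, not a standard."""
    pe_offsets, ent = find_embedded_pe(data), shannon_entropy(data)
    return {
        "name": name, "size": len(data), "entropy": round(ent, 2),
        "embedded_pe_offsets": pe_offsets,
        "suspicious": bool(pe_offsets) or ent >= entropy_threshold or looks_random_name(name),
    }

# Constructed blobs standing in for dumped resources (not taken from the sample in the thread).
FAKE_PE_RESOURCE = b"\x00" * 16 + b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
PLAIN_STRING_TABLE = b"Hello from a plain VB string table. " * 8

if __name__ == "__main__":
    for name, blob in (("ZQKXWPTR", FAKE_PE_RESOURCE), ("CUSTOM", PLAIN_STRING_TABLE)):
        print(triage_resource(name, blob))
```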


 #638  by EP_X0FF
 Sun Apr 11, 2010 3:52 am
Hello,

did you try VB Lite Decompiler?

Regards.
Attachments
pass: infected
Last edited by EP_X0FF on Mon Jan 28, 2013 1:52 pm, edited 1 time in total. Reason: edit: password added, original sample reupload