Schwimmbad, Newbie cheater
Reputation: 0
Joined: 04 Aug 2012 Posts: 17 Location: E.T.A.-Hoffmann-Str. 54, 82418 Seehausen am Staffelsee
Posted: Mon Aug 27, 2012 3:50 pm Post subject: Do you want a challenge
Hi!
Today I got a virus/trojan via mail. I uploaded it to jotti.org and no virus was found. As a lot of people here like to disassemble things, I decided to upload it so you can play with it.
I renamed it to virus.vir, but in fact it's an exe.
d01 . megashares . com / dl / xBCdccI / virus.vir
PS: I didn't run it, of course. I just presume it's a trojan/virus even though jotti does not say so.
Last edited by Schwimmbad on Tue Aug 28, 2012 10:27 pm; edited 1 time in total
atom0s, Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Aug 28, 2012 6:23 am Post subject:
Pretty crappy virus, if you want to even call it one.
_________________
- Retired.
Schwimmbad, Newbie cheater
Reputation: 0
Joined: 04 Aug 2012 Posts: 17 Location: E.T.A.-Hoffmann-Str. 54, 82418 Seehausen am Staffelsee
Posted: Tue Aug 28, 2012 2:25 pm Post subject:
Wiccaan wrote:
> Pretty crappy virus, if you want to even call it one.

Why? What did you find?
[email protected], Cheater
Reputation: 0
Joined: 24 Sep 2009 Posts: 28
Posted: Tue Aug 28, 2012 9:52 pm Post subject:
Could go deeper, but this will do for removal purposes (where it connects to, any files read, etc.).
Also, just for your sake: virus scans are useless/ridiculous, never judge a file based on an AV scan. Anyway,
as far as I've seen it doesn't have any anti's (anti-emulation code).
Files created are: C:\Documents and Settings\User\Local Settings\Temp\errefmozlc.pre
An exe in C:\Users\Roderic\AppData\Roaming\Xivwjrly (lmao just missed it)
It deletes itself and drops a shitload of files.
A new process is created named svchost.exe.
If you're still infected, go get yourself Autoruns from MS and take a look at any new startup items you don't recognize or that seem suspicious.
Check each process individually, where it is located; when you find the infection, just delete it.
A bonus would be to end all processes (just keeping the crucial ones),
install Shadow Defender and use Wireshark to monitor any activity, and post that here.
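A scripted version of the two manual checks in the post above (look for a svchost.exe running from the wrong place, and look for autostart entries pointing into AppData\Roaming). This is an added example, not the poster's own tooling; it assumes a Windows host with PowerShell 5 or later, run elevated so process image paths are readable, and it only reports, it deletes nothing.

```powershell
# Added triage example (not from the thread). Read-only: prints findings, removes nothing.
# Run from an elevated PowerShell so Win32_Process exposes every ExecutablePath.

$systemDirs = @(
    (Join-Path $env:WINDIR 'System32'),
    (Join-Path $env:WINDIR 'SysWOW64')
)

# 1. Any process called svchost.exe whose image is NOT under System32/SysWOW64.
#    A null path usually means access denied (not elevated), so it is flagged too.
Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
    $path  = $_.ExecutablePath
    $legit = $false
    foreach ($d in $systemDirs) {
        if ($path -and $path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { $legit = $true }
    }
    if (-not $legit) {
        [pscustomobject]@{ Check = 'svchost path'; ProcessId = $_.ProcessId; Parent = $_.ParentProcessId; Detail = $path }
    }
}

# 2. Run/RunOnce keys (user and machine) whose command points into AppData\Roaming,
#    the location the post names for the dropped exe.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ("$($p.Value)" -match '\\AppData\\Roaming\\') {
            [pscustomobject]@{ Check = 'Run key'; ProcessId = $null; Parent = $null; Detail = "$key\$($p.Name) = $($p.Value)" }
        }
    }
}

# 3. Everything in the current user's Startup folder; review each entry by hand.
$startup = [Environment]::GetFolderPath('Startup')
Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue | ForEach-Object {
    [pscustomobject]@{ Check = 'Startup folder'; ProcessId = $null; Parent = $null; Detail = $_.FullName }
}
```

Autoruns, which the post recommends, covers many more autostart locations (services, scheduled tasks, WMI subscriptions); this script is only the quick first pass for the two indicators the post describes.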
Schwimmbad, Newbie cheater
Reputation: 0
Joined: 04 Aug 2012 Posts: 17 Location: E.T.A.-Hoffmann-Str. 54, 82418 Seehausen am Staffelsee
Posted: Tue Aug 28, 2012 10:25 pm Post subject:
[email protected] wrote:
> Could go deeper, but this will do for removal purposes (where it connects to, any files read, etc.).
> Also, just for your sake: virus scans are useless/ridiculous, never judge a file based on an AV scan. Anyway,
> as far as I've seen it doesn't have any anti's (anti-emulation code).
> Files created are: C:\Documents and Settings\User\Local Settings\Temp\errefmozlc.pre
> An exe in C:\Users\Roderic\AppData\Roaming\Xivwjrly (lmao just missed it)
> It deletes itself and drops a shitload of files.
> A new process is created named svchost.exe.
> If you're still infected, go get yourself Autoruns from MS and take a look at any new startup items you don't recognize or that seem suspicious.
> Check each process individually, where it is located; when you find the infection, just delete it.
> A bonus would be to end all processes (just keeping the crucial ones),
> install Shadow Defender and use Wireshark to monitor any activity, and post that here.

Great for guys who were infected with this. I cannot verify his claims, as my computer has never been infected.
PS: You need to reply to my reply in the other thread about creating malware.