Warezov.DC (f-secure) uploaded.


I've uploaded Warezov.DC (name according to F-Secure); this variant just got spammed tonight.

MD5SUM: 83e00e3c95e51bb700a5380acdf9b2c3
SHA1SUM: ab471ad131a3590ba835ab622f4b9bc9f44685d3
SHA256SUM: 17d9827ed2aca3824f0f1916fc1d0048a2e70f1f109f518e2e23d90b826b2701

It tries to download a few files and execute them on the system; just like the rest of this downloader family, what it downloads is trojans.

Some iPods Shipping with Viruses

Apple has publicly apologized for including a virus on some of the latest iPods. While only 25 have been detected so far, this is still a disturbing trend. Apparently another unnamed manufacturer makes the iPods and is responsible for the infection.

One interesting quote is, "As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it."

CNet is running the article.

Would You Like a Virus with that?

McDonald's gave away MP3 players loaded with a little more than music on them. It appears that they came preloaded with a QQPass variant as well. Anyone have a copy different from the one in our archives?

Gizmodo Story detailing the event

New Licat (MSN Worm)

Another MSN worm is on the loose here; message from MSN:

--------------------------------------------------------- says:
lol check hxxp:// photo942.PIF

Rakningen Trojan

A new “rakningen” Trojan is being spammed; this time it is a downloader, which downloads this file:
"http://www. ssl. exe" (again the URL is split) and executes it.

This file ssl.exe drops hook.dll, which is injected into most running processes. It creates/edits a lot of registry values.

Yet another MSN worm...

So, I log on to my computer this evening, and I get spammed with MSN messages like this:

"lol check http ://www. uglyphotos. net /photo223. PIF" (URL split for your safety ;)

I've added this to the database:
MD5SUM: aae98749a6d2cb23c3eba83a794f9edf
SHA1SUM: 8a39f2c7f954110227a753816f634d5359e5a349
SHA256SUM: 7dba761a6af4bbc18381d50c158470540f87e6a2aeefca6db18c10d8b3e6c8f2

I download the file and run it through Jotti's virus scanner; only a few antivirus programs detect this thing, so I decide to take a look at it.

BinBLAST Pre-Alpha Release


BinBLAST is an extension of Karlin and Altschul's Basic Local Alignment and Search Tool (BLAST) to work with binaries. This technique has proved invaluable in aiding reverse engineering of genomes and its variants have become mainstays of modern bioinformatics. The analog developed for security analysis of binary executables, binBLAST, demonstrates sensitivity to code versions, compiler variations, and can be used to generate antivirus signatures.

Attached to this post is the code as of the DefCon presentation, provided without much documentation. If you have the DefCon CD, there is an outline in the slides of the programs and how they fit together. This includes the proof-of-concept code necessary to produce signatures of uniqueness.

Symbian OS Malware

Check this address:

I try to download the attachment but it isn't being downloaded.
I enter one of the MD5s in Malware Search: nothing.
I enter a name in Malware Search: nothing.

Can somebody help?

Determining Physical Offsets from Virtual Addresses in PE Files

While writing some PE analysis code I needed to calculate the actual physical offset in a PE file for a given RVA (relative virtual address). Looking around on the Internet it was non-obvious. The Metasploit Framework's msfpescan was actually the most help. I've ported it to Ero Carrera's pefile module and attached the patch to this post. Pefile is a Python module that I highly recommend.

Read more for the simple technique.
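As an added illustration of the lookup the post refers to (this is not the attached patch and not pefile's own code), the following parses IMAGE_SECTION_HEADER entries and maps an RVA to a physical file offset using each section's VirtualAddress and PointerToRawData. The section table bytes are constructed for the example, and the handling of the header region and of zero-filled (not file-backed) ranges reflects my reading of the format, not something the post states.

```python
import struct
from typing import List, NamedTuple, Optional

# IMAGE_SECTION_HEADER (40 bytes, little-endian): Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER_FMT = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40


class Section(NamedTuple):
    name: str
    virtual_size: int
    virtual_address: int
    size_of_raw_data: int
    pointer_to_raw_data: int


def parse_section_table(data: bytes, offset: int, count: int) -> List[Section]:
    """Parse `count` section headers starting at `offset` in `data`."""
    sections = []
    for i in range(count):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, offset + i * SECTION_HEADER_SIZE)
        name = f[0].rstrip(b"\x00").decode("ascii", errors="replace")
        sections.append(Section(name, f[1], f[2], f[3], f[4]))
    return sections


def rva_to_offset(rva: int, sections: List[Section], size_of_headers: int) -> Optional[int]:
    """Return the file offset backing `rva`, or None if no bytes in the file back it."""
    if rva < size_of_headers:
        return rva  # headers are mapped 1:1, so offset == RVA
    for s in sections:
        span = max(s.virtual_size, s.size_of_raw_data)  # in-memory extent of the section
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.size_of_raw_data:
                return None  # mapped but zero-filled in memory (e.g. .bss), not in the file
            return s.pointer_to_raw_data + delta
    return None  # outside every section


# Constructed sample table (not from a real binary): .text and .data with the
# usual 0x1000 section alignment and 0x200 file alignment.
SAMPLE_TABLE = struct.pack(SECTION_HEADER_FMT, b".text", 0x0A60, 0x1000, 0x0C00, 0x0400, 0, 0, 0, 0, 0x60000020)
SAMPLE_TABLE += struct.pack(SECTION_HEADER_FMT, b".data", 0x2000, 0x2000, 0x0200, 0x1000, 0, 0, 0, 0, 0xC0000040)
SAMPLE_SECTIONS = parse_section_table(SAMPLE_TABLE, 0, 2)
SAMPLE_SIZE_OF_HEADERS = 0x400
```

For a real file the section table starts right after the optional header (offset e_lfanew + 24 + SizeOfOptionalHeader) and NumberOfSections comes from the file header; with pefile the same fields are available on each entry of pe.sections.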


