Skip navigation.


"Life is Beautiful Hoax" once again after 7 years !

Hi everybody.
if you remember the old days in year "2002" (january), Microsoft and Norton companies warned the internet users about a new Hoax virus which circulate itself through E-Mails.
this Hoax virus is attached in a power point file, named "life is beautiful.pps"
it's an official message from Microsoft and Norton companies, here the full advice :


Be Extremely Careful

Especially if using Internet mail such as Yahoo, Hotmail, AOL and so on.

DDoS Botnet. New crimeware particular purpose

| |

An attack by Denial of Service (DoS) consists basically of abuse of a service or resource by successive requests, either intentional or negligent, which eventually break the availability of such service or resource temporarily or completely.

When this type of attack is performed using the processing power of an important set of computers carrying out the abuse of requests synchronously, we are witnessing an attack Distributed Denial of Service (DDoS).

Need password for downloading WinCE Mobile sample Virus

as the title says, i need a password for the WinCE sample virus. The page says password is infected, can someone tell me how to get it pls? thanks

DNAScan Malicious Network Activity Reverse Engineering


This is a paper split into two episodes, the first two can be read here


In this blog post we will investigate deeply the effective functionalities of DNAScan,
that can be seen as a set of Threads that accomplish different networking functionalities like:

* Server Functionalities
* Client Functionalities
* Malicious File Exchange
* Generic Backdoor

Let's start from the beginning of network functionalities setup, initially from the main thread is called WSAStartup used to initiate the Winsock DLL, successively is called a classical socket() and immediately after WSAIoctl

Sample Windows Mobile Virus

Dear Users,

I looking for a sample Virus for Windows Mobile 5. I need this Virus for my final year project. Help me pls..

TDL3 - Why so serious? Let's put a smile on that face ...


TDL or TDSS family is a famous trojan variant for its effectiveness and active technical development. It contains couple compoments: a kernel-mode rootkit and user-mode DLLs which performs the trojan operation such as downloaders, blocking Avs, etc,. Since the rootkit acts as an “injector” and protector for the usermode bot binaries, almost all technical evolutions of this threat family focus on rootkit technology so as to evade AV scanners.

Ether Mailing List

Artem has created a mailing list for all Ether development related activities. You can find it here in the Google Groups.

Buster Sandbox Analyzer 1.0 release version

I released Buster Sandbox Analyzer 1.0.

Buster Sandbox Analyzer is a malware analyzer using Sandboxie as environment to run programs.

You can follow the development of the tool here:

And you can download the tool from here:

Reading the manual before using the tool is necessary.

Wandering Through Trojan.NtRootKit.47 Driver


Wandering Through Trojan.NtRootKit.47 Driver
Author: ocean


I didn’t have the dropper at the moment of writing this, only the driver. Without the dropper we can only get a generic idea of what the driver is used for. The driver has been reverse engineered by deadlist, a really irritating thing to do actually, but it can be useful to see the generic structure of a typical driver.

It’s a driver with dll functionality. Erssd shows us that the driver is produced by ErrorSafe, a fake-av (scareware) company. Seems like there are no rootkit functionality in this driver, while only a few zw* functions are exposed to the dropper, through the use of IOCTLS, though we can’t know how this is used without access to the dropper.

Driver entry point:
driver entry point graph
Simple start structure, a Device is created with name “erssdd” and linked with a Dosdevice with the same name, next every PDRIVER_DISPATCH MajorFunction[IRP_MJ_MAXIMUM_FUNCTION+1] will be written to point to a general IRP_dispatch procedure. Also a driver unload routine is set.

.text:000113EA push 1Ch ; IRP_MJ_MAXIMUM_FUNCTION+1
.text:000113EC lea edi, [ebx+38h]
.text:000113EF pop ecx
.text:000113F0 mov eax, offset irp_dispatch
.text:000113F5 rep stosd

.text:000113F7 mov dword ptr [ebx+34h], offset unload

unload procedure is pretty simple too

.text:0001133A unload:
.text:0001133A cmp Handle, 0
.text:00011341 jz short loc_1134A
.text:00011343 push 0
.text:00011345 call close_handle
.text:0001134A loc_1134A:
.text:0001134A push offset DestinationString
.text:0001134F call ds:IoDeleteSymbolicLink
.text:00011355 push DeviceObject
.text:0001135B call ds:IoDeleteDevice
.text:00011361 retn 4

it will just check if there’s and object handle open and close it (inside function close_handle there’s a call to

now the irp dispatcher procedure :)

Huytebesy4ko Hijacker analysis

Continuing on the road of scammail-spread malwares, today I am going to analyze an interesting little toy i accidentally get in touch just yesterday when receiving this funny email at my Universitary address from a fake crafted address

We are contacting you in regards to an unusual activity that was identified in your mailbox. 
As a result, your mailbox has been deactivated. To restore your mailbox, you are required to 
extract and run the attached mailbox utility.

Best regards, technical support.

As you may guess there was an attachment called containing an utility.exe which VirusTotal rates with a 73%.

Syndicate content