
Pincopall's blog

W32/Rustock.F, a quite unknown Rustock.C dropper

A few days ago a friend of mine sent me a suspicious piece of malware; unfortunately I couldn’t look at it until last night because I was away for work.

By submitting the file to virustotal.com I could see that only 39.02% of the antivirus engines recognize it as malware (some popular products, Kaspersky and Symantec for example, do not detect it at all). Microsoft calls it “TrojanDropper:Win32/Rustock.F”, while for Panda it is “Trj/Rustock.L”.

As the analysis shows, it is indeed a dropper for the well-known Rustock.C malware.

Many papers have already been written on Rustock.C, so I will analyze only this dropper, to show that it is malware even if your antivirus does not flag it as a bad application.

The file I’m talking about is called “is7771.exe”.

In the article I explain the behaviour of the dropper in detail; you can read it here:

http://revengstuff.wordpress.com/files/2009/09/rustock_f1.pdf

Trojan-Dropper.Win32.Agent.aang - focusing on the rootkit

Hi all!
Today I will show you the analysis of Trojan-Dropper.Win32.Agent.aang (the Kaspersky name). It is a P2P worm that spreads through peer-to-peer applications by using .rar archives with varying names.
These names are of the form "xxx.crack.rar" or "xxx.keygen.rar", where xxx is the name of a well-known application.
This time I focus on the analysis of the rootkit, because the trojan itself is very simple to understand.
The article is here:
http://revengstuff.files.wordpress.com/2009/09/trojan-dropper-agent-aang.pdf

Backdoor.W32.rizo.ab or W32.Spybot.Worm

Hi there!

I generally write articles about software protections, so I hope that my writing style works for malware too.

I’m used to reversing malware, but this is the first time I have written about it.

Backdoor.W32.rizo.ab (Kaspersky) or W32.Spybot.Worm (Symantec) is a worm that spreads through Windows MSN Messenger. It is not too hard to reverse; it uses some anti-VM and anti-debug protections together with a little bit of cryptography.

We will see that the author is not very experienced (we will find some bugs).
