Some days ago a friend of mine sent me a suspicious malware sample; unfortunately I couldn't look at it until yesterday night because I was away for work.
By submitting the file to virustotal.com I could see that only 39.02% of the antivirus engines recognize it as malware (some popular antivirus products, such as Kaspersky or Symantec, for example, don't detect it); Microsoft calls it "TrojanDropper:Win32/Rustock.F" while for Panda it is "Trj/Rustock.L".
The analysis shows that this is really a dropper for the famous Rustock.C malware.
A lot of papers have been written on Rustock.C, so I will analyze only this dropper, to make you aware that this is malware even if your antivirus does not flag it as a bad application.
The file I’m talking about is called “is7771.exe”.
In the article I explain the behaviour of the dropper in detail; take a look at it here:
Today I will show you the analysis of Trojan-Dropper.Win32.Agent.aang (Kaspersky); it's a P2P worm that spreads through P2P applications by using .rar archives with different names.
These names are something like "xxx.crack.rar" or "xxx.keygen.rar" where xxx is the name of a famous application.
This time I focus on the analysis of the rootkit because the trojan is very simple to understand.
The article is here:
I generally write articles about software protections, so I hope that my writing style will be good for malware too.
I'm used to reversing malware, but this is the first time I write about it.
Backdoor.W32.rizo.ab (Kaspersky) or W32.SpyBot.Worm (Symantec) is a worm spreading through Windows MSN; it's not too hard to reverse, and it uses some anti-VM and anti-debug protections with a little bit of cryptography.
We will discover that the coder is not so expert (we will find some bugs).