Skip navigation.
WARNING: This site contains samples of live malware. Use at your own risk.

win_klez comparison


So for this entry I'm doing something slightly different. 
I am going to compare two files which I think are variants
 of the same malware and post the results.

Another interesting thing to look out is function graph comparisons:



As you can see there is almost no difference visible. I conclude that these are two variants of the same malware.

What is OC working on?

What are the guys at OC workin on at the moment?

So some of the things in the works are:

- a web interface where you can upload a piece of malware and get an automated analysis.

- There have been a few suggestions for identification and comparison stuff which we are lookin into. We use Halvars awesome bindiff and just discovered bdiffm from nepenthes.

- a better interface for OC. This drupal stuff is ok but I don't think this scales or helps collaboration the way I want it to. Suggestions in this area (other than writing our own) are welcome. The reason we dont want to develop our own content management is that we'd much rather spend our time on malware and tool development.


Event: Threat Found!
Threat: Trojan.Adclicker
File: C:\malware\Bjq.exe
md5sum: 5237f35ccb015205d01262a19879017b Blq.exe
sha1sum: 3122a37f1bb6ca59ba3e2cf436543a0abbfbf155 Blq.exe
info: 9729 Mar 30 2005 Blq.exe
Date found: Saturday, December 17, 2005 8:09:58 PM

PE Protection: Scanning -> C:\malware\bluemountain\Blq.exe
File Type : Exe, Size : 9729 (02601h) Bytes
-> File has 1 (01h) bytes of appended data starting at offset 02600h
[!] File appears to have no protection or is using an unknown protection
- Scan Took : 0.922 Seconds
Nothing found [Overlay] *

This is interesting. I have a big directory full of all kinds of malware from a malicious email that I purposely infected a vmware with. I decided to use the nepenthes bdiffm tool to see if any of them were the same thing. The results were awesome and I guess I don't have to analyze all those binaries :)


Event: Threat Found!
Threat: Trojan.Adclicker
File: C:\malware\Bds.exe
Date found: Friday, December 16, 2005 8:27:50 PM
info: 9729 Mar 30 2005 Bds.exe
md5sum: 5237f35ccb015205d01262a19879017b Bds.exe
sha1sum: 3122a37f1bb6ca59ba3e2cf436543a0abbfbf155 Bds.exe

How To OC

Just a couple of things to note:

- If you are an anonymous user you are missing 75% of the content of this site. Signing up for an account is free and realitivly painless. I promise not to sell you to spamers.

- I love getting emails with samples, tools, ideas, etc. However you might consider posting stuff directly to the site. I'm hoping to build a community and i think thats the best way to do it.

- I've seeded the site with lots of malware which could still use more analysis. If you want to learn / work on something pick one of the entries and go to down and update the site.

Thats about it for now.


This is the mytob worm. It needs to be unpacked. I currently only have an unpacker for FSG 0.4. If anyone has some generic unpacking tools that would realy help me out.

Event: Threat Found!
Threat: W32.Mytob.B@mm
File: C:\malware\mytob\>>Net-Worm...
Date found: Wednesday, December 14, 2005 7:39:53 PM

packing: Scanning -> C:\malware\mytob\win_mytob_a.exe.pif
File Type : Exe, Size : 41824 (0A360h) Bytes
[!] FSG v1.33 detected !
- Scan Took : 0.969 Seconds
FSG 1.33 -> dulek/xt

md5sum: f09bc90992e53eebb97ba8dd3dff6037 win_mytob_a.exe.pif
sha1sum: 38f91f75f58e5cdbca4871f2334193333261354b win_mytob_a.exe.pif


info: 4039 Jul 16 2001 codered.exe
md5sum: 6f5767ec5a9cc6f7d195dde3c3939120 codered.exe
sha1sum: 4605a2d0aae8fa5ec0b72973bea928762cc6d002 codered.exe

Threat: CodeRed Worm
File: C:\malware\codered.exe
Date found: Tuesday, December 13, 2005 8:57:29 PM


Here is the entry for the sober worm variant a.
I really need to get more standard about this information.
I have attached flowgraphs, ida database, disassembly, packed and unpacked
versions, unpacked strings, etc.

Event: Threat Found!
Threat: W32.Sober@mm
File: C:\malware\sober\win_sober_a.exe
Date found: Monday, December 12, 2005 11:29:39 PM

Scanning -> C:\malware\sober\win_sober_a.exe
File Type : Exe, Size : 63765 (0F915h) Bytes
-> File has 277 (0115h) bytes of appended data starting at offset 0F800h
[!] UPX [unknown / modified] !
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Open Discussion

This is an open discussion forum.


Moving OC

If you are reading this then the migration to the new ISP / hosting service was successful!

Let me know if something is broken please. (mvalsmith at

thanks for your patience