WARNING: This site contains samples of live malware. Use at your own risk.

Going Live

I posted OC to DailyDave's (Dave Aitel) mailing list today, and I noticed several new users and hits on the site, so I just wanted to welcome the newcomers. We're very interested in feedback and any contributions you all can make, especially adding malware/analysis. I uploaded a few disassemblies for people to comment on, and there are IDA databases for some of the malware.

Enjoy the site!

V.

win_mydoom_a

sha1: f91a4d7ac276b8e8b7ae41c22587c89a39ddcea5 win_mydoom_a.exe
md5sum: 53df39092394741514bc050f3d6a06a9 win_mydoom_a.exe
info: 22528 Oct 20 10:58 win_mydoom_a.exe
Threat: W32.Mydoom.A@mm
File: C:\malware\win_mydoom_a.exe
Date found: Monday, December 05, 2005 10:02:44 PM
Scanning -> C:\malware\win_mydoom_a.exe
File Type : Exe, Size : 22528 (05800h) Bytes
[!] UPX v1.24 compressed !
- Scan Took : 0.953 Seconds

unpacked md5sum: 41e28ad24d9c075b01ebba52ff28ff27 unpacked_win_mydoom_a.exe
unpacked info: 53248 Dec 5 22:40 unpacked_win_mydoom_a.exe

entry point: 00004051

NOTES:
This binary was packed with UPX. There are both packed and unpacked versions attached.

Changes

So I removed the "exploits" and "shellcode" sections. The reason for this is that there are many sites that do this way better than we ever could.

If you want exploits or shellcode, then I would like to direct you to Metasploit.

Those guys are awesome and anything cool we do in that realm will be available through them one way or another.

So now this site can focus on what it does best, which is malware analysis, a searchable database, etc.

V.

More on Korgo

OK, this is a massive post. For some reason my malware collector keeps picking up Korgo worm binaries.

None of them will disassemble correctly, as if they are packed/encoded. None of my file analyzers find anything (PEiD, pescan, Protection ID, etc.). IDA shows that they are packed with a modified UPX2.

I have not figured out how to unpack it yet.

There are some A/V entries for this worm (it's an LSASS worm):

http://www.f-secure.com/v-descs/korgo.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.korgo.f.html

If anyone has ideas on how to unpack this, or even a good generic unpacker to donate to the cause, it would be greatly appreciated.

Sony DRM Rootkit

sha1: 8fe00da5f0b2114a132f41eb5e7065d46e7741fa $sys$DRMServer.exe
md5sum: 3692633395142b264b0a73e4994f657f *$sys$DRMServer.exe
md5sum: 2daffd7a9c415f1b41868340d32e680b *$sys$DRMServer.zip

This is just the executable. I'll get the other files up soon.

I have uploaded an IDA database and flow graph for this as well.

V.

I added the supporting DLLs and sys files. I'll see if I can get the installer off the CD as well.

W32.Korgo.V

Threat: W32.Korgo.V
7d99b0e9108065ad5700a899a1fe3441

md5sum: 7d99b0e9108065ad5700a899a1fe3441 *7d99b0e9108065ad5700a899a1fe3441
sha1: 5ab1a63cfca5be0dac591194583f6405c16905dd 7d99b0e9108065ad5700a899a1fe3441

http://www.f-secure.com/v-descs/korgo_p.shtml

Need a generic or modified UPX unpacker to analyze.

win_sasser

sha1: d0de44bcf3ca6553307c77da8699dbc9b5e9d56a win_sasser_a.exe
md5sum: 1a2c0e6130850f8fd9b9b5309413cd00 *win_sasser_a.exe
md5sum: 2d2cd880b204bc6809effc3d850fcd14 *win_sasser_a.zip

http://www.f-secure.com/v-descs/sasser.shtml

win_netsky_aa

sha1: 9bc7cc5f2030ae4d0a307f063b93f7caedacc2b5 win_netsky_aa.exe
md5sum: 2f4f05bb09b396579225615ab4121256 *win_netsky_aa.exe
md5sum: caf5821dcd9fd5eebda86eeb861cf2ef *win_netsky_aa.zip

http://www.f-secure.com/v-descs/moodown.shtml

win_nimda

sha1: 1c944d94b906a5212d72a4462d18e853f490c245 win_nimda.exe
md5sum: 839d5d4abc115f22a6a32b5f934c5bbc *win_nimda.zip
md5sum: 7a9527afdda4179b10e5465e93d0f3aa *win_nimda.exe

http://www.f-secure.com/v-descs/nimda.shtml

linux_slapper.tar.gz

md5sum: ac53b755c0f2909114a73b2743c41b16 *linux_slapper.tar.gz
sha1sum: 0f0166c3a5666a5281526f7853cf331c5092b3d8 linux_slapper.tar.gz

http://www.f-secure.com/v-descs/slapper.shtml