
Looking for malware samples which bypass UAC

Hello,
Can anyone guide/help me in finding malware samples which play with or circumvent UAC (User Access/Account Controls)?
I need to analyze what kind of actions they perform, e.g. whether they create a new user account or something else.
Thanks in advance

This TDSS sample installs

This TDSS sample installs UACd.sys.

http://h1.ripway.com/HHMalTests2/tmfnozaqqhflwzc.rar

Have fun. :)

steve

Along the lines of the TDSS,

Along the lines of the TDSS, do you know if the coders of the TDSS are also the ones working with GAOP*.sys and pjxyv*.sys? It seems to be following the same behaviors, but there are some differences (i.e. the disallowed list present in TDSS*.sys infections but not in any of the others).
Could it just be they released their sdk?

Thanks

Pretty easy to turn off UAC

Pretty easy to turn off UAC with a single silent registry edit. It does have to be OK'd once, but after that every application will run with full admin privileges and without any UAC prompts on the system ever again.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
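A defender-side check for the silent edit described above, as an added example that is not from the post: it parses a .reg export (a constructed copy of the quoted fragment) and flags the UAC policy DWORDs that remove the prompt. The value meanings follow Microsoft's documented UAC policy settings; the surrounding .reg header is assumed.

```python
import re

# Constructed sample: the registry fragment quoted in the post above,
# wrapped in the header a Windows .reg export normally carries.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"ConsentPromptBehaviorAdmin"=dword:00000000
"""

UAC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

# Values under that key which weaken or remove UAC prompting.
# ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = prompt for consent on the
# secure desktop, 5 = prompt for non-Windows binaries (the default).
WEAK_VALUES = {
    "EnableLUA": (0, "UAC disabled entirely"),
    "ConsentPromptBehaviorAdmin": (0, "administrators elevate with no prompt"),
    "PromptOnSecureDesktop": (0, "prompts no longer shown on the secure desktop"),
}


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: value}}; dword values become int."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key_match = re.fullmatch(r"\[(.+)\]", line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        # Only DWORD and plain string values are handled; other types are skipped.
        val_match = re.fullmatch(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")', line)
        if val_match and current is not None:
            name, dword, string = val_match.groups()
            keys[current][name] = int(dword, 16) if dword is not None else string
    return keys


def uac_findings(text):
    """Return one finding string per UAC policy value set to a weak setting in the export."""
    values = parse_reg(text).get(UAC_KEY, {})
    findings = []
    for name, (weak, why) in WEAK_VALUES.items():
        if values.get(name) == weak:
            findings.append(f"{name}={weak}: {why}")
    return findings


if __name__ == "__main__":
    for finding in uac_findings(SAMPLE_REG):
        print("WEAK UAC SETTING:", finding)
```

The same check can be run over a `reg export` of the key taken from a suspect host, so a silent change like the one in the post shows up even though no prompt was ever seen.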

UAC prompts?

Cubex, as far as I know UAC prompts were added in Windows Vista, not in XP base/SP2, so what do you say if I need malware samples for XP base/SP2? Thanks

No such behaviour

I was analysing it, http://h1.ripway.com/HHMalTests2/tmfnozaqqhflwzc.rar, with the help of online tools like ThreatExpert, but no such activity was found. Can you please re-verify its behaviour?
Thanks for the help!

Sure. Runs fine in the

Sure. Runs fine in the Anubis sandbox. :)

Request: GET /banner/crfiles/uacd
- Drivers Loaded:
HKLM\system\currentcontrolset\services\UACd.sys

http://anubis.iseclab.org/?action=result&task_id=1c00ef67be9814874098e5e0e43011cc3&format=html

Yeah..Anubis works

Yeah, later I ran this malware in Anubis and it works there as expected.
Thanks.

Could you mail the malware to me?

Riz, I cannot get the malware from the above site; the file does not exist.
Could you mail the malware to me?
My mailbox is :
wangerwuya AT gmail dot com

Re-link the Malware sample?

hi steve,

Can you please relink the sample? Or it would be very nice if you could mail me at push_dot_pashupat_at_gmail_dot_com

I am looking for a sample like this to analyse it.

Thank you.

-push-