
winvpn analysis


Found at:
http://81.95.146.204/winvpn.exe

9773b2541759435c987d9f13430de38b

Not packed. This sample is not very interesting; it uses a bunch of old, unsophisticated methods.

It contains some lame ROT13 string obfuscation (the encoded strings and their decoded forms are listed below) and appears to drop a batch file.

0000CD00 0040EB00 0 @rpub bss
0000CD0A 0040EB0A 0 :ybbc
0000CD11 0040EB11 0 qry %1
0000CD19 0040EB19 0 vs rkvfg %1 tbgb ybbc
0000CD30 0040EB30 0 qry %0
0000CD38 0040EB38 0 a.bat
0000CD48 0040EB48 0 zfipey.qyy
0000CD54 0040EB54 0 CEBTENZSVYRF
0000CD64 0040EB64 0 \Vagrearg Rkcybere\vrkcyber.rkr
0000CD8C 0040EB8C 0 \zfipey.qyy
0000CD9C 0040EB9C 0 \fsp_bf.qyy
0000CDA8 0040EBA8 0 vrkcyber.rkr

@ECHO OFF
:LOOP
DEL %1
IF EXIST %1 GOTO LOOP
DEL %0
a.bat
MSVCRL.DLL
PROGRAMFILES
\INTERNET EXPLORER\IEXPLORE.EXE
\MSVCRL.DLL
\SFC_OS.DLL
IEXPLORE.EXE

It creates:

c:\windows\system32\msvcrl.dll
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Then I start seeing:
dfrgntfs.exe:368 WRITE C:\$Directory

I didn't see dfrgntfs.exe get created, but it's definitely running. I think it's supposed to be the defragmenter, so I'm not sure why it's running now.

It seems to index the whole hard drive and writes the results out to appcompat.txt in c:\documents and settings\user\local settings\temp\tempfilename.

It creates a file called a.bat in the same directory as itself. The contents of the .bat are:

@echo off
:loop
del %1
if exist %1 goto loop
del %0

So it deletes itself.
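As an added example (not part of the original write-up), here is a small Python triage script that finds ROT13-obfuscated strings like the ones listed above and rebuilds the dropped batch file from them; the byte blob is constructed from the post's string listing, and the keyword list is an assumed heuristic.

```python
import codecs
import re

# Constructed sample: the obfuscated strings from the listing, NUL-separated
# the way they might sit in the binary's data section. Note that "a.bat" is
# stored in the clear (its ROT13 is "n.ong"), so it must not be flagged.
SAMPLE_BLOB = (
    b"\x00\x00@rpub bss\x00:ybbc\x00qry %1\x00vs rkvfg %1 tbgb ybbc\x00"
    b"qry %0\x00a.bat\x00zfipey.qyy\x00CEBTENZSVYRF\x00"
    b"\\Vagrearg Rkcybere\\vrkcyber.rkr\x00\\zfipey.qyy\x00\\fsp_bf.qyy\x00"
    b"vrkcyber.rkr\x00\x00"
)

# Assumed heuristic: a decoded string is accepted only if it contains a token
# typical of batch scripts or Windows file names.
INDICATORS = ("echo", "loop", "del ", "goto", ".dll", ".exe", "programfiles")


def rot13(s: str) -> str:
    """ROT13 is its own inverse; this both encodes and decodes."""
    return codecs.decode(s, "rot_13")


def extract_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, text) for every printable-ASCII run of at least min_len."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.start(), m.group().decode("ascii")


def find_rot13_strings(blob: bytes):
    """Return [(offset, raw, decoded)] for runs whose ROT13 decode looks real."""
    hits = []
    for off, raw in extract_strings(blob):
        dec = rot13(raw)
        if any(tok in dec.lower() for tok in INDICATORS):
            hits.append((off, raw, dec))
    return hits


def reconstruct_batch(blob: bytes) -> str:
    """Join the decoded strings that look like batch lines, in file order."""
    prefixes = ("@", ":", "del ", "if ")
    lines = [d for _, _, d in find_rot13_strings(blob) if d.startswith(prefixes)]
    return "\n".join(lines)


if __name__ == "__main__":
    for off, raw, dec in find_rot13_strings(SAMPLE_BLOB):
        print(f"{off:08X}  {raw!r:36} -> {dec!r}")
    print("\nReconstructed batch file:\n" + reconstruct_batch(SAMPLE_BLOB))
```

The reconstructed script is the same five-line deleter the post found in a.bat, which confirms the strings decode correctly.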

Its primary function is to take over Internet Explorer.