Skip navigation.
Home

W32.Rinbot.BC - detects VM and Ollydbg's presence

This piece of malware detects the presence of VM and Ollydbg.

AhnLab-V3 2007.5.9.0 05.09.2007 no virus found
AntiVir 7.4.0.15 05.08.2007 BDS/Vanbot.AR
Authentium 4.93.8 05.08.2007 no virus found
Avast 4.7.997.0 05.07.2007 no virus found
AVG 7.5.0.467 05.08.2007 Win32/CryptExe
BitDefender 7.2 05.09.2007 Backdoor.Vanbot.AR
CAT-QuickHeal 9.00 05.08.2007 no virus found
ClamAV devel-20070416 05.09.2007 no virus found
DrWeb 4.33 05.08.2007 BackDoor.IRC.Sdbot.1335
eSafe 7.0.15.0 05.08.2007 Win32.Rinbot.BC
eTrust-Vet 30.7.3618 05.08.2007 Win32/Nirbot.BD
Ewido 4.0 05.08.2007 Backdoor.Sdbot
FileAdvisor 1 05.09.2007 No threat detected
Fortinet 2.85.0.0 05.08.2007 W32/VanBot.BX!worm
F-Prot 4.3.2.48 05.08.2007 no virus found
F-Secure 6.70.13030.0 05.09.2007 W32/Malware.QPK
Ikarus T3.1.1.7 05.09.2007 Backdoor.VanBot.AR
Kaspersky 4.0.2.24 05.09.2007 no virus found
McAfee 5026 05.08.2007 W32/Nirbot.worm.gen
Microsoft 1.2503 05.09.2007 Backdoor:Win32/Nirbot!CFEC
NOD32v2 2250 05.08.2007 no virus found
Norman 5.80.02 05.08.2007 W32/Malware.QPK
Panda 9.0.0.4 05.08.2007 Suspicious file
Prevx1 V2 05.09.2007 no virus found
Sophos 4.17.0 05.08.2007 W32/ExDns-Fam
Sunbelt 2.2.907.0 05.05.2007 no virus found
Symantec 10 05.09.2007 W32.Rinbot.BC
TheHacker 6.1.6.110 05.08.2007 no virus found
VBA32 3.12.0 05.08.2007 BackDoor.IRC.Sdbot.1335
VirusBuster 4.3.7:9 05.08.2007 no virus found
Webwasher-Gateway 6.0.1 05.08.2007 Trojan.Vanbot.AR

File size: 250880 bytes
MD5: eccf1f30fb095be23fd77bccab309c4c
SHA1: 357d79c4513ea2a40ab4fbfa0fe1e1385f7cae6e
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=eccf1f30fb095be23fd77bccab309c4c
packers: EXECryptor

cool thanks

do you have any info on how it does this? what methods are used, etc.

V.

unpacking w32.rinbot.bc

Does someone successfully unpacked w32.rinbot.bc ?

I find it difficult, it's packed using execryptor 2.2.4 and checks the following:

BeingDebugged/IsDebuggerPresent
NTGlobalFlag
ProcessHeap
Remotedebuggerpresent
SEH (bunch of exceptions)
CreateThread to detect olly
AntiOlly like Findwindow, readprocess memory

It also uses TLS callback function to control before getting to entry point. I also notice, imports are redirected to execryptor for decryption. ...And alot of unnecessary (garbage) code.

It terminate regmon,filemon, lordpe, but process explorer works fine. I can't find OEP =( ... I hope somebody can share how to unpack this or share unpacked code.

So far, I haven't seen VM checking.

~ Zeno