
BBB Trojan


I have just uploaded a copy of BBB Trojan which was making its rounds a while back.

MD5: 36401cb9178232dde01b2788e8fc56f4

It's written in Delphi and there aren't many visible strings to pick out from the exe.

It drops 2 files microsoft.exe and microsoft.dll in c:\

Adds itself to the run key, creates a BHO and hooks itself into explorer.exe and iexplore.exe (which I believe should be monitoring web browsing, so it's either a monitoring or banking trojan).

I am trying to reverse the malware (microsoft.exe and microsoft.dll) and was stuck trying to deobfuscate some strings.

If anyone has some clues, please let me know.

Thanks, mythx

hmm

maybe you are looking for this data:
//from microsoft.exe
\win32.exe
Win32KernelStart
http://203.121.68.191/~ftmain/ftmain.php?gt=yes
null
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunServices
Software\Microsoft\Active Setup\Installed Components\
StubPath
Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Utility Manager\Magnifier
Application path
Start with Utility Manager
Start with Windows
{4B4AE115-25AE-4E53-B21F-BC7A738206ED}

//from microsoft.dll:
100000
{20F49338-A318-478F-8F91-2C7C440E4C0E}
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
Software\
INSERT INTO re_entries SET url='
', host='
', post='
', date=NOW()
HTTP/1.1
*/*
Content-Type: application/x-www-form-urlencoded
POST
NAPBVU=
&POSTDATA=NOW&

.. there, that's what I found.. I didn't look further into detail on what it does.. but you wanted the strings.. fairly simple "encryption" :)
and I just googled with the info I got.. and I ended up on this URL:
h**p://www.symantec.com/ja/jp/smb/security_response/writeup.jsp?docid=2007-091318-2239-99&tabid=2
which very much indeed looks like the one you got here.

Hi,

Thanks.

So what kind of encryption was used?

Rot13 was used. I wrote a few lines in my blog at zairon.wordpress.com

Sorry for the late reply but I got my connection back a few days ago...