
Malware

Mydoom.M

Creates registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Daemon
HKEY_CURRENT_USER\Software\Microsoft\Daemon

Creates:
%windir%\java.exe

Listens on TCP port 1034

MD5: 65cee5de8a2e13f739a987ea2e060495
SHA1: d862a2d041903651af9e62e662bde9f38030001c

AntiVir Found Worm/Mydoom.M
ArcaVir Found Worm.Mydoom.M
Avast Found Win32:Mydoom-M
AVG Antivirus Found I-Worm/Mydoom.O
BitDefender Found Win32.Mydoom.M@mm
ClamAV Found Worm.Mydoom.M
Dr.Web Found Win32.HLLM.MyDoom.49
F-Prot Antivirus Found W32/Mydoom.O@mm
Fortinet Found W32/Mydoom.N-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Mydoom.m

New to malware research

Hi All

I am new to malware research.
Can anyone suggest to me where I should start?
What are the common tools, and from where can I download them with documentation?

Please help me get all of these.
Thanks and regards,
Hooker

TrojanHaxdoor


MD5SUM: 7a961a17bf7f04d51c266634d0d10e5a
SHA1SUM: 3b306e98b54eaba5893086254cf2ed716e8e7088
SHA256SUM: 42e56bc95c04e3a1928f9c7b4403d74e2093d82e10708f8bf23b346b0c65651e

PACKER: FSG v2
REF: Submitted by MythX
DATE FOUND: 02/14/06
VECTOR: OC Submission
THREAT: TrojanHaxdoor (as identified by multiple AV Vendors)
CME #: N/A
SIZE (Pack) 12.7 KB
Size (Unpack) 97.0 KB

W32.Nymex.E@mm

MD5: 3cb74baa2858f2e75fb5ce2efd51b8bd
SHA1: 649a8276a1d5594c5a41d26ba465ddd7e4c5cf00

UPX packed.
UUEncodes itself to get around some MIME filters.

AntiVir Found Worm/KillAV.GR
ArcaVir Found Worm.Vb.Bi
Avast Found Win32:VB-CD
AVG Antivirus Found Worm/Generic.FX
BitDefender Found Win32.Nyxem.E@mm
ClamAV Found Worm.Nyxem.E
Dr.Web Found Win32.HLLM.Generic.391
F-Prot Antivirus Found W32/Kapser.A@mm
Fortinet Found nothing
Kaspersky Anti-Virus Found Email-Worm.Win32.Nyxem.e
NOD32 Found Win32/VB.NEI
Norman Virus Control Found Small.KI@mm
UNA Found I-Worm.VB
VBA32 Found Email-Worm.Win32.VB.bi

Acebot and CIH


Thanks to Scarlet Pimpernel for multiple contributions!

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 515980587de204fad7333d8a4f2bbd51
SHA1SUM: 7f2149706862d26240d1921c78e99b3e9046430b
SHA256SUM: 4e16e340dbe7fae2661a34961ae110d139d8cc3a38283ef3b7528863e52b4fe9
A/V SCAN: Trojan.Acebot-1
#################################
> perl scan.pl Worm.Win32.Newbiero.032.032
#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 823b48f2646ebe622f264dacda91b492
SHA1SUM: 0e46b606cfca97370989dbeec7fe55b18e97af7f

Broken_Executable


thanks to sevill for the contribution:

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: c686e9b14452fd4b15c4799382b0df1b
SHA1SUM: a48c52aaab09c36540836d9192510780bee8be78
SHA256SUM: 61670a687a506301c4507123eb74e90aac6c01c88a73c2c3dc7681789bc80cff
A/V SCAN: Broken.Executable
PACKER: SVKP 1.3x Pavol Cerven - Slovak Protector encrypted !
#################################

trojan_spybot-123


thanks to sevill for the contribution:

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 4e89934d3554741f832cd39084d6d489
SHA1SUM: e02d45d03f7b9c2b5179f19384030f106aa93186
SHA256SUM: 12d36ae4e96fbe8403602dcd83a4bde4c2365d321546bb80e1a27e3c26cdfd76
A/V SCAN: Trojan.Spybot-123
PACKER: [!] SVKP - Slovak Protector encrypted !
#################################

Worm.Ardurk.G

Ardurk.G uses a modified version of the PE_PATCH packer.

MD5: bd243bed6aed37341c87416785b5587a
SHA1: a978ad431c92a527bdff431c7f75bf2f0045aa37

AntiVir Found Worm/Arduk.G
ArcaVir Found nothing
Avast Found Win32:Ardurk
AVG Antivirus Found nothing
BitDefender Found Win32.Ardurk.A
ClamAV Found Worm.Ardurk.G
Dr.Web Found Win32.Artur.9216
F-Prot Antivirus Found W32/Ardurk.A@mm
Fortinet Found W32/Adurk.A-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Ardurk.g
NOD32 Found Win32/Ardurk.G
Norman Virus Control Found nothing
UNA Found I-Worm.Ardurk.g
VBA32 Found Win32.Worm.Ardurk.g

Trojan.Win32.Zapchast

Found this in some spam. Apparently someone bulk-emailed out the URL: http://postcards2005.home.ro/postcards.gif.exe

The binary is an IRC controlled trojan.

It has an interesting XML blob in it as well, which, when changed, makes a lot of AV software misdetect it:

WinRAR archiver.

W32/Netsky.D@mm

Yet another NetSky variant. Uses the "Petite" packer.

MD5: f2bb4d11b28b4a37f94c685b554cb5b0
SHA1: c2cd401716df387ff21db75ebf047c4c26abcc86

AntiVir Found Worm/Netsky.D.Dam
ArcaVir Found Worm.Netsky.D
Avast Found Win32:Netsky-D
AVG Antivirus Found I-Worm/Netsky.D
BitDefender Found Win32.Netsky.D
ClamAV Found Worm.SomeFool.Gen-1
Dr.Web Found Win32.HLLM.Netsky.based
F-Prot Antivirus Found W32/Netsky.D@mm
Fortinet Found W32/Netsky.D-mm
Kaspersky Anti-Virus Found Email-Worm.Win32.NetSky.d
NOD32 Found Win32/Netsky.D
Norman Virus Control Found Netsky.D@mm
UNA Found I-Worm.NoDoom.d
