Malware Reverse Engineering
Debugging, disassembling and documenting interesting malware...
369 topics in this forum
Hey, I was wondering if anyone had a copy of W32/Sharp-A. I would like it for researching it. http://www.sophos.com/security/analyses/viruses-and-spyware/w32sharpa.html
-
More nice work from ap0x and deroko. http://blog.reversinglabs.com/2010/04/introducing-nyxengine/
-
I bet you have come across some software you've made which you didn't want the AV to pick up. This article explains how to import from DLLs without having to call GetProcAddress, and also how to encrypt your data section. Anti-viruses rely heavily on their heuristics if all other (signature) scans fail. The patterns they search for in your executable are the functions being imported, and the order they are being called in. No imports! Having no import table is relatively easy. There are however some functions I haven't imported dynamically, but which are very normal in any application (libc functions). The steps you need to do are: Get the kernel32 module base address. (…
-
Here's an excellent video on malware removal by Mark Russinovich, author of many tools in the sysinternals suite. Very good for semi-beginners into the world of malware exploration and analysis.
-
I want to get more into malware analysis but there are a few barriers to my getting started. Hopefully someone here can help me out. 1. I use VMware; when I plug in a flash drive or iPod it sometimes automatically connects to the VM. Not a good thing if you have malware hanging around. How do you make it so they won't (preferably can't) connect to my VM? 2. If the network is unchecked, is there anything to worry about? I can't remember for sure, but I think there were times when it woke up and it was connected to the network. Any ideas on how to fix that? 3. Is copying from a host to a guest a security risk? 4. Is it safe to download the malware on your regular comp…
-
Hi, are you aware of any malware that refuses to run, or tries to kill analysis tools if it detects their presence at run-time? (Some analysis tools that come to mind are: RegMon, FileMon, ...) Please name some malware that does this kind of thing. The more famous, the better ... Thanks a lot, N
-
I downloaded the demo software at www.hacks4sale.com because I was going to try and crack it. While installing, it dropped ods.exe, stm.exe, msn.exe, iexplorer.exe, and ICSharpCode.SharpZipLib.dll into the Internet Explorer directory; they had the attributes of being System files and were hidden. Also, the demo doesn't do anything. I opened it in Reflector after unpacking; here's a bit of it: box.Text = (box.Text & "Activated" & ChrW(13) & ChrW(10)) Thread.Sleep(2000) box = Me.TextBox7 box.Text = (box.Text & "Connected to database!" & ChrW(13) & ChrW(10)) box = Me.TextBox7 box.Text = (box.Text & "Database dropped connection, retry in 2#" &…
-
Hi, can I ask for your help please? Before I ask for your help, sorry for my bad English because I'm from Indonesia. This file is not an original from the author, because it was infected from my computer. Lots of my files on the hard drive have been infected by this. Thanks for your help and time. devilz's KeyGen-me N
-
http://www.avertlabs.com/research/blog/index.php/2010/01/18/an-insight-into-the-aurora-communication-protocol/ Ted.
-
My friends, I have a problem! For some days I have been trying to reverse with Olly, and in every application the start assembly code is: 0049596E > $- E9 8DA6B07F JMP 7FFA0000 00495973 . 68 20 7B 4A 0>ASCII "h {J",0 00495978 . 68 78 5D 49 0>ASCII "hx]I",0... When I recover Windows everything is OK, and in my reversing application the code is: PUSH EBP MOV EBP,ESP... I can't find which application causes it! Perhaps it is a virus? I checked my PC with Avast and Malwarebytes, but everything is OK! Thanks in advance!
-
VirusTotal Results. Just thought I'd share this. Renaming this DLL throws a RUNDLL error on startup; it's in CurrentVersion\Run and run with RUNDLL. Analysis in OllyDbg with Phantom shows the same thing as VirusTotal in abstract; I didn't look at it further. Seems to start a thread with native API and collect system data. Removing the startup placement in the registry just causes it to be replaced by something on next reboot. Survives only on a 32-bit kernel. There is no packer or anti-debug... it's just there and backed by some rootkit which the latest builds of GMER and RKU don't detect. McAfee heuristics picked it up as an injector. The most interesting thing is, renaming it …
-
Hello all, this is my first post to tuts4you! Hopefully my question is a simple one. I'm trying to load a DLL (dropped by malware) into Olly. I have made the changes to the characteristics section of the binary so that Olly sees the DLL as a .exe to bypass loaddll. The following is the EP of the malicious DLL when opening in Olly: 100037A1 >/$ 8BFF MOV EDI,EDI ; ntdll.7C910228 100037A3 |. 55 PUSH EBP 100037A4 |. 8BEC MOV EBP,ESP 100037A6 |. 33C0 XOR EAX,EAX 100037A8 |. 40 INC EAX 100037A9 |. 3945 0C CMP DWORD PTR SS:[EBP+C],EAX 100037AC |. 75 09 JNZ SHORT Copy…
-
Hi all, I found the attached malware on one of my test machines. It looks like it drops itself into the system32 directory with some random name and adds entries to the registry so that it can start as a service every time the machine boots. I don't seem to get any further after that; can you look into this? It seems like it does do some damage, so analyzing this in a virtual environment is recommended. Attached is malware, so please exercise care!!! password - infected EDIT: Nobody looked at this yet? MNR8TTI7OP.zip
-
Hello, I'm trying to analyze a ring 0 driver which can completely lock my computer except for one piece of software, VM(Ware) Player. In fact, this driver communicates with the virtual machine to allow access to a software package installed in the VM. It can't run without this driver. As it's a 32-bit driver, my goal is to recreate a program which would emulate the presence of this driver so I could use my VM on Seven. I'm focusing on the communication between the VM and the host machine. As I'm a complete newbie, disassembling the driver with IDA didn't help me much. Many of the calls made by the driver are part of the "locking host system" routine. Then I made some analysis with Wireshark…
-
As you can understand, I have a worm virus on my computer. I have used Ad-Aware, Malwarebytes, Security Task Manager and Windows Defender and none of them can effectively remove the virus entirely. There's one file that I know exists but have no way of deleting (my version of Security Task Manager isn't registered so I can't remove drivers and DLLs... can't find a registered one). The file I can't delete is called afmain0.dll and it's the reason why I keep getting other worm-like viruses, for a week now... Is there anything I can do besides formatting the hard drive?
-
Hi guys. I decided to reverse one malware sample which I found on my PC. But I have some problems with unpacking this malware, because it is packed with Xenocode (2009). I tried to unpack it as a previous version of Xenocode (2007 & 2008), but it does not work. If somebody has experience with how to unpack this protection, please help me. Thank you. !!!WARNING!!! !!!Attached ACTIVE MALWARE!!! pass:tuts4you.com malware.7z
-
Hi everyone! I have received a file from a friend asking me if I could maybe help him analyze this file. Since I'm still new to this, I thought of maybe asking you guys before I endanger my PC. I have tried to first run this sample in a VM, but it seems to detect the VM. Secondly, I have tried running it with Olly, but it uses some kind of VB protection that is WAY out of my league.. Third, since I saw VB (and PEiD also said it's Microsoft Visual Basic 5.0 & 6.0) I tried running it with SmartCheck but ran into a wall of errors saying something about the program using p-code... Anyway, since this file is really out of my league, I thought I would ask the expert…
-
This is a malware archive that I found on a cyber I've been in, if someone is interested in giving it a try. password: vrs. Be careful, have fun. Malwares Archive.zip
-
I've already taken apart the dropper, but I just want to see if anyone here can unpack what it drops. I won't say anything else; interested in feedback. zip pass = infected GodLike.zip
-
Win32.Polip.a. I have included in the archive: the original untouched executable, the infected executable, a section dump of the target and some information about it from McAfee (http://vil.nai.com/vil/content/v_139296.htm). http://www.tuts4you.com/download.php?view.2795 Ted.