Jump to content
Tuts 4 You

[keygenme] keygenme

xiaojiam

By xiaojiam
in KeygenMe

 Share

Recommended Posts

xiaojiam

xiaojiam

Posted
Posted (edited)

Xiaojiam's keygenme #02 ! :lol::lol::lol:

name: Xiaojiam's Keygen.zip

size: 562 kb

code: yiyuyan

date: 12.12.2008

About:

A so easy Keygen .....

Rules:

1) No patching ;

2) Find serial for your name ;

3) Make a Keygen ;

Xiaojiam__s_Keygen.zip

Edited by xiaojiam
Link to comment
Share on other sites
Teddy Rogers

Teddy Rogers

Posted
Posted

The [keygenme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment
Share on other sites
  • 2 weeks later...
ghandi

ghandi

Posted
Posted (edited)

I downloaded this file today to take a look. Loaded the keygenme into Olly and looked at the code, to see what i was getting myself into. Imagine my surprise when i found that the executable decrypts a dll file that is attached as an overlay, saves it to the users temp directory and then loads it, looking for a function call CreateNewSock.

Now, call me pessimistic, but that doesn't sound like a necessary function for a keygenme to be performing. I sent a copy of the keygenme to virustotal.org and it flagged multiple hits with the scanners there, although a lot still didn't detect anything amiss.

'Trojan-Dropper.Win32.Flystud' was the most common name, so with that information i then proceeded to ask google for the verdict... According to the posts i read, this wasn't something that can be removed properly & easily. It opens a UDP port and downloads whatever the instigator has configured it to grab and install/run, also making changes in the windows system.

The difference with this keygenme is that there isn't a self-executable in the payload, just this dll.

I am not sure what to think of this, because i haven't had too much trouble with virii/trojans before, except the odd infected file downloaded and quarantined. I have opened the dropped dll with OllyDbg and it imports the winsock functions: connect, closesocket, bind and accept. (These are what the malware uses to access the internet.)

Is this a framework that has been used by VX skiddies, thus being labelled as malware without deeper inspection? Any information would be helpful, so to that end, can somebody who actually knows what they are doing please take a look at this keygenme and verify:

* If this is indeed malware, not just a mechanism that the AV's have flagged as a malware.

* If this does indeed perform the functions that it would set out to achieve if it were malware, those being to open the port and d/l a file.

If i am wrong, i apologize in advance. However, one can never be too careful...

HR,

Ghandi

Edited by ghandi
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...