Hi Friends

Please patch the first nag :-)

Please report difficulty

Good Luck

Remove_Nag.zip

Edited by Teddy Rogers
Edited topic title...

It doesn't run for me :huh:

Work on this ;)

It doesn't run for me either~

It's a virus

It's a virus!

It doesn't run for me either...

Please remove the link if the virus is

What does the virus do?

I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll but that's about it.

Could it have sandbox detection?

Who moved this to Malicious Software Research?

I haven't tried to reverse it but I did see it drops some DLL

It's made in VB and I don't think it's a virus

Nothing unusual on my system since I ran this ****

It seems that it used DLL injection; because of this, all AVs detect it as a virus.

Dropper detected, so some injection technique might be used

If we use Olly to run it, it extracts Shadovv.dll into the system32 folder and detects our Olly.

If we delete shadovv.dll from system32, then the app terminates and does not run...

Bye

Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

00401080  .- FF25 2C104000  JMP DWORD PTR DS:[40102C]  ; MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance:

[screenshot: 2wm2h43.png]

Detailing:

00402D74  .  47 65 74 56 65>  ASCII "GetVersionExA",0
..
00402D84  00204000  DD Remove_N.00402000  ; ASCII "kernel32"
00402D88  742D4000  DD Remove_N.00402D74  ; ASCII "GetVersionExA"
..
00402D90  D4784000  DD Remove_N.004078D4
..
00402D9C  .  A1 DC784000  MOV EAX,DWORD PTR DS:[4078DC]  // null pointer
00402DA1  .  0BC0         OR EAX,EAX                     // check if null (if not null, function address is not acquired)
00402DA3  .  74 02        JE SHORT 00402DA7              // jump or not based on above condition
00402DA5  .  FFE0         JMP EAX                        // if internal function (as in pointer is not null), then jump to it
00402DA7  >  68 842D4000  PUSH 402D84                    // push library
00402DAC  .  B8 80104000  MOV EAX,401080                 // set EAX to VB_caller
00402DB1  .  FFD0         CALL EAX                       // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
00402DB3  .  FFE0         JMP EAX                        // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit..

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY..

10001000 PUSH EBP
10001001 MOV EBP,ESP
10001003 CMP DWORD PTR SS:[EBP+C],1
10001007 JNZ SHORT 1000100B
10001009 JMP SHORT 10001021
1000100B CMP DWORD PTR SS:[EBP+C],0
1000100F JNZ SHORT 10001013
10001011 JMP SHORT 10001021
10001013 CMP DWORD PTR SS:[EBP+C],2
10001017 JNZ SHORT 1000101B
10001019 JMP SHORT 10001021
1000101B CMP DWORD PTR SS:[EBP+C],3
1000101F JNZ SHORT 10001021
10001021 LEAVE
10001022 RET 0C

Edited by SunBeam
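The lazy-binding stub SunBeam walks through above can also be recovered statically, which is useful for triage when running a sample under a debugger is not an option. The following Python script is an added example, not code from the thread or from the crackme: it scans a raw image buffer for that stub byte pattern and decodes the library and function name from the descriptor the stub pushes. The in-memory buffer, its base address 0x402000, the cache-slot addresses, the second user32/MessageBoxA entry and the descriptor layout beyond its first two fields (library-name pointer, function-name pointer) are constructed assumptions; only the stub shape, the 401080 thunk address and the kernel32/GetVersionExA entry come from the thread. On a real PE the buffer would have to be the mapped image with sections placed at their virtual addresses, which this example does not do.

```python
"""Static locator for VB6-style DllFunctionCall stubs (added example, constructed data)."""
import re
import struct

# Base address of the constructed demo buffer below (assumption; the thread's
# crackme has these strings and stubs around 0x402000 in its .text section).
BASE = 0x402000
# The thread shows every VB external call going through JMP DWORD PTR [40102C]
# at 00401080 -> MSVBVM60.DllFunctionCall.
VB_DLLFUNCTIONCALL_THUNK = 0x401080

# Byte shape of the per-API stub quoted in the thread:
#   A1 <cache>  MOV EAX,[cache]   ; cached API address, NULL until first call
#   0B C0       OR EAX,EAX
#   74 02       JE  +2
#   FF E0       JMP EAX           ; already resolved: jump straight to the API
#   68 <desc>   PUSH descriptor   ; {lib name ptr, func name ptr, ...}
#   B8 <thunk>  MOV EAX,thunk     ; MSVBVM60.DllFunctionCall
#   FF D0       CALL EAX          ; resolves and returns the API address
#   FF E0       JMP EAX
STUB_RE = re.compile(
    rb"\xA1(?P<cache>.{4})\x0B\xC0\x74\x02\xFF\xE0"
    rb"\x68(?P<desc>.{4})\xB8(?P<thunk>.{4})\xFF\xD0\xFF\xE0",
    re.DOTALL,
)


def read_dword(image, va, base=BASE):
    """Read a little-endian DWORD at virtual address `va` from the flat buffer."""
    off = va - base
    if not 0 <= off <= len(image) - 4:
        raise ValueError(f"DWORD read at {va:#x} is outside the image")
    return struct.unpack_from("<I", image, off)[0]


def read_cstring(image, va, base=BASE, limit=256):
    """Read a NUL-terminated ASCII string at virtual address `va`."""
    off = va - base
    if not 0 <= off < len(image):
        raise ValueError(f"string read at {va:#x} is outside the image")
    end = image.find(b"\0", off, off + limit)
    if end == -1:
        raise ValueError(f"unterminated string at {va:#x}")
    return image[off:end].decode("ascii")


def find_vb_dynamic_imports(image, base=BASE):
    """Return one record per DllFunctionCall stub: where it is and what it resolves."""
    records = []
    for m in STUB_RE.finditer(image):
        cache_va, desc_va, thunk_va = (
            struct.unpack("<I", m.group(k))[0] for k in ("cache", "desc", "thunk")
        )
        # Descriptor layout assumed here: +0 library-name pointer, +4 function-name
        # pointer (both confirmed by the thread's 402D84/402D88 dump); later fields ignored.
        lib_va = read_dword(image, desc_va, base)
        name_va = read_dword(image, desc_va + 4, base)
        records.append({
            "stub_va": base + m.start(),
            "descriptor_va": desc_va,
            "cache_va": cache_va,
            "thunk_va": thunk_va,
            "library": read_cstring(image, lib_va, base),
            "function": read_cstring(image, name_va, base),
        })
    return records


def build_demo_image():
    """Constructed 4 KiB image mimicking the thread's layout plus one extra entry."""
    img = bytearray(0x1000)

    def put(va, data):
        img[va - BASE:va - BASE + len(data)] = data

    def stub(cache_va, desc_va):
        return (b"\xA1" + struct.pack("<I", cache_va) + b"\x0B\xC0\x74\x02\xFF\xE0"
                + b"\x68" + struct.pack("<I", desc_va)
                + b"\xB8" + struct.pack("<I", VB_DLLFUNCTIONCALL_THUNK)
                + b"\xFF\xD0\xFF\xE0")

    # Entry taken from the thread: kernel32!GetVersionExA, descriptor at 402D84, stub at 402D9C.
    put(0x402000, b"kernel32\0")
    put(0x402D74, b"GetVersionExA\0")
    put(0x402D84, struct.pack("<III", 0x402000, 0x402D74, 0))
    put(0x402D9C, stub(0x402F00, 0x402D84))
    # Second entry is constructed to show the scanner handles several stubs.
    put(0x402010, b"user32\0")
    put(0x402E00, b"MessageBoxA\0")
    put(0x402E10, struct.pack("<III", 0x402010, 0x402E00, 0))
    put(0x402E30, stub(0x402F04, 0x402E10))
    return bytes(img)


DEMO_IMAGE = build_demo_image()

if __name__ == "__main__":
    for r in find_vb_dynamic_imports(DEMO_IMAGE):
        print(f"{r['stub_va']:08X}  cache={r['cache_va']:08X}  "
              f"{r['library']}!{r['function']}")
```

Each record also carries the cache slot address, which is where a debugger-side check (a memory breakpoint on the slot, or simply dumping it after the first call) confirms which API address the runtime wrote back; the stub's own JE/JMP pair means a second call never reaches DllFunctionCall again, so the breakpoint SunBeam describes at 00401080 fires exactly once per API.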

Heh O_o, didn't know that it's packed; maybe it's a VB packer!!

It was bad, it doesn't run on my machine!
