Posted March 5, 2009

Hi Friends,
Please patch the first nag :-)
Please report difficulty.
Good Luck

Remove_Nag.zip

Edited March 7, 2009 by Teddy Rogers
Edited topic title...
March 11, 2009

What does the virus do? I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll, but that's about it. Could it have sandbox detection?
March 11, 2009

Who moved this to Malicious Software Research? I haven't tried to reverse it, but I did see it drops some DLL. It's made in VB and I don't think it's a virus; nothing unusual on my system since I ran this ****.
March 16, 2009

If we use Olly to run it, it extracts Shadovv.dll into the system32 folder and detects our Olly. If we delete Shadovv.dll from system32, then the app terminates and doesn't run...
Bye
March 16, 2009

Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

    00401080 .- FF25 2C104000   JMP DWORD PTR DS:[40102C]   ; MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance. Detailing:

    00402D74 . 47 65 74 56 65>  ASCII "GetVersionExA",0
    ..
    00402D84   00204000         DD Remove_N.00402000        ; ASCII "kernel32"
    00402D88   742D4000         DD Remove_N.00402D74        ; ASCII "GetVersionExA"
    ..
    00402D90   D4784000         DD Remove_N.004078D4
    ..
    00402D9C . A1 DC784000      MOV EAX,DWORD PTR DS:[4078DC]  // null pointer
    00402DA1 . 0BC0             OR EAX,EAX                  // check if null (if not null, function address is not acquired)
    00402DA3 . 74 02            JE SHORT 00402DA7           // jump or not based on above condition
    00402DA5 . FFE0             JMP EAX                     // if internal function (as in pointer is not null), then jump to it
    00402DA7 > 68 842D4000      PUSH 402D84                 // push library
    00402DAC . B8 80104000      MOV EAX,401080              // set EAX to VB_caller
    00402DB1 . FFD0             CALL EAX                    // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
    00402DB3 . FFE0             JMP EAX                     // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit..

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY..

    10001000   PUSH EBP
    10001001   MOV EBP,ESP
    10001003   CMP DWORD PTR SS:[EBP+C],1
    10001007   JNZ SHORT 1000100B
    10001009   JMP SHORT 10001021
    1000100B   CMP DWORD PTR SS:[EBP+C],0
    1000100F   JNZ SHORT 10001013
    10001011   JMP SHORT 10001021
    10001013   CMP DWORD PTR SS:[EBP+C],2
    10001017   JNZ SHORT 1000101B
    10001019   JMP SHORT 10001021
    1000101B   CMP DWORD PTR SS:[EBP+C],3
    1000101F   JNZ SHORT 10001021
    10001021   LEAVE
    10001022   RET 0C

Edited March 16, 2009 by SunBeam
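The thunk SunBeam quotes (MOV EAX,[cache] / OR EAX,EAX / JE / JMP EAX / PUSH params / MOV EAX,stub / CALL EAX / JMP EAX) is the same for every VB6 Declare, so the external-function list can also be recovered statically instead of by breakpointing DllFunctionCall. The script below is an added example and not part of the post or the crackme: it scans a flat memory image for that byte pattern, follows the pushed parameter block to the library and function name strings, and checks that the CALL target is a JMP DWORD PTR [IAT] stub like the one at 00401080. Assumptions (not from the post): the image is mapped at its preferred base 0x400000, and the parameter block begins with two pointers, library name then function name, as the listing at 00402D84/00402D88 shows. The sample image is constructed: it reproduces the kernel32!GetVersionExA entry at the quoted addresses and adds a made-up user32!MessageBoxA entry to show the scan is generic.

```python
import re
import struct

# Assumption (not from the post): a flat memory image of the module mapped at its
# preferred base, so VA -> offset is a plain subtraction.
IMAGE_BASE = 0x400000

# Byte pattern of the Declare thunk quoted in SunBeam's listing:
#   A1 <cache>    MOV EAX,[cache]     ; cached API address, 0 until the first call
#   0B C0         OR EAX,EAX
#   74 02         JE  +2
#   FF E0         JMP EAX             ; already resolved: jump straight to the API
#   68 <params>   PUSH params         ; {lib name ptr, func name ptr, ...}
#   B8 <stub>     MOV EAX,stub        ; JMP DWORD PTR [IAT] -> MSVBVM60.DllFunctionCall
#   FF D0         CALL EAX
#   FF E0         JMP EAX             ; jump to the freshly resolved API
THUNK_RE = re.compile(
    rb"\xA1(.{4})\x0B\xC0\x74\x02\xFF\xE0\x68(.{4})\xB8(.{4})\xFF\xD0\xFF\xE0",
    re.DOTALL,
)


def _off(va, img, size=1):
    """VA -> image offset, or None when the range falls outside the image."""
    off = va - IMAGE_BASE
    if off < 0 or off + size > len(img):
        return None
    return off


def read_u32(img, va):
    off = _off(va, img, 4)
    return None if off is None else struct.unpack_from("<I", img, off)[0]


def read_cstr(img, va, limit=256):
    """Read a NUL-terminated printable-ASCII string; None rejects false pattern hits."""
    off = _off(va, img)
    if off is None:
        return None
    end = img.find(b"\0", off, off + limit)
    if end < 0:
        return None
    s = img[off:end]
    if not s or any(b < 0x20 or b > 0x7E for b in s):
        return None
    return s.decode("ascii")


def find_declares(img):
    """One record per Declare thunk found in the image, in address order."""
    found = []
    for m in THUNK_RE.finditer(img):
        cache_va, params_va, stub_va = (struct.unpack("<I", g)[0] for g in m.groups())
        # Assumption from the listing: params block = {lib name ptr, func name ptr, ...}
        lib_ptr, func_ptr = read_u32(img, params_va), read_u32(img, params_va + 4)
        if lib_ptr is None or func_ptr is None:
            continue
        lib, func = read_cstr(img, lib_ptr), read_cstr(img, func_ptr)
        if lib is None or func is None:
            continue
        # The CALL target should itself be a 'JMP DWORD PTR [iat]' (FF 25) stub, as at 00401080.
        stub_off = _off(stub_va, img, 2)
        stub_ok = stub_off is not None and img[stub_off:stub_off + 2] == b"\xFF\x25"
        cached = read_u32(img, cache_va)
        found.append({
            "thunk_va": IMAGE_BASE + m.start(),
            "lib": lib,
            "func": func,
            "cache_va": cache_va,
            "resolved": bool(cached),   # non-zero only in a dump taken after the first call
            "stub_ok": stub_ok,
        })
    return found


def build_sample_image():
    """Constructed sample image: the GetVersionExA thunk at the addresses quoted in the
    post, plus a made-up user32!MessageBoxA Declare that is not from the post."""
    img = bytearray(0x8000)
    p32 = lambda v: struct.pack("<I", v)

    def put(va, data):
        img[va - IMAGE_BASE:va - IMAGE_BASE + len(data)] = data

    def thunk(cache, params, stub):
        return (b"\xA1" + p32(cache) + b"\x0B\xC0\x74\x02\xFF\xE0"
                + b"\x68" + p32(params) + b"\xB8" + p32(stub) + b"\xFF\xD0\xFF\xE0")

    put(0x401080, b"\xFF\x25\x2C\x10\x40\x00")   # JMP DWORD PTR DS:[40102C]
    put(0x402000, b"kernel32\0")
    put(0x402D74, b"GetVersionExA\0")
    put(0x402D84, p32(0x402000) + p32(0x402D74) + p32(0) + p32(0x4078D4))
    put(0x402D9C, thunk(0x4078DC, 0x402D84, 0x401080))
    put(0x402E00, b"user32\0")                   # constructed second entry
    put(0x402E10, b"MessageBoxA\0")
    put(0x402E20, p32(0x402E00) + p32(0x402E10) + p32(0) + p32(0x4078E4))
    put(0x402E40, thunk(0x4078EC, 0x402E20, 0x401080))
    return bytes(img)


if __name__ == "__main__":
    for d in find_declares(build_sample_image()):
        print(f"{d['thunk_va']:08X}  {d['lib']}!{d['func']}  "
              f"cache=[{d['cache_va']:08X}]  resolved={d['resolved']}  stub_ok={d['stub_ok']}")
```

On a raw file rather than a memory dump the VA-to-offset mapping has to go through the section table instead of a single subtraction, and the cache slots will all be zero; on a dump taken after the APIs have been called, the `resolved` flag tells you which Declares the program has actually exercised, which is a quick way to spot the ones used by the debugger check.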