Sh4DoVV Posted March 5, 2009 (edited)
Hi friends,
Please patch the first nag :-)
Please report difficulty.
Good luck.
Remove_Nag.zip
Edited March 7, 2009 by Teddy Rogers: edited topic title.
xsp!d3r Posted March 5, 2009
It doesn't run for me.
GioTiN Posted March 7, 2009
Work on this.
piaoyun Posted March 7, 2009
It doesn't run for me either~
ArslanBhatti Posted March 7, 2009
It's a virus.
hitle_vn127 Posted March 10, 2009
> Hi friends, please patch the first nag :-) Please report difficulty. Good luck.
It's a virus!
Squn ★ Posted March 10, 2009
It doesn't run for me either...
TreaxeR Posted March 10, 2009
Please remove the link if it is a virus.
aztecx Posted March 11, 2009
What does the virus do? I saw that it creates C:\WINDOWS\system32\Sh4DoVV.dll, but that's about it. Could it have sandbox detection?
GEEK Posted March 11, 2009
Who moved this to Malicious Software Research? I haven't tried to reverse it, but I did see it drops some DLL. It's made in VB and I don't think it's a virus. Nothing unusual on my system since I ran this ****.
Gladiator Posted March 12, 2009
It seems that it uses DLL injection; because of this, all AVs detect it as a virus.
sadiqhirani Posted March 14, 2009
Dropper detected, so some injection technique might be used.
GioTiN Posted March 16, 2009
If we use Olly to run it, it extracts Shadovv.dll into the system32 folder and detects our Olly. If we delete shadovv.dll from system32, then the app terminates and does not run...
Bye
SunBeam Posted March 16, 2009 (edited)
Protection is pretty weak, in my opinion. Since it's a VB app, all calls to external functions will be done through this:

00401080  .- FF25 2C104000    JMP DWORD PTR DS:[40102C]    ; MSVBVM60.DllFunctionCall

Setting a breakpoint there will show all external functions that are used, like this one for instance. Detailing:

00402D74  .  47 65 74 56 65>  ASCII "GetVersionExA",0
..
00402D84     00204000         DD Remove_N.00402000         ; ASCII "kernel32"
00402D88     742D4000         DD Remove_N.00402D74         ; ASCII "GetVersionExA"
..
00402D90     D4784000         DD Remove_N.004078D4
..
00402D9C  .  A1 DC784000      MOV EAX,DWORD PTR DS:[4078DC]  // null pointer
00402DA1  .  0BC0             OR EAX,EAX                     // check if null (if not null, function address is not acquired)
00402DA3  .  74 02            JE SHORT 00402DA7              // jump or not based on above condition
00402DA5  .  FFE0             JMP EAX                        // if internal function (as in pointer is not null), then jump to it
00402DA7  >  68 842D4000      PUSH 402D84                    // push library
00402DAC  .  B8 80104000      MOV EAX,401080                 // set EAX to VB_caller
00402DB1  .  FFD0             CALL EAX                       // call MSVBVM60.DllFunctionCall; this gets address of 402D84+4
00402DB3  .  FFE0             JMP EAX                        // once address is acquired, jump to API (in this case, jmp to GetVersionExA)

And so on for the rest of them. I'll post the "unpacked" file in a bit...

Not sure what nag he is speaking of, but the DLL is pretty much EMPTY:

10001000  PUSH EBP
10001001  MOV EBP,ESP
10001003  CMP DWORD PTR SS:[EBP+C],1
10001007  JNZ SHORT 1000100B
10001009  JMP SHORT 10001021
1000100B  CMP DWORD PTR SS:[EBP+C],0
1000100F  JNZ SHORT 10001013
10001011  JMP SHORT 10001021
10001013  CMP DWORD PTR SS:[EBP+C],2
10001017  JNZ SHORT 1000101B
10001019  JMP SHORT 10001021
1000101B  CMP DWORD PTR SS:[EBP+C],3
1000101F  JNZ SHORT 10001021
10001021  LEAVE
10001022  RET 0C

Edited March 16, 2009 by SunBeam
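An added example (not SunBeam's code and not part of the original post): the stub shown above is a fixed byte sequence, so a VB6 binary's "imports" can be listed statically without setting a breakpoint on DllFunctionCall. The scanner below walks an image that is already mapped at its load address (a process dump, or sections laid out with pefile) and, for every stub, reads the library-name and function-name pointers from the pushed descriptor, which are the only two descriptor fields the listing above shows; the rest of the descriptor is not assumed. The sample image is constructed here: it reproduces the GetVersionExA stub and its strings at the addresses from the listing, plus a second, made-up user32!MessageBoxA stub of the same shape. A stub whose descriptor pointer does not resolve to a string inside the mapping is skipped rather than reported.

```python
"""Recover the APIs behind VB6 DllFunctionCall stubs in a mapped image.

Added example, not SunBeam's code. Input is the image already mapped at
its load address (process dump, or sections laid out with pefile).
"""
import re
import struct

# The lazy-binding stub from the post, as a byte pattern.
THUNK_RE = re.compile(
    rb"\xA1(.{4})"   # MOV EAX,[slot]       cached API address, 0 until first call
    rb"\x0B\xC0"     # OR EAX,EAX
    rb"\x74\x02"     # JE SHORT +2          not resolved yet: fall through
    rb"\xFF\xE0"     # JMP EAX              already resolved: jump straight to the API
    rb"\x68(.{4})"   # PUSH descriptor      {lib name ptr, func name ptr, ...}
    rb"\xB8(.{4})"   # MOV EAX,caller       the JMP [MSVBVM60.DllFunctionCall] thunk
    rb"\xFF\xD0"     # CALL EAX
    rb"\xFF\xE0",    # JMP EAX
    re.DOTALL,
)


def _offset(image, base, va, size=1):
    """Translate a VA to a buffer offset, refusing anything outside the mapping."""
    off = va - base
    if off < 0 or off + size > len(image):
        raise ValueError("VA 0x%08X not mapped" % va)
    return off


def _u32(image, base, va):
    return struct.unpack_from("<I", image, _offset(image, base, va, 4))[0]


def _cstr(image, base, va, limit=256):
    off = _offset(image, base, va)
    end = image.index(b"\0", off, off + limit)   # ValueError if no terminator
    return image[off:end].decode("ascii")        # UnicodeDecodeError if not text


def find_vb6_dll_thunks(image, base):
    """Return one record per stub: its address, cache slot, caller and lib!func."""
    found = []
    for m in THUNK_RE.finditer(image):
        slot_va, desc_va, caller_va = (struct.unpack("<I", g)[0] for g in m.groups())
        try:
            lib = _cstr(image, base, _u32(image, base, desc_va))
            func = _cstr(image, base, _u32(image, base, desc_va + 4))
        except (ValueError, UnicodeDecodeError):
            continue   # pointers do not resolve to strings: byte coincidence, skip
        found.append({
            "thunk_va": base + m.start(),
            "slot_va": slot_va,
            "caller_va": caller_va,
            "lib": lib,
            "func": func,
        })
    return found


# --- constructed sample image (not the real Remove_Nag binary) --------------
SAMPLE_BASE = 0x401000   # only the part of the 0x400000 image that matters here


def _pack_va(va):
    return struct.pack("<I", va)


def build_sample_image():
    img = bytearray(0x7000)   # covers 0x401000..0x408000; slot 0x4078DC is inside

    def put(va, data):
        img[va - SAMPLE_BASE:va - SAMPLE_BASE + len(data)] = data

    # Layout taken from the listing: strings, descriptor, and the stub itself.
    put(0x402000, b"kernel32\0")
    put(0x402D74, b"GetVersionExA\0")
    put(0x402D84, _pack_va(0x402000) + _pack_va(0x402D74))
    put(0x402D9C, bytes.fromhex("A1DC784000" "0BC0" "7402" "FFE0"
                                "68842D4000" "B880104000" "FFD0" "FFE0"))
    # A second stub, made up for illustration, with the same shape.
    put(0x402E00, b"user32\0")
    put(0x402E10, b"MessageBoxA\0")
    put(0x402E20, _pack_va(0x402E00) + _pack_va(0x402E10))
    stub2 = (b"\xA1" + _pack_va(0x4078E0) + b"\x0B\xC0\x74\x02\xFF\xE0"
             + b"\x68" + _pack_va(0x402E20) + b"\xB8" + _pack_va(0x401080)
             + b"\xFF\xD0\xFF\xE0")
    put(0x402E40, stub2)
    return bytes(img)


if __name__ == "__main__":
    for t in find_vb6_dll_thunks(build_sample_image(), SAMPLE_BASE):
        print("%08X  slot=%08X  %s!%s" % (t["thunk_va"], t["slot_va"], t["lib"], t["func"]))
```

Run against the sample it prints the two stubs with their cache slots; against a real dump, replace build_sample_image() with the mapped bytes and the image's load address. The cache slot addresses are worth keeping: a breakpoint on write to one of them fires exactly when that API is first resolved, which is a quieter alternative to breaking on every DllFunctionCall.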
xsp!d3r Posted March 16, 2009
Heh O_o, didn't know that it's packed. Maybe it's a VB packer!!
Godkiller Posted March 30, 2009
It was bad, it doesn't run on my machine!