Tuts 4 You

Hi All

I'm not sure if these kinds of requests are welcome. :unsure:

I am trying to reverse a worm and am having trouble doing it. I found that the worm is packed using AutoIt. Could somebody please assist me in reversing it? Let me know if you need the source.

I understood the behavior of the worm, but I am trying to dig deep into the code to understand things better.

Thanks for your assistance in advance,

Note: I've already tried using an AutoIt decompiler with no luck. It doesn't identify the executable :down:

  • Author

Got the worm attached; password: infected.

This worm usually spreads from one machine to another via shared drives (open to everyone) and via external storage media (with the help of an autorun.inf file). It drops the same file to %systemdirectory% and starts on startup using the registry key (RUN). It connects to a couple of remote web sites to download additional malware (port 88, GET ******.gif file), and deletes the source using a suicide.bat file that was dropped in the %temp% directory. This is what I know of this worm, but can somebody reverse this? I think it is obfuscated AutoIt-packed.

*Edit*

Checks the availability of a debugger - "IsDebugger" present

csrcs.zip

Edited by ~karthikeyanck~

  • Author

I'm trying to find the OEP of the exe; can somebody shed some light? :rolleyes:
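
The behaviours listed in the thread above (autorun.inf on shared or removable drives, a copy in the system directory started from the Run key, GET requests for a .gif on port 88, a batch file dropped in %temp%) can be combined into a host triage check. This is an added example, not part of the original thread; the event field names, `sample.exe`, hostnames and paths are constructed, and `System32` is assumed to stand in for %systemdirectory%.

```python
import re

# Rules mirror the behaviours listed in the post. Event field names are
# assumptions, and "system32" stands in for %systemdirectory%.
RULES = {
    "autorun_inf_at_drive_or_share_root": lambda e: e["type"] == "file_write"
        and re.fullmatch(r"(?:[a-z]:|\\\\[^\\]+\\[^\\]+)\\autorun\.inf", e["path"], re.I),
    "run_key_points_into_system_dir": lambda e: e["type"] == "reg_set"
        and e["key"].lower().endswith(r"\currentversion\run")
        and "\\system32\\" in e["value"].lower(),
    "http_get_gif_on_port_88": lambda e: e["type"] == "http"
        and e["method"] == "GET" and e["port"] == 88
        and e["uri"].lower().split("?")[0].endswith(".gif"),
    "batch_file_dropped_in_temp": lambda e: e["type"] == "file_write"
        and re.search(r"\\temp\\[^\\]+\.bat$", e["path"], re.I),
}

def triage(events):
    """Return {rule_name: [matching events]} for every rule that fired."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev)
    return hits

def looks_like_described_worm(events, threshold=3):
    """Flag a host only when several distinct behaviours co-occur."""
    return len(triage(events)) >= threshold

# Constructed sample events (not taken from the attached sample).
SAMPLE_EVENTS = [
    {"type": "file_write", "path": r"E:\autorun.inf"},
    {"type": "file_write", "path": r"\\fileserver\public\autorun.inf"},
    {"type": "file_write", "path": r"C:\Windows\System32\sample.exe"},
    {"type": "reg_set", "value": r"C:\Windows\System32\sample.exe",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"type": "http", "method": "GET", "port": 88, "uri": "/img/pic.gif"},
    {"type": "http", "method": "GET", "port": 80, "uri": "/logo.gif"},
    {"type": "file_write", "path": r"C:\Users\user\AppData\Local\Temp\suicide.bat"},
]

if __name__ == "__main__":
    for rule_name, matched in triage(SAMPLE_EVENTS).items():
        print(rule_name, len(matched))
    print("flag host:", looks_like_described_worm(SAMPLE_EVENTS))
```

Requiring several distinct behaviours before flagging keeps a lone autorun.inf or a single batch file in a temp directory from raising an alert on its own.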
