Tuts 4 You

Reversing worm


~karthikeyanck~

Hi All

I'm not sure if these kinda requests are welcomed. :unsure:

I am trying to reverse a worm and am having trouble doing it. I found that the worm is packed using AutoIt. Could somebody please assist me in reversing it? Let me know if you need the source.

I understood the behavior of the worm, but I am trying to dig deep into the code to understand things better.

Thanks for your assistance in advance,

Note: I've already tried using an AutoIt decompiler with no luck. It doesn't identify the executable :down:

~karthikeyanck~

Got the worm attached, password - infected.

This worm usually spreads from one machine to another via shared drives (open to everyone) and via external storage media (with the help of an autorun.inf file). It drops the same file to %systemdirectory% and starts on startup using the registry key (RUN). It connects to a couple of remote web sites to download additional malware (port 88 GET ******.gif file), and deletes the source using a suicide.bat file that was dropped in the %temp% directory. This is what I know of this worm, but can somebody reverse this? I think it is obfuscated AutoIt packed.

*Edit*

Checks the availability of a debugger - "IsDebugger" present

csrcs.zip

Edited by ~karthikeyanck~
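
The behaviours listed in the post above are individually common on clean machines, so they are more useful correlated per host than alerted on one at a time. The following is an added example, not part of the original thread: it applies one rule per described behaviour to constructed telemetry. The event layout, host names, file paths and the threshold of 3 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the post): (host, kind, detail).
# The tuple layout and every host, path and domain here are hypothetical.
EVENTS = [
    ("pc1", "file_create", r"E:\autorun.inf"),
    ("pc1", "file_create", r"C:\Windows\System32\sample.exe"),
    ("pc1", "reg_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sample"),
    ("pc1", "http", "GET example.test:88 /a1b2.gif"),
    ("pc1", "file_create", r"C:\Users\u\AppData\Local\Temp\suicide.bat"),
    ("pc2", "file_create", r"C:\Users\u\AppData\Local\Temp\build.bat"),
    ("pc2", "http", "GET example.test:80 /logo.gif"),
]

# One rule per behaviour described in the post: (event kind, pattern).
RULES = {
    "autorun_inf_on_drive_root": ("file_create", re.compile(r"^[A-Z]:\\autorun\.inf$", re.I)),
    "drop_in_system_dir": ("file_create", re.compile(r"\\Windows\\System32\\[^\\]+\.exe$", re.I)),
    "run_key_persistence": ("reg_set", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    "gif_fetch_on_port_88": ("http", re.compile(r"^GET \S+:88 \S+\.gif$", re.I)),
    "suicide_bat_in_temp": ("file_create", re.compile(r"\\Temp\\suicide\.bat$", re.I)),
}

def match_behaviours(events):
    """Return {host: set of rule names that fired on that host}."""
    hits = defaultdict(set)
    for host, kind, detail in events:
        for name, (rule_kind, pattern) in RULES.items():
            if kind == rule_kind and pattern.search(detail):
                hits[host].add(name)
    return dict(hits)

def flag_hosts(events, threshold=3):
    """Hosts where at least `threshold` distinct behaviours co-occur."""
    matched = match_behaviours(events)
    return sorted(h for h, rules in matched.items() if len(rules) >= threshold)

if __name__ == "__main__":
    for host, rules in match_behaviours(EVENTS).items():
        print(host, sorted(rules))
    print("flagged:", flag_hosts(EVENTS))
```
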
~karthikeyanck~

I'm trying to find the OEP of the exe, can somebody shed some light :rolleyes:
