aj3423 Posted September 26, 2013

Hi, I'm new to tuts4you. I found that all the other posts are UnpackMes, and I want to analyze a virus to see what it does, but I don't know how to unpack it. It's packed with VMProtect 2.07. Could anyone shed some light on this? A tutorial would be great :)

Again, it's a virus, don't run it directly. The virus deletes itself after running, so the unpacking is successful if it disappears when executed. Thanks.

Attachment: virus.rar
Loki Posted September 26, 2013

This is fine as you have clearly stated it's malicious. Moved to the Malware forum though.
kao Posted September 26, 2013

If you want to get a high-level overview, put a breakpoint on CreateProcessA and dump the file from memory. Many functions will still be protected by the VMProtect virtual machine, but the strings are in the clear and you'll be able to get an idea of how it's supposed to work. ProcMon should work too.

Strings from the dump:

HalDispatchTable
hal.dll
cmd /c taskkill /f /pid %d && ping 127.0.0.1 -n 5 > nul && del /f /q "%s" > nul
*/tj.aspx
www.asp0202.com
XP-SP%d-%d
2K3-SP%d-%d
VISTA-SP%d-%d
WIN7-SP%d-%d
WIN8-SP%d-%d
a=%s&b=%s&c=%s&d=%d&e=%s&f=%d&g=%c&h=%d
%s?u=%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontDPI
FontSize
FontSize
MmGetSystemRoutineAddress
RtlAnsiStringToUnicodeString
RtlFreeUnicodeString
ExAllocatePoolWithTag
ExFreePool
sbiedll.dll
%s\drivers\%s.sys
%s.sys
\\.\npkcrypt
%s\%s.sys
%s.sys
\\.\slPWACP
smss.exe
csrss.exe
GET %s HTTP/1.1
Host: %d.%d.%d.%d
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 5.00; Windows 98)
Connection: Keep-Alive
//./%s
%allusersprofile%\NTUSER.DAT
%SystemRoot%\System32\ntdll.dll

If you want to de-virtualize each and every function, search the board, I think there were tools and tutorials dealing with the VMProtect VM.
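The triage kao describes (dump the image at the CreateProcessA breakpoint, then read the clear-text strings) can be scripted. The following is an added example, not code from the thread or from any tool posted in it: it runs a `strings -n`-style extraction over a dumped buffer and sorts the hits into rough categories (self-deletion command, C2 URL pieces, OS fingerprint templates, registry paths, kernel exports and device names, sandbox check). The `SAMPLE_DUMP` is constructed from the strings quoted in the post with filler bytes and is not the real sample; the category patterns are my own heuristics, not anything from the original analysis.

```python
import re
from collections import defaultdict

# Constructed stand-in for a memory dump of the unpacked image. It is built
# from the clear-text strings quoted in the thread plus filler bytes; it is
# NOT the real sample and contains no executable code.
SAMPLE_DUMP = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 24
    + b"cmd /c taskkill /f /pid %d && ping 127.0.0.1 -n 5 > nul && del /f /q \"%s\" > nul\x00"
    + b"\x01\x02\x03"
    + b"*/tj.aspx\x00www.asp0202.com\x00WIN7-SP%d-%d\x00"
    + b"a=%s&b=%s&c=%s&d=%d&e=%s&f=%d&g=%c&h=%d\x00"
    + b"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontDPI\x00"
    + b"MmGetSystemRoutineAddress\x00ExAllocatePoolWithTag\x00HalDispatchTable\x00"
    + b"sbiedll.dll\x00%s\\drivers\\%s.sys\x00\\\\.\\npkcrypt\x00"
    + b"smss.exe\x00csrss.exe\x00"
    + b"GET %s HTTP/1.1\r\nHost: %d.%d.%d.%d\r\nAccept: */*\r\n\x00"
    + b"ab\x00%s\x00"            # too short to be useful; dropped by the length filter
    + b"%SystemRoot%\\System32\\ntdll.dll\x00"
)

# Heuristic buckets (my assumptions, first match wins). VMProtect virtualises
# code, not the data it references, so these strings survive in the dump.
CATEGORIES = [
    ("sandbox-check",   re.compile(r"sbiedll\.dll", re.I)),          # Sandboxie DLL
    ("self-delete",     re.compile(r"taskkill|del /f", re.I)),
    ("network",         re.compile(r"^(GET|POST) |^Host: |^www\.|\.aspx$|^[a-z]=%[sdc]&", re.I)),
    ("os-fingerprint",  re.compile(r"^(XP|2K3|VISTA|WIN7|WIN8)-SP%d")),
    ("registry",        re.compile(r"^(SOFTWARE|SYSTEM|HKLM|HKCU)\\", re.I)),
    ("kernel/driver",   re.compile(r"^\\\\\.\\|\.sys$|^(Hal|Mm|Ex|Rtl|Ke|Ps|Zw)[A-Z]")),
    ("system-process",  re.compile(r"^(smss|csrss|lsass|winlogon)\.exe$", re.I)),
    ("format-template", re.compile(r"%[sdc]")),
]


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Return runs of printable ASCII of at least min_len bytes (like `strings -n`)."""
    pattern = rb"[\x20-\x7e\t\r\n]{%d,}" % min_len
    found = (m.decode("ascii").strip() for m in re.findall(pattern, data))
    return [s for s in found if len(s) >= min_len]


def classify(s: str) -> str:
    """Name the first category whose pattern matches, else 'other'."""
    for name, pat in CATEGORIES:
        if pat.search(s):
            return name
    return "other"


def triage(data: bytes) -> dict:
    """Group the extracted strings by category, preserving dump order."""
    buckets = defaultdict(list)
    for s in extract_strings(data):
        buckets[classify(s)].append(s)
    return dict(buckets)


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_DUMP).items():
        print(f"[{cat}]")
        for s in items:
            print("   ", repr(s))
```

Run it against a real dump by replacing `SAMPLE_DUMP` with the bytes of the dumped file; anything landing in "other" (here the `%SystemRoot%\System32\ntdll.dll` path) is what you then read by hand.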