Allaple Worm |
| Name: Temesgen Kitaw Damenu |
| The malware analyzed is a network worm called Allaple. The worm is encrypted/compressed, multithreaded and polymorphic. This made the analysis complicated. There are also interesting features. The actual attack of the worm is done by a PE binary compressed in the code section of the worm. This binary is obtained after passing through repeated obfuscation techniques. The binary creates different threads for the attack on the system and on the network. The debugging process crashed on some threads, which made it difficult to understand the functionality exactly, especially the network attack. In this case the functionalities were identified by analyzing the code without debugging. |
| Rating: [0.00] Votes: [0] |
Malware Practical #971 - MyWebSearch Toolbar |
| Name: Alex Chan |
| The analyst found that the malicious code results in installation of a “Browser Helper Object” (BHO) on the affected system in the form of a “Search Toolbar”. The file targets Mozilla Firefox and Netscape browsers. The code also provides an “Update” capability for the installed toolbar. |
| Rating: [0.00] Votes: [0] |
MSN Messenger Virus |
| Name: Vincent Hutsebaut |
| This executable is a toolkit containing “annoying tools” to use with msn messenger. |
| Rating: [0.00] Votes: [0] |
Registry Key Malware |
| Name: Robert Huey-Plewinski |
| Malware creates a copy of itself, places itself in the registry for persistent start via the registry key, drops a dll, and executes the exported function. |
| Rating: [10.00] Votes: [1] |
Reverse Engineering a Sub7 Backdoor malware (Malware Practical #1505) |
| Name: InfoSec Student |
| The malware executes in a command shell. It begins by checking to see if the executing file contains the MZP file extension, and then continues to access the Windows Registry, checking to see if a few local registry values exist. The malware will then try to search for and display information regarding the executing host (such as a server) including, but not limited to, the password, port number, ICQ number, and e-mail address. |
| Rating: [0.00] Votes: [0] |
Reverse Engineering C.exe Windows Trojan - Malware Practical #1515 |
| Name: Murray |
| This is a Trojan that installs itself in the registry and hides itself in the background. It can install and copy itself to multiple files that it then moves to Windows directories. It communicates via the internet and just sits in the background, but can run a series of commands that will let a target user know it's there at times. |
| Rating: [0.00] Votes: [0] |
Reverse Engineering Email-Worm.Win32.Kermit Malware (Practical #1602) |
| Name: Rocco DiSciascio |
| The worm builds an email message that, along with the user's contacts' email addresses, is sent out to all the addressees as if it came from the user themselves. I have identified the portion of the code that builds the message using IDA Pro. See below. Note the usage of VB commands within the code. VB plays a critical role in this worm. |
| Rating: [0.00] Votes: [0] |
Reverse Engineering Email-Worm.Win32.Sivel.a - Malware Practical #1604 |
| Name: InfoSec Student |
| The malware was essentially an email worm that interfaced with Microsoft Outlook via the Outlook COM object using Visual Basic code, to send out emails containing copies of the worm to all the entries in Outlook’s address book. In a bid to improve the success of propagation, the relatively unsophisticated worm employed social engineering tricks by using strings in the email’s subject line and body and attachment name that entice the victim to open the attachment. The author of the worm even included a seemingly egoistic feature, albeit a flawed one, that displayed a birthday greeting message when it was a particular day of the year. Finally, the worm was compressed using UPX, primarily for compression purposes. |
| Rating: [0.00] Votes: [0] |
Reverse Engineering Email-Worm.Win32.Xanax Malware (Practical #1605) |
| Name: William Chua Box Chin |
| The malware that was analyzed was found to be a mass-mailing worm called Xanax. Besides propagating through email, the worm also uses IRC channels as an alternate medium for distribution. Although Xanax was written in C, the analyst encountered the use of scripting languages (such as Visual Basic Scripting and mIRC script) by the Xanax worm for propagation. In the course of the analysis, several crashes were encountered by the analyst. It was later verified that the crashes were due to a lack of checks in the code used for infecting the legitimate system executables. In situations where the Xanax worm failed to open the executable to infect, the code would crash when an attempt was made to close an invalid file handle at the end of the infection routine. In order to observe and analyze the behavior of the worm beyond the crash point, the analyst performed some specific operations to bypass the file infection routine so that proper analysis could be performed. |
| Rating: [1.00] Votes: [1] |
Reverse Engineering HackTool.Win32.PHPInject.exe - Malware Practical #241 |
| Name: Arjun Pednekar |
| The application under analysis was a Hacktool, which is used to automate the process of identifying RFI-vulnerable web applications from a list of URLs.
Behavioural patterns of malware
The executable was compiled using the Microsoft Visual Basic (6.0) compiler and was not intended to infect the system on which it was launched. It did, however, help the user speed up the manual process of locating RFI-vulnerable web applications. |
| Rating: [0.00] Votes: [0] |