1. Reverse Engineering radar.dll Malware (Practical #1507)

Overall, this malware sample appears to be one of several components that make up a trojan capable of recording users' keystrokes. Without the other components, it was not possible to actually observe this behavior; however, reverse engineering helped identify and explain some of the malware's functionality, as well as provide a clear image of its capabilities. The given file is used to generate and configure another executable which, if installed on a system, will record users' keystrokes and send a log to a location of the attacker's choosing. This represents a significant threat as it potentially provides an attacker with remote access to sensitive data, such as credit card numbers or passwords.
From: Malware
Rating: [10.00] Votes: [1] Hits: [99]
2. Reverse Engineering Email-Worm.Win32.Xanax Malware (Practical #1605)

The malware that was analyzed was found to be a mass-mailing worm called Xanax. Besides propagating through email, the worm also uses an IRC channel as an alternate medium for distribution. Although Xanax was written in C, the analyst encountered the use of scripting languages (such as Visual Basic Scripting and mIRC script) by the Xanax worm for propagation. In the course of the analysis, several crashes were encountered by the analyst. It was later verified that the crashes were due to the lack of a check in the code used for infecting the legitimate system executables. In situations where the Xanax worm failed to open the executable to infect, the code would crash when an attempt was made to close an invalid file handle at the end of the infection routine. In order to observe and analyze the behavior of the worm beyond the crash point, the analyst performed some specific operations to bypass the file infection routine so that proper analysis could be performed.
From: Malware
Rating: [1.00] Votes: [1] Hits: [94]
3. Reverse Engineering the Trojan-Downloader.WMA-GetCodec.u Malware (Practical #1216)

The malware comes packaged in a compressed executable archive, consisting primarily of additional zip files. These files, despite differing names, are composed primarily of the same components.

161.music.au
157.crack.zip.kwd
158.keygen.zip.kwd
159.serial.zip.kwd
160.setup.zip.kwd
161.music.au.kwd

As suggested, the malware has two means for acquiring remote software and/or commands for execution on the system, which shall be explored throughout this report.
From: Malware
Rating: [10.00] Votes: [1] Hits: [29]
4. Registry Key Malware

Malware creates a copy of itself, places itself in the registry for persistent start via the registry key, drops a DLL, and executes the exported function.
From: Malware
Rating: [10.00] Votes: [1] Hits: [7]
5. Reverse Engineering SpamBot malware - customer.krypt.com

The malware sample appears to be a spam bot. There are two main components to it: the original malware binary that facilitates infection and propagation, and the decrypted bot that handles emailing the spam messages. The original binary included in the .rar contains an encrypted copy of the spam bot; this allows the malware author to conceal the actual functionality and purpose of the malware, as well as make detection by anti-virus scanners more difficult.
From: Malware
Rating: [0.00] Votes: [0] Hits: [94]
6. Reverse Engineering the 7y7.us/oK/svchost.exe Malware

From our code analysis, we can conclude that this malware requires to be run inside an application that is able to run JavaScript, such as a web browser. So the method of infection would most likely come from an infected webpage or infected email. It then uses vulnerabilities in the ActiveX controls to download a malicious file (svchost.exe) located on a remote server (http://7y7.us) into our computer in the Windows folder. It then tries to launch itself using ActiveX objects. Multiple instances of this malware may exist on one computer since it generates a new instance (with new semi-random names) of itself when the JavaScript is run again. This malware uses two levels of obfuscation; I believe this is to try bypassing various security mechanisms that may be in place on our host system.
From: Malware
Rating: [0.00] Votes: [0] Hits: [92]
7. Reverse Engineering WINLIBUPDATE.EXE Malware

Malware.exe initially calls the function GetSystemDirectory to find the system directory. Next, it calls GetModuleFileName to find what it is currently named and what directory it is running from. It then does a string compare against the results of what it is currently running as to see if it is running as WINLIBUPDATE.EXE. If it is not running as WINLIBUPDATE.EXE, it will copy itself to the %SYSTEM% directory with the name WINLIBUPDATE.EXE. It sets the memory @00403FB2. It then creates the process %SYSTEM%WINLIBUPDATE.EXE to run the malware it just copied/created.
From: Malware
Rating: [0.00] Votes: [0] Hits: [88]
8. Reverse Engineering Email-Worm.Win32.Kermit Malware (Practical #1602)

The worm builds an email message that, along with the user's contacts' email addresses, is sent out to all the addressees as if it came from the user themselves. I have identified the portion of the code that builds the message using IDA Pro. See below. Note the VB commands' usage within the code. VB plays a critical role in this worm.
From: Malware
Rating: [0.00] Votes: [0] Hits: [88]
9. Reverse Engineering Windows-based worm (scrgrd.exe) - Malware Practical #1252

Windows-based worm that:
◦ Opens a port on 113 and spoofs identd for IRC connections.
◦ Connects to an IRC server, joins a channel and waits for commands from the author.
◦ Commands give broad control of the machine to the author.
◦ Can steal keys for many games.
◦ Can spread by exploiting network shares with weak passwords (uses a list of common user names and passwords).
From: Malware
Rating: [0.00] Votes: [0] Hits: [87]
10. Reverse Engineering scvhosthk.dll - Malware Practical #1173

The malware installs itself into the system32 folder, and starts itself with a registry run key. It has a list of virus scanners that it detects and disables, if they are present. It has another list of security products that it detects, and if present, will not run. The malware includes a keystroke logger, which appears to be using the DLL from the Perfect Keylogger. These strings, from scvhosthk.dll, are known to be associated with the Perfect Keylogger.
From: Malware
Rating: [0.00] Votes: [0] Hits: [85]