Some VB malware

November 22nd, 2008, 12:08
Hello there!

I've been following the posts on this forum for a while, and today I found a file that I thought would be a good first try at reversing a malware myself. The file claims to be a keygen for some program, but there are a number of reasons why I don't believe it is what it claims to be. The strongest evidence is that the file has been uploaded under several different names.

After sending the file to VirusTotal I got the following result:

7 scanners report that the file is suspicious. I analyzed the file in PEiD and it turns out to be a Visual Basic executable. The next step I took was to disassemble the file with IDA, which did not turn out the way I wanted: the code at the entry point seems kind of messed up. I decided to give VB Decompiler a try and got a better-looking result. As far as I can tell, my previous assumption that the file is some sort of malware was confirmed. It uses two modules, one called modCryptText and one called modInject. Furthermore, a module CRijndael can be found in the file. At present I have no idea what the file does, as I'm installing VMware right now.

So for now I just have one question: why does IDA fail on decompiling the program, whereas I get a good result with VB Decompiler?

Also, for those who are interested in having a look at the program, you can find it attached to this post. The password is "malware" without the quotes.


November 24th, 2008, 08:31
You can find some info about these modules here:
A C++ Implementation of the Rijndael Encryption/Decryption method
ModCryptText -> VB source code of this module
Rijndael AES Block Encryption Demo (VB/ASP)

Also, modInject is a module copied from another project, but I couldn't find the source code.
So for now I just have one question: why does IDA fail on decompiling the program, whereas I get a good result with VB Decompiler?

I don't know what kind of problems you had, but the code at the EP:
.text:004015F8 public start
.text:004015F8 start:
.text:004015F8 push offset dword_401740
.text:004015FD call ThunRTMain

looks like standard code for a VB app.
Anyway, using VB Decompiler you can see that SubMain (the major procedure, related to the FormLoad event) is located at
loc_00404630: push ebp
loc_00404631: mov ebp, esp
and there you should start your adventure with this malware.
Best regards
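The reason the entry point looks empty is that a VB5/6 executable starts with nothing but `push offset VBHeader / call ThunRTMain`; the runtime then reads the real start routine (Sub Main) out of that header. The added Python example below, written for this thread and not code from any of the posters, follows that stub to the `VB5!` header and reads its `lpSubMain` field (offset 0x2C in the published VBHeader layout), which is how a VB decompiler lands on the address quoted above. The in-memory image it parses is constructed here to mirror the addresses in the thread, and the 0x400000 image base is an assumption; a real tool would read the entry RVA and image base from the PE optional header.

```python
import struct

IMAGE_BASE = 0x400000  # assumed default image base of a VB6 EXE


def find_vb_submain(image: bytes, entry_rva: int, image_base: int = IMAGE_BASE):
    """Follow the standard VB entry stub to the VBHeader and return
    (vbheader_va, submain_va). Returns None when the entry point is not
    the `68 <imm32> E8 <rel32>` stub or the header lacks the VB5! magic;
    submain_va is None when lpSubMain is 0 (no Sub Main, form startup)."""
    ep = entry_rva
    if len(image) < ep + 10 or image[ep] != 0x68 or image[ep + 5] != 0xE8:
        return None
    header_va = struct.unpack_from("<I", image, ep + 1)[0]  # push offset VBHeader
    header_rva = header_va - image_base
    if header_rva < 0 or header_rva + 0x30 > len(image):
        return None
    if image[header_rva:header_rva + 4] != b"VB5!":
        return None
    # VBHeader: szVbMagic, wRuntimeBuild, szLangDll, szSecLangDll,
    # wRuntimeRevision, dwLCID, dwSecLCID, then lpSubMain at +0x2C
    submain_va = struct.unpack_from("<I", image, header_rva + 0x2C)[0]
    return header_va, (submain_va or None)


def build_sample_image() -> bytearray:
    """Constructed minimal image using the addresses quoted in the thread."""
    img = bytearray(0x5000)
    ep = 0x4015F8 - IMAGE_BASE
    img[ep:ep + 5] = b"\x68" + struct.pack("<I", 0x401740)   # push offset dword_401740
    img[ep + 5:ep + 10] = b"\xE8" + struct.pack("<i", 0)     # call ThunRTMain (rel32 unused here)
    hdr = 0x401740 - IMAGE_BASE
    img[hdr:hdr + 4] = b"VB5!"
    struct.pack_into("<I", img, hdr + 0x2C, 0x404630)       # lpSubMain -> SubMain
    return img


if __name__ == "__main__":
    result = find_vb_submain(build_sample_image(), 0x15F8)
    if result is None:
        print("not a standard VB5/6 entry stub")
    else:
        header, submain = result
        print(f"VBHeader at {header:#010x}, SubMain at {submain:#010x}")
```

On the constructed image this reports SubMain at 0x00404630; a buffer whose entry bytes are anything other than the push/call stub yields None, which is the quick triage check for "is this really a VB binary".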

November 24th, 2008, 09:29
This is the usual VB_loader, as I described in the thread "torretnz fun".

Finally I got a DLL - probably "Bifrost Remote Controller".

November 24th, 2008, 11:38
So the decrypted DLL-loader with its overlays will look like this;

also added another Bifrost trojan with an unpacked DLL, for comparison;