
View Full Version : Malware which password protects office files


LaptoniC
January 12th, 2010, 22:40
Hi,
I am trying to understand the algorithm of one malware. It is detected by most of the anti-viruses as Virut.

It password protects office files like doc, xls etc. I decompiled it with VB Decompiler and found some generate-password functions, but couldn't make heads or tails of it. What can you suggest to reverse the password-generating algorithm? How can I catch it when it is putting a password?

I attached the virus and the decompiled source code. The password of the archive is "malware".

Kayaker
January 12th, 2010, 23:12
Hi

This might not be the same thing at all, just a thought, but there were a few links given in a conficker thread about how random domain names were generated. I was just thinking there might be some similarities in the algo syntax. Once virus writers develop something, they might use it elsewhere.

http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html

http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html

http://mhl-malware-scripts.googlecode.com/files/downatool.zip

LaptoniC
January 13th, 2010, 20:10
I tried to debug it on a live system, but because it is p-code I failed miserably. I tried to put memory and hardware breakpoints on the bytecode of the functions, but it didn't trigger any event. I tried with a p-code debugger and still no luck.

xelerated
January 14th, 2010, 15:50
Hi,

The frx resource could have an embedded executable; check with a resource (frx) viewer/extractor.

The decompiled files share some code base with another virus I came across on a Vietnamese site (the Google bot will translate it to English):
http://www.giaiphapexcel.com/forum/showthread.php?t=13143

This GUID in frmMain.frm is linked to the worm mentioned in the above post: 649EEC1E-B012-4E8C-BB3B-4997F8000000
ref: http://www.threatexpert.com/report.aspx?uid=672aa684-3732-4a6d-8de8-3c11a168c0bd

Are you trying to figure out the GeneratePass function algorithm?

LaptoniC
January 14th, 2010, 20:04
Thanks for the info. Yes I am trying to understand how the password generation works so I can remove the password from some of my files.

kiki
January 20th, 2010, 23:36
If you are in a hurry to remove the password, try Elcomsoft AOPR.

LaptoniC
January 21st, 2010, 10:42
If you look at the source you will see that it is not a small password. I couldn't understand the algorithm, but it looks like a long password. I have already tried with that program and it couldn't find the password.