Thread: Suspicious file - Can't unpack

  1. #1
    0x0804
    Guest

    Question Suspicious file - Can't unpack

    Hi,

    We have been getting a lot of spam with this exe so I decided to see what it does. Problem is I cannot identify how this file is packed/crypted. Can someone tell me how to detect that? I don't want to know just the name of the packer but the whole logic behind identifying the packer. My PEiD did not identify it. IDA said I need to rebuild the IAT manually. Olly just dies. I tried to single step it in a VM, and this file seems to call the urlmon_ReleaseBindinfo function from urlmon.dll. If I can unpack it I would like to analyze it to see what it does.
    File can be downloaded from here

    WARNING : FOR ALL I KNOW THIS FILE IS A VIRUS/TROJAN. DO NOT RUN IT. Please be cautious with it as much as possible. I take no responsibility in any loss of data occurred due to this file, it will be your own responsibility.

    http://rapidshare.com/files/27840626/hotfix-61924.rar.html

    Cheers
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    hi,

    Can someone tell me how to detect that?
    maybe you can try studPE, or possibly other tools (I didn't follow what is recent on Windows nowadays), just to confirm no tool identifies this packer?

    It is entirely possible that the author used his own, or modified an existing one.
    The process of identifying is probably in general to look for specific patterns in the headers, and in the binary content at all, so I do not know how to give more specific help.

    regards, 0xf001
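    To make the "patterns in the headers" idea concrete, here is an added example (not code from the thread or from any poster) that parses a PE's COFF, optional and section headers by hand and reports the signals an analyst weighs first when no signature tool fires: which section holds the entry point and whether it is writable, per-section entropy, unusual section names, and whether an import directory exists at all (IDA's "rebuild IAT manually" is the runtime symptom of that last one). The PE it inspects is constructed inline; `build_sample_pe`, `analyze_pe` and the thresholds are my own choices, not a known packer signature.

```python
import math
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
COMMON_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata", b".rsrc", b".reloc"}

def build_sample_pe(section_name=b"UPX1", payload=None):
    """Constructed minimal PE32 image (not the thread's sample): one section,
    entry point inside it, no import directory, optionally a high-entropy body."""
    if payload is None:
        # every byte value occurs equally often -> 8.0 bits/byte, like packed data
        payload = bytes((i * 7919 + 13) % 256 for i in range(4096))
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew -> PE header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    raw_off = len(dos) + len(coff) + len(opt) + 40         # section body follows headers
    sect = struct.pack("<8sIIIIIIHHI", section_name, len(payload), 0x1000,
                       len(payload), raw_off, 0, 0, 0, 0,
                       0xE0000020)                         # code | exec | read | write
    return bytes(dos) + coff + bytes(opt) + sect + payload

def entropy(data):
    """Shannon entropy in bits per byte; close to 8.0 means compressed or encrypted."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data) or 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def analyze_pe(buf):
    """Collect the header facts a packer-identification pass starts from."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    ep = struct.unpack_from("<I", buf, opt + 16)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories: PE32 vs PE32+
    imp_rva, imp_size = struct.unpack_from("<II", buf, dirs + 8)   # directory[1] = imports
    report = {"entry_rva": ep, "entry_section": None,
              "imports_present": imp_rva != 0 and imp_size != 0,
              "sections": [], "signs": []}
    for i in range(nsect):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        name = name.rstrip(b"\0")
        ent = entropy(buf[rawptr:rawptr + rawsize])
        report["sections"].append({"name": name, "entropy": round(ent, 2)})
        if va <= ep < va + max(vsize, rawsize):
            report["entry_section"] = name
            if chars & IMAGE_SCN_MEM_WRITE:
                report["signs"].append("entry point in a writable section (stub decrypts in place)")
        if ent > 7.0:
            report["signs"].append("high entropy in %s (compressed/encrypted body)" % name.decode())
        if name not in COMMON_SECTIONS:
            report["signs"].append("unusual section name %s" % name.decode())
    if not report["imports_present"]:
        report["signs"].append("no import directory (IAT is rebuilt at run time)")
    return report
```

    None of these signs alone proves a packer, but a writable entry section, an 8.0-entropy body and an empty import table together are what a heuristic detection such as the one quoted later in this thread keys on.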

  3. #3
    The first layer is a trivial (probably polymorphic) decryptor. The call to ReleaseBindinfo is just to screw up AV emulation - it passes in a NULL pointer each time through the decryption loop. Underneath is an unpacker that looks familiar (especially the decompression algorithm), but I can't remember what it is.

    The unpacker starts at 559400. I have to go down the pub now, I'll have a go at unpacking it later this evening.

  4. #4
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    argh shit omfg description i dont know how many files i miss because
    these avs dont know wtf it is

    Trojan.Packed.13
    Risk Level 1: Very Low
    Discovered: February 1, 2007
    Updated: April 12, 2007 10:55:39 PM
    Type: Trojan
    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

    Trojan.Packed.13 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal files from antivirus software.

    Protection
    Virus Definitions (LiveUpdate™ Daily) February 2, 2007
    Virus Definitions (LiveUpdate™ Weekly) February 7, 2007
    Virus Definitions (Intelligent Updater) February 2, 2007
    Virus Definitions (LiveUpdate™ Plus) February 2, 2007
    Threat Assessment
    Wild Level: Low
    Number of Infections: 0 - 49
    Number of Sites: 0 - 2
    Geographical Distribution: Low
    Threat Containment: Easy
    Removal: Easy
    Damage Level: Low
    Distribution Level: Low
    we need to submit this and this is advanced technical description

    this was DISCOVERED by columbus on a specific date as well
    what can i say

    and my av promptly deleted this so at least it does what it says

    A packer is a tool that compresses, encrypts or obfuscates Windows PE files. Malware authors often use packers to conceal threats from detection by antivirus software. Trojan.Packed.13 detects a packer that is not known to be used for legitimate purposes.

    Files that are detected as Trojan.Packed.13 are considered malicious. We suggest that any files you believe are incorrectly detected as Trojan.Packed.13 be submitted to Symantec Security Response. For instructions on how to do this using Scan and Deliver, read How to submit a file to Symantec Security Response using Scan and Deliver.

    Recommendations
    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
    If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

  5. #5
    0x0804
    Guest
    Quote Originally Posted by blabberer View Post
    argh shit omfg description i dont know how many files i miss because
    these avs dont know wtf it is
    When I submitted this file on virus total to see if its something documented, McAfee did not detect anything.

    I am going to try and unpack it just for learning more. :-)

    Cheers
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  6. #6
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    FYI, OEP is at 401880. Pretty interesting packer, I'm still analyzing it but I like what I'm seeing. VirtualAllocing and changing its location, a little bit of self-modifying code, using the PEB to get the kernel32 base address and TEA for decryption, a little bit of anti-debug, it's pretty cool
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section
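    Since the decryptor is identified as TEA, here is an added reference implementation (not code from the thread, the sample or any poster) of what an analyst looks for to confirm that identification: the round constant 0x9E3779B9, its 32-round sum 0xC6EF3720 that decryption starts from, the shift-by-4/shift-by-5 mixing, and the four 32-bit key words. It round-trips a constructed buffer; `tea_decrypt_buffer`, the ECB block layout and `SAMPLE_KEY` are my own assumptions about how a stub would use the cipher, not facts about this packer.

```python
import struct

DELTA = 0x9E3779B9   # TEA round constant; this immediate in a loop is the usual tell
MASK = 0xFFFFFFFF

def tea_encrypt_block(v0, v1, key, rounds=32):
    """Standard TEA: encrypt one 64-bit block (two 32-bit words) with a 128-bit key."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(rounds):
        total = (total + DELTA) & MASK
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1

def tea_decrypt_block(v0, v1, key, rounds=32):
    """Inverse of tea_encrypt_block: the sum starts at DELTA * rounds (0xC6EF3720
    for 32 rounds) and the two half-updates run in reverse order."""
    k0, k1, k2, k3 = key
    total = (DELTA * rounds) & MASK
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1

def _map_blocks(data, key, rounds, block_fn):
    # Little-endian 8-byte blocks, no chaining (ECB), the simplest stub layout (assumption)
    if len(data) % 8:
        raise ValueError("TEA works on whole 8-byte blocks")
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<II", data, off)
        out += struct.pack("<II", *block_fn(v0, v1, key, rounds))
    return bytes(out)

def tea_encrypt_buffer(data, key, rounds=32):
    return _map_blocks(data, key, rounds, tea_encrypt_block)

def tea_decrypt_buffer(data, key, rounds=32):
    """Decrypt an extracted layer with a key recovered from the stub (rounds is a
    parameter so a non-standard loop count can be matched)."""
    return _map_blocks(data, key, rounds, tea_decrypt_block)

# Constructed sample: a fake 24-byte "layer 2" and a made-up key (not the sample's)
SAMPLE_KEY = (0x11223344, 0x55667788, 0x99AABBCC, 0xDDEEFF00)
SAMPLE_PLAIN = b"MZ\x90\x00" + b"constructed payload."

if __name__ == "__main__":
    ct = tea_encrypt_buffer(SAMPLE_PLAIN, SAMPLE_KEY)
    print(ct.hex())
    print(tea_decrypt_buffer(ct, SAMPLE_KEY))
```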

  7. #7
    Super Moderator
    Join Date
    Dec 2004
    Posts
    1,486
    Blog Entries
    15
    this file doesn't look hard to unpack in any way, the procedures/decryptors all look vaguely familiar

    the code that fetches the kernel32 base address and getproc address seems to be stolen from Iczelion's download site (there is a sample kernel.exe in there with source code that exactly shows how to fetch the kernel base and getproc address of anything in an exe without an import table)

    if my memory serves me right this crap is a byte to byte copy of that source

    the 20 times loop decryptor seems to be stolen from several crackmes I've seen (yeah iirc it's called tea or something)

    Code:
    this is the whole main body of the unpacker stub after it moved home a few times
    
    003B05FA  PUSH    EDX                                             ; ntdll.KiFastSystemCallRet
    003B05FB  PUSH    ESI
    003B05FC  CALL    <findingnemoimeansectionnames>
    003B0601  LEA     EBX, DWORD PTR DS:[EAX]
    003B0603  INC     EBX                                             ; hotfix-6.00400000
    003B0604  CMP     DWORD PTR DS:[EBX], 63727372
    003B060A  JE      SHORT 003B0653
    003B060C  MOV     EBX, DWORD PTR DS:[EAX+C]
    003B060F  CMP     DWORD PTR SS:[EBP+10], 1
    003B0613  JE      SHORT 003B0618
    003B0615  MOV     EBX, DWORD PTR DS:[EAX+14]
    003B0618  MOV     ECX, DWORD PTR DS:[EAX+10]
    003B061B  TEST    ECX, ECX
    003B061D  JE      SHORT 003B0653
    003B061F  MOV     EAX, DWORD PTR SS:[EBP+18]
    003B0622  CMP     EBX, EAX
    003B0624  JNZ     SHORT 003B062D
    003B0626  MOV     EAX, DWORD PTR SS:[EBP+14]
    003B0629  SUB     EAX, EBX                                        ; hotfix-6.00400000
    003B062B  MOV     ECX, EAX
    003B062D  ADD     EBX, DWORD PTR SS:[EBP+8]
    003B0630  CMP     DWORD PTR SS:[EBP+10], 1
    003B0634  JE      SHORT 003B0642
    003B0636  PUSH    DWORD PTR SS:[EBP+C]
    003B0639  PUSH    ECX
    003B063A  PUSH    EBX                                             ; hotfix-6.00400000
    003B063B  CALL    003B065F
    003B0640  JMP     SHORT 003B0653
    003B0642  PUSH    ECX
    003B0643  PUSH    EBX                                             ; hotfix-6.00400000
    003B0644  CALL    <getprocandcall>
    003B0649  PUSH    DWORD PTR SS:[EBP+C]
    003B064C  PUSH    ECX
    003B064D  PUSH    EBX                                             ; hotfix-6.00400000
    003B064E  CALL    <wrappertosomecraphasher>
    003B0653  TEST    EDX, EDX                                        ; ntdll.KiFastSystemCallRet
    003B0655  JNZ     SHORT 003B05F9
    003B0657  MOV     EAX, DWORD PTR SS:[EBP-4]
    003B065A  POPAD
    003B065B  LEAVE
    003B065C  RETN    14
    after decrypting this wants to attack .mil .gov and .god all at the same time

    Code:
    Text strings referenced in hotfix-6:.text
    Address    Disassembly                               Text string
    00401009   NOT     EAX                               (Initial CPU selection)
    00401147   PUSH    hotfix-6.004031B8                 ASCII "Registry Editor"
    00401365   PUSH    hotfix-6.004031D8                 ASCII "microsoft"
    00401383   PUSH    hotfix-6.004031D0                 ASCII ".gov"
    004013A1   PUSH    hotfix-6.004031C8                 ASCII ".mil"
    004014AE   PUSH    hotfix-6.004031F0                 ASCII "*.*"
    004014F0   PUSH    hotfix-6.004031EC                 ASCII ".."
    00401665   MOV     DWORD PTR SS:[ESP], hotfix-6.004  ASCII "kernel32.dll"
    00401676   PUSH    hotfix-6.00403260                 ASCII "RegisterServiceProcess"
    0040169A   PUSH    hotfix-6.00403254                 ASCII "//alsys.exe"
    004016E4   PUSH    hotfix-6.004031E4                 ASCII "Agent"
    0040170F   PUSH    hotfix-6.00403224                 ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess"
    00401723   PUSH    hotfix-6.0040321C                 ASCII "Start"
    0040173A   PUSH    hotfix-6.00403214                 ASCII "SFC.DLL"
    00401753   PUSH    hotfix-6.00403200                 ASCII "SfcIsFileProtected"
    0040176E   MOV     ESI, hotfix-6.004031F4            ASCII "klllekkdkkd"
    004017F4   PUSH    hotfix-6.00403288                 ASCII ".exe"
    004019D7   PUSH    hotfix-6.00403854                 ASCII "%s, %d %s %04d %02d:%02d:%02d %c%02d%02d"
    004019F3   PUSH    hotfix-6.004038D8                 ASCII "Dnsapi.dll"
    00401A06   PUSH    hotfix-6.004038CC                 ASCII "DnsQuery_A"
    00401D1F   MOV     ESI, hotfix-6.004039A0            ASCII "From: <%s>
    To: %s
    Date: %s
    Subject: %s
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    	boundary="%s"
    
    This is a multi-part message in MIME format.
    --%s
    Content-Type: text/plain;
    	charset="iso-8859-1"
    Content-Transfer-Encodi"...
    00401DAE   PUSH    hotfix-6.0040399C                 ASCII "220"
    00401DC4   PUSH    hotfix-6.00403988                 ASCII "HELO localhost
    "
    00401E17   PUSH    hotfix-6.00403984                 ASCII "250"
    00401E92   PUSH    hotfix-6.00403974                 ASCII "yahoo.com"
    00401EAA   PUSH    hotfix-6.00403960                 ASCII "MAIL FROM:<%s>
    "
    00401EF5   PUSH    hotfix-6.00403984                 ASCII "250"
    00401F11   PUSH    hotfix-6.00403950                 ASCII "RCPT TO:<%s>
    "
    00401F5C   PUSH    hotfix-6.0040394C                 ASCII "25"
    00401F72   PUSH    hotfix-6.00403944                 ASCII "DATA
    "
    00401FC1   PUSH    hotfix-6.00403940                 ASCII "354"
    00402079   PUSH    hotfix-6.00403934                 ASCII "
    --%s--
    "
    004020A0   PUSH    hotfix-6.0040392C                 ASCII "
    .
    "
    0040218B   PUSH    hotfix-6.00403E84                 ASCII "%s%d"
    004021AA   PUSH    hotfix-6.00403E80                 ASCII "%s"
    someone in some other thread asked if sexual implications are probably the root cause of viral infections, what better proof than this?

    Code:
    00403000  @.. @..2@...@......C..~C..dC..RC..FC..6C..(C..C...C...C..B..
    00403040  B..B..B..B..B..B..pB..bB..TB..@..@..A.. A...A..@A..\A..
    00403080  nA..zA..A..A..A..A..A..A..A..A..A..B..B..2B..DB......
    004030C0  @..@..@..@..P@..^@..n@..@..@......s.........4....
    00403100  ....t......mcafee..taskmgr.hijack..f-pro...lockdown....msco
    00403140  nfig....firewall....blackice....avg.vsmon...zonea...spybot..nod3
    00403180  2...reged...rav.nav.avp.troja...viru....anti....alsys...Registry
    004031C0   Editor..mil.....gov....microsoft...Agent.......*.*.klllekkdkkd.
    00403200  SfcIsFileProtected..SFC.DLL.Start...SYSTEM\CurrentControlSet\Ser
    00403240  vices\SharedAccess..//alsys.exe.RegisterServiceProcess..kernel32
    00403280  .dll.....exe....A Precious Gift.Sent with Love..You're In My Tho
    004032C0  ughts...Memories of You.A Toast My Love.You... In My Dreams.A Ro
    00403300  se..Magic Power Of Love.Eternal Love....When Love Comes Knocking
    00403340  ....A Is For Attitude...Come Relax with Me..A Rose for My Love..
    00403380  Our Journey.Surrounded by Love..Come Dance with Me..Pages from M
    004033C0  y Heart.You're my Dream.The Moon & Stars....Kisses Through E-mai
    00403400  l...Dream of You....Heavenly Love...Happy I'll Be Your Bride....
    00403440  A Dream is a Wish...Special Romance.Words in my Heart...You're i
    00403480  n my Soul...Last Night..You're the One..Sending You All My Love.
    004034C0  In Your Arms....If Loving You...Your Friend and Lover...I Love Y
    00403500  ou Because..Destiny.Love Is.....I Would Dream...Path We Share...
    00403540  I Love You with All I Am....I Love Thee.The Time for Love...When
    00403580   You Fall in Love...Your Love Has Opened....My Love.Our Love is
    004035C0  Free....Eternity of Your Love...I Love You Soo Much.Wrapped in Y
    00403600  our Arms....Our Love Nest...Hugging My Pillow...Sending You My L
    00403640  ove.The Dance of Love...Falling In Love with You....Why I Love Y
    00403680  ou..A Kiss So Gentle....Miracle of Love.A Token of My Love..The
    004036C0  Mood for Love...For You....My Love..Our Love Will Last..Inside M
    00403700  y Heart.The Miracle of Love.Our Love is Strong..When I'm With Yo
    00403740  u...Love Remains....I am Complete...I Dream of you..My Love.exe.
    00403780  Love Postcard.exe...Love Card.exe...With Love.exe...Flash Postca
    004037C0  rd.exe..flash postcard.exe..greeting postcard.exe...Greeting Pos
    00403800  tcard.exe...greeting card.exe...Greeting Card.exe...postcard.exe
    00403840  ....Postcard.exe....%s, %d %s %04d %02d:%02d:%02d %c%02d%02d....
    00403880  Jan.Feb.Mar.Apr.May.Jun.Jul.Aug.Sep.Oct.Nov.Dec.Sun.Mon.Tue.Wed.
    004038C0  Thu.Fri.Sat.DnsQuery_A..Dnsapi.dll......ABCDEFGHIJKLMNOPQRSTUVWX
    00403900  YZabcdefghijklmnopqrstuvwxyz0123456789+/..............--%s--....
    00403940  354.DATA....25..RCPT TO:<%s>....MAIL FROM:<%s>......yahoo.com...
    00403980  @...250.HELO localhost......220.From: <%s>..To: %s..Date: %s..Su
    004039C0  bject: %s..MIME-Version: 1.0..Content-Type: multipart/mixed;...b
    00403A00  oundary="%s"....This is a multi-part message in MIME format...--
    00403A40  %s..Content-Type: text/plain;...charset="iso-8859-1"..Content-Tr
    00403A80  ansfer-Encoding: 7bit....%s..--%s..Content-Type: application/oct
    00403AC0  et-stream;...name= "%s"..Content-Transfer-Encoding: base64..Cont
    00403B00  ent-Disposition: attachment;...filename= "%s".......Zenia...Zoe.
    00403B40  Zilya...Xenia...Xylia...Xandra..Willa...Wendy...Vicky...Vivian..
    00403B80  Violet..Valora..Vanessa.Valda...Ula.Uma.Sharon..Silver..Rosa....
    00403BC0  Ruby....Rita....Rae.Rachel..Queen...Peggy...Pamela..Olivia..Olga
    00403C00  ....Nicole..Naomi...Natalie.Nora....Nina....Nova....Nadia...Maia
    00403C40  ....Mary....Melody..Mimi....Myra....Linda...Lisa....Lolita..Lynn
    00403C80  ....Laura...Lara....Kara....Kassia..Kyle....Kali....Kacey...Katr
    00403CC0  ina.Janet...Jewel...Joanna..Juliet..Julie...Ida.Idona...Isabel..
    00403D00  Iris....Ivana...Ivory...Helga...Holly...Haley...Gloria..Gilda...
    00403D40  Gale....Faith...Emily...Evelyn..Eve.Erika...Eliza...Eden....Ebon
    00403D80  y...Donna...Dora....Doris...Diana...Danielle....Daria...Damita..
    00403DC0  Camille.Cara....Carla...Carmen..Clarissa....Chelsea.Caitlin.Bett
    00403E00  ina.Blenda..Bridget.Briana..Bella...Becky...Barbra..Aldora..Alys
    00403E40  ia..Amorita.Aretina.Ara.April...Anita...http://www.google.com/..
    00403E80  %s..%s%d....>..........B@...0..?..........@..0..?..........
    00403EC0  @..0..?..........C..0......................@.. @..2@...@..
    00403F00  ....C..~C..dC..RC..FC..6C..(C..C...C...C..B..B..B..B..B..
    00403F40  B..B..pB..bB..TB..@..@..A.. A...A..@A..\A..nA..zA..A..A..
    00403F80  A..A..A..A..A..A..A..B..B..2B..DB......@..@..@..@..
    00403FC0  P@..^@..n@..@..@......s.........4........t......
    00404000  RegSetValueExA..RegCloseKey.RegDeleteValueA.RegOpenKeyEx
    00404040  A.ADVAPI32.dll..&.CharLowerA..PostMessageA..wGetWindowTextA..
    00404080  .FindWindowA..EnumWindows.wsprintfA..DispatchMessageA..:Ge
    004040C0  tMessageA.zSetTimer..USER32.dll..WS2_32.dll..Process32Next.^
    00404100  TerminateProcess..OpenProcess.4.CloseHandle.Process32First..
    00404140  r.CreateToolhelp32Snapshot..qUnmapViewOfFile.lstrcpyA..GetT
    00404180  ickCount..hMapViewOfFile.T.CreateFileMappingA..S.CreateFileA.
    004041C0  lstrlenA..lstrcmpA..VSleep.ReadFile...FindClose..FindNext
    00404200  FileA.iGetFullPathNameA...SetCurrentDirectoryA...FindFirstFil
    00404240  eA..`.CreateMutexA...ExitProcess.OpenMutexA..RLoadLibraryA..
    00404280  lstrcatA..GetSystemDirectoryA.*GetProcAddress..GetModuleH
    004042C0  andleA..}GetModuleFileNameA..SGetDriveTypeA.f.CreateProcessA..
    00404300  WriteFile.GlobalAlloc.cGetFileSize..FreeLibrary.o.CreateTh
    00404340  read..HeapAlloc.GetProcessHeap..GetSystemTimeAsFileTime..
    00404380  FileTimeToSystemTime..GetTimeZoneInformation..KERNEL32.dll....
    pamella peggy rosalyna and VIRGIN_LILY too


    and if Symantec is going to be relying on naming this packed.shit.no

    then i think they are waiting for

    unpacked.givenintheplatter.spoonfedbytwomanservervents.stomachpressedbymaidforeasydigestion.whileavi ssittingoncommode.readytoshit.1000
    to find a signature and specify wtf this is authoritatively


    i have attached a full disassembly copy from ollydbg of the unpacked executable when it is on oep

    have fun

    btw the attachment is not viral unless notepad has some vulnerability

  8. #8
    Quote Originally Posted by blabberer View Post
    and if Symantec is going to be relying on naming this packed.shit.no

    then i think they are waiting for

    unpacked.givenintheplatter.spoonfedbytwomanservervents.stomachpressedbymaidforeasydigestion.whileavi ssittingoncommode.readytoshit.1000
    to find a signature and specify wtf this is authoritatively
    Unless this particular sample has any media impact (which is unlikely, unless gazillions of samples are seen), then companies like Symantec will most likely just leave it with that name and (lack of) description. The detection is either on the initial decryption layer, or on that and the underlying packer. Which is standard in the industry nowadays - you'll pick up malicious samples without doing any extra work, and you don't have to add another unpacker to your detection engine.

    An extremely conservative estimate of how many samples the large AVs receive a week would be 15000+ (those dealing with home users as well as corporate clients will get the most). It's not in their interest, or even in their capacity to manually analyze the vast majority of those samples if they want to release timely detection.

  9. #9
    King of Redonda
    Join Date
    Jul 2006
    Posts
    109
    Blog Entries
    4
    Quote Originally Posted by blabberer View Post
    the code that fetches the kernel32 base address and getproc address seems to be stolen from Iczelion's download site (there is a sample kernel.exe in there with source code that exactly shows how to fetch the kernel base and getproc address of anything in an exe without an import table)
    I'd hardly call it stolen, it's a very standard technique (first documented by Ratter/29A I believe). Used in shellcode all the time. Even if it's exactly the same as Iczelion's version, the algo is public so you can't 'steal' it IMHO.

    Quote Originally Posted by blabberer View Post
    the 20 times loop decryptor seems to be stolen from several crackmes ive seen (yeah iirc its called tea or something)
    The TEA algorithm is public domain, how can you steal it?

    Quote Originally Posted by blabberer View Post
    after decrypting this wants to attack .mil .gov and .god all at the same time
    It wants to avoid it (also microsoft).

    Quote Originally Posted by blabberer View Post
    unpacked.givenintheplatter.spoonfedbytwomanservervents.stomachpressedbymaidforeasydigestion.whileavi ssittingoncommode.readytoshit.1000
    It's a version of W32.Worm.Nuwar (aka Zhelatin aka Dref). Read the description here: http://www.iss.net/threats/W32.Worm.Nuwar.Gen.html

    FWIW, here's my unpacked version and idb (rarizo version) for the packer (not 100% ready), plus a small idc I used to decrypt the first layer.

    THE .VXE is MALWARE
    Last edited by fr33ke; April 26th, 2007 at 05:33.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section
