Thread: Some VB malware

  1. #1
    b3n (Join Date: Mar 2007, Location: Australia, Posts: 27)

    Hello there!

    I've been following the posts on this forum for a while and today I found a file that I thought would be a good try at reversing a malware myself. The file claims to be a keygen for some program, but there are a number of reasons why I don't believe it is what it claims to be. The strongest evidence is that the file has been uploaded under several different names.

    After sending the file to VirusTotal I got the following result:
    http://www.virustotal.com/analisis/88a1465ba89419312837f6daac55f4ff

    7 scanners report that the file is suspicious. I analyzed the file in PEiD and it turns out to be a Visual Basic executable. The next step I took was to disassemble the file with IDA, which did not turn out the way I wanted. The code at the entry point seems kinda messed up. I decided to give VB Decompiler a try and got a better-looking result. As far as I can tell my previous assumptions were confirmed, that the file seems to be some sort of malware. It uses two modules, one called modCryptText and the other modInject. Furthermore a module CRijndael can be found in the file. At present I have no idea what the file does, as I'm installing VMware right now.

    So for now I just have one question: why does IDA fail on decompiling the program, whereas I get a good result with VB Decompiler?

    Also, for those who are interested in having a look at the program, you can find it attached to this post. The password is "malware" without the quotes.

    Cheers,
    b3n
    Attached Files

  2. #2
    Hi,
    You can find some info about these modules here:
    A C++ Implementation of the Rijndael Encryption/Decryption method
    http://www.codeproject.com/KB/security/aes.aspx
    modCryptText -> VB source code of this module
    http://forums.asp.net/p/1098518/1670106.aspx
    Rijndael AES Block Encryption Demo (VB/ASP)
    http://www.freevbcode.com/ShowCode.Asp?ID=2389

    Also modInject is a module copied from another project, but I couldn't find the source code.
    So for now i just have one question, why does IDA fail on decompiling the program, whereas i get a good result with VB Decompiler?
    I don't know what kind of problems you had, but the code at the EP:
    .text:004015F8 public start
    .text:004015F8 start:
    .text:004015F8 push offset dword_401740
    .text:004015FD call ThunRTMain

    looks like standard code for a VB app.
    Anyway, using VB Decompiler you can see that SubMain (the major procedure, related to the FormLoad event) is located at
    loc_00404630: push ebp
    loc_00404631: mov ebp, esp
    and that is where you should start your adventure with this malware.
    Best regards
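The point made in reply #2, that the entry point is nothing more than `push offset <VB header>` / `call ThunRTMain` and that the program's own code begins at SubMain, is the first thing to verify on a suspected VB6 sample, and it also explains the IDA result: nothing is called directly from the EP, the VB runtime reaches the program's code through the header the stub pushes, so recursive-descent disassembly from the entry point stops after two instructions. The following is an added example, not code from this thread or from VB Decompiler: a Python triage script that parses a PE32, recognises the stub, follows the pushed pointer to the `VB5!` header and reads the Sub Main address out of it. The `VB5!` field offset used (lpSubMain at 0x2C) and the constructed sample PE, whose addresses were chosen to mirror the ones quoted above, are this example's assumptions.

```python
"""Triage of a suspected VB6 executable.  Added example, not code from the
thread.  The EP is a two-instruction stub (push offset VBHeader / call
ThunRTMain); the program's own code is reached by the runtime through the
VB5! header, so a disassembler following calls from the EP stops short.
Assumed VB5! header layout: lpSubMain at offset 0x2C."""
import struct

VB_MAGIC = b"VB5!"
LP_SUBMAIN_OFF = 0x2C  # assumed offset of lpSubMain in the VB5! header


def parse_entry_stub(code: bytes):
    """Return the imm32 of a `push imm32; call rel32` stub, else None."""
    # 68 imm32 = push imm32 ; E8 rel32 = call (import thunk to ThunRTMain)
    if len(code) >= 10 and code[0] == 0x68 and code[5] == 0xE8:
        return struct.unpack_from("<I", code, 1)[0]
    return None


def parse_pe32(image: bytes):
    """Minimal PE32 parse: (image_base, entry_rva, [(va, size, raw_ptr)])."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not PE32; VB6 binaries are always 32-bit")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    sections = []
    for i in range(nsections):
        sh = opt + opt_size + 40 * i
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", image, sh + 8)
        sections.append((va, max(vsize, rawsize), rawptr))
    return image_base, entry_rva, sections


def rva_to_offset(sections, rva):
    for va, size, rawptr in sections:
        if va <= rva < va + size:
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def triage(image: bytes) -> dict:
    """Follow EP -> pushed VB5! header -> lpSubMain, reporting each step."""
    base, entry_rva, sections = parse_pe32(image)
    entry_off = rva_to_offset(sections, entry_rva)
    hdr_va = parse_entry_stub(image[entry_off:entry_off + 10])
    result = {"entry_va": base + entry_rva, "vb_header_va": hdr_va}
    if hdr_va is None:
        result["verdict"] = "entry point is not a VB6 ThunRTMain stub"
        return result
    hdr_off = rva_to_offset(sections, hdr_va - base)
    if image[hdr_off:hdr_off + 4] != VB_MAGIC:
        result["verdict"] = "pushed pointer does not reach a VB5! header"
        return result
    sub_main = struct.unpack_from("<I", image, hdr_off + LP_SUBMAIN_OFF)[0]
    result["sub_main_va"] = sub_main
    # lpSubMain is 0 when the startup object is a form rather than Sub Main
    result["verdict"] = ("VB6: start analysis at Sub Main" if sub_main
                         else "VB6: no Sub Main, startup object is a form")
    return result


def build_sample_image() -> bytes:
    """Constructed minimal PE32 (not a real sample) that mirrors the thread's
    addresses: EP 0x4015F8 pushes 0x401740 (VB5! header), SubMain 0x404630."""
    base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x400, 0x4000
    img = bytearray(text_raw + text_size)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header, EXE|32-bit
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x15F8)            # AddressOfEntryPoint
    struct.pack_into("<I", img, opt + 28, base)              # ImageBase
    sh = opt + 224                                           # section table
    img[sh:sh + 5] = b".text"
    struct.pack_into("<IIII", img, sh + 8, text_size, text_va, text_size, text_raw)
    ep = text_raw + (0x15F8 - text_va)                       # push 0x401740 ; call rel32
    img[ep:ep + 10] = b"\x68" + struct.pack("<I", 0x401740) + b"\xE8\0\0\0\0"
    hdr = text_raw + (0x401740 - base - text_va)             # VB5! header
    img[hdr:hdr + 4] = VB_MAGIC
    struct.pack_into("<I", img, hdr + LP_SUBMAIN_OFF, 0x404630)
    return bytes(img)


if __name__ == "__main__":
    for key, val in triage(build_sample_image()).items():
        print(f"{key:14} {val:#x}" if isinstance(val, int) else f"{key:14} {val}")
```

Run against a real file by replacing `build_sample_image()` with the file's bytes; the `verdict` field tells you whether the EP is the ThunRTMain stub at all, whether the pushed pointer lands on a `VB5!` header, and where Sub Main is (a zero lpSubMain means the startup object is a form, so the startup code hangs off the GUI table instead). The address the script reports is the one to set as the starting point in IDA rather than the EP.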

  3. #3
    evaluator (Join Date: Sep 2001, Posts: 1,494)
    This is the usual VB_loader, as I described in the thread "torretnz fun".

    Finally I got the DLL - probably "Bifrost Remote Controller".

  4. #4
    evaluator (Join Date: Sep 2001, Posts: 1,494)
    So the decrypted DLL loader will look like this, with its overlays;

    Also added another Bifrost trojan with unpacked DLL, for comparison;
