
Thread: Malware which password protects office files

  1. #1

    Malware which password protects office files

    Hi,
    I am trying to understand the algorithm of one malware sample. It is detected by most anti-virus products as Virut.

    It password-protects Office files like .doc, .xls, etc. I decompiled it with VB Decompiler and found some password-generating functions but couldn't make head or tail of them. What can you suggest for reversing the password-generating algorithm? How can I catch it when it is setting a password?

    I attached the virus and the decompiled source code. The password of the archive is "malware".
    "There is only one road to human greatness: through the school of hard knocks." Albert Einstein

  2. #2
    Kayaker (Teach, Not Flame)
    Hi

    This might not be the same thing at all, just a thought, but there were a few links given in a conficker thread about how random domain names were generated. I was just thinking there might be some similarities in the algo syntax. Once virus writers develop something, they might use it elsewhere.

    http://blog.threatexpert.com/2008/11/srizbis-domain-calculator.html

    http://blog.fireeye.com/research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html

    http://mhl-malware-scripts.googlecode.com/files/downatool.zip

  3. #3
    I tried to debug it on a live system, but because it is p-code I failed miserably. I tried to put memory and hardware breakpoints on the bytecode of the functions, but it didn't trigger any event. I tried with a p-code debugger and still had no luck.

  4. #4
    xelerated (Guest)
    Hi,

    The .frx resource could have an embedded executable; check with a resource (.frx) viewer/extractor.

    The decompiled files share some code base with another virus I came across on a Vietnamese site (Google will translate it to English):
    http://www.giaiphapexcel.com/forum/showthread.php?t=13143

    This GUID in frmMain.frm is linked to the worm mentioned in the above post: 649EEC1E-B012-4E8C-BB3B-4997F8000000
    ref: http://www.threatexpert.com/report.aspx?uid=672aa684-3732-4a6d-8de8-3c11a168c0bd

    Are you trying to figure out the GeneratePass function algorithm?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  5. #5
    Thanks for the info. Yes, I am trying to understand how the password generation works so I can remove the password from some of my files.

  6. #6
    If you are in a hurry to remove the password, try Elcomsoft AOPR.

  7. #7
    If you look at the source you will see that it is not a small password. I couldn't understand the algorithm, but it looks like a long password. I have already tried with that program and it couldn't find the password.
