
Thread: my USB another infection..

  1. #1 evaluator (Musician member, joined Sep 2001, 1,479 posts, 1 blog entry)

    my USB another infection..

    file "~$WX.FAT" is a DLL;
    it will be executed via shortcut by "rundll32.exe";
    its exported function "crys" will load file "desktop.ini",
    which is program code to download/decrypt/execute a file from:
    "http://suckmycocklameavindustry.in/"

    crypted file is "Thumbs.db";
    decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
    it will unpack in "TEMP" folder these files:

    "vesececune.ric",
    "hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

    and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

    "hewefuxasa.exe"s job is "vesececune.ric" management..;

    ahm, tired..
    continued, with second attachment

    "hewefuxasa.exe"s job is "vesececune.ric" management:
    decrypt "vesececune.ric" (see "vesececune.ric_decoded.bin"),
    start new process and inject there executable code (see "in_vesececune.ric.EXE").

    "in_vesececune.ric.EXE" is last wrapper.
    it has removal code for temporary files "hewefuxasa.exe" & its DLLs (see "for_deletion.bin");
    and finally it has in resource the true body (see "compressed_true_NSIS.bin" & "true_NSIS.bin");

    here we arrive at the updated version of the malware:
    http://www.woodmann.com/forum/showthread.php?15082-just-today-infected-USB-flash

    it also has "msiexec.exe", but now as NSIS executable..

    PS
    password for zip: malware
    Last edited by evaluator; January 21st, 2014 at 10:42.
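    A defender-side triage script for the chain described in this post (an added example; it is not the poster's code or anything from the attachments). It walks a mounted removable volume and flags the artifacts named above by checking what the bytes are rather than what the names claim: a shortcut whose stored command line invokes rundll32.exe, a "desktop.ini" that is not INI text, a "Thumbs.db" without the OLE2 compound-file header a real thumbnail cache has, and an Office-style "~$" lock file that is actually a PE image. The sample volume it builds in a temporary directory, the shortcut name, and the `run_demo` helper are constructed for illustration; the export name "crys" is the one from the post.

```python
"""Triage a removable volume for the artifact pattern described in the post above.
Added example (not the poster's code): checks, sample files and names are constructed."""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # a genuine Thumbs.db is an OLE2 compound file
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # Shell Link: HeaderSize 0x4C + start of LinkCLSID


@dataclass
class Finding:
    path: str
    reason: str


def is_pe(data: bytes) -> bool:
    """True when a DOS 'MZ' stub's e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def lnk_invokes_rundll32(data: bytes) -> bool:
    """Shortcut target/arguments are stored as ANSI or UTF-16LE strings; check both."""
    if not data.startswith(LNK_MAGIC):
        return False
    lowered = data.lower()  # bytes.lower() touches ASCII letters only, so UTF-16LE survives
    return b"rundll32" in lowered or "rundll32".encode("utf-16-le") in lowered


def looks_like_text_ini(data: bytes) -> bool:
    """A legitimate desktop.ini is short text (UTF-8 or BOM-prefixed UTF-16), not code."""
    codec = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    try:
        text = data.decode(codec)
    except UnicodeDecodeError:
        return False
    if not text:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / len(text) > 0.95


def triage_removable_volume(root: str) -> List[Finding]:
    """Walk the volume; report files whose name promises one thing and whose bytes say another."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(4 * 1024 * 1024)  # headers plus enough to search strings
            except OSError:
                continue
            lower = name.lower()
            if lower.endswith(".lnk") and lnk_invokes_rundll32(data):
                findings.append(Finding(path, "shortcut launches rundll32.exe"))
            if lower == "desktop.ini" and not looks_like_text_ini(data):
                findings.append(Finding(path, "desktop.ini is not INI text"))
            if lower == "thumbs.db" and not data.startswith(OLE_MAGIC):
                findings.append(Finding(path, "Thumbs.db lacks OLE2 magic"))
            if name.startswith("~$") and is_pe(data):
                findings.append(Finding(path, "office-style lock file is a PE image"))
    return findings


def make_fake_pe() -> bytes:
    """Constructed DOS header + 'PE\\0\\0' signature: enough for is_pe(), not a runnable image."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 60


def build_sample_volume(root: str) -> None:
    """Constructed sample: the four suspicious artifacts plus benign look-alikes in a subfolder."""
    def put(rel: str, data: bytes) -> None:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

    put("~$WX.FAT", make_fake_pe())
    put("USB (8GB).lnk", LNK_MAGIC + b"\x00" * 0x44
        + "rundll32.exe ~$WX.FAT,crys".encode("utf-16-le"))
    put("desktop.ini", bytes(range(256)) * 4)          # opaque binary, not INI text
    put("Thumbs.db", bytes([0x9F, 0x3C, 0x77]) * 100)   # no OLE2 header
    put(os.path.join("Photos", "desktop.ini"), b"[.ShellClassInfo]\r\nIconResource=folder.ico,0\r\n")
    put(os.path.join("Photos", "Thumbs.db"), OLE_MAGIC + b"\x00" * 504)


def run_demo() -> List[str]:
    """Build the constructed volume in a temp dir, triage it, and return the sorted reasons."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_volume(root)
        return sorted(f.reason for f in triage_removable_volume(root))
```

    Run `triage_removable_volume("E:\\")` (or the mount point of the stick) from a clean host; the findings are leads for manual inspection, not a verdict, since the real shortcut stores its command line in a LNK structure this string search only approximates and a hidden-attribute check was left out to keep the script portable.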

  2. #2 Kayaker (Teach, Not Flame, joined Oct 2000, 4,047 posts, 5 blog entries)
    You sure get infected a lot eval. I'd love to see your browser history

  3. #3 Infected by Gamarue aka Andromeda

    Quote Originally Posted by evaluator
    file "~$WX.FAT" is a DLL;
    it will be executed via shortcut by "rundll32.exe";
    its exported function "crys" will load file "desktop.ini",
    which is program code to download/decrypt/execute a file from:
    "http://suckmycocklameavindustry.in/"

    crypted file is "Thumbs.db";
    decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
    it will unpack in "TEMP" folder these files:

    "vesececune.ric",
    "hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

    and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

    "hewefuxasa.exe"s job is "vesececune.ric" management..;

    ahm, tired..

    PS
    password for zip: malware
    Hi, you have been infected by Gamarue aka Andromeda botnet. Try running malware cleaner tools.

  4. #4 OHPen (Reverse Engineer, joined Nov 2002, location .text, 399 posts, 5 blog entries)
    @evaluator: yeah you are infected with a botnet! be careful. if you need further help, just ask lia, maybe you get help there ;DDDD

    Good luck!

    PS: It's always you, eval; you have to be more careful when browsing the internet, it's a dangerous place!
    Last edited by OHPen; January 21st, 2014 at 08:37.
    - Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -

  5. #5 evaluator (Musician member, joined Sep 2001, 1,479 posts, 1 blog entry)
    I updated the 1st thread with new info & attachment.

    Kayaker wrote:
    You sure get infected a lot eval. I'd love to see your browser history
    well, if you take a precise look & logic:
    1. my USB-stick catches malware.
    2. from other's PC; (such a low thoughts about my PC or me-infecting-my-USB-stick came from..)

    lia, you got infected by Kayaker.
    OHPen, may lia forgive you :~)

  6. #6
    Sounds like my life. I stick my USB in to fix another computer and, voilà, insta-infected.

    I remember the old days when I would use a CD with my weapons for cleaning on it.
    When I was done, I threw the CD away.

    Woodmann
    Learn Or Die.
