
Thread: Strange Packer

  1. #1

    Strange Packer

    A friend sent me this for analysis. NOD32 calls it a Win32/VB.ASW which is supposedly a "Yuri RAT" trojan.

    I can't really tell anything other than the fact that it's written in VB due to the "MSVBVM60.DLL" in the header, and it's packed with something I haven't seen before -- it has the following entry point:
    00405000: FC           cld
    00405001: 55           push      ebp
    00405002: 50           push      eax
    00405003: E800000000   call     .000405008
    00405008: 5D           pop       ebp
    00405009: 60           pushad
    0040500A: E803000000   call     .000405012
    Section table is absolutely normal, and there are no obscure tricks like TLS (though the unpacker does look obfuscated).

    MALWARE - download at your own risk!

  2. #2
    King of Redonda
    I was playing a bit with it and check out these strings I stumbled upon:

    00391DD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 6E  ..............Un
    00391DE0  6B 6E 6F 77 6E 20 65 72 72 6F 72 21 00 49 6E 74  known error!.Int
    00391DF0  65 72 66 61 63 65 20 44 4C 4C 20 28 50 43 47 57  erface DLL (PCGW
    00391E00  33 32 2E 44 4C 4C 29 20 69 73 20 6D 69 73 73 69  32.DLL) is missi
    00391E10  6E 67 21 0D 0A 0A 54 68 69 73 20 44 4C 4C 20 69  ng!...This DLL i
    00391E20  73 20 69 6E 63 6C 75 64 65 64 20 69 6E 20 50 43  s included in PC
    00391E30  20 47 75 61 72 64 20 66 6F 72 20 57 69 6E 33 32   Guard for Win32
    00391E40  2F 2E 4E 45 54 20 56 35 20 44 45 4D 4F 20 70 61  /.NET V5 DEMO pa
    00391E50  63 6B 61 67 65 20 61 6E 64 20 73 68 6F 75 6C 64  ckage and should
    00391E60  20 62 65 20 6C 6F 63 61 74 65 64 20 69 6E 20 73   be located in s
    00391E70  61 6D 65 20 64 69 72 65 63 74 6F 72 79 20 61 73  ame directory as
    00391E80  20 70 72 6F 74 65 63 74 65 64 20 61 70 70 6C 69   protected appli
    00391E90  63 61 74 69 6F 6E 2E 00 46 69 6C 65 20 64 61 6D  cation..File dam
    00391EA0  61 67 65 64 21 0D 0A 0A 50 72 6F 74 65 63 74 69  aged!...Protecti
    So I think this packer is PCGuard V5.
    <[TN]FBMachine> i got kicked out of barnes and noble once for moving all the bibles into the fiction section

  3. #3
    Now I know why PEiD didn't pick it up - I was using an older version. 0.94 works perfectly fine, identifying it as "PC-Guard 5.0 -> Blagoje Ceklic [Overlay]".

    Did you get infected, or halt at the OEP?

  4. #4
    King of Redonda
    I probably got infected, but I didn't save the changes on the Virtual PC.

    EDIT: I found OEP in a lame way (running and searching for "VB", and the push). It's 4012B8. Then I ran it with a hardware breakpoint there, and on break I dumped it with ollydump.

    Last edited by fr33ke; March 31st, 2007 at 18:11.

  5. #5
    Kayaker (Teach, Not Flame)
    Yeah, be careful with this one, it uses the Ardamax Keylogger to do some of its dirty work. I haven't really analyzed it yet but I'll mention how I got it to spew out its guts.

    Loading it in Ollydbg under VMWare and passing the exceptions with Shift-F9 soon gave a MessageBox saying that it won't run in a virtual machine. At this point the process is running code under a virtual mapping at 0x840000. Olly couldn't handle digging any further (or I couldn't get it to do so), so I switched to Softice.

    With Olly paused on the exception I could set a breakpoint in Softice on the next SMC instruction to be executed, let the program run again in Olly, then the Softice bp kicked in and I could continue tracing. Since this was "after the fact" it didn't do much good, so I restarted VMWare with just Softice and tried again.

    With IceExt loaded and PROTECT ON I could see that IceExt was executing its MeltIce protection. So I set a breakpoint on CreateFileA (the classic MeltIce break function) and started doing some real tracing.

    After bypassing MeltIce (or letting IceExt do all the work), the code went on to check IsDebuggerPresent. Since only a ring 0 debugger was active this check could be ignored. Then the code went on to retrieve the running modules with ZwQuerySystemInformation (with Class 11 SystemModuleInformation) and checked for the presence of "ntice.sys". This was easily bypassed as well by changing the string in memory.

    Finally we come to the part I was looking for, that of the VM detection. Hidden within the SMC was the well documented VMWare check for the magic number 0x564D5868 (or 'VMXh').
    0x8443B1 mov eax, 564D5868 // 'VMXh'

    Changing the magic number in memory to make the check fail was enough to let the malware execute its payload. Suddenly my ZoneAlarm under VMWare gave a warning about some executable trying to do something...

    4 files are created in a hidden folder under C:/Windows/System32/Sys
    alex_v13_server.exe - main executable identified as New Malware.b
    alex_v13_server.001 - keyfile of some sort
    alex_v13_server.006 - Ardamax Keylogger dll
    alex_v13_server.007 - Ardamax Keylogger dll
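    The two code idioms quoted in this thread, the "call $+5 ; pop ebp" GetPC stub at the packed entry point in post #1 and the "mov eax, 564D5868" ('VMXh') VMware backdoor check in post #5, both have fixed byte encodings, so an analyst can flag them in a dump without stepping through the SMC. The scanner below is an added example written for this thread, not code from any poster or from PC-Guard. It assumes standard 32-bit x86 encoding; the first sample buffer is the entry-point bytes from post #1, the second contains only the one mov from post #5 with constructed filler around it.

```python
import re
import struct

# Byte patterns for the two idioms the thread describes (assumption: 32-bit x86 code).
VMXH_MAGIC = 0x564D5868                                  # 'VMXh' as a little-endian dword
MOV_EAX_VMXH = b"\xB8" + struct.pack("<I", VMXH_MAGIC)   # B8 68 58 4D 56 = mov eax, 0x564D5868
# call rel32 with displacement 0 (E8 00 00 00 00), i.e. "call $+5", followed by pop r32 (58..5F)
GETPC_STUB = re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]")
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def find_getpc_stubs(code, base):
    """Return (address, description) for every 'call $+5 ; pop reg' pair in code."""
    hits = []
    for m in GETPC_STUB.finditer(code):
        reg = POP_REGS[m.group(0)[5] - 0x58]      # opcode 58+r selects the popped register
        hits.append((base + m.start(), f"call $+5 ; pop {reg}"))
    return hits


def find_vmxh_loads(code, base):
    """Return (address, description) for every 'mov eax, 0x564D5868' in code."""
    hits = []
    off = code.find(MOV_EAX_VMXH)
    while off != -1:
        hits.append((base + off, "mov eax, 0x564D5868 ; 'VMXh' VMware backdoor magic"))
        off = code.find(MOV_EAX_VMXH, off + 1)
    return hits


def scan(code, base):
    """Combined report, sorted by address."""
    return sorted(find_getpc_stubs(code, base) + find_vmxh_loads(code, base))


# Constructed sample 1: the packed entry point bytes quoted in post #1, base 0x405000.
ENTRY_STUB = bytes.fromhex("FC 55 50 E8 00 00 00 00 5D 60 E8 03 00 00 00")
# Constructed sample 2: the VMXh load from post #5 at 0x8443B1; only the mov is from the
# thread, the "mov ebx, 0 ; ret" after it is made-up filler so the buffer is not a single instruction.
VM_CHECK = bytes.fromhex("B8 68 58 4D 56 BB 00 00 00 00 C3")

if __name__ == "__main__":
    for addr, what in scan(ENTRY_STUB, 0x405000) + scan(VM_CHECK, 0x8443B1):
        print(f"{addr:08X}  {what}")
```

    Run against the post #1 bytes it reports the stub at 00405003, the same address the listing shows for the call; a hit for the 'VMXh' immediate in a section that has been written to at runtime is a good place to set the breakpoint Kayaker describes before patching the magic in memory.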


  6. #6
    Ardamax? That one has a rather simple "encryption" for its configuration file (including where the keylogs get sent to). Try to figure it out before scrolling down in the codebox for the solution.
     A r d a m a x K e y l o g g e r
    I n s t a l l T i m e
    R e g N a m e
    I n v i s i b i l i t y . T r a y I c o n
    I n v i s i b i l i t y . T a s k L i s t
    I n v i s i b i l i t y . P r o g r a m G r o u p
    I n v i s i b i l i t y . U n i n s t a l l L i s
    I n v i s i b i l i t y . P r o g r a m F o l d e r
    I n v i s i b i l i t y . A u t o s t a r t
    E m a i l . P o r t
    E m a i l . S e n d T o
    E m a i l . S m t p H o s t
    E m a i l . U s e r n a m e
    E m a i l . P a s s w o r d
    F T P . P o r t
    F T P . F T P H o s t
    F T P . R e m o t e F o l d e r
    F T P . P a s s i v e M o d e
    F T P . U s e r n a m e
    F T P . P a s s w o r d
    C o n t r o l . N u m b e r 
    C o n t r o l . P e r i o d T y p e
    C o n t r o l . S e n d
    C o n t r o l . V i a E m a i l
    C o n t r o l . V i a F T P
    C o n t r o l . I n c l u d e K e y s L o g
    C o n t r o l . I n c l u d e W e b L o g
    C o n t r o l . C h e c k M i n L o g S i z e
    C o n t r o l . P e r i o d T y p e 
    S e c u r i t y . P a s s w o r d
    S e c u r i t y . P r o t e c t L o g F i l e
    S e c u r i t y . P r o t e c t H i d d e n M o d e
    S e c u r i t y . P r o t e c t O p t i o n s
    S e c u r i t y . L o c k C l o s e
    O p t i o n s . A u t o s t a r t
    O p t i o n s . H i d e O n S t a r t u p
    O p t i o n s . H i d e H o t k e y
    O p t i o n s . S e l f D e s t r u c t
    O p t i o n s . D a t e S e l f D e s t r u c t
    N o t i c e . H i d d e n M o d e
    I n s t a n t . L o g g i n g E n a b l e d
    **  XOR with repeating sequence "DA32" (44 41 33 32)
    I don't know why, but keyloggers are my fetish. I've analysed at least 5 different ones already.

    Also, nice to see old SoftICE get a little respect
    Last edited by LLXX; April 1st, 2007 at 02:06.
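    The spaced-out letters in the codebox are UTF-16LE text, and LLXX's note says the blob is XORed with the repeating sequence "DA32". The following is an added example for this post, not LLXX's code or anything shipped with Ardamax: it decodes such a blob, pulls out the wide strings, and shows the known-plaintext trick for recovering the key from the "ArdamaxKeylogger" header. It assumes the key restarts at offset 0 of the config blob; the sample blob is constructed from a handful of the setting names above, not taken from a real config file.

```python
import re

KEY = b"DA32"   # the repeating XOR key named in the post: 44 41 33 32


def xor_repeating(data, key=KEY, key_offset=0):
    """XOR data with key repeated; key_offset says which key byte lines up with data[0]
    (assumption: a real config blob starts at key position 0)."""
    return bytes(b ^ key[(key_offset + i) % len(key)] for i, b in enumerate(data))


# Printable ASCII encoded as UTF-16LE: each character is <byte> 00, four or more in a row.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7E]\x00){4,}")


def extract_wide_strings(buf):
    """Pull printable UTF-16LE runs of 4+ characters out of a buffer."""
    return [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(buf)]


def decode_config(blob, key=KEY):
    """Strip the XOR layer and list the setting names / values that become readable."""
    return extract_wide_strings(xor_repeating(blob, key))


def recover_key(blob, known_plain, key_len=4):
    """Known-plaintext recovery: ciphertext XOR expected plaintext gives the key stream,
    and the first key_len bytes of that stream are the whole repeating key."""
    return bytes(c ^ p for c, p in zip(blob[:key_len], known_plain[:key_len]))


# Constructed sample: a few of the setting names from the post, NUL-separated, as UTF-16LE,
# then XORed with the key exactly as a captured config would be.
SAMPLE_PLAIN = "\0".join(
    ["ArdamaxKeylogger", "Email.SendTo", "Email.SmtpHost", "FTP.FTPHost"]
).encode("utf-16-le")
SAMPLE_BLOB = xor_repeating(SAMPLE_PLAIN)

if __name__ == "__main__":
    print("raw strings  :", extract_wide_strings(SAMPLE_BLOB))     # nothing readable
    print("recovered key:", recover_key(SAMPLE_BLOB, "ArdamaxKeylogger".encode("utf-16-le")))
    print("decoded      :", decode_config(SAMPLE_BLOB))
```

    The reason this scheme is so easy to spot by eye, before any decoding, is that UTF-16LE ASCII text has a 00 high byte in every second position and 00 XOR k = k, so half the key bytes appear unchanged at every other offset of the "encrypted" file. A plain strings run over the raw blob finds nothing, which is the only thing the XOR layer achieves.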
