my USB another infection..

evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

file "~$WX.FAT" is a DLL;
it will be executed via shortcut by "rundll32.exe";
its exported function "crys" will load file "desktop.ini",
which is program code for download/decrypt/execute file from:
"http://suckmycocklameavindustry.in/"

crypted file is "Thumbs.db";
decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
it will unpack in "TEMP" folder these files:

"vesececune.ric",
"hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

"hewefuxasa.exe"'s job is "vesececune.ric" management..;

ahm, tired..
continued, with second attachment

"hewefuxasa.exe"'s job is "vesececune.ric" management:
decrypt "vesececune.ric" (see "vesececune.ric_decoded.bin"),
start new process and inject there executable code (see "in_vesececune.ric.EXE").

"in_vesececune.ric.EXE" is last wrapper.
it has removal code for temporary files "hewefuxasa.exe" & its DLLs (see "for_deletion.bin");
and finally it has in resource the true body (see "compressed_true_NSIS.bin" & "true_NSIS.bin");

here we arrive at the updated version of the malware:
http://www.woodmann.com/forum/showthrea ... -USB-flash

it also has "msiexec.exe", but now as NSIS executable..

PS
password for zip: malware
Attachments
TrustedInstaller_files.zip
(595.96 KiB) Downloaded 103 times
usb_malware.zip
(522.87 KiB) Downloaded 213 times
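A triage check suggested by this chain of masqueraded files, added here as an example and not part of evaluator's post or attachments: it walks a mounted volume and flags a desktop.ini that is not INI text, a Thumbs.db that is not an OLE2 container, and any "~$" (Office lock-style) file that is really a PE image. The sample volume, the minimal fake PE stub and the stand-in file bodies are all constructed.

```python
import struct
import tempfile
from pathlib import Path

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound file, what a real Thumbs.db is

def classify(data: bytes) -> str:
    """Classify a file body by its magic bytes: 'pe', 'ole', 'text' or 'binary'."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    if data[:8] == OLE_MAGIC:
        return "ole"
    return "text" if data and all(b in b"\r\n\t" or 0x20 <= b < 0x7F for b in data[:512]) else "binary"

def name_is_consistent(name: str, kind: str) -> bool:
    if name.lower() == "desktop.ini":   # folder view settings: plain INI text only
        return kind == "text"
    if name.lower() == "thumbs.db":     # Explorer thumbnail cache: OLE2 container
        return kind == "ole"
    if name.startswith("~$"):           # Office owner/lock file: never a PE image
        return kind != "pe"
    return True

def scan_removable(root: str) -> list:
    """List (relative path, detected kind) for every file whose content contradicts its name."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as f:
                kind = classify(f.read(4096))
            if not name_is_consistent(path.name, kind):
                findings.append((path.relative_to(root).as_posix(), kind))
    return sorted(findings)

def demo() -> list:
    """Constructed volume: clean files under 'clean/', the masqueraded trio at the root."""
    fake_pe = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 60
    root = Path(tempfile.mkdtemp())
    (root / "clean").mkdir()
    for rel, body in {
        "clean/desktop.ini": b"[.ShellClassInfo]\r\nIconResource=shell32.dll,3\r\n",
        "clean/Thumbs.db": OLE_MAGIC + b"\0" * 56,
        "~$WX.FAT": fake_pe,                # stands in for the rundll32-launched DLL
        "desktop.ini": bytes(range(256)),   # stands in for the loader code
        "Thumbs.db": b"\x8a\x13\xf0" * 40,  # stands in for the crypted payload
    }.items():
        (root / rel).write_bytes(body)
    return scan_removable(str(root))
```

Only the first 4 KiB of each file is read, so the check stays cheap on large volumes; a hit means the name and the content disagree, which is the point worth a closer look, not a verdict on its own.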
Kayaker
Posts: 4169
Joined: Thu Oct 26, 2000 11:00 am

Post by Kayaker »

You sure get infected a lot eval. I'd love to see your browser history :p
lia
Junior Member
Posts: 1
Joined: Tue Jan 21, 2014 7:04 am

Infected by Gamarue aka Andromeda

Post by lia »

evaluator wrote:file "~$WX.FAT" is a DLL;
it will be executed via shortcut by "rundll32.exe";
its exported function "crys" will load file "desktop.ini",
which is program code for download/decrypt/execute file from:
"http://suckmycocklameavindustry.in/"

crypted file is "Thumbs.db";
decrypted is "TrustedInstaller.exe", which is "Nullsoft.NSIS.exehead";
it will unpack in "TEMP" folder these files:

"vesececune.ric",
"hewefuxasa.exe","Fewuxusahif.dll","vinoliwulab.dll","Hunoqoriqop.dll","Zayimahizo.dll"

and then will execute "hewefuxasa.exe" with its 4 linked DLLs.

"hewefuxasa.exe"'s job is "vesececune.ric" management..;

ahm, tired..

PS
password for zip: malware
Hi, you have been infected by Gamarue aka Andromeda botnet. Try running malware cleaner tools.
OHPen
Posts: 399
Joined: Wed Nov 06, 2002 1:20 pm
Location: .text

Post by OHPen »

@evaluator: yeah, you are infected with a botnet! Be careful. If you need further help, just ask lia, maybe you get help there ;DDDD

Good luck!

PS: It's always you eval, you have to be more careful when browsing the internet, it's a dangerous place!
- Reverse Engineering can be everything, but sometimes it's more than nothing. Really rare moments but then they appear to last ages... -
evaluator
Posts: 1538
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

I updated the 1st thread with new info & attachment.

Kayaker wrote:
You sure get infected a lot eval. I'd love to see your browser history
well, if you take a precise look & logic:
1. my USB-stick catches malware.
2. from others' PCs; (such low thoughts about my PC or me-infecting-my-USB-stick came from..)

lia, you got infected by Kayaker.
OHPen, may lia forgive you :~)
Woodmann
Posts: 3605
Joined: Fri Jan 26, 2001 6:28 pm

Post by Woodmann »

Sounds like my life. I stick my usb in to fix another computer and, VIOLA, insta-infected.

I remember the old days when I would use a CD with my weapons for cleaning on it.
When I was done, I threw the CD away.

Woodmann
Learn Or Die.