b3n
November 22nd, 2008, 12:08
Hello there!
I've been following the posts on this forum for a while and today I found a file that I thought would be a good try to reverse a malware myself. The file claims to be a keygen for some program but there are a number of reasons why I don't believe it is what it claims to be. The strongest evidence is that the file has been uploaded under several different names.
After sending the file to VirusTotal I got the following result:
http://www.virustotal.com/analisis/88a1465ba89419312837f6daac55f4ff
7 scanners report that the file is suspicious. I analyzed the file in PEiD and it turns out to be a Visual Basic executable. The next step that I took was to disassemble the file with IDA, which did not turn out the way I wanted. The code at the entry point seems kinda messed up. I decided to give VB Decompiler a try and got a better looking result. As far as I can tell my previous assumptions were confirmed, that the file seems to be some sort of malware. It uses two modules, called modCryptText and modInject. Furthermore a module CRijndael can be found in the file. At present I have no idea what the file does, as I'm installing VMWare right now.
So for now I just have one question: why does IDA fail on decompiling the program, whereas I get a good result with VB Decompiler?
Also for those who are interested in having a look at the program, you can find it attached to this post. The password is "malware" without the quotes.
Cheers,
b3n