
What's the packer of this malware code?


gloom
January 5th, 2009, 20:34
Hi everyone! Happy New Year and Merry Christmas to all researchers and reverse engineers!
Today I caught a virus from one of the warez sites and decided to research its file, boot.com (actually it's a usual .exe, about 30 KB). I can't understand what packer this is. PEiD can't detect the packer either.
Some code from the EP:

data:00401EC4 start proc near
data:00401EC4 xor edx, eax
data:00401EC6 jmp loc_401415
data:00401EC6 start endp

data:00401415 loc_401415: ; CODE XREF: start+2j
data:00401415 xor eax, eax
data:00401417 call sub_4010FB
data:00401417 sub_401400 endp ; sp-analysis failed

data:004010FB sub_4010FB proc near ; CODE XREF: sub_401400+17p
data:004010FB mov ecx, ecx
data:004010FD add esp, 4
data:00401100 sub eax, 0FFFFFFFFh
data:00401103 call sub_40171E
data:00401103 sub_4010FB endp ; sp-analysis failed

data:0040171E sub_40171E proc near ; CODE XREF: sub_4010FB+8p
data:0040171E mov ecx, ecx
data:00401720 add esp, 4
data:00401723
data:00401723 loc_401723: ; CODE XREF: sub_401BCF+18j
data:00401723 push 0A7E2DCE3h
data:00401728 mov [esp+0], eax
data:0040172B ror dword ptr [esp+0], 0Ch
data:0040172F and dword ptr [esp+0], 0F00000h
data:00401736 rol dword ptr [esp+0], 0Ch
data:0040173A mov eax, [esp+0]
data:0040173D mov ecx, ecx
data:0040173F add esp, 4
data:00401742 call sub_4018D9
data:00401742 sub_40171E endp ; sp-analysis failed

Attached boot.zip with password "damnmalware" includes boot.com
Thanks to everybody!
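The listing above can be reduced by hand before reaching for a tracer. Each callee does "add esp, 4" right after entry, which discards the return address the call just pushed, so every call in the chain behaves like a jmp (that is also why IDA reports "sp-analysis failed"). "sub eax, 0FFFFFFFFh" is just "inc eax", the pushed immediate 0A7E2DCE3h is overwritten by "mov [esp+0], eax" before it is ever read, and the ror/and/rol triple at 401723 is an obfuscated "and eax, 0Fh". The following Python is an added example written for this thread, not code from the original post or from the sample; it emulates those instructions on a 32-bit register model and checks the simplification.

```python
# Added example: emulate the obfuscated EP chain from the listing and show
# that the ror/and/rol stack-slot dance collapses to a plain AND.
# Assumes 32-bit x86 semantics; register values are a constructed model,
# nothing here touches the real sample.

MASK32 = 0xFFFFFFFF


def ror32(x, n):
    """32-bit rotate right, as the x86 ROR instruction does it."""
    n %= 32
    return ((x >> n) | (x << (32 - n))) & MASK32


def rol32(x, n):
    """32-bit rotate left, as the x86 ROL instruction does it."""
    n %= 32
    return ((x << n) | (x >> (32 - n))) & MASK32


def obfuscated_transform(eax):
    """Replay 401723..40173A one instruction at a time on a stack slot."""
    slot = 0xA7E2DCE3          # push 0A7E2DCE3h (junk: overwritten next)
    slot = eax & MASK32        # mov [esp+0], eax
    slot = ror32(slot, 0x0C)   # ror dword ptr [esp+0], 0Ch
    slot &= 0x00F00000         # and dword ptr [esp+0], 0F00000h
    slot = rol32(slot, 0x0C)   # rol dword ptr [esp+0], 0Ch
    return slot                # mov eax, [esp+0]; add esp, 4 pops the slot


def simplified_mask():
    """Rotating the AND mask the same way the data is rotated back gives
    the constant the whole sequence is really ANDing with."""
    return rol32(0x00F00000, 0x0C)   # 0x0000000F


def check_equivalence(samples):
    """True if the replayed sequence equals 'and eax, mask' for every sample."""
    mask = simplified_mask()
    return all(obfuscated_transform(v) == (v & mask) for v in samples)


def emulate_entry_chain():
    """Walk the listed chain from the EP, treating each call as a jmp because
    the callee's 'add esp, 4' discards the pushed return address."""
    eax = 0                                  # 401415: xor eax, eax
    eax = (eax - 0xFFFFFFFF) & MASK32        # 401100: sub eax, 0FFFFFFFFh (== inc eax)
    eax = obfuscated_transform(eax)          # 401723..40173A
    return eax                               # EAX on entry to sub_4018D9


if __name__ == "__main__":
    probes = [0x00000000, 0x12345678, 0xDEADBEEF, 0xFFFFFFFF, 0x000FFFF0]
    print("simplified mask: 0x%08X" % simplified_mask())
    print("equivalent on probes:", check_equivalence(probes))
    print("EAX after EP chain: 0x%08X" % emulate_entry_chain())
```

The value of doing this on paper or in a few lines of script is that the "VM-ised" impression goes away: the chain is ordinary arithmetic padded with no-ops ("mov ecx, ecx") and calls used as jumps, so tracing over the calls, as suggested later in the thread, is enough to follow it.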

esther
January 6th, 2009, 03:03
It extracts 3 files, 2 tmp files (trojan) and autorun info.
Copies bootmalware into the recycle folder (if I spelt it right, heh).
It starts spoolsv, it sucks up your memory and freezes your windoze.

Nothing interesting in this malware....

PaCHER
January 6th, 2009, 09:05
Quote:
What's the packer of this malware code?

Packed with a private cryptor; PEiD identifies only public packers.

evaluator
January 6th, 2009, 09:21
Malware is packed with custom packers, which are called "trcrypt".

esther
January 6th, 2009, 12:03
A1AD might be the OEP, I might be wrong
since it doesn't run at all LOL

evaluator
January 7th, 2009, 05:45
This is TDSSL group malware with a SYS file + DLL inside the SYS; I have unpacked it many times..

& this tr/packer probably uses VM-ised loader code.., but it's easy to trace using TRACE_OVER on calls : )

esther
January 7th, 2009, 09:03
Hey evaluator,

Thanks for clearing up the mess I'm in.
I thought the OEP is somewhere beyond that.

l8r

roxaz
January 7th, 2009, 17:10
Since this thread is already open I'd like to ask what packer creates sections like rdata, fdata, cdata, pdata..?

Arcane
January 8th, 2009, 12:11
Could be any packer, but wild guess... Armadillo?

roxaz
January 8th, 2009, 13:09
That was the first thought that came to my mind too but I wanted to be sure. Oh well, I failed to notice VirtualizerSDK64.dll in the same dir. Looks like it's Virtualizer.... not too good
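Section names like the ones roxaz asks about are one of the cheapest triage signals for a packed or virtualized PE, and reading them needs nothing but the section table. The script below is an added example for this thread, not code from any poster or tool; it builds a constructed, headers-only PE32 image in memory (so it runs offline and is not a real binary), walks the COFF and section headers with struct, and reports names outside a fixed list of the usual compiler-emitted sections. The list of "standard" names is an assumption chosen for the example, and a name missing from it is a prompt to look closer, not proof of any particular packer.

```python
# Added example: list PE section names and flag unusual ones as a packer/
# protector triage heuristic. The sample image is constructed here (headers
# only) and does not come from the malware in this thread.
import struct

# Compiler/linker section names that normally need no second look (assumed list).
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata",
                     ".pdata", ".rsrc", ".reloc", ".bss", ".tls", ".CRT"}

COFF_FMT = "<HHIIIHH"        # Machine, NumberOfSections, TimeDateStamp,
                             # PointerToSymbolTable, NumberOfSymbols,
                             # SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe(section_names):
    """Construct a minimal PE32 image with the given section names (constructed
    test data: valid headers, no code, not loadable)."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    opt_size = 0xE0                                  # PE32 optional header size
    coff = struct.pack(COFF_FMT, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")   # PE32 magic, rest zeroed
    sections = b""
    for i, name in enumerate(section_names):
        raw_name = name.encode("ascii").ljust(8, b"\x00")[:8]
        sections += struct.pack(SECTION_FMT, raw_name,
                                0x1000, 0x1000 * (i + 1),   # VirtualSize, VirtualAddress
                                0x200, 0x400 * (i + 1),     # SizeOfRawData, PointerToRawData
                                0, 0, 0, 0,                 # relocs/linenumbers (unused)
                                0x60000020)                 # CODE | EXECUTE | READ
    return dos + b"PE\x00\x00" + coff + opt + sections


def section_names(pe_bytes):
    """Return the section names of a PE image in header order."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, pe_bytes, coff_off)
    sect_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    names = []
    for i in range(nsect):
        raw = struct.unpack_from("<8s", pe_bytes, sect_off + 40 * i)[0]
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
    return names


def unusual_sections(pe_bytes):
    """Names that are not in the assumed standard set: worth a closer look."""
    return [n for n in section_names(pe_bytes) if n not in STANDARD_SECTIONS]


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata", "fdata", "cdata", "pdata"])
    print("sections:", section_names(sample))
    print("unusual :", unusual_sections(sample))
```

Run it on a real file by replacing the constructed sample with open(path, "rb").read(); the parser only reads headers, so it is safe to point at a quarantined sample without executing anything. Pair the name check with the section characteristics and raw-vs-virtual sizes (both already unpacked above) before drawing conclusions, since protectors can use ordinary-looking names too.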